User Guide for ZYXEL models including: ZyWall USG Flex Series, Firewall, ZyWall USG Flex Series Firewall, NT01650


USG FLEX 100 V4-60 Ed1
User's Guide

ZyWALL USG FLEX Series

Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234

Version 4.60 Edition 1, 10/2020

Copyright © 2020 Zyxel Communications Corporation

IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.

This is a User's Guide for a series of products. Not all products support all firmware features. Screenshots and graphics in this book may differ slightly from your product due to differences in product features or web configurator brand style. Every effort has been made to ensure that the information in this manual is accurate.

Note: The version number on the cover page refers to the Zyxel Device's latest firmware version to which this User's Guide applies.

Related Documentation

· Quick Start Guide
The Quick Start Guide shows how to connect the Zyxel Device and access the Web Configurator wizards. (See the wizard real time help for information on configuring each screen.) It also contains a connection diagram and package contents list.
· CLI Reference Guide
The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the Zyxel Device.
Note: It is recommended you use the Web Configurator to configure the Zyxel Device.
· Web Configurator Online Help
Click the help icon in any screen for help in configuring that screen and supplementary information.
· More Information
Go to support.zyxel.com to find other information on the Zyxel Device.
ZyWALL USG FLEX Series User's Guide
2

Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this guide.

Warnings tell you about things that could harm you or your device.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions
· All models in this series may be referred to as the "Zyxel Device" in this guide.
· Product labels, screen names, field labels and field choices are all in bold font.
· A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Configuration > Network > Interface > Ethernet means you first click Configuration in the navigation panel, then Network, then the Interface sub menu and finally the Ethernet tab to get to that screen.

Icons Used in Figures
Figures in this user guide may use the following generic icons. The Zyxel Device icon is not an exact representation of your device.

Icons shown: Zyxel Device, Generic Router, Wireless Router / Access Point, Switch, Internet, Firewall, Server, Network Cloud, Smartphone, USB Dongle.


Contents Overview
Introduction ..... 27
Initial Setup Wizard ..... 51
Hardware, Interfaces and Zones ..... 70
Quick Setup Wizards ..... 79
Dashboard ..... 113
Monitor ..... 124
Licensing ..... 196
Wireless ..... 202
Interfaces ..... 228
Routing ..... 325
DDNS ..... 352
NAT ..... 358
Redirect Service ..... 375
ALG ..... 381
UPnP ..... 388
IP/MAC Binding ..... 403
Layer 2 Isolation ..... 408
DNS Inbound LB ..... 412
IPSec VPN ..... 418
SSL VPN ..... 454
L2TP VPN ..... 460
BWM (Bandwidth Management) ..... 465
Web Authentication ..... 481
Hotspot ..... 513
Printer Manager ..... 531
Free Time ..... 543
IPnP ..... 548
Walled Garden ..... 551
Advertisement Screen ..... 557
Security Policy ..... 560
Application Patrol ..... 586
Content Filter ..... 595
Anti-Malware ..... 620
Reputation Filter ..... 640
IDP ..... 651
Email Security ..... 675
SSL Inspection ..... 693
IP Exception ..... 707
Object ..... 710

Device HA ..... 826
Cloud CNM ..... 833
System ..... 841
Log and Report ..... 902
File Manager ..... 915
Diagnostics ..... 931
Packet Flow Explore ..... 952
Shutdown ..... 959
Troubleshooting ..... 963

Table of Contents
Document Conventions ..... 3
Contents Overview ..... 4
Table of Contents ..... 6
Part I: User's Guide ..... 26
Chapter 1 Introduction ..... 27
1.1 Overview ..... 27
1.1.1 Model Feature Differences ..... 27
1.2 Registration at myZyxel ..... 28
1.2.1 Grace Period ..... 29
1.2.2 Applications ..... 29
1.3 Management Overview ..... 32
1.4 Web Configurator ..... 33
1.4.1 Web Configurator Access ..... 33
1.4.2 Web Configurator Screens Overview ..... 36
1.4.3 Navigation Panel ..... 40
1.4.4 Tables and Lists ..... 48
Chapter 2 Initial Setup Wizard ..... 51
2.1 Initial Setup Wizard Screens ..... 51
2.1.1 Internet Access Setup - WAN Interface ..... 51
2.1.2 Internet Access: Ethernet ..... 52
2.1.3 Internet Access: PPPoE ..... 53
2.1.4 Internet Access: PPTP ..... 55
2.1.5 Internet Access: L2TP ..... 57
2.1.6 Internet Access Setup - Second WAN Interface ..... 59
2.1.7 Internet Access: Congratulations ..... 60
2.1.8 Date and Time Settings ..... 61
2.1.9 Register Device ..... 61
2.1.10 Activate Service ..... 63
2.1.11 Service Settings ..... 64
2.1.12 Service Settings: SecuReporter ..... 65
2.1.13 Wireless Settings: Management Mode ..... 66

2.1.14 Wireless Settings: AP Controller ..... 67
2.1.15 Wireless Settings: SSID & Security ..... 67
2.1.16 Remote Management ..... 68
Chapter 3 Hardware, Interfaces and Zones ..... 70
3.1 Hardware Overview ..... 70
3.1.1 Front Panels ..... 70
3.1.2 Rear Panels ..... 72
3.2 Installation Scenarios ..... 74
3.2.1 Desktop Installation Procedure ..... 74
3.2.2 Rack-mounting ..... 75
3.2.3 Wall-mounting ..... 76
3.3 Default Zones, Interfaces, and Ports ..... 77
3.4 Stopping the Zyxel Device ..... 78
Chapter 4 Quick Setup Wizards ..... 79
4.1 Quick Setup Overview ..... 79
4.2 WAN Interface Quick Setup ..... 80
4.2.1 Choose an Ethernet Interface ..... 80
4.2.2 Select WAN Type ..... 81
4.2.3 Configure WAN IP Settings ..... 81
4.2.4 ISP and WAN and ISP Connection Settings ..... 82
4.2.5 Quick Setup Interface Wizard: Summary ..... 85
4.3 VPN Setup Wizard ..... 86
4.3.1 Welcome ..... 86
4.3.2 VPN Setup Wizard: Wizard Type ..... 87
4.3.3 VPN Express Wizard - Scenario ..... 88
4.3.4 VPN Express Wizard - Configuration ..... 89
4.3.5 VPN Express Wizard - Summary ..... 89
4.3.6 VPN Express Wizard - Finish ..... 90
4.3.7 VPN Advanced Wizard - Scenario ..... 91
4.3.8 VPN Advanced Wizard - Phase 1 Settings ..... 92
4.3.9 VPN Advanced Wizard - Phase 2 ..... 94
4.3.10 VPN Advanced Wizard - Summary ..... 95
4.3.11 VPN Advanced Wizard - Finish ..... 97
4.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type ..... 98
4.4.1 Configuration Provisioning Express Wizard - VPN Settings ..... 98
4.4.2 Configuration Provisioning VPN Express Wizard - Configuration ..... 99
4.4.3 VPN Settings for Configuration Provisioning Express Wizard - Summary ..... 100
4.4.4 VPN Settings for Configuration Provisioning Express Wizard - Finish ..... 101
4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario ..... 102

4.4.6 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 1 Settings ..... 103
4.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2 ..... 104
4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard - Summary ..... 105
4.4.9 VPN Settings for Configuration Provisioning Advanced Wizard - Finish ..... 108
4.5 VPN Settings for L2TP VPN Settings Wizard ..... 108
4.5.1 L2TP VPN Settings ..... 109
4.5.2 L2TP VPN Settings ..... 110
4.5.3 VPN Settings for L2TP VPN Setting Wizard - Summary ..... 110
4.5.4 VPN Settings for L2TP VPN Setting Wizard - Completed ..... 112
Chapter 5 Dashboard ..... 113
5.1 Overview ..... 113
5.1.1 What You Can Do in this Chapter ..... 113
5.2 The General Screen ..... 113
5.2.1 Device Information Screen ..... 115
5.2.2 System Status Screen ..... 116
5.2.3 Tx/Rx Statistics ..... 116
5.2.4 The Latest Logs Screen ..... 117
5.2.5 System Resources Screen ..... 117
5.2.6 DHCP Table Screen ..... 118
5.2.7 Number of Login Users Screen ..... 119
5.2.8 Current Login User ..... 120
5.2.9 VPN Status ..... 120
5.2.10 SSL VPN Status ..... 121
5.3 The Advanced Threat Protection Screen ..... 121
Part II: Technical Reference ..... 123
Chapter 6 Monitor ..... 124
6.1 Overview ..... 124
6.1.1 What You Can Do in this Chapter ..... 124
6.2 The Port Statistics Screen ..... 126
6.2.1 The Port Statistics Graph Screen ..... 127
6.3 Interface Status Screen ..... 128
6.4 The Traffic Statistics Screen ..... 132
6.5 The Session Monitor Screen ..... 135
6.6 The Login Users Screen ..... 137
6.7 Dynamic Guest ..... 138
6.8 IGMP Statistics ..... 139

6.9 The DDNS Status Screen ..... 140
6.10 IP/MAC Binding ..... 141
6.11 Cellular Status Screen ..... 142
6.11.1 More Information ..... 144
6.12 The UPnP Port Status Screen ..... 145
6.13 USB Storage Screen ..... 146
6.14 Ethernet Neighbor Screen ..... 147
6.15 FQDN Object Screen ..... 148
6.16 Virtual Server Load Balancing ..... 150
6.17 AP Information: AP List ..... 151
6.17.1 AP List: More Information ..... 155
6.17.2 AP List: Edit AP ..... 158
6.18 AP Information: Radio List ..... 161
6.18.1 Radio List: More Information ..... 163
6.19 AP Information: Top N APs ..... 165
6.20 AP Information: Single AP ..... 166
6.21 ZyMesh ..... 167
6.22 SSID Info ..... 168
6.23 Station Info: Station List ..... 169
6.24 Station Info: Top N Stations ..... 170
6.25 Station Info: Single Station ..... 171
6.26 Detected Device ..... 172
6.27 The Printer Status Screen ..... 173
6.28 The IPSec Screen ..... 174
6.29 The SSL Screen ..... 175
6.30 The L2TP over IPSec Screen ..... 176
6.31 The App Patrol Screen ..... 177
6.32 The Content Filter Screen ..... 178
6.33 The Anti-Malware Screen ..... 179
6.34 The Reputation Filter Screen ..... 182
6.35 The IDP Screen ..... 183
6.36 The Email Security Screens ..... 185
6.36.1 Email Security Summary ..... 185
6.36.2 The Email Security Status Screen ..... 187
6.37 The SSL Inspection Screens ..... 188
6.37.1 Certificate Cache List ..... 189
6.38 Log Screens ..... 190
6.38.1 View Log ..... 191
6.38.2 View AP Log ..... 192
6.38.3 Dynamic Users Log ..... 194
Chapter 7 Licensing ..... 196

7.1 Registration Overview .................................................................................................................. 196 7.1.1 What you Need to Know .................................................................................................... 196 7.1.2 Registration Screen ............................................................................................................. 197 7.1.3 Service Screen ..................................................................................................................... 197
7.2 Signature Update ......................................................................................................................... 199 7.2.1 What you Need to Know .................................................................................................... 199 7.2.2 The Signature Screen .......................................................................................................... 200 7.2.3 Auto Update ........................................................................................................................ 200
Chapter 8 Wireless .......... 202
8.1 Overview .......... 202
8.1.1 What You Can Do in this Chapter .......... 202
8.2 Controller Screen .......... 202
8.2.1 Connecting an AP to the Zyxel Device .......... 203
8.2.2 Connecting an AP to the Zyxel Device Manually .......... 203
8.2.3 Connecting an AP to the Zyxel Device Using DHCP Option 138 .......... 203
8.3 AP Management Screens .......... 204
8.3.1 Mgnt. AP List .......... 204
8.3.2 AP Policy .......... 211
8.3.3 AP Group .......... 212
8.3.4 Firmware .......... 218
8.4 Rogue AP .......... 220
8.4.1 Add/Edit Rogue/Friendly List .......... 222
8.5 Auto Healing .......... 223
8.6 RTLS Overview .......... 224
8.6.1 What You Can Do in this Chapter .......... 224
8.6.2 Before You Begin .......... 224
8.6.3 Configuring RTLS .......... 225
8.7 Technical Reference .......... 226
8.7.1 Dynamic Channel Selection .......... 226
8.7.2 Load Balancing .......... 227
Chapter 9 Interfaces .......... 228
9.1 Interface Overview .......... 228
9.1.1 What You Can Do in this Chapter .......... 228
9.1.2 What You Need to Know .......... 228
9.1.3 What You Need to Do First .......... 233
9.2 Port Role .......... 233
9.3 Port Configuration .......... 234
9.4 Ethernet Summary Screen .......... 235
9.4.1 Ethernet Edit .......... 237
9.4.2 Proxy ARP .......... 253
9.4.3 Virtual Interfaces .......... 254
9.4.4 References .......... 255
9.4.5 Add/Edit DHCPv6 Request/Release Options .......... 256
9.4.6 Add/Edit DHCP Extended Options .......... 257
9.5 PPP Interfaces .......... 258
9.5.1 PPP Interface Summary .......... 259
9.5.2 PPP Interface Add or Edit .......... 260
9.6 Cellular Configuration Screen .......... 265
9.6.1 Cellular Choose Slot .......... 268
9.6.2 Add / Edit Cellular Configuration .......... 268
9.7 Tunnel Interfaces .......... 274
9.7.1 Configuring a Tunnel .......... 276
9.7.2 Tunnel Add or Edit Screen .......... 277
9.8 VLAN Interfaces .......... 281
9.8.1 VLAN Summary Screen .......... 282
9.8.2 VLAN Add/Edit .......... 283
9.9 Bridge Interfaces .......... 294
9.9.1 Bridge Summary .......... 296
9.9.2 Bridge Add/Edit .......... 297
9.10 VTI .......... 308
9.10.1 Restrictions for IPSec Virtual Tunnel Interface .......... 308
9.10.2 VTI Screen .......... 309
9.10.3 VTI Add/Edit .......... 309
9.11 Trunk Overview .......... 313
9.11.1 What You Need to Know .......... 313
9.12 The Trunk Summary Screen .......... 316
9.12.1 Configuring a User-Defined Trunk .......... 317
9.12.2 Configuring the System Default Trunk .......... 319
9.13 Interface Technical Reference .......... 320
Chapter 10 Routing .......... 325
10.1 Policy and Static Routes Overview .......... 325
10.1.1 What You Can Do in this Chapter .......... 325
10.1.2 What You Need to Know .......... 326
10.2 Policy Route Screen .......... 327
10.2.1 Policy Route Edit Screen .......... 329
10.3 IP Static Route Screen .......... 334
10.3.1 Static Route Add/Edit Screen .......... 334
10.4 Policy Routing Technical Reference .......... 336
10.5 Routing Protocols Overview .......... 336
10.5.1 What You Need to Know .......... 337
10.6 The RIP Screen .......... 337
10.7 The OSPF Screen .......... 339
10.7.1 Configuring the OSPF Screen .......... 342
10.7.2 OSPF Area Add/Edit Screen .......... 343
10.7.3 Virtual Link Add/Edit Screen .......... 345
10.8 BGP (Border Gateway Protocol) .......... 346
10.8.1 Allow BGP Packets to Enter the Zyxel Device .......... 347
10.8.2 Configuring the BGP Screen .......... 347
10.8.3 The BGP Neighbors Screen .......... 349
10.8.4 Example Scenario .......... 350
Chapter 11 DDNS .......... 352
11.1 DDNS Overview .......... 352
11.1.1 What You Can Do in this Chapter .......... 352
11.1.2 What You Need to Know .......... 352
11.2 The DDNS Screen .......... 353
11.2.1 The Dynamic DNS Add/Edit Screen .......... 354
Chapter 12 NAT .......... 358
12.1 Overview .......... 358
12.2 NAT Overview .......... 358
12.2.1 What You Can Do in this Chapter .......... 358
12.2.2 What You Need to Know .......... 359
12.3 The NAT Screen .......... 360
12.3.1 The NAT Add/Edit Screen .......... 361
12.4 NAT Technical Reference .......... 364
12.5 Virtual Server Load Balancing .......... 366
12.5.1 Load Balancing Example 1 .......... 366
12.5.2 Load Balancing Example 2 .......... 367
12.5.3 Virtual Server Load Balancing Process .......... 367
12.5.4 Load Balancing Rules .......... 368
12.5.5 Virtual Server Load Balancing Algorithms .......... 369
12.6 The Virtual Server Load Balancer Screen .......... 370
12.6.1 Adding/Editing a Virtual Server Load Balancing Rule .......... 371
Chapter 13 Redirect Service .......... 375
13.1 Overview .......... 375
13.1.1 HTTP Redirect .......... 375
13.1.2 SMTP Redirect .......... 375
13.1.3 What You Can Do in this Chapter .......... 376
13.1.4 What You Need to Know .......... 376
13.2 The Redirect Service Screen .......... 378
13.2.1 The Redirect Service Edit Screen .......... 379
Chapter 14 ALG .......... 381
14.1 ALG Overview .......... 381
14.1.1 What You Need to Know .......... 381
14.1.2 Before You Begin .......... 384
14.2 The ALG Screen .......... 384
14.3 ALG Technical Reference .......... 386
Chapter 15 UPnP .......... 388
15.1 UPnP and NAT-PMP Overview .......... 388
15.2 What You Need to Know .......... 388
15.2.1 NAT Traversal .......... 388
15.2.2 Cautions with UPnP and NAT-PMP .......... 389
15.3 UPnP Screen .......... 389
15.4 Technical Reference .......... 390
15.4.1 Turning on UPnP in Windows 7 Example .......... 390
15.4.2 Turn on UPnP in Windows 10 Example .......... 394
15.4.3 Auto-discover Your UPnP-enabled Network Device .......... 396
15.4.4 Web Configurator Easy Access in Windows 7 .......... 399
15.4.5 Web Configurator Easy Access in Windows 10 .......... 401
Chapter 16 IP/MAC Binding .......... 403
16.1 IP/MAC Binding Overview .......... 403
16.1.1 What You Can Do in this Chapter .......... 403
16.1.2 What You Need to Know .......... 403
16.2 IP/MAC Binding Summary .......... 404
16.2.1 IP/MAC Binding Edit .......... 405
16.2.2 Static DHCP Edit .......... 406
16.3 IP/MAC Binding Exempt List .......... 407
Chapter 17 Layer 2 Isolation .......... 408
17.1 Overview .......... 408
17.1.1 What You Can Do in this Chapter .......... 408
17.2 Layer-2 Isolation General Screen .......... 408
17.3 White List Screen .......... 409
17.3.1 Add/Edit White List Rule .......... 410
Chapter 18 DNS Inbound LB .......... 412
18.1 DNS Inbound Load Balancing Overview .......... 412
18.1.1 What You Can Do in this Chapter .......... 412
18.2 The DNS Inbound LB Screen .......... 413
18.2.1 The DNS Inbound LB Add/Edit Screen .......... 414
18.2.2 The DNS Inbound LB Add/Edit Member Screen .......... 416
Chapter 19 IPSec VPN .......... 418
19.1 Virtual Private Networks (VPN) Overview .......... 418
19.1.1 What You Can Do in this Chapter .......... 420
19.1.2 What You Need to Know .......... 420
19.1.3 Before You Begin .......... 423
19.2 The VPN Connection Screen .......... 423
19.2.1 The VPN Connection Add/Edit Screen .......... 425
19.3 The VPN Gateway Screen .......... 432
19.3.1 The VPN Gateway Add/Edit Screen .......... 433
19.4 VPN Concentrator .......... 440
19.4.1 VPN Concentrator Requirements and Suggestions .......... 440
19.4.2 VPN Concentrator Screen .......... 441
19.4.3 The VPN Concentrator Add/Edit Screen .......... 441
19.5 Zyxel Device IPSec VPN Client Configuration Provisioning .......... 442
19.6 IPSec VPN Background Information .......... 444
Chapter 20 SSL VPN .......... 454
20.1 Overview .......... 454
20.1.1 What You Can Do in this Chapter .......... 454
20.1.2 What You Need to Know .......... 454
20.2 The SSL Access Privilege Screen .......... 455
20.2.1 The SSL Access Privilege Policy Add/Edit Screen .......... 456
20.3 The SSL Global Setting Screen .......... 458
Chapter 21 L2TP VPN .......... 460
21.1 Overview .......... 460
21.1.1 What You Can Do in this Chapter .......... 460
21.1.2 What You Need to Know .......... 460
21.2 L2TP VPN Screen .......... 461
21.2.1 Example: L2TP and Zyxel Device Behind a NAT Router .......... 463
Chapter 22 BWM (Bandwidth Management) .......... 465
22.1 Overview .......... 465
22.1.1 What You Can Do in this Chapter .......... 465
22.1.2 What You Need to Know .......... 465
22.2 The Bandwidth Management Configuration .......... 469
22.2.1 The Bandwidth Management Add/Edit Screen .......... 472
Chapter 23 Web Authentication .......... 481
23.1 Web Auth Overview .......... 481
23.1.1 What You Can Do in this Chapter .......... 481
23.1.2 What You Need to Know .......... 482
23.2 Web Authentication General Screen .......... 482
23.2.1 User-aware Access Control Example .......... 487
23.2.2 Authentication Type Screen .......... 493
23.2.3 Custom Web Portal / User Agreement File Screen .......... 497
23.2.4 Facebook Wi-Fi Screen .......... 498
23.3 SSO Overview .......... 502
23.4 SSO - Zyxel Device Configuration .......... 503
23.4.1 Configuration Overview .......... 504
23.4.2 Configure the Zyxel Device to Communicate with SSO .......... 504
23.4.3 Enable Web Authentication .......... 505
23.4.4 Create a Security Policy .......... 506
23.4.5 Configure User Information .......... 507
23.4.6 Configure an Authentication Method .......... 508
23.4.7 Configure Active Directory .......... 509
23.5 SSO Agent Configuration .......... 510
Chapter 24 Hotspot .......... 513
24.1 Overview .......... 513
24.2 Billing Overview .......... 513
24.2.1 What You Need to Know .......... 513
24.3 The Billing > General Screen .......... 514
24.4 The Billing > Billing Profile Screen .......... 516
24.4.1 The Account Generator Screen .......... 517
24.4.2 The Account Redeem Screen .......... 520
24.4.3 The Billing Profile Add/Edit Screen .......... 522
24.5 The Billing > Discount Screen .......... 523
24.5.1 The Discount Add/Edit Screen .......... 525
24.6 The Billing > Payment Service Screen .......... 525
24.6.1 The Payment Service > Desktop / Mobile View Screen .......... 527
Chapter 25 Printer Manager .......... 531
25.1 Printer Manager Overview .......... 531
25.1.1 What You Can Do in this Chapter .......... 531
25.2 The Printer Manager > General Screen .......... 531
25.2.1 Add Printer Rule .......... 534
25.2.2 Edit Printer Rule .......... 534
25.2.3 Discover Printer .......... 535
25.2.4 Edit Printer Manager (Discover Printer) .......... 537
25.3 The Printout Configuration Screen .......... 538
25.4 Printer Reports Overview .......... 539
25.4.1 Key Combinations .......... 539
25.4.2 Daily Account Summary .......... 539
25.4.3 Monthly Account Summary .......... 540
25.4.4 Account Report Notes .......... 540
25.4.5 System Status .......... 541
C ha pte r 26 Fre e Tim e ...........................................................................................................................................543
26.1 Free Time Overview ................................................................................................................... 543 26.1.1 What You Can Do in this Chapter ................................................................................... 543
26.2 The Free Time Screen ................................................................................................................. 543
C ha pte r 27 IPnP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . 5 4 8
27.1 IPnP Overview ............................................................................................................................ 548 27.1.1 What You Can Do in this Chapter ................................................................................... 549 27.1.2 IPnP Screen ........................................................................................................................ 549
C ha pte r 28 Wa lle d G a rde n.................................................................................................................................551
28.1 Walled Garden Overview ........................................................................................................ 551 28.2 Walled Garden > General Screen ........................................................................................... 551 28.3 Walled Garden > URL Base Screen .......................................................................................... 552
28.3.1 Adding/Editing a Walled Garden URL ........................................................................... 553 28.4 Walled Garden > Domain/IP Base Screen .............................................................................. 554
28.4.1 Adding/Editing a Walled Garden Domain or IP ........................................................... 555 28.4.2 Walled Garden Login Example ....................................................................................... 555
C ha pte r 29 Adve rtise m e nt Sc re e n .....................................................................................................................557
29.1 Advertisement Overview ........................................................................................................... 557 29.1.1 Adding/Editing an Advertisement URL .......................................................................... 558
Chapter 30 Security Policy ........ 560
30.1 Overview ........ 560
30.2 One Security ........ 561
30.3 What You Can Do in this Chapter ........ 564
30.3.1 What You Need to Know ........ 564
30.4 The Security Policy Screen ........ 566
30.4.1 Configuring the Security Policy Control Screen ........ 567
30.4.2 The Security Policy Control Add/Edit Screen ........ 571
30.5 Anomaly Detection and Prevention Overview ........ 572
30.5.1 The Anomaly Detection and Prevention General Screen ........ 573
30.5.2 Creating New ADP Profiles ........ 574
30.5.3 Traffic Anomaly Profiles ........ 575
30.5.4 Protocol Anomaly Profiles ........ 578
30.6 The Session Control Screen ........ 581
30.6.1 The Session Control Add/Edit Screen ........ 582
30.7 Security Policy Example Applications ........ 583
Chapter 31 Application Patrol ........ 586
31.1 Overview ........ 586
31.1.1 What You Can Do in this Chapter ........ 586
31.1.2 What You Need to Know ........ 586
31.2 Application Patrol Profile ........ 587
31.2.1 Profile Action: Apply to a Security Policy ........ 588
31.2.2 Application Patrol Profile > Add/Edit - My Application ........ 591
31.2.3 Application Patrol Profile > Add/Edit - Query Result ........ 592
Chapter 32 Content Filter ........ 595
32.1 Overview ........ 595
32.1.1 What You Can Do in this Chapter ........ 595
32.1.2 What You Need to Know ........ 595
32.1.3 Before You Begin ........ 597
32.2 Content Filter Profile Screen ........ 597
32.2.1 Apply to a Security Policy ........ 598
32.2.2 Content Filter Add Profile Category Service ........ 601
32.2.3 Content Filter Add Filter Profile Custom Service ........ 614
32.3 Content Filter Trusted Web Sites Screen ........ 616
32.4 Content Filter Forbidden Web Sites Screen ........ 617
32.5 Content Filter Technical Reference ........ 618
Chapter 33 Anti-Malware ........ 620
33.1 Overview ........ 620
33.1.1 What You Can Do in this Chapter ........ 624
33.2 Anti-Malware Screen ........ 625
33.3 The White List Screen ........ 628
33.4 The Black List Screen ........ 630
33.5 Anti-Malware Signature Searching ........ 631
33.6 Anti-Malware Profile ........ 632
33.6.1 Add or Edit an Anti-Malware Profile ........ 633
33.6.2 Link a Profile ........ 634
33.6.3 Anti-Malware Advance Screen ........ 635
33.6.4 Remove Profiles ........ 637
33.7 Anti-Malware Technical Reference ........ 638
Chapter 34 Reputation Filter ........ 640
34.1 Overview ........ 640
34.1.1 What You Need to Know ........ 640
34.1.2 What You Can Do in this Chapter ........ 640
34.2 URL Threat Filter Screen ........ 640
34.2.1 URL Threat Filter White List Screen ........ 642
34.2.2 URL Threat Filter Black List Screen ........ 643
34.3 URL Threat Filter Profile ........ 644
34.3.1 Add or Edit a URL Threat Filter Profile ........ 645
34.3.2 Link a Profile ........ 647
34.3.3 URL Threat Filter Advance Screen ........ 648
34.3.4 Remove Profiles ........ 650
Chapter 35 IDP ........ 651
35.1 Overview ........ 651
35.1.1 What You Can Do in this Chapter ........ 651
35.1.2 What You Need To Know ........ 651
35.1.3 Before You Begin ........ 651
35.2 The IDP Screen ........ 652
35.2.1 Query Example ........ 656
35.3 IDP Custom Signatures ........ 657
35.3.1 Add / Edit Custom Signatures ........ 658
35.3.2 Custom Signature Example ........ 662
35.3.3 Applying Custom Signatures ........ 664
35.3.4 Verifying Custom Signatures ........ 665
35.4 The White List Screen ........ 665
35.5 IDP Profile ........ 666
35.5.1 Add or Edit an IDP Profile ........ 667
35.5.2 Link a Profile ........ 669
35.5.3 The IDP Advance Screen ........ 670
35.5.4 Remove Profiles ........ 672
35.6 IDP Technical Reference ........ 673
Chapter 36 Email Security ........ 675
36.1 Overview ........ 675
36.1.1 What You Can Do in this Chapter ........ 675
36.1.2 What You Need to Know ........ 675
36.2 Before You Begin ........ 676
36.3 The Email Security Screen ........ 677
36.4 The Black List / White List Screen ........ 679
36.4.1 The Black or White List Add/Edit Screen ........ 680
36.4.2 Regular Expressions in Black or White List Entries ........ 682
36.5 Email Security Profile ........ 682
36.5.1 Add or Edit Email Security Profile ........ 683
36.5.2 Link a Profile ........ 685
36.5.3 The Email Security Advance Screen ........ 686
36.5.4 Remove Profiles ........ 689
36.6 Email Security Technical Reference ........ 689
Chapter 37 SSL Inspection ........ 693
37.1 Overview ........ 693
37.1.1 What You Can Do in this Chapter ........ 693
37.1.2 What You Need To Know ........ 694
37.1.3 What You Can Do in this Chapter ........ 694
37.1.4 Before You Begin ........ 694
37.2 The SSL Inspection Profile Screen ........ 694
37.2.1 Apply to a Security Policy ........ 697
37.2.2 Add / Edit SSL Inspection Profiles ........ 700
37.3 Exclude List Screen ........ 701
37.4 Certificate Update Screen ........ 703
37.5 Install a CA Certificate in a Browser ........ 704
Chapter 38 IP Exception ........ 707
38.1 Overview ........ 707
38.2 The IP Exception Screen ........ 707
38.2.1 The IP Exception Add/Edit Screen ........ 708
Chapter 39 Object ........ 710
39.1 Zones Overview ........ 710
39.1.1 What You Need to Know ........ 710
39.1.2 The Zone Screen ........ 711
39.2 User/Group Overview ........ 713
39.2.1 What You Need To Know ........ 713
39.2.2 User/Group User Summary Screen ........ 715
39.2.3 User Add/Edit General Screen ........ 716
39.2.4 User Add/Edit Two-factor Authentication Screen ........ 720
39.2.5 User/Group Group Summary Screen ........ 722
39.2.6 User/Group Setting Screen ........ 724
39.2.7 User/Group MAC Address Summary Screen ........ 729
39.2.8 User/Group Technical Reference ........ 731
39.3 AP Profile Overview ........ 731
39.3.1 Radio Screen ........ 733
39.3.2 SSID Screen ........ 740
39.4 MON Profile ........ 757
39.4.1 Overview ........ 757
39.4.2 Configuring MON Profile ........ 758
39.4.3 Add/Edit MON Profile ........ 759
39.4.4 Technical Reference ........ 760
39.5 ZyMesh Overview ........ 761
39.5.1 ZyMesh Profile ........ 763
39.5.2 Add/Edit ZyMesh Profile ........ 764
39.6 Address/Geo IP Overview ........ 764
39.6.1 What You Need To Know ........ 765
39.6.2 Address Summary Screen ........ 765
39.6.3 Address Group Summary Screen ........ 769
39.6.4 Geo IP Summary Screen ........ 771
39.7 Service Overview ........ 774
39.7.1 What You Need to Know ........ 774
39.7.2 The Service Summary Screen ........ 775
39.7.3 The Service Group Summary Screen ........ 777
39.8 Schedule Overview ........ 779
39.8.1 What You Need to Know ........ 779
39.8.2 The Schedule Screen ........ 780
39.8.3 The Schedule Group Screen ........ 783
39.9 AAA Server Overview ........ 784
39.9.1 Directory Service (AD/LDAP) ........ 785
39.9.2 RADIUS Server ........ 785
39.9.3 ASAS ........ 785
39.9.4 What You Need To Know ........ 786
39.9.5 Active Directory or LDAP Server Summary ........ 787
39.9.6 RADIUS Server Summary ........ 791
39.10 Auth. Method Overview ........ 794
39.10.1 Before You Begin ........ 794
39.10.2 Example: Selecting a VPN Authentication Method ........ 794
39.10.3 Authentication Method Objects ........ 795
39.10.4 Two-Factor Authentication ........ 797
39.10.5 Two-Factor Authentication VPN Access ........ 799
39.10.6 Two-Factor Authentication Admin Access ........ 801
39.11 Certificate Overview ........ 802
39.11.1 What You Need to Know ........ 803
39.11.2 Verifying a Certificate ........ 804
39.11.3 The My Certificates Screen ........ 805
39.11.4 The Trusted Certificates Screen ........ 814
39.11.5 Certificates Technical Reference ........ 819
39.12 ISP Account Overview ........ 819
39.12.1 ISP Account Summary ........ 819
39.13 DHCPv6 Overview ........ 822
39.13.1 The DHCPv6 Request Screen ........ 822
39.13.2 The DHCPv6 Lease Screen ........ 824
Chapter 40 Device HA ........ 826
40.1 Device HA Overview ........ 826
40.1.1 What You Can Do in These Screens ........ 826
40.2 Device HA Status ........ 826
40.3 Device HA Pro ........ 828
40.3.1 Deploying Device HA Pro ........ 829
40.3.2 Configuring Device HA Pro ........ 829
40.4 View Log ........ 831
Chapter 41 Cloud CNM ........ 833
41.1 Cloud CNM Overview ........ 833
41.1.1 What You Can Do in this Chapter ........ 833
41.2 Cloud CNM SecuManager ........ 833
41.3 Cloud CNM SecuReporter ........ 836
Chapter 42 System ........ 841
42.1 Overview ........ 841
42.1.1 What You Can Do in this Chapter ........ 841
42.2 Host Name ........ 842
42.3 USB Storage ........ 842
42.4 Date and Time ........ 843
42.4.1 Pre-defined NTP Time Servers List ........ 846
42.4.2 Time Server Synchronization ........ 846
42.5 Console Port Speed ........ 847
42.6 DNS Overview ........ 848
42.6.1 DNS Server Address Assignment ........ 848
42.6.2 Configuring the DNS Screen ........ 848
42.6.3 (IPv6) Address Record ........ 852
42.6.4 PTR Record ........ 852
42.6.5 Adding an (IPv6) Address/PTR Record ........ 852
42.6.6 CNAME Record ........ 853
42.6.7 Adding a CNAME Record ........ 853
42.6.8 Domain Zone Forwarder ........ 854
42.6.9 Adding a Domain Zone Forwarder ........ 854
42.6.10 MX Record ........ 855
42.6.11 Adding a MX Record ........ 855
42.6.12 Security Option Control ........ 856
42.6.13 Editing a Security Option Control ........ 856
42.6.14 Adding a DNS Service Control Rule ........ 857
42.7 WWW Overview ........ 858
42.7.1 Service Access Limitations ........ 858
42.7.2 System Timeout ........ 858
42.7.3 HTTPS ........ 858
42.7.4 Configuring WWW Service Control ........ 859
42.7.5 Service Control Rules ........ 862
42.7.6 Customizing the WWW Login Page ........ 863
42.7.7 HTTPS Example ........ 868
42.8 SSH ........ 875
42.8.1 SSH Implementation on the Zyxel Device ........ 876
42.8.2 Requirements for Using SSH ........ 876
42.8.3 Configuring SSH ........ 876
42.8.4 Service Control Rules ........ 877
42.8.5 SSH Example ........ 878
42.9 Telnet ........ 879
42.9.1 Configuring Telnet ........ 879
42.9.2 Service Control Rules ........ 881
42.10 FTP ........ 881
42.10.1 Configuring FTP ........ 881
42.10.2 Service Control Rules ........ 883
42.11 SNMP ........ 883
42.11.1 SNMPv3 and Security ........ 884
42.11.2 Supported MIBs ........ 885
ZyWALL USG FLEX Series User's Guide
22

Table of Contents
42.11.3 SNMP Traps ....................................................................................................................... 885 42.11.4 Configuring SNMP ........................................................................................................... 885 42.11.5 Add SNMPv3 User ............................................................................................................ 887 42.11.6 Service Control Rules ...................................................................................................... 888 42.12 Authentication Server .............................................................................................................. 889 42.12.1 Add/Edit Trusted RADIUS Client .................................................................................... 890 42.13 Notification > Mail Server ......................................................................................................... 891 42.14 Notification > SMS ..................................................................................................................... 892 42.15 Notification > Response Message ......................................................................................... 894 42.16 Language Screen ..................................................................................................................... 895 42.17 IPv6 Screen ................................................................................................................................ 896 42.18 Zyxel One Network (ZON) Utility ............................................................................................. 896 42.18.1 Requirements ................................................................................................................... 896 42.18.2 Run the ZON Utility ........................................................................................................... 
897 42.18.3 Zyxel One Network (ZON) System Screen .................................................................... 901
Chapter 43 Log and Report ..... 902
43.1 Overview ..... 902
43.1.1 What You Can Do In this Chapter ..... 902
43.2 Email Daily Report ..... 902
43.3 Log Setting Screens ..... 904
43.3.1 Log Setting Summary ..... 904
43.3.2 Edit System Log Settings ..... 905
43.3.3 Edit Log on USB Storage Setting ..... 909
43.3.4 Edit Remote Server Log Settings ..... 910
43.3.5 Log Category Settings Screen ..... 912
Chapter 44 File Manager ..... 915
44.1 Overview ..... 915
44.1.1 What You Can Do in this Chapter ..... 915
44.1.2 What you Need to Know ..... 915
44.2 The Configuration Screen ..... 917
44.2.1 The Configuration Schedule Backup Screen ..... 921
44.3 Firmware Management ..... 922
44.3.1 Cloud Helper ..... 923
44.3.2 The Firmware Management Screen ..... 925
44.3.3 Firmware Upgrade via USB Stick ..... 928
44.4 The Shell Script Screen ..... 928
Chapter 45 Diagnostics ..... 931
45.1 Overview ..... 931
45.1.1 What You Can Do in this Chapter ..... 931
45.2 The Diagnostics Screens ..... 931
45.2.1 Scripts ..... 931
45.2.2 The Diagnostics Controller Screen ..... 932
45.2.3 The Diagnostics AP Screen ..... 934
45.2.4 The Diagnostics Files Screen ..... 936
45.3 The Packet Capture Screen ..... 937
45.3.1 The Packet Capture on AP Screen ..... 940
45.3.2 The Packet Capture Files Screen ..... 943
45.4 The CPU / Memory Status Screen ..... 944
45.5 The System Log Screen ..... 946
45.6 The Network Tool Screen ..... 946
45.7 The Routing Traces Screen ..... 949
45.8 The Wireless Frame Capture Screen ..... 950
45.8.1 The Wireless Frame Capture Files Screen ..... 951
Chapter 46 Packet Flow Explore ..... 952
46.1 Overview ..... 952
46.1.1 What You Can Do in this Chapter ..... 952
46.2 Routing Status ..... 952
46.3 The SNAT Status Screen ..... 956
Chapter 47 Shutdown ..... 959
47.1 Overview ..... 959
47.1.1 What You Need To Know ..... 959
47.2 The Shutdown / Reboot Screen ..... 959
Part III: Appendices and Troubleshooting ..... 962
Chapter 48 Troubleshooting ..... 963
48.1 Resetting the Zyxel Device ..... 976
48.2 Getting More Troubleshooting Help ..... 976
Appendix A Customer Support ..... 977
Appendix B Product Features ..... 983
Appendix C Legal Information ..... 986
Index ..... 996
PART I
User's Guide

Chapter 1 Introduction

1.1 Overview
Zyxel Device refers to these models as outlined below.
· USG FLEX 100
· USG FLEX 100W
· USG FLEX 200
· USG FLEX 500
· USG FLEX 700

1.1.1 Model Feature Differences

Note the following differences between the USG FLEX models:

Table 1 USG FLEX Model Feature Comparison

FEATURE/MODEL                          USG FLEX 100   USG FLEX 100W  USG FLEX 200   USG FLEX 500   USG FLEX 700
Microsoft Azure                        YES            YES            YES            YES            YES
Amazon VPC                             CLI only       CLI only       CLI only       CLI only       CLI only
Anomaly Detection & Prevention         YES            YES            YES            YES            YES
Email Security (Anti-Spam)             YES            YES            YES            YES            YES
IDP                                    YES            YES            YES            YES            YES
Anti-Malware                           YES            YES            YES            YES            YES
App Patrol                             YES            YES            YES            YES            YES
Web Filtering (Content Filtering)      YES            YES            YES            YES            YES
SecuReporter                           YES            YES            YES            YES            YES
Reputation Filter (IP and DNS)         NO             NO             NO             NO             NO
URL Threat Filter                      YES            YES            YES            YES            YES
Sandboxing                             NO             NO             NO             NO             NO
IP Exception                           YES            YES            YES            YES            YES
AP Controller                          YES            YES            YES            YES            YES
Device HA Pro                          NO             NO             NO             YES            YES
Hotspot Management                     NO             NO             YES            YES            YES
LAG                                    NO             NO             NO             YES            YES
Port Group                             YES            YES            YES            YES            YES
Port Role                              YES            YES            YES            YES            YES
SD-WAN Mode                            NO             NO             NO             NO             NO
SSL Application                        YES            YES            YES            YES            YES
SSL encrypted traffic inspection       YES            YES            YES            YES            YES
Bundled UTM Feature License Validity   1 year         1 year         1 year         1 year         1 year
Virtual Server Load Balancing          YES            YES            YES            YES            YES
Built-in WiFi                          NO             YES            NO             NO             NO


For information on interface names by model, default port or interface name mapping, and default interface or zone mapping please see Section 3.3 on page 77.
See the product's datasheet for detailed information on a specific model.

1.2 Registration at myZyxel
myZyxel is Zyxel's online services center where you can register your Zyxel Device and manage the subscription services available for it (see Configuration > Licensing > Registration > Service for the services available for your Zyxel Device).
· For Zyxel Devices that already have firmware version 4.25 or later, you have to register your Zyxel Device and activate the corresponding service at myZyxel (through your Zyxel Device).
· For Zyxel Devices upgrading to firmware version 4.25 or later, you may skip registering your Zyxel Device and activating the corresponding service at myZyxel (through your Zyxel Device). However, it is highly recommended to at least register your Zyxel Device. At the time of writing, the Firmware Upgrade license, which provides Cloud Helper new firmware notifications, is free when you register your Zyxel Device.
Note: You need to create a myZyxel account at http://portal.myZyxel.com before you can register your device and activate the services at myZyxel.
You may need your Zyxel Device's serial number and LAN MAC address to register it at myZyxel. See the label on the back of the Zyxel Device for details.

Figure 1 myZyxel Login


1.2.1 Grace Period
SecuReporter and service licenses have a 15-day grace period after a license expires. Services will continue to work in this period during which you will receive notifications to renew your licenses. New licenses are valid for 1 year from the date of purchase.
1.2.2 Applications
These are some Zyxel Device application scenarios.
Security Router
Security includes a Stateful Packet Inspection (SPI) firewall.
Figure 2 Applications: Security Router

IPv6 Routing
The Zyxel Device supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 policy routes and IPv6 objects. The Zyxel Device can also route IPv6 packets through IPv4 networks using different tunneling methods.
Figure 3 Applications: IPv6 Routing
VPN Connectivity
Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. In the figure below, AS is an Authentication Server.
Figure 4 Applications: VPN Connectivity
SSL VPN Network Access
SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the Zyxel Device's web address and enters his user name and password to securely connect to the Zyxel Device's network. Here full tunnel mode creates a virtual connection for a remote user and gives him a private IP address in the same subnet as the local network so he can access network resources in the same way as if he were part of the internal network.
Figure 5 SSL VPN With Full Tunnel Mode
(Figure labels: LAN (192.168.1.X); https://; Web Mail; File Share; Non-Web Application; Web-based Application; Application Server)
User-Aware Access Control
Set up security policies to restrict access to sensitive information and shared resources based on the user who is trying to access it. In the following figure user A can access both the Internet and an internal file server. User B has a lower level of access and can only access the Internet. User C is not logged in at all, and so cannot access either the Internet or the file server.
Figure 6 Applications: User-Aware Access Control

Load Balancing
Set up multiple connections to the Internet on the same port, or different ports, including cellular interfaces. In either case, you can balance the traffic loads between them.
Figure 7 Applications: Multiple WAN Interfaces

1.3 Management Overview
You can manage the Zyxel Device in the following ways.
Web Configurator
The Web Configurator allows easy Zyxel Device setup and management using an Internet browser. This User's Guide provides information about the Web Configurator.
Figure 8 Managing the Zyxel Device: Web Configurator

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the Zyxel Device. Access it using remote management (for example, SSH or Telnet), via the physical console port, or via the Web Configurator's Web Console. See the Command Reference Guide for CLI details. The default settings for the console port are:

Table 2 Console Port Default Settings

SETTING        VALUE
Speed          115200 bps
Data Bits      8
Parity         None
Stop Bit       1
Flow Control   Off


FTP
Use File Transfer Protocol for firmware upgrades and configuration backup or restore.
SNMP
The device can be monitored and/or managed by an SNMP manager. See Section 42.11 on page 883.

CloudCNM
Use the CloudCNM screen (see Section 42.16 on page 895) to enable and configure management of the Zyxel Device by a Central Network Management system.
Management Authentication
Managers must be authenticated with a username and password, using one of:
· Local Zyxel Device authentication
· An external RADIUS server
· An external LDAP server
· Certificates
1.4 Web Configurator
In order to use the Web Configurator, you must:
· Use one of the following web browser versions or later:
  · Microsoft Edge
  · Internet Explorer 10.x, 11.x
  · Chrome latest version (45 or above)
  · Firefox latest version (45 or above)
  · Safari latest version (9.0 or above)
· Allow pop-up windows (blocked by default in some browsers)
· Enable JavaScript, Java permissions, and cookies
The recommended screen resolution is 1024 x 768 pixels.
Note: Screenshots and graphics in this book may differ slightly from your product due to differences in product features or Web Configurator brand style. Most screen shots in this guide come from the USG110 and USG60W.
1.4.1 Web Configurator Access
1 Make sure your Zyxel Device hardware is properly connected. See the Quick Start Guide.
2 In your browser go to http://192.168.1.1. By default, the Zyxel Device automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears.
3 Type the user name (default: "admin") and password (default: "1234").
4 Click Login. After you log in for the first time using the default user name and password, you must change the default admin password in the Update Admin Info screen. Enter a new password of 1 to 64 characters. In Configuration > Object > User/Group > Setting, you can enable Password Complexity to require a new password to consist of at least 8 characters and at most 64, where at least 1 character must be a number, at least 1 a lower case letter, at least 1 an upper case letter and at least 1 a special character from the keyboard, such as !@#$%^&*()_+. You can also require periodic changing of the password in that screen by configuring Password must changed every (days). Make a note of your new password, enter it in the following screen, then click Apply.
5 A Terms of Use screen displays. Read the statement, then click Acknowledge to proceed.
Note: If you are using an Internet Explorer browser, the Terms of Use will be downloaded automatically.
6 The Network Risk Warning screen displays any unregistered or disabled security services. If your Zyxel Device is not registered, you will see a prompt to register it. Select how often to display the screen and click OK.
If you select Never and you later want to bring this screen back, use these commands (note the space before the underscore).
    Router> enable
    Router#
    Router# configure terminal
    Router(config)#
    Router(config)# service-register _setremind after-10-days after-180-days after-30-days every-time never
    Router(config)# service-register _setremind every-time
    Router(config)#
See the Command Line Interface (CLI) Reference Guide (RG) for details on all supported commands.
7 Follow the directions in the Update Admin Info screen. If you change the default password, the Login screen appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration; otherwise the dashboard appears.
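The admin password rules from step 4 (1 to 64 characters, and with Password Complexity enabled 8 to 64 characters with at least one number, one lower case letter, one upper case letter and one keyboard special character) and the periodic-change setting, as an added example that is not Zyxel code: a checker an administrator can run against candidate passwords before setting them on the device, with the factory default "1234" rejected outright. The function names, the use of ASCII punctuation as the set of "special characters", and the sample passwords are assumptions made for this example.

```python
"""Checker modelled on the Zyxel Device admin password policy in Section 1.4.1.
Added example, not Zyxel code: the device enforces these rules itself in the
Update Admin Info screen; this reproduces them so candidate passwords and the
'Password must changed every (days)' schedule can be checked in advance.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import string

# Factory default admin password from the cover page; never acceptable.
DEFAULT_ADMIN_PASSWORD = "1234"
# Assumption: "special character from the keyboard" is taken as ASCII
# punctuation, which covers the guide's examples !@#$%^&*()_+.
SPECIAL_CHARACTERS = frozenset(string.punctuation)
MAX_LENGTH = 64
MIN_LENGTH_BASE = 1          # base rule: 1 to 64 characters
MIN_LENGTH_COMPLEXITY = 8    # with Password Complexity enabled: 8 to 64


@dataclass
class PolicyResult:
    ok: bool
    problems: list = field(default_factory=list)


def check_admin_password(candidate: str, complexity: bool = True) -> PolicyResult:
    """Evaluate a candidate admin password against the policy.

    complexity=True models Configuration > Object > User/Group > Setting with
    Password Complexity enabled; complexity=False models the base rule only.
    Every violated rule is reported so the operator sees all of them at once.
    """
    problems = []
    if candidate == DEFAULT_ADMIN_PASSWORD:
        problems.append("default password must be changed")
    if not MIN_LENGTH_BASE <= len(candidate) <= MAX_LENGTH:
        problems.append(f"length must be {MIN_LENGTH_BASE} to {MAX_LENGTH} characters")
    if complexity:
        if len(candidate) < MIN_LENGTH_COMPLEXITY:
            problems.append(f"complexity: at least {MIN_LENGTH_COMPLEXITY} characters")
        if not any(c.isdigit() for c in candidate):
            problems.append("complexity: at least one number")
        if not any(c.islower() for c in candidate):
            problems.append("complexity: at least one lower case letter")
        if not any(c.isupper() for c in candidate):
            problems.append("complexity: at least one upper case letter")
        if not any(c in SPECIAL_CHARACTERS for c in candidate):
            problems.append("complexity: at least one special character")
    return PolicyResult(ok=not problems, problems=problems)


def password_change_due(last_changed: str, must_change_every_days: int,
                        today: str) -> bool:
    """Model 'Password must changed every (days)': True once the configured
    number of days has elapsed since the last change. Dates are ISO strings
    (YYYY-MM-DD) so the function is easy to drive from a script."""
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return elapsed >= timedelta(days=must_change_every_days)


if __name__ == "__main__":
    # Constructed sample candidates, not values from the guide.
    for pw in ("1234", "Sh0rt!", "password1!", "Zyx3l-Adm1n!"):
        result = check_admin_password(pw)
        print(f"{pw!r}: {'OK' if result.ok else ', '.join(result.problems)}")
    print("change due:", password_change_due("2020-01-01", 90, "2020-03-31"))
```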
1.4.2 Web Configurator Screens Overview
The Web Configurator screen is divided into these parts:
· A - title bar
· B - navigation panel
· C - main window
Figure 9 Web Configurator Screen Overview

Title Bar
Figure 10 Title Bar

The title bar icons in the upper right corner provide the following functions.

Table 3 Title Bar: Web Configurator Icons

LABEL          DESCRIPTION
SecuReporter   Click this to open the SecuReporter portal page. This icon shows when the Zyxel Device is added to an organization.
Web Console    Click this to open one or multiple console windows from which you can run command line interface (CLI) commands. You will be prompted to enter your user name and password. See the Command Reference Guide for information about the commands. Log in to the Zyxel Device with HTTPS so that you can open one or multiple console windows.
CLI            Click this to open a popup window that displays the CLI commands sent by the Web Configurator to the Zyxel Device.
Reference      Click this to check which configuration items reference an object.
Site Map       Click this to see an overview of links to the Web Configurator screens.
Forum          Go to https://businessforum.zyxel.com for product discussions.
Help           Click this to open the help page for the current screen.
About          Click this to display basic information about the Zyxel Device.
Logout         Click this to log out of the Web Configurator.

About
Click About to display basic information about the Zyxel Device.
Figure 11 About

Table 4 About

LABEL            DESCRIPTION
Current Version  This shows the firmware version of the Zyxel Device.
Released Date    This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware was released.
OK               Click this to close the screen.

Site Map
Click Site Map to see an overview of links to the Web Configurator screens. Click a screen's link to go to that screen.
Figure 12 Site Map

Web Console
Click Web Console to open one or multiple console windows from which you can run CLI commands. You will be prompted to enter your user name and password. See the Command Reference Guide for information about the commands. Log in to the Zyxel Device with HTTPS so that you can open one or multiple console windows.
Figure 13 Web Console Window
Reference
Click Reference to open the Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.
Figure 14 Reference

The fields vary with the type of object. This table describes labels that can appear in this screen.

Table 5 Reference

LABEL        DESCRIPTION
Type         Select an object type to see the services.
Name         This identifies the object for which the configuration settings that use it are displayed. Click the object's name to display the object's configuration screen in the main window.
#            This field is a sequential value, and it is not associated with any entry.
Service      This is the type of setting that references the selected object. Click a service's name to display the service's configuration screen in the main window.
Priority     If applicable, this field lists the referencing configuration item's position in its list; otherwise N/A displays.
Name         This field identifies the configuration item that references the object.
Description  If the referencing configuration item has a description configured, it displays here.
Refresh      Click this to update the information in this screen.
Cancel       Click Cancel to close the screen.

CLI Messages
Click CLI to look at the CLI commands sent by the Web Configurator. Open the pop-up window and then click some menus in the Web Configurator to display the corresponding commands.
Figure 15 CLI Messages

1.4.3 Navigation Panel
Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the Zyxel Device's navigation panel menus and their screens.
Figure 16 Navigation Panel

Dashboard
The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See the Web Help for details on the dashboard.

Monitor Menu

The monitor menu screens display status and statistics information.

Table 6 Monitor Menu Screens Summary

FOLDER OR LINK | TAB | FUNCTION
System Status
Port Statistics | Port Statistics | Displays packet statistics for each physical port.
Interface Status | Interface Summary | Displays general interface information and packet statistics.
Traffic Statistics | Traffic Statistics | Collect and display traffic statistics.
Session Monitor | Session Monitor | Displays the status of all current sessions.
Login Users | Login Users | Lists the users currently logged into the Zyxel Device.
Dynamic Guest | Dynamic Guest | Lists the dynamic guest accounts in the Zyxel Device's local database. These are accounts that are created automatically and allowed to access the Zyxel Device's services for a certain period of time.
IGMP Statistics | IGMP Statistics | Collect and display IGMP statistics.
DDNS Status | DDNS Status | Displays the status of the Zyxel Device's DDNS domain names.
IP/MAC Binding | IP/MAC Binding | Lists the devices that have received an IP address from Zyxel Device interfaces using IP/MAC binding.
Cellular Status | Cellular Status | Displays details about the Zyxel Device's mobile broadband connection status.
UPnP Port Status | Port Statistics | Displays details about UPnP connections going through the Zyxel Device.
USB Storage | Storage Information | Displays details about the USB device connected to the Zyxel Device.
Ethernet Neighbor | Ethernet Neighbor | View and manage the Zyxel Device's neighboring devices via Smart Connect (Link Layer Discovery Protocol (LLDP)). Use the Zyxel One Network (ZON) utility to view and manage the Zyxel Device's neighboring devices via the Zyxel Discovery Protocol (ZDP).
FQDN Object | FQDN Object | Displays FQDN (Fully Qualified Domain Name) object cache lists used in DNS queries.
Wireless
AP Information | AP List | Lists APs managed by the Zyxel Device.
 | Radio List | Lists wireless details of APs managed by the Zyxel Device.
 | Built-in AP | Displays associated wireless client usage and number. (For Zyxel Device model names containing 'W'.)
 | Top N APs | Lists managed APs with the most wireless traffic usage and most associated wireless stations.
 | Single AP | Lists the wireless traffic usage and associated wireless stations for a managed AP.
ZyMesh | ZyMesh Link Info | Displays statistics about ZyMesh wireless connections between managed APs.
SSID Info | SSID Info | Displays information about the AP's wireless clients.
Station Info | Station List | Lists wireless clients associated with the APs managed by the Zyxel Device.
 | Top N Stations | Lists wireless stations with the most wireless traffic usage.
 | Single Station | Lists wireless traffic usage for an associated wireless station.
Detected Device | Detected Device | Displays information about suspected rogue APs.
Printer Status | Printer Status | Displays information about the connected statement printers.
VPN Monitor
IPSec | IPSec | Displays and manages the active IPSec SAs.
SSL | SSL | Lists users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information.
L2TP over IPSec | L2TP over IPSec | Displays details about current L2TP sessions.
Security Statistics
App Patrol | Summary | Displays application patrol statistics.
Content Filter | Summary | Collect and display content filter statistics.
Anti-Malware | Summary | Collect and display statistics on the malware that the Zyxel Device has detected.
Reputation Filter | Summary | Displays counts and URLs that are blocked by the Zyxel Device.
IDP | Summary | Collect and display statistics on the intrusions that the Zyxel Device has detected.
Email Security | Summary | Collect and display spam statistics.
 | Status | Displays how many mail sessions the ZyWALL is currently checking and DNSBL (Domain Name Service-based spam Black List) statistics.
SSL Inspection | Report | Collect and display SSL Inspection statistics.
 | Certificate Cache List | Displays traffic to destination servers using certificates.
Log | View Log | Lists log entries.
 | View AP Log | Lists AP log entries.
 | Dynamic Users Log | Lists the Zyxel Device's dynamic guest account log messages.

C o nfig ura tio n Me nu

Use the configuration menu screens to configure the Zyxel Device's features.

Table 7 Configuration Menu Screens Summary

FO LDER O R LINK TAB

FUNC TIO N

Quick Setup

Quickly configure WAN interfaces or VPN connections.

Licensing

Registration

Registration

Register the device and activate trial services.

Service

View the licensed service status and upgrade licensed services.

ZyWALL USG FLEX Series User's Guide
42

Chapter 1 Introduction

Table 7 Configuration Menu Screens Summary (continued)

FO LDER O R LINK TAB

FUNC TIO N

  Signature Update | Signature | Update signatures immediately or by a schedule.

Wireless
  Built-in AP | General | Allow WiFi clients to access your Zyxel Device wirelessly to connect to the network.
  Controller | Configuration | Configure manual or automatic controller registration.
  AP Management | Mgnt AP List | Edit or remove entries in the lists of APs managed by the Zyxel Device.
  AP Management | AP Policy | Configure the AP controller's IP address on the managed APs and determine the action the managed APs take if the current AP controller fails.
  AP Management | AP Group | Create groups of APs, define their radio, VLAN, port and load balancing settings.
  AP Management | Firmware | Update the firmware on APs connected to your Zyxel Device.
  Rogue AP | Rogue/Friendly AP List | Configure how the Zyxel Device monitors rogue APs.
  Auto Healing | Auto Healing | Enable auto healing to extend the wireless service coverage area of the managed APs when one of the APs fails.
  RTLS | Real Time Location System | Use the managed APs as part of an Ekahau RTLS to track the location of Ekahau WiFi tags.

Network
  Interface | Port (Port Role/Port Configuration) | Use this screen to set the Zyxel Device's flexible ports such as LAN, OPT, WLAN, or DMZ.
  Interface | Ethernet | Manage Ethernet interfaces and virtual Ethernet interfaces.
  Interface | PPP | Create and manage PPPoE and PPTP interfaces.
  Interface | Cellular | Configure a cellular Internet connection for an installed mobile broadband card.
  Interface | Tunnel | Configure tunneling between IPv4 and IPv6 networks.
  Interface | VLAN | Create and manage VLAN interfaces and virtual VLAN interfaces.
  Interface | Bridge | Create and manage bridges and virtual bridge interfaces.
  Interface | VTI | Configure IP address assignment and interface parameters for VTI (Virtual Tunnel Interface).
  Interface | Trunk | Create and manage trunks (groups of interfaces) for load balancing.
  Routing | Policy Route | Create and manage routing policies.
  Routing | Static Route | Create and manage IP static routing information.
  Routing | RIP | Configure device-level RIP settings.
  Routing | OSPF | Configure device-level OSPF settings, including areas and virtual links.
  Routing | BGP | Configure exchange of Border Gateway Protocol (BGP) information over an IPSec tunnel.
  DDNS | DDNS | Define and manage the Zyxel Device's DDNS domain names.
  NAT | NAT | Set up and manage port forwarding rules.
  Redirect Service | Redirect Service | Set up and manage HTTP and SMTP redirection rules.
  ALG | ALG | Configure SIP, H.323, and FTP pass-through settings.
  UPnP | UPnP | Configure interfaces that allow UPnP and NAT-PMP connections.


  IP/MAC Binding | Summary | Configure IP to MAC address bindings for devices connected to each supported interface.
  IP/MAC Binding | Exempt List | Configure ranges of IP addresses to which the Zyxel Device does not apply IP/MAC binding.
  Layer 2 Isolation | General | Enable layer-2 isolation on the Zyxel Device and the internal interfaces.
  Layer 2 Isolation | White List | Enable and configure the white list.
  DNS Inbound LB | DNS Load Balancing | Configure DNS Load Balancing.

VPN
  IPSec VPN | VPN Connection | Configure IPSec tunnels.
  IPSec VPN | VPN Gateway | Configure IKE tunnels.
  IPSec VPN | Concentrator | Combine IPSec VPN connections into a single secure network.
  IPSec VPN | Configuration Provisioning | Set who can retrieve VPN rule settings from the Zyxel Device using the Zyxel Device IPSec VPN Client.
  SSL VPN | Access Privilege | Configure SSL VPN access rights for users and groups.
  SSL VPN | Global Setting | Configure the Zyxel Device's SSL VPN settings that apply to all connections.
  L2TP VPN | L2TP VPN | Configure L2TP over IPSec tunnels.

BWM | BWM | Enable and configure bandwidth management rules.

Web Authentication
  Web Authentication | General / Authentication Type / Custom Web Portal File / Custom User Agreement File / Facebook WiFi | Define a web portal and exempt services from authentication.
  Web Authentication | SSO | Configure the Zyxel Device to work with a Single Sign On agent.

Hotspot
  Billing | General | Configure the general billing settings, such as the accounting method.
  Billing | Billing Profile | Configure the billing profiles for the web-based account generator and each button on the connected statement printer.
  Billing | Discount | Configure discount price plans.
  Billing | Payment Service | Enable online payment service and configure the service pages.
  Printer Manager | General | Configure the printer list, enable printer management and customize the account printout.
  Printer Manager | Printout Configuration | Detect the connected statement printers, change their IP addresses and/or add them to the managed printer list.
  Free Time | Free Time | Allow users to get a free account for Internet surfing during the specified time period.
  IPnP | IPnP | Enable IPnP on the Zyxel Device and the internal interfaces.
  Walled Garden | General / URL Base / Domain/IP Base | Create walled garden links that display in the login screen.
  Advertisement | Advertisement | Enable and set advertisement links.

Security Policy


  Policy Control | Policy | Create and manage level-3 traffic rules and apply Security Service profiles.
  ADP | General | Display and manage ADP bindings.
  ADP | Profile | Create and manage ADP profiles.
  Session Control | Session Control | Limit the number of concurrent client NAT/security policy sessions.

Security Service
  AppPatrol | Profile | Manage different types of traffic in this screen. Create App Patrol template(s) of settings to apply to a traffic flow using a security policy.
  Content Filter | Profile | Create and manage the detailed filtering rules for content filtering profiles and then apply them to a traffic flow using a security policy.
  Content Filter | Trusted Web Sites | Create a list of allowed web sites that bypass content filtering policies.
  Content Filter | Forbidden Web Sites | Create a list of web sites to block regardless of content filtering policies.
  Anti-Malware | Anti-Malware | Enable, specify actions to take when encountering malware or compressed files, and set up a black list to identify files with malware file patterns and a white list to identify files that should not be checked for malware.
  Anti-Malware | Black/White List | Set up a black list to identify spam and a white list to identify legitimate email.
  Anti-Malware | Signature | Search for particular signatures to get more information about them.
  Reputation Filter | URL Threat Filter: General / White List / Black List | Enable URL filtering and specify what action the Zyxel Device takes when an access attempt to a blocked website is detected. You can also set up a white list to identify which IPv4 addresses and/or URLs should be allowed, and a black list to identify which IPv4 addresses and/or URLs should be blocked.
  IDP | IDP | Enable and configure IDP settings. Create, import, or export custom signatures.
  IDP | White List |
  Email Security | Email Security | Turn email security on or off and manage email security policies. Create email security templates of settings to apply to a traffic flow using a security policy.
  Email Security | Black/White List | Set up a black list to identify spam and a white list to identify legitimate email.
  SSL Inspection | Profile | Decrypt HTTPS traffic for Security Service inspection. Create SSL Inspection templates of settings to apply to a traffic flow using a security policy.
  SSL Inspection | Exclude List | Configure services to be excluded from SSL Inspection.
  SSL Inspection | Certificate Update | Use this screen to update the latest certificates of servers using SSL connections to the Zyxel Device network.
  IP Exception | IP Exception | Use this screen to view the IP exception list for the anti-malware and IDP (Intrusion, Detection, and Prevention) features. The Zyxel Device will not intercept nor inspect the incoming packets that match the rules in the IP exception list for the anti-malware and/or IDP features.

Object
  Zone | Zone | Configure zone templates used to define various policies.


  User/Group | User | Create and manage users.
  User/Group | Group | Create and manage groups of users.
  User/Group | Setting | Manage default settings for all users, general settings for user sessions, and rules to force user authentication.
  User/Group | MAC Address | Configure the MAC addresses of wireless clients for MAC authentication using the local user database.
  AP Profile | Radio | Create templates of radio settings to apply to policies as an object.
  AP Profile | SSID | Create templates of wireless settings to apply to radio profiles or policies as an object.
  MON Profile | MON Profile | Create and manage rogue AP monitoring files that can be associated with different APs.
  ZyMesh Profile | ZyMesh Profile | Create and manage ZyMesh files that can be associated with different APs.
  Address/Geo IP | Address | Create and manage host, range, and network (subnet) addresses.
  Address/Geo IP | Address Group | Create and manage groups of addresses to apply to policies as a single object.
  Address/Geo IP | Geo IP | Update the database of country-to-IP address mappings and manually configure country-to-IP address mappings for geographic address objects that can be used in security policies.
  Service | Service | Create and manage TCP and UDP services.
  Service | Service Group | Create and manage groups of services to apply to policies as a single object.
  Schedule | Schedule | Create one-time and recurring schedules.
  Schedule | Schedule Group | Create and manage groups of schedules to apply to policies as a single object.
  AAA Server | Active Directory | Configure the Active Directory settings.
  AAA Server | LDAP | Configure the LDAP settings.
  AAA Server | RADIUS | Configure the RADIUS settings.
  Auth. Method | Authentication Method | Create and manage ways of authenticating users.
  Auth. Method | Two-factor Authentication | Configure SMS or email authentication to access a secured network behind the Zyxel Device via a VPN tunnel.
  Certificate | My Certificates | Create and manage the Zyxel Device's certificates.
  Certificate | Trusted Certificates | Import and manage certificates from trusted sources.
  ISP Account | ISP Account | Create and manage ISP account information for PPPoE/PPTP interfaces.
  DHCPv6 | Request | Configure IPv6 DHCP request type and interface information.
  DHCPv6 | Lease | Configure IPv6 DHCP lease type and interface information.

Device HA
  Device HA | Device HA Status | See the license status for Device HA Pro, and see the status of the active and passive devices.
  Device HA | Device HA Pro | Configure Device HA Pro global settings, monitored interfaces and synchronization settings.
  Device HA | View Log | See logs of the active and passive devices.


Cloud CNM
  Cloud CNM | SecuManager | Enable and configure management of the Zyxel Device by a Central Network Management system.
  Cloud CNM | SecuReporter | Enable SecuReporter logging and access the SecuReporter security analytics portal that collects and analyzes logs from your Zyxel Device in order to identify anomalies, alert on potential internal or external threats, and report on network usage.

System
  Host Name | Host Name | Configure the system and domain name for the Zyxel Device.
  USB Storage | Settings | Configure the settings for the connected USB devices.
  Date/Time | Date/Time | Configure the current date, time, and time zone in the Zyxel Device.
  Console Speed | Console Speed | Set the console speed.
  DNS | DNS | Configure the DNS server and address records for the Zyxel Device.
  WWW | Service Control | Configure HTTP, HTTPS, and general authentication.
  WWW | Login Page | Configure how the login and access user screens look.
  SSH | SSH | Configure SSH server and SSH service settings.
  TELNET | TELNET | Configure telnet server settings for the Zyxel Device.
  FTP | FTP | Configure FTP server settings.
  SNMP | SNMP | Configure SNMP communities and services.
  Auth. Server | Auth. Server | Configure the Zyxel Device to act as a RADIUS server.
  Notification | Mail Server | Configure a mail server with authentication to send reports and password expiration notification emails.
  Notification | SMS | Enable the SMS service to send dynamic guest account information in text messages and authorization for VPN tunnel access to a secured network.
  Language | Language | Select the Web Configurator language.
  IPv6 | IPv6 | Enable IPv6 globally on the Zyxel Device here.
  ZON | ZON | Use the Zyxel One Network (ZON) utility to view and manage the Zyxel Device's neighboring devices via the Zyxel Discovery Protocol (ZDP).

Log & Report
  Email Daily Report | Email Daily Report | Configure where and how to send daily reports and what reports to send.
  Log Settings | Log Settings | Configure the system log, email logs, and remote syslog servers.

Maintenance Menu

Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the Zyxel Device.

Table 8 Maintenance Menu Screens Summary

FOLDER OR LINK | TAB | FUNCTION
File Manager | Configuration File | Manage and upload configuration files for the Zyxel Device.
File Manager | Firmware Management | View the current firmware version and upload firmware. Reboot with your choice of firmware.
File Manager | Shell Script | Manage and run shell script files for the Zyxel Device.


Diagnostics | Diagnostics: Collect / Collect on AP / Files | Collect diagnostic information.
Diagnostics | Packet Capture | Capture packets for analysis.
Diagnostics | CPU/Memory Status | View CPU and memory usage statistics.
Diagnostics | System Log | Connect a USB device to the Zyxel Device and archive the Zyxel Device system logs to it here.
Diagnostics | Network Tool | Identify problems with the connections. You can use Ping or Traceroute to help you identify problems.
Diagnostics | Routing Traces | Configure traceroute to identify where packets are dropped for troubleshooting.
Diagnostics | Wireless Frame Capture | Capture wireless frames from APs for analysis.
Packet Flow Explore | Routing Status | Check how the Zyxel Device determines where to route a packet.
Packet Flow Explore | SNAT Status | View a clear picture on how the Zyxel Device converts a packet's source IP address and check the related settings.
Shutdown | Shutdown | Turn off the Zyxel Device.

1.4.4 Tables and Lists
Web Configurator tables and lists are flexible with several options for how to display their entries. Click a column heading to sort the table's entries according to that column's criteria.
Figure 17 Sorting Table Entries by a Column's Criteria

Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do:
· Sort in ascending or descending (reverse) alphabetical order
· Select which columns to display
· Group entries by field
· Show entries in groups
· Filter by mathematical operators (<, >, or =) or searching for text
Figure 18 Common Table Column Options

Select a column heading cell's right border and drag to re-size the column.
Figure 19 Resizing a Table Column

Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column's title when you drag the column to a valid new location.
Figure 20 Moving Columns

Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.
Figure 21 Navigating Pages of Table Entries

The tables have icons for working with table entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.
Figure 22 Common Table Icons

Here are descriptions for the most common table icons.

Table 9 Common Table Icons

LABEL | DESCRIPTION
Add | Click this to create a new entry. For features where the entry's position in the numbered list is important (features where the Zyxel Device applies the table's entries in order, like the security policy for example), you can select an entry and click Add to create a new entry after the selected entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. In some tables you can just click a table entry and edit it directly in the table. For those types of tables, small red triangles display for table entries with changes that you have not yet applied.
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate | To turn on an entry, select it and click Activate.
Inactivate | To turn off an entry, select it and click Inactivate.
Connect | To connect an entry, select it and click Connect.
Disconnect | To disconnect an entry, select it and click Disconnect.
References | Select an entry and click References to check which settings use the entry.
Move | To change an entry's position in a numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one.

Working with Lists
When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.
Figure 23 Working with Lists


CHAPTER 2 Initial Setup Wizard
2.1 Initial Setup Wizard Screens
When you log into the Web Configurator for the first time or when you reset the Zyxel Device to its default configuration, the Initial Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services.
Note: For Zyxel Devices that already have firmware version 4.25 or later, you have to register your Zyxel Device and activate the corresponding service at myZyxel (through your Zyxel Device).
This chapter provides information on configuring the Web Configurator's Initial Setup Wizard. See the feature-specific chapters in this User's Guide for background information.
· Click the double arrow in the upper right corner to display or hide the help.
· Click Logout to exit the Initial Setup Wizard or click Next to continue the wizard. Click Finish at the end of the wizard to complete the wizard.
Figure 24 Initial Setup Wizard
2.1.1 Internet Access Setup - WAN Interface
Use this screen to set how many WAN interfaces to configure and the first WAN interface's type of encapsulation and method of IP address assignment.
The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field.
Note: Enter the Internet access information exactly as your ISP gave it to you. Leave a field blank if you don't have that information.
· I have two ISPs: Select this option to configure two Internet connections. Leave it cleared to configure just one. This option appears when you are configuring the first WAN interface.
· Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet. Choose PPPoE, PPTP or L2TP for a dial-up connection according to the information from your ISP.
· WAN Interface: This is the interface you are configuring for Internet access.
· Zone: This is the security zone to which this interface and Internet connection belong.
· IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address.
Figure 25 Internet Access
2.1.2 Internet Access: Ethernet
This screen is read-only if you set the previous screen's IP Address Assignment field to Auto. If you set the previous screen's IP Address Assignment field to Static, use this screen to configure your IP address settings.
· Encapsulation: This displays the type of Internet connection you are configuring.
· First WAN Interface: This is the number of the interface that will connect with your ISP.
· Zone: This is the security zone to which this interface and Internet connection will belong.
· IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
The following fields display if you selected static IP address assignment.
· IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.
· Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway).
· First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
2.1.2.1 Possible Errors
· Check that your cable connection is coming from the correct interface you're using for the WAN connection on the Zyxel Device.
· Check that the interface is connected to the device you're using for Internet access such as a broadband router and that the router is turned on. The LED of the interface you're using for the WAN connection on the Zyxel Device should be orange.
· If your Zyxel Device was not able to obtain an IP address, check that your Internet access information uses DHCP as the WAN connection type. If it fails again, check with your Internet service provider or administrator for correct WAN settings.
· If your Zyxel Device was not able to use the IP address entered, check that you were given an IP address, subnet mask and gateway address as part of your Internet access information. Re-enter your IP address, subnet mask and gateway IP address exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
Figure 26 Internet Access: Ethernet Encapsulation
2.1.3 Internet Access: PPPoE
2.1.3.1 ISP Parameters
· Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up to 64 characters long.
· Authentication Type - Select an authentication protocol for outgoing connection requests. Options are:
  · Chap/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by the remote node.
  · Chap - Your Zyxel Device accepts CHAP only.
  · PAP - Your Zyxel Device accepts PAP only.
  · MSCHAP - Your Zyxel Device accepts MSCHAP only.
  · MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only.
· Type the User Name given to you by your ISP. You can use alphanumeric and -_@$./ characters, and it can be up to 31 characters long.
· Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank.
· Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server.
2.1.3.2 WAN IP Address Assignments
· WAN Interface: This is the name of the interface that will connect with your ISP.
· Zone: This is the security zone to which this interface and Internet connection will belong.
· IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
· First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
2.1.3.3 Possible Errors
· Check that you're using the correct PPPoE Service Name and Authentication Type.
· Make sure that your Internet access information uses PPPoE as the WAN connection type. Re-enter your PPPoE user name and password exactly as given. If it fails again, check with your Internet service provider or administrator for correct WAN settings and user credentials.
· If you were given an IP address and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
Figure 27 Internet Access: PPPoE Encapsulation
2.1.4 Internet Access: PPTP
2.1.4.1 ISP Parameters
· Authentication Type - Select an authentication protocol for outgoing calls. Options are:
  · Chap/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by the remote node.
  · Chap - Your Zyxel Device accepts CHAP only.
  · PAP - Your Zyxel Device accepts PAP only.
  · MSCHAP - Your Zyxel Device accepts MSCHAP only.
  · MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only.
· Type the User Name given to you by your ISP. You can use alphanumeric and -_@$./ characters, and it can be up to 31 characters long.
· Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank. Re-type your password in the next field to confirm it.
· Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server.
2.1.4.2 PPTP Configuration
· Base Interface: This identifies the Ethernet interface you configure to connect with a modem or router.
· Type a Base IP Address (static) assigned to you by your ISP.
· Type the IP Subnet Mask assigned to you by your ISP (if given).
· Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway).
· Server IP: Type the IP address of the PPTP server.
· Type a Connection ID or connection name. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your broadband modem or router. You can use alphanumeric and -_: characters, and it can be up to 31 characters long.
2.1.4.3 WAN IP Address Assignments
· First WAN Interface: This is the connection type on the interface you are configuring to connect with your ISP.
· Zone: This is the security zone to which this interface and Internet connection will belong.
· IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
· First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
2.1.4.4 Possible Errors
· Check that you're using the correct PPTP Server IP, Base IP Address, IP Subnet Mask, Gateway IP Address, Connection ID and Authentication Type.
· Make sure that your Internet access information uses PPTP as the WAN connection type. Re-enter your PPTP user name and password exactly as given. If it fails again, check with your Internet service provider or administrator for correct WAN settings and user credentials.
· If you were given an IP address and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
Figure 28 Internet Access: PPTP Encapsulation
2.1.5 Internet Access: L2TP
2.1.5.1 ISP Parameters
· Authentication Type - Select an authentication protocol for outgoing connection requests. Options are:
  · Chap/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by the remote node.
  · Chap - Your Zyxel Device accepts CHAP only.
  · PAP - Your Zyxel Device accepts PAP only.
  · MSCHAP - Your Zyxel Device accepts MSCHAP only.
  · MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only.
· Type the User Name given to you by your ISP. You can use alphanumeric and -_@$./ characters, and it can be up to 31 characters long.
· Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank.
· Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server.
2.1.5.2 L2TP Configuration
· Base Interface: This identifies the Ethernet interface you configure to connect with a modem or router.
· Type a Base IP Address (static) assigned to you by your ISP.
· IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.
· Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway).
· Server IP: Type the IP address of the L2TP server.
2.1.5.3 WAN IP Address Assignments
· WAN Interface: This is the name of the interface that will connect with your ISP.
· Zone: This is the security zone to which this interface and Internet connection will belong.
· IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
· First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
2.1.5.4 Possible Errors
· Check that you're using the correct L2TP Server IP, IP Subnet Mask, Gateway IP Address and Authentication Type.
· Make sure that your Internet access information uses L2TP as the WAN connection type. Re-enter your L2TP user name and password exactly as given. If it fails again, check with your Internet service provider or administrator for correct WAN settings and user credentials.
· If you were given an IP address and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
Figure 29 Internet Access: L2TP Encapsulation
2.1.6 Internet Access Setup - Second WAN Interface
If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 2.1.1 on page 51).
Figure 30 Internet Access: Step 3: Second WAN Interface
2.1.7 Internet Access: Congratulations
You have set up your Zyxel Device to access the Internet. A screen displays with your settings. Click Connection Test to check that you can access the Internet. If you cannot, click Back and confirm that you entered the settings correctly. If you have, check that you got the correct settings from your ISP or network administrator.
Figure 31 Internet Access: Summary
2.1.8 Date and Time Settings
It's important to have correct date and time values in the logs. The Zyxel Device can automatically update the time and date by detecting your time zone and whether Daylight Savings is in effect in that time zone. If your Zyxel Device cannot get the correct date and time, it may not be able to connect to a time server. Check that the Zyxel Device has Internet access, then click Sync. Now.
Figure 32 Date and Time Settings
2.1.9 Register Device
Click the Register button in this screen to register your device at portal.myzyxel.com.
Note: The Zyxel Device must be connected to the Internet in order to register.
Figure 33 Register Device
You may need the Zyxel Device's serial number and LAN MAC address to register it at myZyxel if you have not already done so. Refer to the label on the back of the Zyxel Device for details.
Figure 34 myZyxel Login
Click Refresh or use the Configuration > Licensing > Registration screen to update your Zyxel Device registration status.
Figure 35 Registered Device
2.1.10 Activate Service
After you register your Zyxel Device, you can register for the services supported by your model. See Subscription Services Available on page 196 for more information on the subscription services for the two types of security packs. Here are the services available for the Zyxel Device.
· Web Filtering (CF): access a database that can block websites by category.
· IPS (IDP): use Intrusion Detection and Prevention to detect and block attacks.
· Application Patrol: use signatures for Application Patrol inspection to manage the use of various applications on the network.
· Anti-Malware: use signatures to detect malware patterns in files.
· Email Security (Anti-Spam): use anti-spam signatures to mark or discard spam (unsolicited commercial or junk email).
· SecuReporter: collect and analyze logs from your Zyxel Device in order to identify anomalies, notify you of potential internal or external threats, and report on network usage.
Figure 36 USG FLEX 500 Activate Service
Click Refresh and wait a few moments for the registration information to update in this screen. If the page does not refresh, make sure the Internet connection is working and click Refresh again. To check your Internet connection, try to access the Internet from a computer connected to a LAN port on the Zyxel Device. If you cannot, then check your Internet access settings on the Zyxel Device.
2.1.11 Service Settings
You can enable or disable the following features in this screen. This screen varies depending on the security pack that you purchase. See Subscription Services Available on page 196 for more information on the subscription services for the two types of security packs.
Note: Select the I have read SecuReporter GDPR and agree policy check box to have SecuReporter collect and analyze logs from this Zyxel Device. This check box won't appear again if you have already selected it before.
· URL Threat Filter: Use this feature to detect and block access to specific URLs, by comparing URL addresses of sites that users attempt to access with a database of either permitted or blocked sites.
· Anti-Malware: Use this feature to detect malware patterns in files.
· IDP: Use Intrusion Detection and Prevention to detect and block attacks.
· Content Filter: Use this feature to access a database that can block websites by category.
· App Patrol: Use this feature to manage the use of various applications on the network.
· Email Security: Use this feature to mark or discard spam (unsolicited commercial or junk email).
· SecuReporter: Use this feature to collect and analyze logs from your Zyxel Device in order to identify anomalies, notify you of potential internal or external threats, and report on network usage.
Figure 37 USG FLEX Service Settings
2.1.12 Service Settings: SecuReporter
Use this screen to add the Zyxel Device to a new or existing organization, and choose the level of data protection for traffic going through this Zyxel Device.
· Server Status: This is the connection status between the Zyxel Device and the SecuReporter server. This field shows Connected when the Zyxel Device can synchronize with the SecuReporter server. This field shows Timeout when the Zyxel Device can't synchronize with the SecuReporter server. This field shows Fail when the connection between the Zyxel Device and the SecuReporter server is down.
· Device Name: Enter the name of the Zyxel Device. This Zyxel Device will be added to a new or existing organization.
· Organization: This field appears if you haven't created an organization in the SecuReporter server. Type a name of up to 255 characters and description to create a new organization.
· Select from existing organization: Select an existing organization from the drop-down list box to add the Zyxel Device to the selected organization.
· Create new organization: Type a name of up to 255 characters and description to create a new organization.
· Partially Anonymous: Select this and personal data, such as user names, MAC addresses, email addresses, and host names, will be replaced with artificial identifiers in downloaded logs.
· Fully Anonymous: Select this and personal data, such as user names, MAC addresses, email addresses, and host names, will be replaced with anonymized information in downloaded logs.
· Non-Anonymous: Select this and personal data, such as user names, MAC addresses, email addresses, and host names, will be identifiable in downloaded logs.
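The three data-protection levels differ in what an analyst can still do with a downloaded log. The following Python example is added here to illustrate that difference; it is not SecuReporter code and does not reproduce Zyxel's log format. The key=value sample lines, the per-organization secret and the token layout are all constructed for the example. Partial anonymity keeps a stable artificial identifier per real value (here a keyed HMAC), so the same user can still be correlated across lines; full anonymity drops the per-value token entirely, so correlation is lost along with identity.

```python
import hashlib
import hmac
import re

# Constructed sample lines in a simple key=value layout (not real SecuReporter output).
SAMPLE_LOGS = [
    "user=alice mac=00:11:22:33:44:55 host=alice-laptop mail=alice@example.com action=allow",
    "user=bob mac=66:77:88:99:aa:bb host=bob-pc mail=bob@example.com action=block",
    "user=alice mac=00:11:22:33:44:55 host=alice-laptop mail=alice@example.com action=block",
]

LEVELS = ("non-anonymous", "partially-anonymous", "fully-anonymous")

# The four kinds of personal data the wizard names: user names, MAC addresses,
# email addresses and host names.
PERSONAL_RE = re.compile(r"\b(user|mac|host|mail)=(\S+)")
USER_RE = re.compile(r"\buser=(\S+)")


def pseudonym(field, value, secret):
    """Stable artificial identifier: HMAC keyed with a per-organization secret.

    The same real value always maps to the same token, so activity can still be
    correlated across log lines, but the value cannot be recovered without the
    secret, and guesses cannot be confirmed by hashing them without it either.
    """
    digest = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{digest[:12]}"


def anonymize(line, level, secret=b"constructed-org-secret"):
    """Rewrite one log line according to the selected data-protection level."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    if level == "non-anonymous":
        return line  # personal data stays identifiable

    def replace(match):
        field, value = match.group(1), match.group(2)
        if level == "partially-anonymous":
            return f"{field}={pseudonym(field, value, secret)}"
        return f"{field}=<{field}-redacted>"  # fully anonymous: no per-value token

    return PERSONAL_RE.sub(replace, line)


def anonymize_all(lines, level, secret=b"constructed-org-secret"):
    return [anonymize(line, level, secret) for line in lines]


def distinct_users(lines):
    """How many different 'user' values survive: 2 for non/partial, 1 for full."""
    return len({m.group(1) for m in map(USER_RE.search, lines) if m})


if __name__ == "__main__":
    for level in LEVELS:
        print(f"--- {level} ---")
        for out in anonymize_all(SAMPLE_LOGS, level):
            print(out)
```

The practical consequence for an incident responder: partially anonymous logs still let you follow one pseudonymous user through a sequence of blocked and allowed events, but re-identifying that user needs either the secret or out-of-band linkage (for example, matching times against DHCP leases), which is exactly the data-protection trade-off the wizard asks you to choose.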
Figure 38 SecuReporter Settings
The following screen appears when the Zyxel Device is already added to an organization.
Figure 39 SecuReporter Settings
2.1.13 Wireless Settings: Management Mode
The Management Mode screen appears for Zyxel Devices that have a built-in AP. Select Built-in AP if you want WiFi clients to access your Zyxel Device wirelessly. Select AP Controller to allow the Zyxel Device to manage APs in the same network as the Zyxel Device. Both modes cannot work simultaneously. Click Next to continue the wizard.
Figure 40 Wireless Setup Wizard > Management Mode (Models with Built-in AP)
2.1.14 Wireless Settings: AP Controller
The Zyxel Device can act as an AP Controller that can manage APs in the same network as the Zyxel Device. Select Yes if you want your Zyxel Device to manage APs in your network; otherwise select No.
Figure 41 Wireless Setup Wizard > Management Mode
2.1.15 Wireless Settings: SSID & Security
Configure SSID and wireless security in this screen.
SSID Setting
· SSID - Enter a descriptive name of up to 32 printable characters for the wireless LAN.
· Security Mode - Select Pre-Shared Key to add security on this wireless network. Otherwise, select None to allow any wireless client to associate with this network without authentication.
· Pre-Shared Key - Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters.
· Hidden SSID - Select this option if you want to hide the SSID in the outgoing beacon frame. A wireless client then cannot obtain the SSID through scanning using a site survey tool.
· Enable Intra-BSS Traffic Blocking - Select this option if you want to prevent crossover traffic from within the same SSID. Wireless clients can still access the wired network but cannot communicate with each other.
For Zyxel Devices with Built-in AP Only
Bridged to: Zyxel Devices with W in the model name have a built-in AP. Select an interface to bridge with the built-in AP wireless network. Devices connected to this interface will then be in the same broadcast domain as devices in the AP wireless network.
Figure 42 Wireless Settings: SSID & Security
2.1.16 Remote Management
Select this to allow access to the Zyxel Device using HTTP or HTTPS from the Internet.
Figure 43 Remote Management
HTTPS is added to the Default_Allow_WAN_to_ZyWALL rule in the Object > Service > Service Group screen when you enable Remote Management.
Figure 44 Object > Service > Service Group - HTTPS
CHAPTER 3 Hardware, Interfaces and Zones

3.1 Hardware Overview

This section describes the front and rear panels for each model.

The following table summarizes the port features of the Zyxel Device by model.

Table 10 USG FLEX Series Port Comparison Table

USG FLEX MODELS                       USG FLEX 100   USG FLEX 100W   USG FLEX 200   USG FLEX 500   USG FLEX 700
USB 3.0 Ports                         1              1               2              2              2
1 Gbps SFP interface                  1              1               1              1              2
10/100/1000 Mbps Ethernet WAN Ports   1              1               2              -              -
10/100/1000 Mbps Ethernet Ports       4              4               4              7              12
Console Port                          1 (RJ45)       1 (RJ45)        1 (DB9)        1 (DB9)        1 (DB9)

For information on interface names by model, default port or interface name mapping, and default interface or zone mapping please see Section 3.3 on page 77.

3.1.1 Front Panels
The LED indicators are located on the front panel.
Figure 45 USG FLEX 100 Front Panel
Figure 46 USG FLEX 100W Front Panel
Figure 47 USG FLEX 200 Front Panel
Figure 48 USG FLEX 500 Front Panel
Figure 49 USG FLEX 700 Front Panel

The following table describes the front panel LEDs.

Table 11 LED Descriptions

LED             COLOR    STATUS     DESCRIPTION
PWR             -        Off        The Zyxel Device is turned off.
                Green    On         The Zyxel Device is turned on.
                Red      On         There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device. If the LED turns red again, then please contact your vendor.
SYS             Green    Off        The Zyxel Device is not ready or has failed.
                Green    On         The Zyxel Device is ready and running.
                Green    Blinking   The Zyxel Device is booting.
                Red      On         The Zyxel Device has an error or has failed.
2.4G            Green    Off        The 2.4G wireless interface is off.
                Green    On         The 2.4G wireless interface is ready.
                Green    Blinking   The 2.4G wireless connection is active.
5G              Green    Off        The 5G wireless interface is off.
                Green    On         The 5G wireless interface is ready.
                Green    Blinking   The 5G wireless connection is active.
P1 (SFP) LINK   Yellow   Off        There is no connection on this port.
                Yellow   On         This port has a successful 1000 Mbps link.
                Green    Off        There is no connection on this port.
                Green    On         This port has a successful 100 Mbps link.
P1 (SFP) ACT    Green    Off        There is no traffic on this port.
                Green    Blinking   The Zyxel Device is sending or receiving packets on this port at 100/1000 Mbps.
P2, P3...       Yellow   Off        There is no connection on this port.
(WAN/LAN/DMZ)   Yellow   On         This port has a successful 1000 Mbps link.
                Yellow   Blinking   The Zyxel Device is sending or receiving packets on this port at 1000 Mbps.
                Green    Off        There is no connection on this port.
                Green    On         This port has a successful 10/100 Mbps link.
                Green    Blinking   The Zyxel Device is sending or receiving packets on this port at 10/100 Mbps.

The following table describes the ports on the front panel.

Table 12 Front Panel Ports

LABEL                   DESCRIPTION
RESET                   Press the button in for about 5 seconds (or until the SYS LED starts to blink), then release it to return the Zyxel Device to the factory defaults (password is 1234, LAN IP address 192.168.1.1 and so on).
CONSOLE                 You can use the console port to manage the Zyxel Device using CLI commands. You will be prompted to enter your user name and password. See the Command Reference Guide for more information about the CLI.
                        When configuring using the console port, you need a computer equipped with communications software configured to the following parameters:
                        · Speed 115200 bps
                        · Data Bits 8
                        · Parity None
                        · Stop Bit 1
                        · Flow Control Off
USB                     Connect a storage device for system logs (see Maintenance > Diagnostics > System Log) and storage (see Configuration > System > USB Storage).
P2-P7 (USG FLEX 200)    These are 1G RJ-45 Ethernet ports.
P2-P8 (USG FLEX 500)
P1-P12 (USG FLEX 700)

3.1.2 Rear Panels
The connection ports are located on the rear panel.
Figure 50 USG FLEX 100 Rear Panel
Figure 51 USG FLEX 100W Rear Panel
Figure 52 USG FLEX 200 Rear Panel
Figure 53 USG FLEX 500 Rear Panel
Figure 54 USG FLEX 700 Rear Panel

Note: Make sure you connect the Zyxel Device's power cord to a socket-outlet with an earthing connection or its equivalent.

The following table describes the items on the rear panel.

Table 13 Rear Panel Items

LABEL     DESCRIPTION
Console   You can use the console port to manage the Zyxel Device using CLI commands. You will be prompted to enter your user name and password. See the Command Reference Guide for more information about the CLI.
          When configuring using the console port, you need a computer equipped with communications software configured to the following parameters:
          · Speed 115200 bps
          · Data Bits 8
          · Parity None
          · Stop Bit 1
          · Flow Control Off
Power     Use the included power cord to connect the power socket to a power outlet. Turn the power switch on if your Zyxel Device has a power switch.
Lock      Attach a lock-and-cable from the Kensington lock (the small, metal-reinforced, oval hole) to a permanent object, such as a pole, to secure the Zyxel Device in place.
Fan       The fans are for cooling the Zyxel Device. Make sure they are not obstructed to allow maximum ventilation.

Note: Use an 8-wire Ethernet cable to run your Gigabit Ethernet connection at 1000 Mbps. Using a 4-wire Ethernet cable limits your connection to 100 Mbps. Note that the connection speed also depends on what the Ethernet device at the other end can support.

3.2 Installation Scenarios

The Zyxel Device can be:

· Placed on a desktop.
· Wall-mounted on a wall.
· Rack-mounted on a standard EIA rack.

The following table summarizes the installation scenarios of the Zyxel Device by model.

Table 14 USG FLEX Series Installation Comparison Table

USG FLEX MODELS                      USG FLEX 100   USG FLEX 100W   USG FLEX 200   USG FLEX 500   USG FLEX 700
Rubber feet for desktop placement    Yes            Yes             Yes            Yes            Yes
Wall Mounting                        Yes            Yes             Yes            No             No
Rack Mounting                        No             No              No             Yes            Yes

WARNING! Do NOT block the ventilation holes on the Zyxel Device. Allow 100 mm clearance for the ventilation holes to prevent your Zyxel Device from overheating. Do not store things on the Zyxel Device. Do not place a Zyxel Device on another high temperature device. Overheating could affect the performance of your Zyxel Device, or even damage it.

3.2.1 Desktop Installation Procedure

1 Make sure the Zyxel Device is clean and dry.
2 Remove the adhesive backing from the rubber feet.
3 Attach the rubber feet to each corner on the bottom of the Zyxel Device. These rubber feet help protect the Zyxel Device from shock or vibration, and allow air circulation.
Figure 55 Attaching Rubber Feet
4 Set the Zyxel Device on a smooth, level surface strong enough to support the weight of the Zyxel Device and the connected cables. Make sure there is a power outlet nearby.
Note: Make sure to use the rubber feet when stacking the Zyxel Devices on a desk.
3.2.2 Rack-mounting
Use the following steps to mount the Zyxel Device on an EIA standard size, 19-inch rack or in a wiring closet with other equipment using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL does not make the rack unstable or top-heavy. Take all necessary precautions to anchor the rack securely before installing the unit. Use a #2 Phillips screwdriver to install the screws.
Note: Failure to use the proper screws may damage the unit.
1 Align one bracket with the holes on one side of the Zyxel Device and secure it with the included bracket screws (smaller than the rack-mounting screws).
2 Attach the other bracket in a similar fashion.
Figure 56 Attach Brackets
3 After attaching both mounting brackets, position the Zyxel Device in the rack and match up the bracket holes with the rack holes. Secure the Zyxel Device to the rack with the rack-mounting screws.
Figure 57 Mount on Rack

Note: Make sure there is at least 100 mm of clearance at the sides and 100 mm in the rear to allow air circulation and the attachment of cables and the power cord. When stacking in a rack, make sure there is at least 40 mm of clearance between Zyxel Devices.

3.2.3 Wall-mounting

Do the following to attach your Zyxel Device to a wall.

The following table lists the distance "X" between mounting holes for each model:

Table 15 Distance "X" Between FLEX Mounting Holes

MODEL NAME      DISTANCE "X"
USG FLEX 100    174 mm (6.85")
USG FLEX 100W   174 mm (6.85")
USG FLEX 200    206 mm (8.11")

1 Drill into a wall two holes 3 mm - 4 mm (0.12" - 0.16") wide, 20 mm - 30 mm (0.79" - 1.18") deep and a distance X (see the preceding table) apart. Place two screw anchors in the holes.
Figure 58 Wall Mounting Screw Specifications
2 Screw two screws with 6 mm - 8 mm (0.24" - 0.31") wide heads into the screw anchors. Do not screw the screws all the way into the wall; leave a small gap between the head of the screw and the wall. The gap must be big enough for the screw heads to slide into the screw slots and the connection cables to run down the back of the Zyxel Device.
Note: Make sure the screws are securely fixed to the wall and strong enough to hold the weight of the Zyxel Device with the connection cables.
3 Use the holes on the bottom of the Zyxel Device to hang the Zyxel Device on the screws.
Figure 59 Wall Mounting
Note: Wall-mount the Zyxel Device horizontally. The Zyxel Device's side panels with ventilation slots should not be facing up or down as this position is less safe. Make sure there is 100 mm of clearance at the sides and 1 - 1.5 mm distance between the screw head and the wall to allow air circulation and the attachment of cables and the power cord.
3.3 Default Zones, Interfaces, and Ports
The default configurations for zones, interfaces, and ports are as follows. References to interfaces may be generic rather than the specific name used in your model. For example, this guide may use "the WAN interface" rather than "wan1" or "wan2", "ge2" or "ge3".

An OPT (optional) Ethernet port can be configured as an additional WAN port, LAN, WLAN, or DMZ port.

The following table shows the default physical port and interface mapping for each model at the time of writing.

Table 16 Default Physical Port - Interface Mapping

PORT / INTERFACE   P1    P2    P3     P4     P5     P6     P7     P8    P9    P10    P11    P12    P13    P14
USG FLEX 100       sfp   wan   lan1   lan1   lan1   opt
USG FLEX 100W      sfp   wan   lan1   lan1   lan1   opt
USG FLEX 200       sfp   wan   wan    lan1   lan1   lan1   lan1
USG FLEX 500       ge1   ge2   ge3    ge4    ge5    ge6    ge7    ge8
USG FLEX 700       ge1   ge2   ge3    ge4    ge5    ge6    ge7    ge8   ge9   ge10   ge11   ge12   ge13   ge14

The following table shows the default interface and zone mapping for each model at the time of writing.

Table 17 Default Zone - Interface Mapping

ZONE / INTERFACE   SFP       WAN        LAN1   LAN2   DMZ   OPT
USG FLEX 100       sfp_ppp   WAN1_PPP   LAN1   LAN2   DMZ   opt_ppp
USG FLEX 100W      sfp_ppp   WAN1_PPP   LAN1   LAN2   DMZ   opt_ppp

Table 18 Default Zone - Interface Mapping

ZONE / INTERFACE   WAN                           LAN1   LAN2   DMZ   OPT           NO DEFAULT ZONE
USG FLEX 200       WAN1 WAN1_PPP WAN2 WAN2_PPP   LAN1   LAN2   DMZ   SFP SFP_PPP   GE7 GE7_PPP GE8 GE8_PPP

Table 19 Default Zone - Interface Mapping

ZONE / INTERFACE   WAN                       LAN       DMZ   OPT                           NO DEFAULT ZONE
USG FLEX 500       GE2 GE2_PPP GE3 GE3_PPP   GE4 GE5   GE6   GE1 GE1_PPP                   GE7 GE7_PPP GE8 GE8_PPP
USG FLEX 700       GE1 GE1_ppp GE2 GE2_ppp   GE3 GE4   GE5   GE13 GE13_ppp GE14 GE14_ppp   GE6-GE12 GE6_ppp-GE12_ppp

3.4 Stopping the Zyxel Device
Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the Zyxel Device or remove the power. Not doing so can cause the firmware to become corrupt.

CHAPTER 4 Quick Setup Wizards
4.1 Quick Setup Overview
The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User's Guide for background information. In the Web Configurator, click Quick Setup to open the first Quick Setup screen.
Figure 60 USG FLEX Quick Setup
· WAN Interface
Click this link to open a wizard to set up a WAN (Internet) connection. This wizard creates matching ISP account settings in the Zyxel Device if you use PPPoE or PPTP. See Section 4.2 on page 80.
· VPN Setup
Use VPN Setup to configure a VPN (Virtual Private Network) rule for a secure connection to another computer or network. Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the Zyxel Device IPSec VPN Client. You only need to enter a user name, password and the IP address of the Zyxel Device in the IPSec VPN Client to get all VPN settings automatically from the Zyxel Device. See Section 4.3 on page 86. Use VPN Settings for L2TP VPN Settings to configure the L2TP VPN for clients.
· Wizard Help
If the help does not automatically display when you run the wizard, click the arrow to display it.
4.2 WAN Interface Quick Setup
Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next.
Figure 61 WAN Interface Quick Setup Wizard
4.2.1 Choose an Ethernet Interface
Select a WAN interface (names vary by model) that you want to configure for a WAN connection and click Next.
Figure 62 Choose an Ethernet Interface
4.2.2 Select WAN Type
WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE, PPTP or L2TP for a dial-up connection according to the information from your ISP.
Figure 63 WAN Interface Setup: Step 2
The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don't have that information.
Note: Enter the Internet access information exactly as your ISP gave it to you.
4.2.3 Configure WAN IP Settings
Use this screen to select whether the interface should use a fixed or dynamic IP address.
Figure 64 WAN Interface Setup: Step 2 Ethernet Dynamic IP
Figure 65 WAN Interface Setup: Step 2 Ethernet Static IP
· WAN Interface: This is the interface you are configuring for Internet access.
· Zone: This is the security zone to which this interface and Internet connection belong.
· IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if you have a fixed IP address and enter the IP address, subnet mask, gateway IP address (optional) and DNS server IP address(es).
4.2.4 ISP and WAN and ISP Connection Settings
Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you select Ethernet and set the IP Address Assignment to Auto. If you set the IP Address Assignment to Static and/or select PPTP or PPPoE, enter the Internet access information exactly as your ISP gave it to you.
Note: Enter the Internet access information exactly as your ISP gave it to you.
Figure 66 WAN and ISP Connection Settings: (PPTP)
Figure 67 WAN and ISP Connection Settings: (PPPoE)
Figure 68 WAN and ISP Connection Settings: (L2TP)
ISP Parameter: This section appears if the interface uses a PPPoE or PPTP Internet connection.
· Encapsulation: This displays the type of Internet connection you are configuring.
· Service Name: Type the PPPoE service name if you were given one by your ISP.
· Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
  · CHAP/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by this remote node.
  · CHAP - Your Zyxel Device accepts CHAP only.
  · PAP - Your Zyxel Device accepts PAP only.
  · MSCHAP - Your Zyxel Device accepts MSCHAP only.
  · MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only.
· User Name: Type the user name given to you by your ISP. You can use alphanumeric and -_@$./ characters, and it can be up to 31 characters long.
· Password: Type the password associated with the user name above. Use up to 64 ASCII characters except the [] and ?. This field can be blank.
· Retype to Confirm: Type your password again for confirmation.
· Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
· Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. 0 means no timeout.
· PPTP Configuration: This section only appears if the interface uses a PPTP Internet connection.
· Base Interface: This displays the identity of the Ethernet interface you configure to connect with a modem or router.
· Base IP Address: Type the (static) IP address assigned to you by your ISP.
· IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
· Gateway IP Address: For PPTP or L2TP, type the gateway IP address if you were given one by your ISP.
· Server IP: Type the IP address of the PPTP server.
· Connection ID: Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem. You can use alphanumeric and -_: characters, and it can be up to 31 characters long.
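The wizard fields above carry specific format rules: the ISP user name (alphanumeric plus -_@$./, up to 31 characters), the ISP password (up to 64 ASCII characters, none of [ ] ?, may be blank) and, from the SSID & Security screen in Section 2.1.15, the WiFi pre-shared key (8 to 63 ASCII characters including spaces and symbols, or exactly 64 hexadecimal characters). The following Python validator is an added example, not Zyxel code, that applies those rules so that an operator can check values before typing them into the wizard. It assumes that "ASCII characters" means printable ASCII (0x20 to 0x7E), which the guide does not spell out; that is the WPA/WPA2 passphrase range and covers the spaces and symbols the guide mentions.

```python
import re

# Assumption (not stated by the guide): "ASCII characters" means printable ASCII
# 0x20-0x7E, the WPA/WPA2 passphrase range, which includes spaces and symbols.
PRINTABLE_ASCII = frozenset(chr(c) for c in range(0x20, 0x7F))
HEX64_RE = re.compile(r"^[0-9A-Fa-f]{64}$")
USERNAME_EXTRA = frozenset("-_@$./")     # allowed besides alphanumerics
PASSWORD_FORBIDDEN = frozenset("[]?")    # the characters the guide excludes


def validate_psk(psk):
    """Pre-shared key: 8-63 printable ASCII characters, or exactly 64 hex digits."""
    if HEX64_RE.match(psk):
        return True, "64-hex-digit key"
    if not 8 <= len(psk) <= 63:
        return False, "passphrase must be 8-63 characters (or exactly 64 hex digits)"
    bad = sorted({ch for ch in psk if ch not in PRINTABLE_ASCII})
    if bad:
        return False, "passphrase contains non-ASCII or control characters: " + repr("".join(bad))
    return True, "ASCII passphrase"


def validate_username(name):
    """ISP user name: alphanumeric plus -_@$./, 1-31 characters."""
    if not 1 <= len(name) <= 31:
        return False, "user name must be 1-31 characters"
    bad = sorted({ch for ch in name
                  if not (ch.isascii() and ch.isalnum()) and ch not in USERNAME_EXTRA})
    if bad:
        return False, "user name contains disallowed characters: " + repr("".join(bad))
    return True, "ok"


def validate_password(password):
    """ISP password: up to 64 printable ASCII characters, none of [ ] ?; may be blank."""
    if len(password) > 64:
        return False, "password must be at most 64 characters"
    bad = sorted({ch for ch in password
                  if ch not in PRINTABLE_ASCII or ch in PASSWORD_FORBIDDEN})
    if bad:
        return False, "password contains disallowed characters: " + repr("".join(bad))
    return True, "ok"


def validate_wizard_fields(psk=None, username=None, password=None):
    """Validate whichever fields were supplied; returns {field: (ok, reason)}."""
    results = {}
    if psk is not None:
        results["psk"] = validate_psk(psk)
    if username is not None:
        results["username"] = validate_username(username)
    if password is not None:
        results["password"] = validate_password(password)
    return results


if __name__ == "__main__":
    for field, (ok, why) in validate_wizard_fields(
            psk="correct horse battery", username="user@isp.example", password="pa?ss").items():
        print(f"{field}: {'OK' if ok else 'REJECT'} ({why})")
```

Note that a 64-character string is accepted only when every character is a hex digit, because the guide treats that length as the raw hexadecimal key form rather than a passphrase; any other 64-character input fails the 8 to 63 length rule. Passing this check says nothing about strength: an eight-character passphrase is format-valid but offers little resistance to offline guessing, so pick a long random one.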
IP Address Assignment
· WAN Interface: This displays the identity of the interface you configure to connect with your ISP.
· Zone: This field displays to which security zone this interface and Internet connection will belong.
· IP Address: This field is read-only when the WAN interface uses a dynamic IP address. If your WAN interface uses a static IP address, enter it in this field.
· IP Subnet Mask: If your WAN interface uses Ethernet encapsulation with a static IP address, enter the subnet mask in this field.
· Gateway IP Address: Type the IP address of the Ethernet device connected to this WAN port.
· First DNS Server / Second DNS Server: These fields only display for an interface with a static IP address. Enter the DNS server IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
4.2.5 Quick Setup Interface Wizard: Summary
This screen displays an example WAN interface's settings.
Figure 69 Interface Wizard: Summary WAN
· Encapsulation: This displays what encapsulation this interface uses to connect to the Internet.
· Service Name: This field only appears for a PPPoE interface. It displays the PPPoE service name specified in the ISP account.
· Server IP: This field only appears for a PPTP interface. It displays the IP address of the PPTP server.
· User Name: This is the user name given to you by your ISP.
· Nailed-Up: If No displays, the connection will not time out. Yes means the Zyxel Device uses the idle timeout.
· Idle Timeout: This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server. 0 means no timeout.
· Connection ID: If you specified a connection ID, it displays here.
· WAN Interface: This identifies the interface you configure to connect with your ISP.
· Zone: This field displays to which security zone this interface and Internet connection will belong.
· IP Address Assignment: This field displays whether the WAN IP address is static or dynamic (Auto).
· IP Address: This field displays the current IP address of the Zyxel Device WAN interface selected in this wizard.
· IP Subnet Mask: This field displays the subnet mask of the Zyxel Device WAN interface selected in this wizard.
· Gateway IP Address: This field displays the IP address of the Ethernet device connected to this WAN port.
· First DNS Server / Second DNS Server: If the IP Address Assignment is Static, these fields display the DNS server IP address(es).
4.3 VPN Setup Wizard
Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen.
Figure 70 VPN Setup Wizard
4.3.1 Welcome
Use wizards to create Virtual Private Network (VPN) rules. After you complete the wizard, the Phase 1 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Connection screen.
· VPN Settings configures a VPN tunnel for a secure connection to another computer or network.

· VPN Settings for Configuration Provisioning sets up a VPN rule the Zyxel Device IPSec VPN Client can retrieve. Just enter a user name, password and the IP address of the Zyxel Device in the IPSec VPN Client to get the VPN settings automatically from the Zyxel Device.
· VPN Settings for L2TP VPN Settings sets up an L2TP VPN rule that the Zyxel Device IPSec L2TP VPN client can retrieve.
Figure 71 VPN Setup Wizard Welcome
4.3.2 VPN Setup Wizard: Wizard Type
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings to connect to another ZLD-based Zyxel Device using a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device.
Figure 72 VPN Setup Wizard: Wizard Type

4.3.3 VPN Express Wizard - Scenario
Click the Express radio button as shown in Figure 72 on page 87 to display the following screen.
Figure 73 VPN Express Wizard: Scenario
IKE (Internet Key Exchange) Version: IKEv1 and IKEv2
IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie-Hellman key exchange to set up a shared session secret from which encryption keys are derived. IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise authentication systems.
Scenario
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select.
· Site-to-site - The remote IPSec device has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel.
· Site-to-site with Dynamic Peer - The remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
· Remote Access (Server Role) - Allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.

· Remote Access (Client Role) - Connect to an IPSec server. This Zyxel Device is the client (dial-in user) and can initiate the VPN tunnel.
4.3.4 VPN Express Wizard - Configuration
Figure 74 VPN Express Wizard: Configuration
· My Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device.
· Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
· Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal ("0-9", "A-F") characters. Precede a hexadecimal key with "0x". You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
· Local Policy (IP/Mask): Type the IP address of a computer on your network that can use the tunnel. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
· Remote Policy (IP/Mask): Any displays in this field if it is not configurable for the chosen scenario. Otherwise, type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
4.3.5 VPN Express Wizard - Summary
This screen provides a read-only summary of the VPN tunnel's configuration and commands that you can copy and paste into another ZLD-based Zyxel Device's command line interface to configure it.

Figure 75 VPN Express Wizard: Summary
· Rule Name: Identifies the VPN gateway policy.
· Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
· Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1 IKE negotiation.
· Local Policy: IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel.
· Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
· Copy and paste the Configuration for Secure Gateway commands into another ZLD-based Zyxel Device's command line interface to configure it to serve as the other end of this VPN tunnel. You can also use a text editor to save these commands as a shell script file with a ".zysh" filename extension. Use the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list.
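The other end of the tunnel must mirror this end: its Local Policy is this device's Remote Policy and vice versa, its Secure Gateway is this device's WAN address (or Any/0.0.0.0 when this device is the dynamic peer), and both ends use the same Pre-Shared Key. The following Python script is an added example, not part of this guide or of the Zyxel Device firmware; it checks two sets of wizard inputs against each other before they are typed into the two devices. The dictionary field names are this example's own, and the addresses are constructed documentation values.

```python
# Added example (not from the Zyxel guide): check that the wizard inputs for
# two ZLD devices describe the two ends of one site-to-site tunnel.
# Assumptions: a rule is a plain dict with this example's own field names;
# Secure Gateway is the peer's WAN address, or Any/0.0.0.0 for a dynamic peer;
# policies are "ip/mask" or "ip/prefixlen" strings.
import ipaddress

ANY = {"0.0.0.0", "any", "Any", ""}


def parse_policy(text):
    """Turn 'ip/mask' or 'ip/prefixlen' into an IPv4Network (host bits allowed)."""
    return ipaddress.IPv4Network(text, strict=False)


def mirror_problems(side_a, side_b):
    """Return a list of mismatches; an empty list means the two rules mirror.

    Checks, in the order the wizard lists the fields:
      * each Secure Gateway names the other side's WAN address, or is Any
        (then only that dynamic peer may initiate, and not both may be Any);
      * both ends use the same Pre-Shared Key, since a mismatch only shows
        up later as a PYLD_MALFORMED packet from the peer;
      * A's Local Policy equals B's Remote Policy and vice versa.
    """
    problems = []
    gw_a, gw_b = side_a["secure_gateway"], side_b["secure_gateway"]
    if gw_a not in ANY and gw_a != side_b["wan_ip"]:
        problems.append(f"A's Secure Gateway {gw_a} is not B's WAN address {side_b['wan_ip']}")
    if gw_b not in ANY and gw_b != side_a["wan_ip"]:
        problems.append(f"B's Secure Gateway {gw_b} is not A's WAN address {side_a['wan_ip']}")
    if gw_a in ANY and gw_b in ANY:
        problems.append("both ends use Any as Secure Gateway, so neither end can initiate")
    if side_a["psk"] != side_b["psk"]:
        problems.append("pre-shared keys differ (peer would answer PYLD_MALFORMED)")
    if parse_policy(side_a["local_policy"]) != parse_policy(side_b["remote_policy"]):
        problems.append("A's Local Policy does not equal B's Remote Policy")
    if parse_policy(side_a["remote_policy"]) != parse_policy(side_b["local_policy"]):
        problems.append("A's Remote Policy does not equal B's Local Policy")
    return problems


# Constructed sample inputs (documentation addresses, not a real deployment).
HQ = {
    "wan_ip": "203.0.113.10",
    "secure_gateway": "198.51.100.20",
    "psk": "ExampleSharedKey1",
    "local_policy": "192.168.1.0/255.255.255.0",   # mask form, as the wizard shows it
    "remote_policy": "192.168.2.0/24",
}
BRANCH = {
    "wan_ip": "198.51.100.20",
    "secure_gateway": "203.0.113.10",
    "psk": "ExampleSharedKey1",
    "local_policy": "192.168.2.0/24",
    "remote_policy": "192.168.1.0/24",
}

if __name__ == "__main__":
    for problem in mirror_problems(HQ, BRANCH) or ["rules mirror each other"]:
        print(problem)
```

Run the script as-is to compare the two constructed rules; replace the dictionaries with the values from both wizards to compare a real pair. The policy comparison normalises the mask and prefix-length spellings, so "192.168.1.0/255.255.255.0" on one end and "192.168.1.0/24" on the other are accepted as equal.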
4.3.6 VPN Express Wizard - Finish
Now the rule is configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.

Figure 76 VPN Express Wizard: Finish
Click Close to exit the wizard.
4.3.7 VPN Advanced Wizard - Scenario
Click the Advanced radio button as shown in Figure 72 on page 87 to display the following screen.
Figure 77 VPN Advanced Wizard: Scenario

IKE (Internet Key Exchange) Version: IKEv1 and IKEv2
IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie-Hellman key exchange to set up a shared session secret from which encryption keys are derived. IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise authentication systems.
Scenario
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select.
· Site-to-site - The remote IPSec device has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel.
· Site-to-site with Dynamic Peer - The remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
· Remote Access (Server Role) - Allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
· Remote Access (Client Role) - Connect to an IPSec server. This Zyxel Device is the client (dial-in user) and can initiate the VPN tunnel.
4.3.8 VPN Advanced Wizard - Phase 1 Settings
There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).

Figure 78 VPN Advanced Wizard: Phase 1 Settings
· Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec device has a dynamic WAN IP address.
· My Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device.
· Negotiation Mode: This displays Main or Aggressive:
    · Main encrypts the ZyWALL/USG's and remote IPSec router's identities but takes more time to establish the IKE SA.
    · Aggressive is faster but does not encrypt the identities.
  The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
· Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the security (this may affect throughput). Both sender and receiver must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key, and AES256 uses a 256-bit key.
· Authentication Algorithm: MD5 gives minimal security and SHA512 gives the highest security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The stronger the algorithm, the slower it is.
· Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number.
· SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
· NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).

Note: The remote IPSec device must also have NAT traversal enabled. See the help in the main IPSec VPN screens for more information.
· Dead Peer Detection (DPD) has the Zyxel Device make sure the remote IPSec device is there before transmitting data through the IKE SA. If there has been no traffic for at least 15 seconds, the Zyxel Device sends a message to the remote IPSec device. If it responds, the Zyxel Device transmits the data. If it does not respond, the Zyxel Device shuts down the IKE SA.
· Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the Zyxel Device's certificates.
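The DPD behaviour above has three outcomes: data is sent straight away when the SA carried traffic recently, a probe is sent and answered, or the probe goes unanswered and the IKE SA is shut down. The following Python model is an added example, not code from this guide or from the Zyxel Device; it reproduces that decision with a simulated clock and a simulated peer reply so each outcome can be traced offline. The 15-second threshold is the one stated above; the class and function names are this example's own.

```python
# Added example (not from the Zyxel guide): a model of the Dead Peer Detection
# decision described in the Phase 1 settings, with the clock and the peer's
# reply injected so the logic runs offline.  All names are hypothetical.
from dataclasses import dataclass, field

IDLE_THRESHOLD = 15.0  # seconds without traffic before a DPD message is sent


@dataclass
class IkeSa:
    """Minimal IKE SA state: is it up, when did traffic last cross it, what happened."""
    last_traffic: float
    up: bool = True
    log: list = field(default_factory=list)


def send_through_sa(sa, now, peer_answers_dpd):
    """Attempt to send data through `sa` at time `now` (seconds).

    peer_answers_dpd is a callable returning True when the remote IPSec
    device replies to the DPD message.  Returns one of:
      'sent'     - SA carried traffic less than 15 s ago, data sent, no probe
      'probe-ok' - idle >= 15 s, DPD message answered, data sent
      'sa-down'  - no reply (or SA already down): IKE SA shut down, data dropped
    """
    if not sa.up:
        sa.log.append(f"{now:.0f}s: SA already down, data dropped")
        return "sa-down"
    idle = now - sa.last_traffic
    if idle < IDLE_THRESHOLD:
        # Recent traffic already proves the peer is there; no probe needed.
        sa.last_traffic = now
        sa.log.append(f"{now:.0f}s: idle {idle:.0f}s < {IDLE_THRESHOLD:.0f}s, data sent")
        return "sent"
    sa.log.append(f"{now:.0f}s: idle {idle:.0f}s, sending DPD message")
    if peer_answers_dpd():
        sa.last_traffic = now
        sa.log.append(f"{now:.0f}s: peer replied, data sent")
        return "probe-ok"
    sa.up = False
    sa.log.append(f"{now:.0f}s: no reply, IKE SA shut down")
    return "sa-down"


def run_scenario(reply_pattern):
    """Drive one SA through constructed send attempts at t = 5, 30 and 60 seconds.

    reply_pattern lists, in order, how the peer answers each DPD message;
    once the list is exhausted the peer is treated as silent.
    Returns the list of outcomes, one per send attempt.
    """
    replies = iter(reply_pattern)
    sa = IkeSa(last_traffic=0.0)
    outcomes = []
    for t in (5.0, 30.0, 60.0):
        outcomes.append(send_through_sa(sa, t, lambda: next(replies, False)))
    return outcomes


if __name__ == "__main__":
    for pattern in ([True, True], [True, False], [False]):
        print(pattern, "->", run_scenario(pattern))
```

The first attempt at t = 5 s is always sent without a probe, because the constructed SA last carried traffic at t = 0. Whether the later attempts succeed depends only on the peer's replies, which is exactly the dependency the DPD bullet describes.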
4.3.9 VPN Advanced Wizard - Phase 2
Phase 2 of an IKE negotiation uses the SA that was established in phase 1 to negotiate SAs for IPSec.
Figure 79 VPN Advanced Wizard: Phase 2 Settings
· Active Protocol: ESP is compatible with NAT, AH is not.
· Encapsulation: Tunnel is compatible with NAT, Transport is not.
· Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.
· Authentication Algorithm: MD5 gives minimal security and SHA512 gives the highest security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The stronger the algorithm, the slower it is.
· SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
· Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure. Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number (more secure, yet slower).
· Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.

· Remote Policy (IP/Mask): Type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
· Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the Zyxel Device automatically renegotiate the IPSec SA when the SA life time expires.
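The Phase 1 and Phase 2 settings above rank the available choices against each other: longer keys over shorter ones, SHA over MD5, DH5 over DH1 and DH2, Main over Aggressive, PFS on over PFS off, and ESP in Tunnel mode as the only NAT-compatible combination. The following Python script is an added example, not part of this guide or of the Zyxel Device; it turns those comparisons into an audit that runs over a proposed rule before it is saved. The field names, severity labels and the two sample configurations are constructed for the example and are not the wizard's actual defaults.

```python
# Added example (not from the Zyxel guide): audit Phase 1 and Phase 2 wizard
# choices against the relative-strength statements in sections 4.3.8/4.3.9.
# Field names, severities and sample values are this example's own.
from dataclasses import dataclass

# Key lengths as stated in the guide (bits); NULL means no encryption.
KEY_BITS = {"DES": 56, "3DES": 168, "AES128": 128, "AES192": 192, "AES256": 256, "NULL": 0}
# Diffie-Hellman group sizes as stated in the guide (bits).
DH_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}


@dataclass
class Phase1:
    negotiation_mode: str      # "Main" or "Aggressive"
    encryption: str            # key of KEY_BITS
    authentication: str        # "MD5", "SHA1", "SHA256" or "SHA512"
    key_group: str             # key of DH_BITS
    nat_traversal: bool
    dead_peer_detection: bool


@dataclass
class Phase2:
    active_protocol: str       # "ESP" or "AH"
    encapsulation: str         # "Tunnel" or "Transport"
    encryption: str            # key of KEY_BITS
    authentication: str        # as for Phase1
    pfs: str                   # "DH1", "DH2", "DH5" or "none"


def audit(p1, p2):
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    findings = []
    if p1.negotiation_mode == "Aggressive":
        findings.append(("warn", "Aggressive mode is faster but does not encrypt the identities"))
    for phase, enc in (("Phase 1", p1.encryption), ("Phase 2", p2.encryption)):
        bits = KEY_BITS[enc]
        if bits == 0:
            findings.append(("high", f"{phase}: Null uses no encryption"))
        elif bits < 128:
            findings.append(("high", f"{phase}: {enc} uses a {bits}-bit key"))
        elif enc == "3DES":
            findings.append(("info", f"{phase}: 3DES is slower than AES128 and costs throughput"))
    for phase, auth in (("Phase 1", p1.authentication), ("Phase 2", p2.authentication)):
        if auth == "MD5":
            findings.append(("high", f"{phase}: MD5 gives minimal security"))
    if DH_BITS[p1.key_group] < DH_BITS["DH5"]:
        findings.append(("warn", f"Phase 1 key group {p1.key_group} ({DH_BITS[p1.key_group]}-bit) is weaker than DH5"))
    if p2.pfs == "none":
        findings.append(("warn", "PFS disabled: faster IPSec setup but less secure"))
    elif DH_BITS[p2.pfs] < DH_BITS["DH5"]:
        findings.append(("info", f"PFS group {p2.pfs} is weaker than DH5"))
    if p1.nat_traversal:
        if p2.active_protocol == "AH":
            findings.append(("high", "AH is not compatible with NAT, yet NAT traversal is enabled"))
        if p2.encapsulation == "Transport":
            findings.append(("high", "Transport mode is not compatible with NAT, yet NAT traversal is enabled"))
    if not p1.dead_peer_detection:
        findings.append(("info", "DPD off: the peer is not checked before data is sent through the IKE SA"))
    return findings


def severity_counts(findings):
    """Summarise an audit as {'high': n, 'warn': n, 'info': n}."""
    counts = {"high": 0, "warn": 0, "info": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample choices (not the wizard's defaults).
LEGACY_P1 = Phase1("Aggressive", "3DES", "MD5", "DH1", True, False)
LEGACY_P2 = Phase2("ESP", "Tunnel", "DES", "MD5", "none")
STRONG_P1 = Phase1("Main", "AES256", "SHA512", "DH5", True, True)
STRONG_P2 = Phase2("ESP", "Tunnel", "AES256", "SHA512", "DH5")

if __name__ == "__main__":
    for severity, message in audit(LEGACY_P1, LEGACY_P2):
        print(f"[{severity}] {message}")
    print("strong profile:", severity_counts(audit(STRONG_P1, STRONG_P2)))
```

The audit deliberately encodes nothing the two sections do not state: it does not judge the SA Life Time, for which the guide gives a direction (shorter is more secure) but no threshold, and it treats the AH/Transport findings as relevant only when NAT Traversal is selected, because that is the condition under which the guide says they are incompatible.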
4.3.10 VPN Advanced Wizard - Summary
This is a read-only summary of the VPN tunnel settings.
Figure 80 VPN Advanced Wizard: Summary
· Rule Name: Identifies the VPN connection (and the VPN gateway).
· Secure Gateway: IP address or domain name of the remote IPSec device.
· Pre-Shared Key: VPN tunnel password.
· Certificate: The certificate the Zyxel Device uses to identify itself when setting up the VPN tunnel.
· Local Policy: IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel.
· Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel.

Phase 1
· Negotiation Mode: This displays Main or Aggressive:
    · Main encrypts the ZyWALL/USG's and remote IPSec router's identities but takes more time to establish the IKE SA.
    · Aggressive is faster but does not encrypt the identities.
  The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
· Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security, the lower the throughput (possibly).
    · DES uses a 56-bit key.
    · 3DES uses a 168-bit key.
    · AES128 uses a 128-bit key.
    · AES192 uses a 192-bit key.
    · AES256 uses a 256-bit key.
· Authentication Algorithm: This displays the authentication algorithm used. The stronger the algorithm, the slower it is.
    · MD5 gives minimal security.
    · SHA1 gives higher security.
    · SHA256 gives the highest security.
· Key Group: This displays the Diffie-Hellman (DH) key group used. DH5 is more secure than DH1 or DH2 (although it may affect throughput).
    · DH1 uses a 768-bit random number.
    · DH2 uses a 1024-bit (1Kb) random number.
    · DH5 uses a 1536-bit random number.
Phase 2
· Active Protocol: This displays ESP (compatible with NAT) or AH.
· Encapsulation: This displays Tunnel (compatible with NAT) or Transport.
· Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security, the lower the throughput (possibly).
    · DES uses a 56-bit key.
    · 3DES uses a 168-bit key.
    · AES128 uses a 128-bit key.
    · AES192 uses a 192-bit key.
    · AES256 uses a 256-bit key.
    · Null uses no encryption.
· Authentication Algorithm: This displays the authentication algorithm used. The stronger the algorithm, the slower it is.
    · MD5 gives minimal security.
    · SHA1 gives higher security.
    · SHA256 gives the highest security.

Copy and paste the Configuration for Remote Gateway commands into another ZLD-based Zyxel Device's command line interface. Click Save to save the VPN rule.
4.3.11 VPN Advanced Wizard - Finish
Now the rule is configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.
Figure 81 VPN Wizard: Finish
Click Close to exit the wizard.

4.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type
Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the Zyxel Device IPSec VPN Client. VPN rules for the Zyxel Device IPSec VPN Client have certain restrictions. They must not contain the following settings:
· AH active protocol
· NULL encryption
· SHA512 authentication
· A subnet or range remote policy
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key in the VPN rule.
Figure 82 VPN Settings for Configuration Provisioning Express Wizard: Wizard Type
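A rule that breaks any of the four restrictions above cannot be retrieved by the Zyxel Device IPSec VPN Client, so it is worth testing a proposed rule against them before it is saved. The following Python function is an added example, not part of this guide or the Zyxel Device; it classifies the Remote Policy value (Any, single host, subnet or address range) and reports which restrictions a rule violates. The dictionary field names and the two sample rules are this example's own.

```python
# Added example (not from the Zyxel guide): reject a VPN rule that the Zyxel
# Device IPSec VPN Client cannot retrieve, using the four restrictions listed
# in section 4.4.  The rule is a plain dict with hypothetical field names.
import ipaddress


def remote_policy_kind(text):
    """Classify a Remote Policy value as 'any', 'host', 'subnet' or 'range'.

    Accepted spellings: 'Any' (case-insensitive) or empty, 'a.b.c.d-e.f.g.h'
    for a range, and 'ip/mask' or 'ip/prefixlen' for a host (/32) or subnet.
    """
    value = text.strip()
    if value.lower() in ("any", ""):
        return "any"
    if "-" in value:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in value.split("-", 1))
        return "host" if lo == hi else "range"
    net = ipaddress.IPv4Network(value, strict=False)
    return "host" if net.prefixlen == 32 else "subnet"


def provisioning_violations(rule):
    """Return the restrictions the rule breaks; an empty list means it can be provisioned."""
    violations = []
    if rule["active_protocol"].upper() == "AH":
        violations.append("AH active protocol")
    if rule["encryption"].upper() == "NULL":
        violations.append("NULL encryption")
    if rule["authentication"].upper() == "SHA512":
        violations.append("SHA512 authentication")
    if remote_policy_kind(rule["remote_policy"]) in ("subnet", "range"):
        violations.append("a subnet or range remote policy")
    return violations


# Constructed sample rules.
OK_RULE = {"active_protocol": "ESP", "encryption": "AES256",
           "authentication": "SHA256", "remote_policy": "Any"}
BAD_RULE = {"active_protocol": "AH", "encryption": "NULL",
            "authentication": "SHA512", "remote_policy": "192.168.50.0/24"}

if __name__ == "__main__":
    for name, rule in (("OK_RULE", OK_RULE), ("BAD_RULE", BAD_RULE)):
        print(name, "->", provisioning_violations(rule) or ["provisionable"])
```

Note the interaction with section 4.3.8, where SHA512 is the strongest Phase 1 authentication offered: a rule tuned for maximum strength there still has to drop back to SHA256 to be provisionable, which the check makes explicit.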
4.4.1 Configuration Provisioning Express Wizard - VPN Settings
Click the Express radio button as shown in the previous screen to display the following screen.

Figure 83 VPN for Configuration Provisioning Express Wizard: Settings Scenario
· IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie-Hellman key exchange to set up a shared session secret from which encryption keys are derived.
· IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise authentication systems.
· Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
· Application Scenario: Only the Remote Access (Server Role) is allowed in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
4.4.2 Configuration Provisioning VPN Express Wizard - Configuration
Click Next to continue the wizard.

Figure 84 VPN for Configuration Provisioning Express Wizard: Configuration
· My Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device.
· Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
· Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal ("0-9", "A-F") characters. Precede a hexadecimal key with "0x". You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
· Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
· Remote Policy (IP/Mask): Any displays in this field because it is not configurable in this wizard.
4.4.3 VPN Settings for Configuration Provisioning Express Wizard - Summary
This screen has a read-only summary of the VPN tunnel's configuration and commands you can copy and paste into another ZLD-based Zyxel Device's command line interface to configure it.

Figure 85 VPN for Configuration Provisioning Express Wizard: Summary
· Rule Name: Identifies the VPN gateway policy.
· Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
· Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1 IKE negotiation.
· Local Policy: (Static) IP address and subnet mask of the computers on the network behind your Zyxel Device that can be accessed using the tunnel.
· Remote Policy: Any displays in this field because it is not configurable in this wizard.
· The Configuration for Secure Gateway displays the configuration that the Zyxel Device IPSec VPN Client will get from the Zyxel Device.
· Click Save to save the VPN rule.
4.4.4 VPN Settings for Configuration Provisioning Express Wizard - Finish
The rule is now configured on the Zyxel Device. The Phase 1 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Connection screen. Enter the IP address of the Zyxel Device in the Zyxel Device IPSec VPN Client to get all these VPN settings automatically from the Zyxel Device.

Figure 86 VPN for Configuration Provisioning Express Wizard: Finish
Click Close to exit the wizard.
4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario
Click the Advanced radio button as shown in Figure 82 on page 98 to display the following screen.
Figure 87 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings

· IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie-Hellman key exchange to set up a shared session secret from which encryption keys are derived.
· IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise authentication systems.
· Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
· Application Scenario: Only the Remote Access (Server Role) is allowed in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
Click Next to continue the wizard.
4.4.6 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 1 Settings
There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).
Figure 88 VPN for Configuration Provisioning Advanced Wizard: Phase 1 Settings
· Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
· My Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device.
· Negotiation Mode: This displays Main or Aggressive:
    · Main encrypts the ZyWALL/USG's and remote IPSec router's identities but takes more time to establish the IKE SA.
    · Aggressive is faster but does not encrypt the identities.
  The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.

· Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the security (this may affect throughput). Both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key.
· Authentication Algorithm: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. MD5 gives minimal security. SHA1 gives higher security and SHA256 gives the highest security. The stronger the algorithm, the slower it is.
· Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number.
· SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
· Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the Zyxel Device's certificates.
4.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2
Phase 2 of an IKE negotiation uses the SA that was established in phase 1 to negotiate SAs for IPSec.
Figure 89 VPN for Configuration Provisioning Advanced Wizard: Phase 2 Settings
· Active Protocol: ESP is compatible with NAT. AH is not available in this wizard.
· Encapsulation: Tunnel is compatible with NAT, Transport is not.
· Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.
· Authentication Algorithm: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. MD5 gives minimal security. SHA1 gives higher security and SHA256 gives the highest security. The stronger the algorithm, the slower it is.

· SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
· Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure. Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number (more secure, yet slower).
· Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
· Remote Policy (IP/Mask): Any displays in this field because it is not configurable in this wizard.
· Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the Zyxel Device automatically renegotiate the IPSec SA when the SA life time expires.
4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard - Summary
This is a read-only summary of the VPN tunnel settings.

Figure 90 VPN for Configuration Provisioning Advanced Wizard: Summary
Summary
· Rule Name: Identifies the VPN connection (and the VPN gateway).
· Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
· Pre-Shared Key: VPN tunnel password.
· Local Policy: IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel.
· Remote Policy: Any displays in this field because it is not configurable in this wizard.
Phase 1
· Negotiation Mode: This displays Main or Aggressive:
    · Main encrypts the ZyWALL/USG's and remote IPSec router's identities but takes more time to establish the IKE SA.

    · Aggressive is faster but does not encrypt the identities.
  The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
· Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security, the lower the throughput (possibly).
    · DES uses a 56-bit key.
    · 3DES uses a 168-bit key.
    · AES128 uses a 128-bit key.
    · AES192 uses a 192-bit key.
    · AES256 uses a 256-bit key.
· Authentication Algorithm: This displays the authentication algorithm used. The stronger the algorithm, the slower it is.
    · MD5 gives minimal security.
    · SHA1 gives higher security.
    · SHA256 gives the highest security.
· Key Group: This displays the Diffie-Hellman (DH) key group used. DH5 is more secure than DH1 or DH2 (although it may affect throughput).
    · DH1 uses a 768-bit random number.
    · DH2 uses a 1024-bit (1Kb) random number.
    · DH5 uses a 1536-bit random number.
Phase 2
· Active Protocol: This displays ESP (compatible with NAT) or AH.
· Encapsulation: This displays Tunnel (compatible with NAT) or Transport.
· Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security, the lower the throughput (possibly).
    · DES uses a 56-bit key.
    · 3DES uses a 168-bit key.
    · AES128 uses a 128-bit key.
    · AES192 uses a 192-bit key.
    · AES256 uses a 256-bit key.
    · Null uses no encryption.
· Authentication Algorithm: This displays the authentication algorithm used. The stronger the algorithm, the slower it is.
    · MD5 gives minimal security.
    · SHA1 gives higher security.
    · SHA256 gives the highest security.
The Configuration for Secure Gateway displays the configuration that the Zyxel Device IPSec VPN Client will get from the Zyxel Device.
Click Save to save the VPN rule.

4.4.9 VPN Settings for Configuration Provisioning Advanced Wizard - Finish
The rule is now configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Enter the IP address of the Zyxel Device in the Zyxel Device IPSec VPN Client to get all these VPN settings automatically from the Zyxel Device.
Figure 91 VPN for Configuration Provisioning Advanced Wizard: Finish
Click Close to exit the wizard.
4.5 VPN Settings for L2TP VPN Settings Wizard
Use VPN Settings for L2TP VPN Settings to set up an L2TP VPN rule. Click Configuration > Quick Setup > VPN Setup and select VPN Settings for L2TP VPN Settings to see the following screen.

Figure 92 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings
Click Next to continue the wizard.
4.5.1 L2TP VPN Settings
Figure 93 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings
· Rule Name: Type the name used to identify this L2TP VPN connection (and L2TP VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
· My Address (interface): Select one of the interfaces from the pull-down menu to apply the L2TP VPN rule.
· Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal ("0-9", "A-F") characters. Precede a hexadecimal key with "0x". You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
· Click Next to continue the wizard.
4.5.2 L2TP VPN Settings
Figure 94 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings
· IP Address Pool: Select RANGE or SUBNET from the pull down menu. This IP address pool is used to assign to the L2TP VPN clients.
· Starting IP Address: Enter the starting IP address in the field.
· End IP Address: Enter the ending IP address in the field.
· Network: Enter the IPv4 IP address in this field if you selected SUBNET.
· Netmask: Enter the associated subnet mask of the subnet in this field.
· First DNS Server (Optional): Enter the first DNS server IP address in the field. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server you must know the IP address of a machine in order to access it.
· Second DNS Server (Optional): Enter the second DNS server IP address in the field. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server you must know the IP address of a machine in order to access it.
· Allow L2TP traffic Through WAN: Select this check box to allow traffic from L2TP clients to go to the Internet.
Click Next to continue the wizard.
Note: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The Zyxel Device uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
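A validator for the L2TP VPN wizard inputs described in 4.5.1 and 4.5.2, as an added example (not Zyxel code): it applies the Rule Name, Pre-Shared Key and IP Address Pool constraints the wizard states so a form can be checked before it is submitted. The form dictionary layout, the printable-ASCII restriction and the acceptance of lowercase hex digits are assumptions.

```python
"""Checks for the L2TP VPN Settings wizard fields (added example, not Zyxel code)."""
import ipaddress
import re

# Rule Name: 1-31 alphanumeric characters, underscores or dashes,
# first character not a digit, case-sensitive (as the wizard states).
RULE_NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")
# Hexadecimal Pre-Shared Key: "0x" followed by 8 to 31 pairs of hex digits.
# The guide lists "0-9", "A-F"; accepting lowercase a-f is an assumption.
HEX_PSK_RE = re.compile(r"^0x(?:[0-9A-Fa-f]{2}){8,31}$")


def check_rule_name(name: str) -> list[str]:
    """Return a list of problems with the Rule Name (empty means valid)."""
    if RULE_NAME_RE.fullmatch(name):
        return []
    return ["Rule Name must be 1-31 alphanumeric/_/- characters and not start with a digit"]


def check_pre_shared_key(key: str) -> list[str]:
    """Check a Pre-Shared Key against the wizard's two accepted forms."""
    if key.startswith("0x"):
        if HEX_PSK_RE.fullmatch(key):
            return []
        return ["hexadecimal key must be 0x followed by 8 to 31 pairs of hex digits"]
    # Plain form: 8 to 31 ASCII characters. Restricting to printable ASCII
    # (0x20-0x7E) is an assumption; the guide only says "ASCII characters".
    if not 8 <= len(key) <= 31:
        return ["ASCII key must be 8 to 31 characters long"]
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in key):
        return ["ASCII key contains a non-printable or non-ASCII character"]
    return []


def check_ip_pool(pool: dict) -> list[str]:
    """Check the IP Address Pool fields; pool["type"] is "RANGE" or "SUBNET"."""
    problems = []
    try:
        if pool["type"] == "RANGE":
            start = ipaddress.IPv4Address(pool["start"])
            end = ipaddress.IPv4Address(pool["end"])
            if start > end:
                problems.append("Starting IP Address is above End IP Address")
        elif pool["type"] == "SUBNET":
            # strict=False lets a host address be entered; the network is derived.
            # A non-contiguous netmask raises NetmaskValueError (a ValueError).
            ipaddress.IPv4Network(f"{pool['network']}/{pool['netmask']}", strict=False)
        else:
            problems.append("IP Address Pool must be RANGE or SUBNET")
    except (KeyError, ValueError) as exc:
        problems.append(f"invalid IP Address Pool field: {exc}")
    return problems


def check_dns_servers(servers) -> list[str]:
    """Optional DNS servers; 0.0.0.0 means 'not configured' per the wizard."""
    problems = []
    for label, addr in zip(("First DNS Server", "Second DNS Server"), servers):
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"{label} is not a valid IPv4 address: {addr!r}")
    return problems


def check_l2tp_wizard(settings: dict) -> list[str]:
    """Run every check on one wizard form and collect all problems found."""
    problems = check_rule_name(settings["rule_name"])
    problems += check_pre_shared_key(settings["pre_shared_key"])
    problems += check_ip_pool(settings["ip_pool"])
    problems += check_dns_servers(settings.get("dns_servers", ()))
    return problems


# Constructed sample forms (not real deployments): one valid, one with mistakes.
GOOD_FORM = {
    "rule_name": "L2TP_Remote-Users",
    "pre_shared_key": "0x" + "A1" * 16,          # 16 hex pairs, within 8-31
    "ip_pool": {"type": "RANGE", "start": "192.168.50.10", "end": "192.168.50.50"},
    "dns_servers": ("0.0.0.0", "0.0.0.0"),       # no DNS servers configured
}
BAD_FORM = {
    "rule_name": "1stRule",                      # starts with a digit
    "pre_shared_key": "0xDEADBEEF",              # only 4 hex pairs
    "ip_pool": {"type": "RANGE", "start": "192.168.50.50", "end": "192.168.50.10"},
    "dns_servers": ("192.0.2.53", "not-an-ip"),  # second server is not an address
}

if __name__ == "__main__":
    for name, form in (("good", GOOD_FORM), ("bad", BAD_FORM)):
        print(name, check_l2tp_wizard(form) or "OK")
```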
4.5.3 VPN Settings for L2TP VPN Setting Wizard - Summary
This is a read-only summary of the L2TP VPN settings.
Figure 95 VPN Settings for L2TP VPN Settings Advanced Settings Wizard: Summary
· Rule Name: Identifies the L2TP VPN connection (and the L2TP VPN gateway).
· Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the L2TP VPN Client.
· Pre-Shared Key: L2TP VPN tunnel password.
· My Address (Interface): This displays the interface to use on your Zyxel Device for the L2TP tunnel.
· IP Address Pool: This displays the IP address pool used to assign to the L2TP VPN clients.
Click Save to complete the L2TP VPN Setting and the following screen will show.
4.5.4 VPN Settings for L2TP VPN Setting Wizard - Completed
Figure 96 VPN Settings for L2TP VPN Settings Wizard: Finish
The rule is now configured on the Zyxel Device. The L2TP VPN rule settings appear in the Configuration > VPN > L2TP VPN screen and also in the Configuration > VPN > IPSec VPN > VPN Connection and VPN Gateway screens.
CHAPTER 5
Dashboard
5.1 Overview
Use the Dashboard screens to check status information about the Zyxel Device.
5.1.1 What You Can Do in this Chapter
Use the main Dashboard screen to see the Zyxel Device's general device information, system status, and system resource usage. You can also display other status screens for more information. Use the Dashboard screens to view the following.
· Device Information Screen on page 115
· System Status Screen on page 116
· Tx/Rx Statistics on page 116
· The Latest Logs Screen on page 117
· System Resources Screen on page 117
· DHCP Table Screen on page 118
· Number of Login Users Screen on page 119
· Current Login User on page 120
· VPN Status on page 120
· SSL VPN Status on page 121
· The Advanced Threat Protection Screen on page 121
5.2 The General Screen
The Dashboard screen displays when you log into the Zyxel Device or click Dashboard in the navigation panel. The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets. Click on the icon to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information. The following screen is an example of a Brand 2.0 web configurator web style.
Figure 97 Dashboard USG FLEX
The following table describes the labels in this screen.
Table 20 Dashboard
LABEL: DESCRIPTION
Refresh Now: Click this to update the widget's information immediately.
Virtual Device
Rear Panel: Click this to view details about the Zyxel Device's rear panel. Hover your cursor over a connected interface or slot to display status details.
Front Panel: Click this to view details about the status of the Zyxel Device's front panel LEDs and connections. See Section 3.1.1 on page 70 for LED descriptions. An unconnected interface or slot appears grayed out.
The following front and rear panel labels display when you hover your cursor over a connected interface or slot.
Name: This field displays the name of each interface.
Status: This field displays the current status of each interface or device installed in a slot. The possible values depend on what type of interface it is.
  Inactive - The Ethernet interface is disabled.
  Down - The Ethernet interface does not have any physical ports associated with it or the Ethernet interface is enabled but not connected.
  Speed / Duplex - The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half).
  The status for a WLAN card is none.
  For cellular (mobile broadband) interfaces, see Section 9.6 on page 265 for the status that can appear.
  For the auxiliary interface:
  Inactive - The auxiliary interface is disabled.
  Connected - The auxiliary interface is enabled and connected.
  Disconnected - The auxiliary interface is not connected.
Zone: This field displays the zone to which the interface is currently assigned.
IP Address/Mask: This field displays the current IP address and subnet mask assigned to the interface. If the interface is a member of an active virtual router, this field displays the IP address it is currently using. This is either the static IP address of the interface (if it is the master) or the management IP address (if it is a backup).

5.2.1 Device Information Screen
The Device Information screen displays the Zyxel Device's system and model name, serial number, MAC address and firmware version, as shown in the screen below.
Figure 98 Dashboard > Device Information (Example)
This table describes the fields in the above screen.
Table 21 Dashboard > Device Information
LABEL: DESCRIPTION
System Name: This field displays the name used to identify the Zyxel Device on any network. Click the link to open the Host Name screen where you can edit and make changes to the system and domain name.
Serial Number: This field displays the serial number of this Zyxel Device. The serial number is used for device tracking and control.
MAC Address Range: This field displays the MAC addresses used by the Zyxel Device. Each physical port has one MAC address. The first MAC address is assigned to physical port 1, the second MAC address is assigned to physical port 2, and so on.
Firmware Version: This field displays the version number and date of the firmware the Zyxel Device is currently running. Click the link to open the Firmware Package screen where you can upload firmware.

5.2.2 System Status Screen
Figure 99 Dashboard > System Status (Example)
This table describes the fields in the above screen.
Table 22 Dashboard > System Status
LABEL: DESCRIPTION
Boot Status: This field displays details about the Zyxel Device's startup state.
  OK - The Zyxel Device started up successfully.
  Firmware update OK - A firmware update was successful.
  Problematic configuration after firmware update - The application of the configuration failed after a firmware upgrade.
  System default configuration - The Zyxel Device successfully applied the system default configuration. This occurs when the Zyxel Device starts for the first time or you intentionally reset the Zyxel Device to the system default settings.
  Fallback to lastgood configuration - The Zyxel Device was unable to apply the startup-config.conf configuration file and fell back to the lastgood.conf configuration file.
  Fallback to system default configuration - The Zyxel Device was unable to apply the lastgood.conf configuration file and fell back to the system default configuration file (system-default.conf).
  Booting in progress - The Zyxel Device is still applying the system configuration.
System Uptime: This field displays how long the Zyxel Device has been running since it last restarted or was turned on.
Current Date/Time: This field displays the current date and time in the Zyxel Device. The format is yyyy-mm-dd hh:mm:ss. Click on the link to see the Date/Time screen where you can make edits and changes to the date, time and time zone information.

5.2.3 Tx/Rx Statistics
This screen displays a line graph of packet statistics for each physical port.
Figure 100 Dashboard > Tx/Rx Statistics
This table describes the fields in the above screen.
Table 23 Dashboard > Tx/Rx Statistics
LABEL: DESCRIPTION
Mbps: The y-axis represents the speed of transmission or reception.
Time: The x-axis shows the time period over which the transmission or reception occurred.

5.2.4 The Latest Logs Screen
Figure 101 Dashboard > The Latest Logs
This table describes the fields in the above screen.
Table 24 Dashboard > The Latest Logs
LABEL: DESCRIPTION
#: This is the entry's rank in the list of alert logs.
Time: This field displays the date and time the log was created.
Priority: This field displays the severity of the log.
Category: This field displays the type of log generated.
Message: This field displays the actual log message.
Source: This field displays the source address (if any) in the packet that generated the log.
Destination: This field displays the destination address (if any) in the packet that generated the log.

5.2.5 System Resources Screen
Click the bar to see a graphic on that resource.
Figure 102 Dashboard > System Resources
This table describes the fields in the above screen.
Table 25 Dashboard > System Resources
LABEL: DESCRIPTION
CPU Usage: This field displays what percentage of the Zyxel Device's processing capability is currently being used. Hover your cursor over this field to display the Show CPU Usage icon that takes you to a chart of the Zyxel Device's recent CPU usage.
Memory Usage: This field displays what percentage of the Zyxel Device's RAM is currently being used. Hover your cursor over this field to display the Show Memory Usage icon that takes you to a chart of the Zyxel Device's recent memory usage.
Flash Usage: This field displays what percentage of the Zyxel Device's onboard flash memory is currently being used.
USB Storage Usage: This field shows how much storage in the USB device connected to the Zyxel Device is in use.
Active Sessions: This field shows how many sessions, established and non-established, pass through/from/to/within the ZyWALL. Hover your cursor over this field to display icons. Click the Detail icon to go to the Session Monitor screen to see details about the active sessions. Click the Show Active Sessions icon to display a chart of the Zyxel Device's recent session usage.

5.2.6 DHCP Table Screen
Click on the number to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. The following screen will show.
Figure 103 Dashboard > DHCP Table
This table describes the fields in the above screen.
Table 26 Dashboard > DHCP Table
LABEL: DESCRIPTION
Refresh Interval: Select how often you want this window to be updated automatically.
Refresh Now: Click this to update the information in the window right away.
#: This field is a sequential value, and it is not associated with a specific entry.
Interface: This field identifies the interface that assigned an IP address to a DHCP client.
IP Address: This field displays the IP address currently assigned to a DHCP client or reserved for a specific MAC address. Click the column's heading cell to sort the table entries by IP address. Click the heading cell again to reverse the sort order.
Host Name: This field displays the name used to identify this device on the network (the computer name). The Zyxel Device learns these from the DHCP client requests. "None" shows here for a static DHCP entry.
MAC Address: This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved. Click the column's heading cell to sort the table entries by MAC address. Click the heading cell again to reverse the sort order.
Expiration Time: This is the period of time for which DHCP-assigned addresses are used.
Description: For a static DHCP entry, the host name or the description you configured shows here. This field is blank for dynamic DHCP entries.
Reserve: If this field is selected, this entry is a static DHCP entry. The IP address is reserved for the MAC address.
  If this field is clear, this entry is a dynamic DHCP entry. The IP address is assigned to a DHCP client.
  To create a static DHCP entry using an existing dynamic DHCP entry, select this field, and then click Apply.
  To remove a static DHCP entry, clear this field, and then click Apply.

5.2.7 Number of Login Users Screen
Click the Number of Login Users link to see the following screen.
Figure 104 Dashboard > Number of Login Users
This table describes the fields in the above screen.
Table 27 Dashboard > Number of Login Users
LABEL: DESCRIPTION
#: This field is a sequential value and is not associated with any entry.
User ID: This field displays the user name of each user who is currently logged in to the Zyxel Device.
Reauth/Lease Time: This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user.
Session Timeout: This field displays the total amount of time the account (authenticated by an external server) can use to log into the UAG or access the Internet through the Zyxel Device. This shows unlimited for an administrator account.
Type: This field displays the way the user logged in to the Zyxel Device.
IP address: This field displays the IP address of the computer used to log in to the Zyxel Device.
User Info: This field displays the types of user accounts the Zyxel Device uses. If the user type is ext-user (external user), this field will show its external-group information when you move your mouse over it. If the external user matches two external-group objects, both external-group object names will be shown.
Force Logout: Click this icon to end a user's session.

5.2.8 Current Login User
This field displays the user name used to log in to the current session, the amount of reauthentication time remaining, and the amount of lease time remaining.
Figure 105 Dashboard > Current Login User
5.2.9 VPN Status
Click on the link to look at the VPN tunnels that are currently established.
Figure 106 Dashboard > VPN Status
This table describes the fields in the above screen.
Table 28 Dashboard > VPN Status
LABEL: DESCRIPTION
#: This field is a sequential value and is not associated with any entry.
Name: This field displays the name of the VPN tunnel.
Encapsulation: This field displays the type of encapsulation the VPN tunnel uses.
Algorithm: This field displays the hash algorithm that the VPN tunnel uses to authenticate packet data.
Refresh Interval: Select how often you want this window to be updated automatically.
Refresh Now: Click this to update the information in the window right away.

5.2.10 SSL VPN Status
The first number is the actual number of VPN tunnels up and the second number is the maximum number of SSL VPN tunnels allowed.
Figure 107 Dashboard > SSL VPN Status
5.3 The Advanced Threat Protection Screen
Use the Advanced Threat Protection screen to check security status information about the Zyxel Device.
Figure 108 Dashboard > Advanced Threat Protection - USG FLEX Series
This screen gives the following information:
· The amount of scanned traffic
· The number of scanned connections for URL Threat filtering
· The number of scanned files for anti-malware
· The number of scanned connections for IDP
· The number of scanned emails for email security
· The number of the scanned sites for content filtering
· Top 5 applications that are used the most
· Top 5 URLs that are detected the most
· Reputation filter reports
· URL Threat filter reports
· Threat statistics
Click the Refresh icon to update the information in the window right away.
PART II
Technical Reference
CHAPTER 6
Monitor
6.1 Overview
Use the Monitor screens to check status and statistics information.
6.1.1 What You Can Do in this Chapter
Use the Monitor screens for the following.
· Use the System Status > Port Statistics screen (see Section 6.2 on page 126) to look at packet statistics for each physical port.
· Use the System Status > Port Statistics > Graph View screen (see Section 6.2 on page 126) to look at a line graph of packet statistics for each physical port.
· Use the System Status > Interface Status screen (Section 6.3 on page 128) to see all of the Zyxel Device's interfaces and their packet statistics.
· Use the System Status > Traffic Statistics screen (see Section 6.4 on page 132) to start or stop data collection and view statistics.
· Use the System Status > Session Monitor screen (see Section 6.5 on page 135) to view sessions by user or service.
· Use the System Status > Login Users screen (Section 6.6 on page 137) to look at a list of the users currently logged into the Zyxel Device.
· Use the System Status > Dynamic Guest screen (Section 6.7 on page 138) to look at a list of the automatically created users allowed to access the Zyxel Device's service.
· Use the System Status > IGMP Statistics screen (see Section 6.8 on page 139) to view multicasting details.
· Use the System Status > DDNS Status screen (see Section 6.9 on page 140) to view the status of the Zyxel Device's DDNS domain names.
· Use the System Status > IP/MAC Binding screen (Section 6.10 on page 141) to view a list of devices that have received an IP address from Zyxel Device interfaces with IP/MAC binding enabled.
· Use the System Status > Cellular Status screen (Section 6.11 on page 142) to check your mobile broadband connection status.
· Use the System Status > UPnP Port Status screen (see Section 6.12 on page 145) to look at a list of the NAT port mapping rules that UPnP creates on the Zyxel Device.
· Use the System Status > USB Storage screen (Section 6.13 on page 146) to view information about a connected USB storage device.
· Use the System Status > Ethernet Neighbor screen (Section 6.14 on page 147) to view and manage the Zyxel Device's neighboring devices via Link Layer Discovery Protocol (LLDP).
· Use the System Status > FQDN Object screen (Section 6.15 on page 148) to display fully qualified domain name (FQDN) object cache lists used in DNS queries.
· Use the System Status > Virtual Server LB screen (Section 6.16 on page 150) to display distribution of incoming connection requests to a virtual server between multiple real (physical) servers.
· Use the Wireless > AP Information > AP List screen (Section 6.17 on page 151) to display which APs are currently connected to the Zyxel Device.
· Use the Wireless > AP Information > Radio List screen (Section 6.18 on page 161) to display statistics about the wireless radio transmitters in each of the APs connected to the Zyxel Device.
· Use the Wireless > AP Information > Top N APs screen (Section 6.19 on page 165) to view managed APs with the most wireless traffic usage and most associated wireless stations.
· Use the Wireless > AP Information > Single AP screen (Section 6.20 on page 166) to view an AP's wireless traffic usage and associated wireless stations for a managed AP.
· Use the Wireless > ZyMesh screen (Section 6.21 on page 167) to display statistics about the ZyMesh wireless connections between the managed APs.
· Use the Wireless > SSID Info screen (Section 6.22 on page 168) to display the number of wireless clients that are currently connected to an SSID and the SSID's security mode.
· Use the Wireless > Station Info > Station List screen (Section 6.23 on page 169) to view information on connected wireless stations.
· Use the Wireless > Station Info > Top N Stations screen (Section 6.24 on page 170) to view wireless stations with the most wireless traffic usage.
· Use the Wireless > Station Info > Single Station screen (Section 6.25 on page 171) to view wireless traffic usage for an associated wireless station.
· Use the Wireless > Detected Device screen (Section 6.26 on page 172) to view information about suspected rogue APs.
· Use the Printer Status screen (see Section 6.27 on page 173) to view information about the connected statement printers.
· Use the VPN Monitor > IPSec screen (Section 6.28 on page 174) to display and manage active IPSec SAs.
· Use the VPN Monitor > SSL screen (see Section 6.29 on page 175) to list the users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information.
· Use the VPN Monitor > L2TP over IPSec screen (see Section 6.30 on page 176) to display and manage the Zyxel Device's connected L2TP VPN sessions.
· Use the Security Statistics > Content Filter screen (Section 6.32 on page 178) to start or stop data collection and view content filter statistics.
· Use the Security Statistics > App Patrol screen (see Section 6.31 on page 177) to start or stop data collection and view application statistics.
· Use the Security Statistics > Anti-Malware screen (see Section 6.33 on page 179) to start or stop data collection and view malware statistics.
· Use the Security Statistics > Reputation Filter screen (see Section 6.34 on page 182) to view statistics of IP reputation and URL Threat filtering.
· Use the Security Statistics > IDP screen (Section 6.35 on page 183) to start or stop data collection and view IDP statistics.
· Use the Security Statistics > Email Security > Summary screen (Section 6.36 on page 185) to start or stop data collection and view spam statistics.
· Use the Security Statistics > Email Security > Status screen (Section 6.36.2 on page 187) to see how many mail sessions the Zyxel Device is currently checking and DNSBL statistics.
· Use the Security Statistics > SSL Inspection screen (Section 6.37 on page 188) to see a report on SSL Inspection and a certificate cache list.
· Use the Log > View Log screen (see Section 6.38.1 on page 191) to view the Zyxel Device's current log messages. You can change the way the log is displayed, you can email the log, and you can also clear the log in this screen.
· Use the Log > View AP Log screen (see Section 6.38.2 on page 192) to view the Zyxel Device's current wireless AP log messages.
· Use the Log > Dynamic Users Log screen (see Section 6.38.3 on page 194) to view the Zyxel Device's dynamic guest account log messages.
6.2 The Port Statistics Screen
Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Monitor > System Status > Port Statistics.
Figure 109 Monitor > System Status > Port Statistics
The following table describes the labels in this screen.
Table 29 Monitor > System Status > Port Statistics
LABEL: DESCRIPTION
Poll Interval: Enter how often you want this window to be updated automatically, and click Set Interval.
Set Interval: Click this to set the Poll Interval the screen uses.
Stop: Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
Switch to Graphic View: Click this to display the port statistics as a line graph.
#: This field is a sequential value, and it is not associated with a specific port.
Port: This field displays the physical port number.
Status: This field displays the current status of the physical port.
  Down - The physical port is not connected.
  Speed / Duplex - The physical port is connected. This field displays the port speed and duplex setting (Full or Half).
TxPkts: This field displays the number of packets transmitted from the Zyxel Device on the physical port since it was last connected.
RxPkts: This field displays the number of packets received by the Zyxel Device on the physical port since it was last connected.
Collisions: This field displays the number of collisions on the physical port since it was last connected.
Tx B/s: This field displays the transmission speed, in bytes per second, on the physical port in the one-second interval before the screen updated.
Rx B/s: This field displays the reception speed, in bytes per second, on the physical port in the one-second interval before the screen updated.
Up Time: This field displays how long the physical port has been connected.
System Up Time: This field displays how long the Zyxel Device has been running since it last restarted or was turned on.

6.2.1 The Port Statistics Graph Screen
Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics on the Status screen and then the Switch to Graphic View button.
Figure 110 Monitor > System Status > Port Statistics > Switch to Graphic View
The following table describes the labels in this screen.
Table 30 Monitor > System Status > Port Statistics > Switch to Graphic View
LABEL: DESCRIPTION
Refresh Interval: Enter how often you want this window to be automatically updated.
Refresh Now: Click this to update the information in the window right away.
Port Selection: Select the number of the physical port for which you want to display graphics.
Switch to Grid View: Click this to display the port statistics as a table.
bps: The y-axis represents the speed of transmission or reception.
time: The x-axis shows the time period over which the transmission or reception occurred.
TX: This line represents traffic transmitted from the Zyxel Device on the physical port since it was last connected.
RX: This line represents the traffic received by the Zyxel Device on the physical port since it was last connected.
Last Update: This field displays the date and time the information in the window was last updated.

6.3 Inte rfa c e Sta tus Sc re e n
This screen lists all of the Zyxel Device's interfaces and gives packet statistics for them. Click Mo nito r > Syste m Sta tus > Inte rfa c e Sum m a ry to access this screen.

ZyWALL USG FLEX Series User's Guide
128

Chapter 6 Monitor Fig ure 111 Monitor > System Status > Interface Summary

Each field is described in the following table.

Table 31 Monitor > System Status > Interface Summary

LA BEL Interface Status

DESC RIPTIO N

If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text.

Name

This field displays the name of each interface. If there is an Expa nd icon (plus-sign) next to the name, click this to look at the status of virtual interfaces on top of this interface.

Port/Binding

This field displays the physical port number.

ZyWALL USG FLEX Series User's Guide
129

Chapter 6 Monitor

Table 31 Monitor > System Status > Interface Summary

LA BEL Status

DESC RIPTIO N
This field displays the current status of each interface. The possible values depend on what type of interface it is.

For Ethernet interfaces:

· Ina c tive - The Ethernet interface is disabled. · Do wn - The Ethernet interface does not have any physical ports associated with it or the
Ethernet interface is enabled but not connected. · Spe e d / Duple x - The Ethernet interface is enabled and connected. This field displays the
port speed and duplex setting (Full or Ha lf).
For cellular (mobile broadband) interfaces, see Section 6.13 on page 146 the Web Help for the status that can appear.

For the auxiliary interface:

· Ina c tive - The auxiliary interface is disabled. · C o nne c te d - The auxiliary interface is enabled and connected. · Disc o nne c te d - The auxiliary interface is not connected.
For virtual interfaces, this field always displays Up. If the virtual interface is disabled, it does not appear in the list.

For VLAN and bridge interfaces, this field always displays Up. If the VLAN or bridge interface is disabled, it does not appear in the list.

For PPP interfaces:

· C o nne c te d - The PPP interface is connected. · Disc o nne c te d - The PPP interface is not connected.
If the PPP interface is disabled, it does not appear in the list.

For WLAN interfaces:

Zone IP Addr/Netmask

· Up - The WLAN interface is enabled. · Do wn - The WLAN interface is disabled.
This field displays the zone to which the interface is assigned.
This field displays the current IP address and subnet mask assigned to the interface. If the IP address and subnet mask are 0.0.0.0, the interface is disabled or did not receive an IP address and subnet mask via DHCP.

IP Assignment

If this interface is a member of an active virtual router, this field displays the IP address it is currently using. This is either the static IP address of the interface (if it is the master) or the management IP address (if it is a backup).
This field displays how the interface gets its IP address.

· Sta tic - This interface has a static IP address. · DHC P C lie nt - This interface gets its IP address from a DHCP server.

Services

This field lists which services the interface provides to the network. Examples include DHC P re la y, DHC P se rve r, DDNS, RIP, and O SPF. This field displays n/ a if the interface does not provide any services to the network.

Action

Use this field to get or to update the IP address for the interface. Click Renew to send a new DHCP request to a DHCP server. Click Connect to try to connect a PPPoE/PPTP interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a.

Tunnel Interface Status

This displays the details of the Zyxel Device's configured tunnel interfaces.

Name

This field displays the name of the interface.

Status

The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

ZyWALL USG FLEX Series User's Guide
130

Chapter 6 Monitor


Zone

This field displays the zone to which the interface is assigned.

IP Address

This is the IP address of the interface. If the interface is active (and connected), the Zyxel Device tunnels local traffic sent to this IP address to the Remote Gateway Address.

My Address

This is the interface or IP address the Zyxel Device uses to identify itself to the remote gateway. The Zyxel Device uses this as the source for the packets it tunnels to the remote gateway.

Remote Gateway Address

This is the IP address or domain name of the remote gateway to which this interface tunnels traffic.

Mode

This field displays the tunnel mode that you are using.

IPv6 Interface Status

If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text.

Name

This field displays the name of each interface. If there is an Expand icon (plus-sign) next to the name, click this to look at the status of virtual interfaces on top of this interface.

Port

This field displays the physical port number.

Status

This field displays the current status of each interface. The possible values depend on what type of interface it is.

For Ethernet interfaces:

· Inactive - The Ethernet interface is disabled.
· Down - The Ethernet interface does not have any physical ports associated with it or the Ethernet interface is enabled but not connected.
· Speed/Duplex - The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half).

For cellular (mobile broadband) interfaces, see Section 6.13 on page 146 or the Web Help for the status that can appear.

For the auxiliary interface:

· Inactive - The auxiliary interface is disabled.
· Connected - The auxiliary interface is enabled and connected.
· Disconnected - The auxiliary interface is not connected.
For virtual interfaces, this field always displays Up. If the virtual interface is disabled, it does not appear in the list.

For VLAN and bridge interfaces, this field always displays Up. If the VLAN or bridge interface is disabled, it does not appear in the list.

For PPP interfaces:

· Connected - The PPP interface is connected.
· Disconnected - The PPP interface is not connected.
If the PPP interface is disabled, it does not appear in the list.

For WLAN interfaces:

· Up - The WLAN interface is enabled.
· Down - The WLAN interface is disabled.

Zone

This field displays the zone to which the interface is assigned.

IP Address

This field displays the current IPv6 address assigned to the interface. If the IPv6 address is ::, the interface is disabled or did not receive an IPv6 address via DHCP.

If this interface is a member of an active virtual router, this field displays the IPv6 address it is currently using. This is either the static IPv6 address of the interface (if it is the master) or the management IPv6 address (if it is a backup).


Services

This field lists which services the interface provides to the network. Examples include DHCP relay, DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface does not provide any services to the network.

Action

Use this field to get or to update the IP address for the interface. Click Renew to send a new DHCP request to a DHCP server. Click Connect to try to connect a PPPoE/PPTP interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a.

Interface Statistics

This table provides packet statistics for each interface.

Refresh

Click this button to update the information on the screen.

Name

This field displays the name of each interface. If there is an Expand icon (plus-sign) next to the name, click this to look at the statistics for virtual interfaces on top of this interface.

Status

This field displays the current status of the interface.

· Down - The interface is not connected.
· Speed/Duplex - The interface is connected. This field displays the port speed and duplex setting (Full or Half).

This field displays Connected and the accumulated connection time (hh:mm:ss) when the PPP interface is connected.

TxPkts

This field displays the number of packets transmitted from the Zyxel Device on the interface since it was last connected.

RxPkts

This field displays the number of packets received by the Zyxel Device on the interface since it was last connected.

Tx B/s

This field displays the transmission speed, in bytes per second, on the interface in the one-second interval before the screen updated.

Rx B/s

This field displays the reception speed, in bytes per second, on the interface in the one-second interval before the screen updated.

6.4 The Traffic Statistics Screen
Click Monitor > System Status > Traffic Statistics to display the Traffic Statistics screen. This screen provides basic information about the following, for example:
· Most-visited Web sites and the number of times each one was visited. This count may not be accurate in some cases because the Zyxel Device counts HTTP GET packets. Please see Table 32 on page 133 for more information.
· Most-used protocols or service ports and the amount of traffic on each one
· LAN IP with heaviest traffic and how much traffic has been sent to and from each one
You use the Traffic Statistics screen to tell the Zyxel Device when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually on the Traffic Statistics screen.

Figure 112 Monitor > System Status > Traffic Statistics

There is a limit on the number of records shown in the report. Please see Table 33 on page 134 for more information. The following table describes the labels in this screen.

Table 32 Monitor > System Status > Traffic Statistics

LABEL

DESCRIPTION

Data Collection

Collect Statistics

Select this to have the Zyxel Device collect data for the report. If the Zyxel Device has already been collecting data, the collection period displays to the right. The progress is not tracked here in real time, but you can click the Refresh button to update it.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

Statistics

Interface

Select the interface from which to collect information. You can collect information from Ethernet, VLAN, bridge and PPPoE/PPTP interfaces.

Sort By

Select the type of report to display. Choices are:

· Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one.
· Service/Port - displays the most-used protocols or service ports and the amount of traffic for each one.
· Web Site Hits - displays the most-visited Web sites and how many times each one has been visited.
· Country - displays the countries with the most traffic and the amount of traffic for each one.

Each type of report has different information in the report (below).

Refresh

Click this button to update the report display.

Flush Data

Click this button to discard all of the screen's statistics and update the report display.

These fields are available when the Traffic Type is Host IP Address/User.

#

This field is the rank of each record. The IP addresses and users are sorted by the amount of traffic.

Direction

This field indicates whether the IP address or user is sending or receiving traffic.

· Ingress - traffic is coming from the IP address or user to the Zyxel Device.
· Egress - traffic is going from the Zyxel Device to the IP address or user.

IP Address/User

This field displays the IP address or user in this record. The maximum number of IP addresses or users in this report is indicated in Table 33 on page 134.

Amount

This field displays how much traffic was sent or received from the indicated IP address or user. If the Direction is Ingress, a red bar is displayed; if the Direction is Egress, a blue bar is displayed. The unit of measure is bytes, Kbytes, Mbytes or Gbytes, depending on the amount of traffic for the particular IP address or user. The count starts over at zero if the number of bytes passes the byte count limit. See Table 33 on page 134.

These fields are available when the Traffic Type is Service/Port.

#

This field is the rank of each record. The protocols and service ports are sorted by the amount of traffic.

Service/Port

This field displays the service and port in this record. The maximum number of services and service ports in this report is indicated in Table 33 on page 134.

Protocol

This field indicates what protocol the service was using.

Direction

This field indicates whether the indicated protocol or service port is sending or receiving traffic.

· Ingress - traffic is coming into the Zyxel Device through the interface
· Egress - traffic is going out from the Zyxel Device through the interface

Amount

This field displays how much traffic was sent or received from the indicated service / port. If the Direction is Ingress, a red bar is displayed; if the Direction is Egress, a blue bar is displayed. The unit of measure is bytes, Kbytes, Mbytes, Gbytes, or Tbytes, depending on the amount of traffic for the particular protocol or service port. The count starts over at zero if the number of bytes passes the byte count limit. See Table 33 on page 134.

These fields are available when the Traffic Type is Web Site Hits.

#

This field is the rank of each record. The domain names are sorted by the number of hits.

Web Site

This field displays the domain names most often visited. The Zyxel Device counts each page viewed on a Web site as another hit. The maximum number of domain names in this report is indicated in Table 33 on page 134.

Hits

This field displays how many hits the Web site received. The Zyxel Device counts hits by counting HTTP GET packets. Many Web sites have HTTP GET references to other Web sites, and the Zyxel Device counts these as hits too. The count starts over at zero if the number of hits passes the hit count limit. See Table 33 on page 134.

These fields are available when the Traffic Type is Country.

#

This field is the rank of each record. The country name is sorted by the amount of traffic.

Direction

This field indicates whether the indicated protocol or service port is sending or receiving traffic.

· Ingress - traffic is coming into the Zyxel Device from the country.
· Egress - traffic is going from the Zyxel Device to the country.

Country Name

This field displays the name of the country.

Country

This field displays the country code.

Amount

This field displays how much traffic was sent or received from the indicated country. If the Direction is Ingress, a red bar is displayed; if the Direction is Egress, a blue bar is displayed. The unit of measure is bytes, Kbytes, Mbytes, Gbytes, or Tbytes, depending on the amount of traffic for the particular protocol or service port. The count starts over at zero if the number of bytes passes the byte count limit. See Table 33 on page 134.

The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit.

Table 33 Maximum Values for Reports

LABEL

DESCRIPTION

Maximum Number of Records

20

Byte Count Limit

2^64 bytes; this is just less than 17 million terabytes.

Hit Count Limit

2^64 hits; this is over 1.8 x 10^19 hits.
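The Host IP Address/User and Web Site Hits reports described in Table 32, rebuilt from constructed flow records and captured HTTP GET request headers, as an added example that is not code from the Zyxel guide or the device. The record cap and wrap-around counters follow Table 33; the Flow record layout, the sample requests and the Referer-based count of hits pulled in by other sites' pages are assumptions of this example, included to make the guide's caveat about inflated hit counts visible.

```python
"""Added example (not from the Zyxel guide): rebuild the Traffic Statistics
reports from constructed input, with the Table 33 limits applied."""
from collections import defaultdict
from dataclasses import dataclass

MAX_RECORDS = 20            # Table 33: maximum number of records per report
BYTE_COUNT_LIMIT = 2 ** 64  # Table 33: byte count starts over at zero past this
HIT_COUNT_LIMIT = 2 ** 64   # Table 33: hit count starts over at zero past this
UNITS = ["bytes", "Kbytes", "Mbytes", "Gbytes", "Tbytes"]


@dataclass(frozen=True)
class Flow:
    """One accounted flow on the selected interface (constructed record layout)."""
    host: str       # LAN IP address or user name the traffic belongs to
    direction: str  # "Ingress": host -> Zyxel Device, "Egress": Zyxel Device -> host
    nbytes: int


def wrap_add(counter, amount, limit):
    """Accumulate like the screen's counters: past the limit the count starts over at zero."""
    return (counter + amount) % limit


def format_amount(nbytes):
    """Scale to bytes/Kbytes/Mbytes/Gbytes/Tbytes, as the Amount column does."""
    value, idx = float(nbytes), 0
    while value >= 1024 and idx < len(UNITS) - 1:
        value /= 1024
        idx += 1
    return f"{int(value)} bytes" if idx == 0 else f"{value:.1f} {UNITS[idx]}"


def host_report(flows, max_records=MAX_RECORDS):
    """Host IP Address/User report: one record per (host, direction), ranked by amount."""
    totals = defaultdict(int)
    for f in flows:
        if f.direction not in ("Ingress", "Egress"):
            raise ValueError(f"unknown direction {f.direction!r}")
        key = (f.host, f.direction)
        totals[key] = wrap_add(totals[key], f.nbytes, BYTE_COUNT_LIMIT)
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        {"#": rank, "Direction": d, "IP Address/User": h,
         "Amount": n, "Display": format_amount(n)}
        for rank, ((h, d), n) in enumerate(ranked[:max_records], start=1)
    ]


def parse_get(request):
    """Return (host, referer) for an HTTP GET request header block, else None."""
    lines = request.strip().splitlines()
    if not lines or not lines[0].startswith("GET "):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    return (host, headers.get("referer")) if host else None


def referer_host(url):
    """'https://www.example.com/index.html' -> 'www.example.com'."""
    return url.split("//", 1)[-1].split("/", 1)[0]


def web_site_hits(requests, max_records=MAX_RECORDS):
    """Web Site Hits report: every GET is a hit for its Host, as the screen counts it,
    so GETs that another site's page pulled in count too; "Embedded" shows how many
    of a site's hits came from such references (judged by the Referer header)."""
    hits, embedded = defaultdict(int), defaultdict(int)
    for req in requests:
        parsed = parse_get(req)
        if parsed is None:      # only HTTP GET packets are counted
            continue
        host, referer = parsed
        hits[host] = wrap_add(hits[host], 1, HIT_COUNT_LIMIT)
        if referer and referer_host(referer) != host:
            embedded[host] += 1
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        {"#": rank, "Web Site": h, "Hits": n, "Embedded": embedded[h]}
        for rank, (h, n) in enumerate(ranked[:max_records], start=1)
    ]


# Constructed sample input (not captured from a real device).
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "Ingress", 1_500_000),
    Flow("192.168.1.10", "Egress", 52_000_000),
    Flow("192.168.1.20", "Ingress", 800),
    Flow("192.168.1.20", "Egress", 2048),
    Flow("alice", "Egress", 3 * 1024 ** 3),
]
SAMPLE_GETS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n",
    "GET /style.css HTTP/1.1\r\nHost: www.example.com\r\nReferer: https://www.example.com/index.html\r\n",
    "GET /lib.js HTTP/1.1\r\nHost: cdn.example.net\r\nReferer: https://www.example.com/index.html\r\n",
    "GET /pixel.gif HTTP/1.1\r\nHost: ads.example.org\r\nReferer: https://www.example.com/index.html\r\n",
    "GET /news HTTP/1.1\r\nHost: www.example.com\r\n",
    "POST /login HTTP/1.1\r\nHost: www.example.com\r\n",   # not a GET: not counted
]

if __name__ == "__main__":
    print(*host_report(SAMPLE_FLOWS), sep="\n")
    print(*web_site_hits(SAMPLE_GETS), sep="\n")
```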

6.5 The Session Monitor Screen
The Session Monitor screen displays all established sessions that pass through the Zyxel Device for debugging or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed.
· User who started the session
· Protocol or service port used
· Source address
· Destination address
· Number of bytes received (so far)
· Number of bytes transmitted (so far)
· Duration (so far)
You can look at all established sessions that passed through the Zyxel Device by user, service, source IP address, or destination IP address. You can also filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user.
Click Monitor > System Status > Session Monitor to display the following screen.
Figure 113 Monitor > System Status > Session Monitor

The following table describes the labels in this screen.

Table 34 Monitor > System Status > Session Monitor

LABEL

DESCRIPTION

View

Select how you want the established sessions that passed through the Zyxel Device to be displayed. Choices are:

· sessions by users - display all active sessions grouped by user
· sessions by services - display all active sessions grouped by service or protocol
· sessions by source IP - display all active sessions grouped by source IP address
· session by source region - display all active sessions grouped by where the traffic is coming from by country
· sessions by destination IP - display all active sessions grouped by destination IP address
· sessions by destination region - display all active sessions grouped by where the traffic is going to by country
· all sessions - filter the active sessions by the User, Service, Source Address, and Destination Address, and display each session individually (sorted by user).

Refresh

Click this button to update the information on the screen. The screen also refreshes automatically when you open and close the screen.

The User, Service, Source Address, Destination Address, Source Country and Destination Country fields display if you view all sessions. Select your desired filter criteria and click the Refresh button to filter the list of sessions.

User

This field displays when View is set to all sessions. Type the user whose sessions you want to view. It is not possible to type part of the user name or use wildcards in this field; you must enter the whole user name.

Service

This field displays when View is set to all sessions. Select the service or service group whose sessions you want to view. The Zyxel Device identifies the service by comparing the protocol and destination port of each packet to the protocol and port of each service that is defined.

Source Address

This field displays when View is set to all sessions. Type the source IP address whose sessions you want to view. You cannot include the source port.

Source Country

This field displays when View is set to all sessions. Select the country where the traffic is coming from.

Destination Address

This field displays when View is set to all sessions. Type the destination IP address whose sessions you want to view. You cannot include the destination port.

Destination Country

This field displays when View is set to all sessions. Select the country where the traffic is going to.

Search

Click this to display all sessions in the table below according to the criteria you defined above.

Clear / Clear All

Administrators can use these buttons to forcibly terminate selected TCP/UDP connections. Select one or multiple connections and then click Clear; click Clear All to terminate all connections displayed. Cleared sessions display on the Log > View Log screen.

#

This field is the rank of each record. The names are sorted by the name of the user in the active session. You can use the pull-down menu on the right to choose the sorting method.

User

This field displays the user in each active session.

If you are looking at the sessions by users (or all sessions) report, click + or - to display or hide details about a user's sessions.

Service

This field displays the protocol used in each active session.

If you are looking at the sessions by services report, click + or - to display or hide details about a protocol's sessions.

Source

This field displays the source IP address and port in each active session.

If you are looking at the sessions by source IP report, click + or - to display or hide details about a source IP address's sessions.

Source Country

This field displays the source country in each active session.

Destination

This field displays the destination IP address and port in each active session.

If you are looking at the sessions by destination IP report, click + or - to display or hide details about a destination IP address's sessions.

Destination Country

This field displays the destination country in each active session.

Rx

This field displays the amount of information received by the source in the active session.

Tx

This field displays the amount of information transmitted by the source in the active session.

Duration

This field displays the length of the active session in seconds.

6.6 The Login Users Screen
Use this screen to look at a list of the users currently logged into the Zyxel Device. To access this screen, click Monitor > System Status > Login Users.
Figure 114 Monitor > System Status > Login Users

The following table describes the labels in this screen.

Table 35 Monitor > System Status > Login Users

LABEL

DESCRIPTION

Force Logout

Select a user ID and click this icon to end a user's session.

#

This field is a sequential value and is not associated with any entry.

User ID

This field displays the user name of each user who is currently logged in to the Zyxel Device.

Reauth/Lease Time

This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user.

Session Timeout

This field displays the total amount of time the account (authenticated by an external server) can use to log into the Zyxel Device or access the Internet through the Zyxel Device.

This shows unlimited for an administrator account.

Type

This field displays the way the user logged in to the Zyxel Device.

IP Address

This field displays the IP address of the computer used to log in to the Zyxel Device.

Country

The Internet Assigned Numbers Authority (IANA) has reserved the following blocks of Private IP addresses specifically for private networks:

· 10.0.0.0-10.255.255.255
· 172.16.0.0-172.31.255.255
· 192.168.0.0-192.168.255.255
· 224.0.0.0-239.255.255.255

MAC

This field displays the MAC address of the computer used to log in to the Zyxel Device.

User Info

This field displays the types of user accounts the Zyxel Device uses. If the user type is ext-user (external user), this field will show its external-group information when you move your mouse over it.

If the external user matches two external-group objects, both external-group object names will be shown.

Acct. Status

For a captive portal login, this field displays the accounting status of the account used to log into the Zyxel Device.

Accounting-on means accounting is being performed for the user login.

Accounting-off means accounting has stopped for this user login.

A "-" displays if accounting is not enabled for this login.

RADIUS Profile Name

This field displays the name of the RADIUS profile used to authenticate the login through the captive portal. N/A displays for logins that do not use the captive portal and RADIUS server authentication.

Refresh

Click this button to update the information on the screen.

6.7 Dynamic Guest
A dynamic guest account has a dynamically-created user name and password that allows a guest user to access the Internet or the Zyxel Device's services in a specified period of time. Multiple dynamic guest accounts can be automatically generated at one time for guest users by using the web configurator and the guest-manager account. Guest users can log in with the dynamic accounts when connecting to an SSID for a specified time unit. Use this screen to look at a list of dynamic guest user accounts on the Zyxel Device's local database. To access this screen, click Monitor > System Status > Dynamic Guest.
Figure 115 Monitor > System Status > Dynamic Guest

The following table describes the labels in this screen.

Table 36 Monitor > System Status > Dynamic Guest

LABEL

DESCRIPTION

Dynamic Guest List

Remove

Select an entry and click this button to remove it from the list.

Note: If you delete a valid user account which is in use, the Zyxel Device ends the user session.

#

This field is a sequential value and is not associated with any entry.

Status

This field displays whether the dynamic user account is active or not.

Username

This field displays the user name of the dynamic user account.

Create Time

This field displays when the dynamic user account was created.

Remaining Time

This field displays the amount of Internet access time remaining for each dynamic user account.

Time Period

This field displays the duration of Internet access for the dynamic user account.


Expiration Time

This field displays the date and time the Internet access becomes invalid. Once the time allocated to a dynamic account is used up or a dynamic account remains unused after the expiration time, the account is deleted from the account list.

Quota (T/U/D)

This field displays how much data in both directions (Total) or upstream data (Upload) and downstream data (Download) can be transmitted through the WAN interface before the Internet access expires.

Remaining Quota This field displays how much more data can be transmitted through the WAN interface before the Internet access expires.

Bandwidth (U/D) This field displays the maximum upstream (Upload) and downstream (Download) bandwidth allowed for the dynamic user account in kilobits per second.

Charge

This field displays access price per time unit.

Payment Info

This field displays the method of payment for each account.

Real Name

This field displays the user's name of the account.

Email

This field displays the email address of the account.

Phone Number This displays the user's phone number.

User Role

This field displays the role of the account.

The following table describes the icons in this screen.

Table 37 Monitor > System Status > Dynamic Guest Icons

LA BEL

DESC RIPTIO N

This guest account is un-used.

This guest account is in use and online.

This guest account has been used but is offline now.

This guest account expired.

This guest account has been deleted.

6.8 IGMP Statistics
The Internet Group Management Protocol (IGMP) is used by IP hosts on the Zyxel Device's networks to inform adjacent routers about their multicast group memberships. It is also used for one-to-many networking applications such as online streaming video and gaming, distribution of company newsletters, and updating the address books of mobile computer users in the field, allowing more efficient use of resources when supporting these types of applications. Click Monitor > System Status > IGMP Statistics to open the following screen.

Figure 116 Monitor > System Status > IGMP Statistics

The following table describes the labels in this screen.

Table 38 Monitor > System Status > IGMP Statistics

LA BEL

DESC RIPTIO N

#

This field is a sequential value, and it is not associated with a specific IGMP Statistics entry.

Group

This field displays the group of devices in the IGMP.

Source IP

This field displays the host source IP information of the IGMP.

Incoming Interface

This field displays the incoming interface that's connected on the IGMP.

Packet Count

This field displays the packet size of the data being transferred.

Bytes

This field displays the size of the data being transferred in bytes.

Outgoing Interface

This field displays the outgoing interface that's connected on the IGMP.

Refresh

Click this button to update the information on the screen.

6.9 The DDNS Status Screen
The DDNS Status screen shows the status of the Zyxel Device's DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen.
Figure 117 Monitor > System Status > DDNS Status


The following table describes the labels in this screen.

Table 39 Monitor > System Status > DDNS Status

LA BEL

DESC RIPTIO N

Update

Click this to have the Zyxel Device update the profile to the DDNS server. The Zyxel Device attempts to resolve the IP address for the domain name.

#

This field is a sequential value, and it is not associated with a specific DDNS server.

Profile Name

This field displays the descriptive profile name for this entry.

Domain Name

This field displays each domain name the Zyxel Device can route.

Effective IP

This is the (resolved) IP address of the domain name.

Last Update

This shows whether the last attempt to resolve the IP address for the domain name was successful or not. Updating means the Zyxel Device is currently attempting to resolve the IP address for the domain name.

Last Update Time

This shows when the last attempt to resolve the IP address for the domain name occurred (in year-month-day hour:minute:second format).

Refresh

Click this button to update the information on the screen.

6.10 IP/MAC Binding
Click Monitor > System Status > IP/MAC Binding to open the IP/MAC Binding screen. This screen lists the devices that have received an IP address from Zyxel Device interfaces with IP/MAC binding enabled and have ever established a session with the Zyxel Device. Devices that have never established a session with the Zyxel Device do not display in the list.
Figure 118 Monitor > System Status > IP/MAC Binding

The following table describes the labels in this screen.

Table 40 Monitor > System Status > IP/MAC Binding

LA BEL

DESC RIPTIO N

Interface

Select a Zyxel Device interface that has IP/MAC binding enabled to show to which devices it has assigned an IP address.

#

This field is a sequential value, and it is not associated with a specific IP/MAC binding entry.

IP Address

This is the IP address that the Zyxel Device assigned to a device.

Host Name

This field displays the name used to identify this device on the network (the computer name). The Zyxel Device learns these from the DHCP client requests.


MAC Address

This field displays the MAC address to which the IP address is currently assigned.

Last Access

This is when the device last established a session with the Zyxel Device through this interface.

Description

This field displays the description of the IP/MAC binding.

Refresh

Click this button to update the information on the screen.

6.11 Cellular Status Screen
This screen displays your mobile broadband connection status. Click Monitor > System Status > Cellular Status to display this screen.
Figure 119 Monitor > System Status > Cellular Status

The following table describes the labels in this screen.

Table 41 Monitor > System Status > Cellular Status

LA BEL

DESC RIPTIO N

Refresh

Click this button to update the information on the screen.

More Information

Click this to display more information on your mobile broadband, such as the signal strength, IMEI/ESN and IMSI. This is only available when the mobile broadband device is attached to and activated on your Zyxel Device. Refer to Section 6.11.1 on page 144.

#

This field is a sequential value, and it is not associated with any interface.

Extension Slot

This field displays where the entry's cellular card is located.

Connected Device

This field displays the model name of the cellular card.


Status

· No device - no mobile broadband device is connected to the Zyxel Device.
· No Service - no mobile broadband network is available in the area; you cannot connect to the Internet.
· Limited Service - returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service and so on; you cannot connect to the Internet.
· Device detected - displays when you connect a mobile broadband device.
· Device error - a mobile broadband device is connected but there is an error.
· Probe device fail - the Zyxel Device's test of the mobile broadband device failed.
· Probe device ok - the Zyxel Device's test of the mobile broadband device succeeded.
· Init device fail - the Zyxel Device was not able to initialize the mobile broadband device.
· Init device ok - the Zyxel Device initialized the mobile broadband card.
· Check lock fail - the Zyxel Device's check of whether or not the mobile broadband device is locked failed.
· Device locked - the mobile broadband device is locked.
· SIM error - there is a SIM card error on the mobile broadband device.
· SIM locked-PUK - the PUK is locked on the mobile broadband device's SIM card.
· SIM locked-PIN - the PIN is locked on the mobile broadband device's SIM card.
· Unlock PUK fail - Your attempt to unlock a WCDMA mobile broadband device's PUK failed because you entered an incorrect PUK.
· Unlock PIN fail - Your attempt to unlock a WCDMA mobile broadband device's PIN failed because you entered an incorrect PIN.
· Unlock device fail - Your attempt to unlock a CDMA2000 mobile broadband device failed because you entered an incorrect device code.
· Device unlocked - You entered the correct device code and unlocked a CDMA2000 mobile broadband device.
· Get dev-info fail - The Zyxel Device cannot get cellular device information.
· Get dev-info ok - The Zyxel Device succeeded in retrieving mobile broadband device information.
· Searching network - The mobile broadband device is searching for a network.
· Get signal fail - The mobile broadband device cannot get a signal from a network.
· Network found - The mobile broadband device found a network.
· Apply config - The Zyxel Device is applying your configuration to the mobile broadband device.
· Inactive - The mobile broadband interface is disabled.
· Active - The mobile broadband interface is enabled.
· Incorrect device - The connected mobile broadband device is not compatible with the Zyxel Device.
· Correct device - The Zyxel Device detected a compatible mobile broadband device.
· Set band fail - Applying your band selection was not successful.
· Set band ok - The Zyxel Device successfully applied your band selection.
· Set profile fail - Applying your ISP settings was not successful.
· Set profile ok - The Zyxel Device successfully applied your ISP settings.
· PPP fail - The Zyxel Device failed to create a PPP connection for the cellular interface.
· Need auth-password - You need to enter the password for the mobile broadband card on the cellular edit screen.
· Device ready - The Zyxel Device successfully applied all of your configuration and you can use the mobile broadband connection.

Service Provider

This displays the name of your network service provider. It shows Limited Service if the service provider has stopped service to the mobile broadband card, for example because the bill has not been paid or the account has expired.

ZyWALL USG FLEX Series User's Guide
143

Chapter 6 Monitor

Table 41 Monitor > System Status > Cellular Status (continued)

LABEL

DESCRIPTION

Cellular System

This field displays what type of cellular network the mobile broadband connection is using. The network type varies depending on the mobile broadband card you inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a GSM mobile broadband card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you insert a CDMA mobile broadband card.

Signal Quality

This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your Zyxel Device and the service provider's base station.

6.11.1 More Information
This screen displays more information on your mobile broadband connection, such as the signal strength, and the IMEI/ESN and IMSI that identify your mobile broadband device and SIM card. Click Monitor > System Status > Cellular Status > More Information to display this screen.
Note: This screen is only available when the mobile broadband device is attached to and activated on the Zyxel Device.
Fig ure 120 Monitor > System Status > Cellular Status > More Information

The following table describes the labels in this screen.

Table 42 Monitor > System Status > Cellular Status > More Information

LABEL

DESCRIPTION

Extension Slot

This field displays where the entry's cellular card is located.

Service Provider

This displays the name of your network service provider. It shows Limited Service if the service provider has stopped service to the mobile broadband card, for example because the bill has not been paid or the account has expired.


Table 42 Monitor > System Status > Cellular Status > More Information (continued)

LABEL

DESCRIPTION

Cellular System

This field displays what type of cellular network the mobile broadband connection is using. The network type varies depending on the mobile broadband card you inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a GSM mobile broadband card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you insert a CDMA mobile broadband card.

Signal Strength

This displays the received signal strength measured in dBm.

Signal Quality

This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your Zyxel Device and the service provider's base station.

Device Manufacturer

This shows the name of the company that produced the mobile broadband device.

Device Model

This field displays the model name of the cellular card.

Device Firmware

This shows the software version of the mobile broadband device.

Device IMEI/ESN

IMEI (International Mobile Equipment Identity) is a 15-digit decimal code that identifies the mobile broadband device. ESN (Electronic Serial Number) is an 8-digit hexadecimal code that identifies the mobile broadband device.

SIM Card IMSI

IMSI (International Mobile Subscriber Identity) is a 15-digit code that identifies the SIM card.

6.12 The UPnP Port Status Screen
Use this screen to look at the NAT port mapping rules that UPnP creates on the Zyxel Device. UPnP lets hosts on the LAN request these inbound mappings themselves, without an administrator adding a NAT rule, so review this list for entries you do not expect and remove them. To access this screen, click Monitor > System Status > UPnP Port Status.
Fig ure 121 Monitor > System Status > UPnP Port Status

The following table describes the labels in this screen.

Table 43 Monitor > System Status > UPnP Port Status

LABEL

DESCRIPTION

Remove

Select an entry and click this button to remove it from the list.

#

This is the index number of the UPnP-created NAT mapping rule entry.


Table 43 Monitor > System Status > UPnP Port Status (continued)

LABEL

DESCRIPTION

Remote Host

This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank.

When the field is blank, the Zyxel Device forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port, whatever its source address.

When this field displays an external IP address, the NAT rule has the Zyxel Device forward inbound packets to the Internal Client from that IP address only.

External Port

This field displays the port number on which the Zyxel Device listens (on the WAN port) for connection requests destined for the NAT rule's Internal Port and Internal Client. The Zyxel Device forwards incoming packets (from the WAN) with this port number to the Internal Client on the Internal Port (on the LAN). If the field displays "0", the Zyxel Device ignores the Internal Port value and forwards requests on all external port numbers that are otherwise unmapped to the Internal Client; in effect every unmapped WAN port then reaches that client.

Protocol

This field displays the protocol of the NAT mapping rule (TCP or UDP).

Internal Port

This field displays the port number on the Inte rna l C lie nt to which the Zyxel Device should forward incoming connection requests.

Internal Client

This field displays the DNS host name or IP address of a client on the LAN. Multiple NAT clients can use a single port simultaneously if the internal client field is set to 255.255.255.255 for UDP mappings.

Internal Client Type

This field displays the type of the client application on the LAN.

Description

This field displays a text explanation of the NAT mapping rule.

Delete All

Click this to remove all mapping rules from the NAT table.

Refresh

Click this button to update the information on the screen.
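The mappings on this screen are the same ones any LAN host can read back from the Zyxel Device over UPnP. The following Python script is an added example written for this guide, not Zyxel code: it builds the WANIPConnection GetGenericPortMappingEntry request, parses the replies into the columns above, and flags the entries a reviewer should look at first (a blank Remote Host, an External Port of 0, or a lease that never expires). The SOAP replies it parses are constructed samples so it runs offline; the action and argument names are the standard UPnP IGD ones, while the sample addresses, descriptions and the risk labels are the example's own.

```python
"""Enumerate and audit UPnP IGD port mappings (added example, not Zyxel code).

A UPnP client on the LAN creates each entry on the screen above by calling
AddPortMapping on the router's WANIPConnection service; the same service's
GetGenericPortMappingEntry action returns entry number N, and a SOAP fault
(UPnP error 713, SpecifiedArrayIndexInvalid) marks the end of the table.
The request builder and reply parser below are what an auditing script
sends and receives; the replies here are constructed samples so the code
runs offline.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_get_mapping_request(index: int) -> str:
    """SOAP body for GetGenericPortMappingEntry; index counts up from 0."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )


def parse_get_mapping_response(xml_text: str) -> Optional[dict]:
    """Decode one reply into the screen's columns; None on a SOAP fault."""
    body = ET.fromstring(xml_text.strip()).find(f"{{{SOAP_NS}}}Body")
    if body is None or body.find(f"{{{SOAP_NS}}}Fault") is not None:
        return None
    resp = body.find(f"{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None

    def field(tag: str) -> str:
        return (resp.findtext(tag) or "").strip()

    return {
        "remote_host": field("NewRemoteHost"),
        "external_port": int(field("NewExternalPort")),
        "protocol": field("NewProtocol"),
        "internal_port": int(field("NewInternalPort")),
        "internal_client": field("NewInternalClient"),
        "enabled": field("NewEnabled") == "1",
        "description": field("NewPortMappingDescription"),
        "lease_seconds": int(field("NewLeaseDuration") or "0"),
    }


def risk_flags(mapping: dict) -> list:
    """Conditions a reviewer should look at, per the column notes above."""
    flags = []
    if mapping["remote_host"] == "":
        flags.append("wildcard-remote-host")       # any WAN source reaches the client
    if mapping["external_port"] == 0:
        flags.append("external-port-0-catch-all")  # all unmapped WAN ports forwarded
    if mapping["lease_seconds"] == 0:
        flags.append("permanent-lease")            # never expires on its own
    return flags


def audit(replies) -> list:
    """Walk replies in index order until the first fault; return findings."""
    findings = []
    for index, reply in enumerate(replies):
        mapping = parse_get_mapping_response(reply)
        if mapping is None:
            break
        findings.append((index, mapping, risk_flags(mapping)))
    return findings


def _reply(remote, ext, proto, internal, client, desc, lease):
    """Build a constructed sample reply in the IGD's response format."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
        f"<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed samples: two mappings, then the fault that ends enumeration.
SAMPLE_REPLIES = [
    _reply("", 51413, "TCP", 51413, "192.168.1.50", "file-sharing client", 0),
    _reply("203.0.113.7", 3389, "TCP", 3389, "192.168.1.20", "remote desktop", 3600),
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
    "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
    '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
    "<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid"
    "</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>",
]

if __name__ == "__main__":
    for index, mapping, flags in audit(SAMPLE_REPLIES):
        print(index, mapping["protocol"], mapping["external_port"], "->",
              mapping["internal_client"], mapping["internal_port"], flags)
```

Against a live device the same loop would POST each request to the WANIPConnection control URL found through SSDP discovery and stop at the first 713 fault; the parsing and the flags are unchanged.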

6.13 USB Storage Screen
This screen displays information about a connected USB storage device. Click Monitor > System Status > USB Storage to display this screen.
Fig ure 122 Monitor > System Status > USB Storage

The following table describes the labels in this screen.

Table 44 Monitor > System Status > USB Storage

LABEL

DESCRIPTION

Device description

This is a basic description of the type of USB device.

Usage

This field displays how much of the USB storage device's capacity is currently being used out of its total capacity and what percentage that makes.


Table 44 Monitor > System Status > USB Storage (continued)

LABEL

DESCRIPTION

Filesystem

This field displays what file system the USB storage device is formatted with. This field displays Unknown if the file system of the USB storage device is not supported by the Zyxel Device, such as NTFS.

Speed

This field displays the connection speed the USB storage device supports.

Status

Ready - you can have the Zyxel Device use the USB storage device.

Click Remove Now to stop the Zyxel Device from using the USB storage device so you can remove it.

Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the Zyxel Device cannot mount it.

Click Use It to have the Zyxel Device mount a connected USB storage device. This button is grayed out if the file system is not supported (unknown) by the Zyxel Device.

none - no USB storage device is connected.

Detail

This field displays any other information the Zyxel Device retrieves from the USB storage device.

· Deactivated - the use of a USB storage device is disabled (turned off) on the Zyxel Device.
· OutofSpace - the available disk space is less than the disk space full threshold.
· Mounting - the Zyxel Device is mounting the USB storage device.
· Removing - the Zyxel Device is unmounting the USB storage device.
· none - the USB device is operating normally or not connected.

6.14 Ethernet Neighbor Screen
The Ethernet Neighbor screen allows you to view the Zyxel Device's neighboring devices in one place.
It uses Smart Connect, that is, Link Layer Discovery Protocol (LLDP), for discovering and configuring LLDP-aware devices in the same broadcast domain as the Zyxel Device that you are logged into using the web configurator.
LLDP is a layer-2 protocol that allows a network device to advertise its identity and capabilities on the local network. It also allows the device to maintain and store information from adjacent devices that are directly connected to it. This helps you discover network changes and perform necessary network reconfiguration and management. LLDP advertisements are not authenticated, so treat the neighbor list as informational rather than as proof of a device's identity.
Note: Enable Smart Connect on the System > ZON screen.
See also System > ZON for more information on the Zyxel One Network (ZON) utility, which uses the Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices on the same network as the computer on which the ZON utility is installed.
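The following Python parser is an added example for this guide, not Zyxel code. It decodes the TLVs of an LLDP data unit, which is what populates the Ethernet Neighbor screen, and rejects frames whose TLV lengths run past the end of the data. The sample LLDPDU is constructed inline (the MAC address, port name, system name and management address are invented); the TLV type numbers and ID subtypes are the IEEE 802.1AB values.

```python
"""Decode an LLDP data unit (added example, not Zyxel code).

Each neighbor on the Ethernet Neighbor screen got there by sending LLDP
frames (EtherType 0x88CC, destination 01:80:c2:00:00:0e). The payload is a
sequence of TLVs: a 16-bit header holding a 7-bit type and a 9-bit length,
then the value. Chassis ID, Port ID and TTL are mandatory and come first;
System Name, System Description, Port Description and Management Address
are what fill the screen's name, firmware, port and IP columns. Nothing in
LLDP is authenticated, so every length is checked before it is trusted.
"""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP, TLV_MGMT_ADDR = 4, 5, 6, 7, 8
MAC_SUBTYPE, IFNAME_SUBTYPE, AFN_IPV4 = 4, 5, 1   # IEEE 802.1AB / IANA values


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: type in the top 7 bits, length in the low 9 bits."""
    if not 0 <= tlv_type <= 0x7F or len(value) > 0x1FF:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def _decode_id(value: bytes) -> str:
    """Chassis ID / Port ID: first byte is the subtype, rest is the ID."""
    if not value:
        raise ValueError("empty ID TLV")
    subtype, data = value[0], value[1:]
    if subtype == MAC_SUBTYPE and len(data) == 6:
        return ":".join(f"{b:02x}" for b in data)
    return data.decode("utf-8", errors="replace")


def _decode_mgmt_addr(value: bytes) -> str:
    """Management Address: addr-length, addr-subtype (AFN), address, ..."""
    if not value or value[0] < 1 or 1 + value[0] > len(value):
        raise ValueError("bad management address length")
    subtype, addr = value[1], value[2:1 + value[0]]
    if subtype == AFN_IPV4 and len(addr) == 4:
        return ".".join(str(b) for b in addr)
    return addr.hex()


def parse_lldpdu(data: bytes) -> dict:
    """Return the decoded fields; raise ValueError on any malformed TLV."""
    out, i = {}, 0
    while True:
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        (hdr,) = struct.unpack_from("!H", data, i)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV {tlv_type} claims {length} bytes, {len(value)} present")
        i += 2 + length
        if tlv_type == TLV_END:
            break
        if tlv_type == TLV_CHASSIS_ID:
            out["chassis_id"] = _decode_id(value)
        elif tlv_type == TLV_PORT_ID:
            out["port_id"] = _decode_id(value)
        elif tlv_type == TLV_TTL:
            if length != 2:
                raise ValueError("TTL TLV must be 2 bytes")
            out["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_PORT_DESC:
            out["port_desc"] = value.decode("utf-8", errors="replace")
        elif tlv_type == TLV_SYS_NAME:
            out["system_name"] = value.decode("utf-8", errors="replace")
        elif tlv_type == TLV_SYS_DESC:
            out["system_desc"] = value.decode("utf-8", errors="replace")
        elif tlv_type == TLV_SYS_CAP:
            if length != 4:
                raise ValueError("System Capabilities TLV must be 4 bytes")
            out["capabilities"], out["enabled_capabilities"] = struct.unpack("!HH", value)
        elif tlv_type == TLV_MGMT_ADDR:
            out["mgmt_addr"] = _decode_mgmt_addr(value)
        # Organizationally specific (127) and unknown types are skipped.
    for required in ("chassis_id", "port_id", "ttl"):
        if required not in out:
            raise ValueError(f"mandatory TLV missing: {required}")
    return out


# Constructed sample LLDPDU from a hypothetical neighbor switch "switch-01".
SAMPLE_LLDPDU = (
    tlv(TLV_CHASSIS_ID, bytes([MAC_SUBTYPE]) + bytes.fromhex("5cd99b112233"))
    + tlv(TLV_PORT_ID, bytes([IFNAME_SUBTYPE]) + b"ge3")
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + tlv(TLV_PORT_DESC, b"LAN port 3")
    + tlv(TLV_SYS_NAME, b"switch-01")
    + tlv(TLV_SYS_DESC, b"Example switch, firmware 4.60")
    + tlv(TLV_SYS_CAP, struct.pack("!HH", 0x0004, 0x0004))   # bridge, enabled
    + tlv(TLV_MGMT_ADDR, bytes([5, AFN_IPV4, 192, 168, 1, 2, 2]) + struct.pack("!I", 3) + b"\x00")
    + tlv(TLV_END, b"")
)

if __name__ == "__main__":
    for key, val in parse_lldpdu(SAMPLE_LLDPDU).items():
        print(f"{key:22} {val}")
```

A TTL of 0 in a real frame means the neighbor is withdrawing its entry, which is why the screen's entries disappear without a refresh when a device is unplugged and sends a final shutdown advertisement.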
Click Monitor > System Status > Ethernet Neighbor to see the following screen.

Figure 123 Monitor > System Status > Ethernet Neighbor

The following table describes the fields on the previous screen.

Table 45 Monitor > System Status > Ethernet Neighbor

LABEL

DESCRIPTION

Local Port (Description)

This field displays the port of the Zyxel Device on which the neighboring device is discovered.

For Zyxel Devices that support Port Role, if ports 3 to 5 are grouped together and there is a connection to P5 only, the Zyxel Device displays P3 as the interface port number (even though there is no connection to that port).

Model Name

This field displays the model name of the discovered device.

System Name

This field displays the system name of the discovered device.

Firmware Version

This field displays the firmware version of the discovered device.

Port (Description)

This field displays the first internal port on the discovered device. Internal is an interface type displayed on the Network > Interface > Ethernet > Edit screen. For example, if P1 and P2 are WAN, P3 to P5 are LAN, and P6 is DMZ, then the Zyxel Device displays P3 as the first internal interface port number.

For Zyxel Devices that support Port Role, if ports 3 to 5 are grouped together and there is a connection to P5 only, the Zyxel Device displays P3 as the first internal interface port number (even though there is no connection to that port).

IP Address

This field displays the IP address of the discovered device.

MAC Address

This field displays the MAC address of the discovered device.

Refresh

Click this button to update the information on the screen.

6.15 FQDN Object Screen
Click Monitor > System Status > FQDN Object to open the FQDN Object screen. This screen shows the FQDN-to-IP address mappings cached on the Zyxel Device. An FQDN is resolved to its IP address using the DNS server configured on the Zyxel Device. If the Zyxel Device receives a DNS query for an FQDN for which it already has a cache entry, it can answer with the cached IP address without querying a DNS name server. The Zyxel Device refreshes an FQDN-to-IP address mapping when its TTL (Time To Live) expires.
You can configure FQDN objects in Configuration > Object > Address/Geo IP > Address or Configuration > Object > Address/Geo IP > Address Group.
FQDN objects can be used in Security Policy, Policy Route, BWM and Web Authentication profiles as source and destination criteria. An FQDN with a wildcard (for example, *.zyxel.com) can be used in these profiles as destination criteria only.
Suppose you want to block certain users from going to a website whose IP address changes dynamically, for example through DDNS. Create an FQDN object for the website in Object > Address, then create a Security Policy in Security Policy > Policy Control > Add. Use the FQDN object to identify the website as the destination, and specify the users to block. When a user tries to connect to the forbidden website, the Zyxel Device first records the IP address to website mapping from the response to the user's DNS query and then finds the FQDN object match. The Security Policy that uses this FQDN object can then block the configured users from accessing the website.
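The scenario above, as an added Python example written for this guide (not Zyxel code): a small cache of FQDN-to-IP mappings keyed by object name, fed from DNS answers and expiring on TTL, with a simplified policy that denies the configured users only while the destination IP is in the object's live cache. Object, policy and user names and the IP addresses are invented, and the wildcard rule treats *.example.com as covering any depth below example.com, which is an assumption. The example also makes the dependency visible: before the user's DNS answer has passed through the Zyxel Device, or after the TTL expires, there is no mapping and the policy cannot match, which is why a client that already holds the address does not hit the rule.

```python
"""FQDN-object cache and policy match (added example, not Zyxel code).

Models the behaviour described above: the device learns FQDN-to-IP mappings
from the DNS answers it handles, keeps each one for the answer's TTL, and a
Security Policy whose destination is an FQDN object matches a packet only
while the packet's destination IP is in that object's live cache. Wildcard
objects are accepted as destination criteria only, as stated above. The
clock is injectable so TTL expiry can be exercised without waiting.
"""
import time
from collections import defaultdict


class ManualClock:
    """Stand-in for time.monotonic() that the caller advances by hand."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class FqdnObject:
    """One Configuration > Object > Address entry of type FQDN."""

    def __init__(self, name: str, pattern: str):
        self.name = name
        self.pattern = pattern.lower().rstrip(".")
        self.wildcard = self.pattern.startswith("*.")

    def matches_name(self, fqdn: str) -> bool:
        fqdn = fqdn.lower().rstrip(".")
        if self.wildcard:
            # Assumption: "*.example.com" covers any depth below example.com.
            return fqdn.endswith(self.pattern[1:])
        return fqdn == self.pattern


class FqdnCache:
    """Object name -> {ip: expiry}, the table the FQDN Object screen shows."""

    def __init__(self, objects, clock=time.monotonic):
        self.objects = {obj.name: obj for obj in objects}
        self.clock = clock
        self.entries = defaultdict(dict)

    def learn(self, fqdn: str, ip: str, ttl: int) -> None:
        """Record an A/AAAA answer for every object whose pattern matches."""
        expiry = self.clock() + ttl
        for obj in self.objects.values():
            if obj.matches_name(fqdn):
                self.entries[obj.name][ip] = expiry

    def live_ips(self, object_name: str) -> set:
        """IPs still within their TTL; expired ones are purged on the way."""
        now, table = self.clock(), self.entries[object_name]
        for ip in [ip for ip, exp in table.items() if exp <= now]:
            del table[ip]
        return set(table)

    def ttl_remaining(self, object_name: str, ip: str) -> int:
        exp = self.entries[object_name].get(ip)
        return max(0, int(exp - self.clock())) if exp is not None else 0


class SecurityPolicy:
    """Simplified Policy Control rule: which source IPs may reach which FQDN object."""

    def __init__(self, name, cache, dst_object, action, src_ips=(), src_object=None):
        for obj_name in (src_object, dst_object):
            if obj_name is not None and obj_name not in cache.objects:
                raise KeyError(f"unknown FQDN object: {obj_name}")
        if src_object is not None and cache.objects[src_object].wildcard:
            raise ValueError("wildcard FQDN objects can only be destination criteria")
        self.name, self.cache, self.action = name, cache, action
        self.src_ips, self.src_object, self.dst_object = set(src_ips), src_object, dst_object

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if self.src_ips and src_ip not in self.src_ips:
            return False
        if self.src_object and src_ip not in self.cache.live_ips(self.src_object):
            return False
        return dst_ip in self.cache.live_ips(self.dst_object)


def decide(policies, src_ip: str, dst_ip: str, default: str = "allow"):
    """First matching rule wins, as in an ordered policy table."""
    for pol in policies:
        if pol.matches(src_ip, dst_ip):
            return pol.action, pol.name
    return default, None


if __name__ == "__main__":
    clock = ManualClock()
    cache = FqdnCache([FqdnObject("forbidden-site", "*.forbidden.example")], clock)
    block = SecurityPolicy("block-users", cache, "forbidden-site", "deny", src_ips={"192.168.1.10"})
    print(decide([block], "192.168.1.10", "198.51.100.10"))      # nothing cached yet
    cache.learn("www.forbidden.example", "198.51.100.10", ttl=60)  # user's DNS answer seen
    print(decide([block], "192.168.1.10", "198.51.100.10"))      # mapping live: deny
    clock.now += 61                                              # TTL expired, mapping dropped
    print(decide([block], "192.168.1.10", "198.51.100.10"))
```

The first and last lookups return the default because the cache holds no live mapping; only the lookup between the DNS answer and the TTL expiry hits the deny rule.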
Fig ure 124 Monitor > System Status > FQDN Object

The following table describes the fields on the previous screen.

Table 46 Monitor > System Status > FQDN Object

LABEL

DESCRIPTION

IPv4 FQDN Object Cache List

You must first configure IPv4 FQDN objects in Configuration > Object > Address/Geo IP in the IPv4 Address Configuration field.

FQDN Object

Select a previously created object from the drop-down list box to display related FQDN object caches used in DNS queries.

#

This is the index number of the FQDN entry.

Name

This field displays the name of the selected FQDN object used in DNS queries.

FQDN

This field displays a host's fully qualified domain name.

IP Address

This field displays the mapping of the FQDN to an IP address. This is the IP address of a host.

TTL

This field displays the number of seconds the Zyxel Device holds the IP address to FQDN object mapping in its cache. The mapping is updated when the TTL (Time To Live) expires.

IPv6 FQDN Object Cache List

You must first configure IPv6 FQDN objects in Configuration > Object > Address/Geo IP in the IPv6 Address Configuration field.


Table 46 Monitor > System Status > FQDN Object (continued)

LABEL

DESCRIPTION

FQDN Object

Select an object from the drop-down list box to display related IPv6 FQDN object caches used in DNS queries.

#

This is the index number of the IPv6 FQDN entry.

Name

This field displays the name of the selected IPv6 FQDN object used in DNS queries.

FQDN

This field displays a host's fully qualified domain name.

IP Address

This field displays the mapping of the FQDN to an IPv6 address. This is the IPv6 address of a host.

TTL

This field displays the number of seconds the Zyxel Device holds the IPv6 address to FQDN object mapping in its cache. The mapping is updated when the TTL (Time To Live) expires.

Refresh

Click this button to update the information on the screen.

6.16 Virtual Server Load Balancing
Virtual server load balancing allows you to distribute incoming connection requests to a virtual server between multiple real (physical) servers. This helps reduce each server's workload and decreases virtual server response times.
Use this screen to view traffic statistics between clients and each real server. You can then assess whether loading among the real servers is balanced. If not, you may need to change the loading algorithm.
See Section 12.5 on page 366 for more information on virtual server load balancing.
Click Monitor > Virtual Server LB to see the following screen.
Fig ure 125 Monitor > Virtual Server LB


The following table describes the labels in this screen.

Table 47 Monitor > Virtual Server LB

LABEL

DESCRIPTION

View

Select how to view the virtual server load balancing traffic.

· Traffic/Connections By Packets: displays the number of connections and the number of packets and bytes to/from a specific server.
· Traffic/Connections By Rates: displays the number of connections per second and the number of packets and bytes per second to/from a specific server.

#

This is the index number of a table entry.

Server IP

This field displays the IP address of the real server that the virtual server load balancing traffic is coming from or going to.

Server Port

This field displays the port number on the real server that identifies the service the client requested.

Status

This field displays the result of the health check. If the health check fails, it displays Off-line; if the health check is OK, it displays On-line.

The following fields display when you choose Traffic/Connections By Packets.

Active Connection

This field displays the number of active connections between the real server and clients for the specified service.

Inactive Connection

This field displays the number of once active, but now idle connections between the real server and clients for the specified service.

Incoming Packets

This field displays the number of packets going to the real server from clients for the specified service.

Outgoing Packets

This field displays the number of packets coming from the real server to clients for the specified service.

Incoming Bytes

This field displays the number of bytes going to the real server from clients for the specified service.

Outgoing Bytes

This field displays the number of bytes coming from the real server to clients for the specified service.

The following fields display when you choose Traffic/Connections By Rates.

Connections/s

This field displays the number of connections per second between the real server and clients for the specified service.

Incoming Packets/s

This field displays the number of packets per second going to the real server from clients for the specified service.

Outgoing Packets/s

This field displays the number of packets per second coming from the real server to clients for the specified service.

Incoming Bytes/s

This field displays the number of bytes per second going to the real server from clients for the specified service.

Outgoing Bytes/s

This field displays the number of bytes per second coming from the real server to clients for the specified service.

Refresh

Click this button to update the information on the screen.

6.17 AP Information: AP List
The AP Information menu contains the AP List, Radio List, Top N APs and Single AP screens. Click Monitor > Wireless > AP Information to display the AP List screen.

Figure 126 Monitor > Wireless > AP Information > AP List

The following table describes the labels in this screen.

Table 48 Monitor > Wireless > AP Information > AP List

LABEL

DESCRIPTION

Filter

Click Show Advanced Settings to reveal Filter fields where you can display managed APs by status, by keyword or by whether they are managed by the Nebula portal.

AP List

Select the type of APs you want to display.

Select All to show all kinds of APs that are currently or used to be connected to the Zyxel Device.

Select Nebula FlexPRO to show the APs that can work in Nebula cloud management mode.

Status

Select the status of APs you want to display.

You can display APs managed by the Zyxel Device according to the following:

· Online All: APs that are online now + APs with configuration conflict + APs with non-supported features + APs that are now updating firmware
· Online: APs that are online now
· Conflict: APs with configurations in conflict with the Zyxel Device (see More Details)
· Non Support: APs with features not supported by the Zyxel Device (see More Details)
· Updating: APs that have updated firmware and rebooted
· Offline All: Offline + Offline for Firmware Update
· Offline: The CAPWAP server did not receive keep-alive packets from these APs in the last 2 minutes (Offline All - Offline for Firmware Update)
· Offline for Firmware Update: APs that were rebooted before updating firmware
· Un-Mgmt: APs that are not managed by the Zyxel Device

Keyword

Enter a keyword to display the APs that include it in their AP information, such as model number, firmware version, MAC address and so on. This field is case-sensitive.

Search

Click this to update the list of APs based on the search criteria.

Reset

Your search criteria are retained when navigating between screens. Click this to return the search criteria to the factory defaults and display all currently or previously connected APs without a filter.

Enable Column Freeze

Select this to lock the index columns in place while scrolling to the right.

Edit the selected rule

Select an AP and click this to change the selected AP's properties, such as its group, radio, VLAN and port settings.

Add to Mgmt AP List

Select an AP and click this to add the selected AP to the managed AP list.

Reboot device

Select one or multiple APs and click this button to force the AP(s) to restart.


Table 48 Monitor > Wireless > AP Information > AP List (continued)

LABEL

DESCRIPTION

Remove the selected rule

Select one or multiple APs and click this button to remove the AP(s) from the managed AP list.

Note: If on the Configuration > Wireless > Controller screen you set the Registration Type to Always Accept, then as soon as you remove an AP from this list it reconnects.

DCS Now

Select one or multiple APs and click this button to use DCS (Dynamic Channel Selection), which lets the AP automatically find a less-used channel in an environment where there are many APs and there may be interference.

Note: You must enable DCS in the applied AP radio profile before the APs can use DCS.

Note: DCS is not supported on a radio that is working in repeater AP mode.

More Information

Select an AP and click this to view a daily station count about the selected AP. The count records station activity on the AP over a consecutive 24 hour period.

Radio Information

Select an online AP and click this button to go to the Monitor > Wireless > AP Information > Radio List screen to view detailed information about the AP's radios.

Query Controller Log

Select one or multiple APs and click this button to go to the Monitor > Log > View Log screen to view the selected AP's current log messages.

Nebula

Select an AP and click this to open a screen where you can set whether the AP's IP address and VLAN settings will be changed when it goes into Nebula cloud management mode.

Note: The AP will be set to Nebula cloud management mode and removed from the managed AP list right after you click OK.

Upgrade Firmware Now

Select one or more APs and click this button to update the APs' firmware version.

Suppression On

Select an AP and click this button to enable the AP's LED suppression mode. All the LEDs of the AP will turn off after the AP is ready. This button is not available if the selected AP does not support suppression mode.

Suppression Off

Select an AP and click this button to disable the AP's LED suppression mode. The AP LEDs stay lit after the AP is ready. This button is not available if the selected AP does not support suppression mode.

Locator On

Select an AP and click this button to run the locator feature. The AP's Locator LED blinks for 10 minutes by default, which shows the physical location of the AP among several devices on the network.

#

This field is a sequential value, and it is not associated with any entry.

Status

This field displays the status of the AP.

· Online All: APs that are online now + APs with configuration conflict + APs with non-supported features + APs that are now updating firmware
· Online: APs that are online now
· Conflict: APs with configurations in conflict with the Zyxel Device (see More Details)
· Non Support: APs with features not supported by the Zyxel Device (see More Details)
· Updating: APs that have updated firmware and rebooted
· Offline All: Offline + Offline for Firmware Update
· Offline: The CAPWAP server did not receive keep-alive packets from these APs in the last 2 minutes (Offline All - Offline for Firmware Update)
· Offline for Firmware Update: APs that were rebooted before updating firmware
· Un-Mgmt: APs that are not managed by the Zyxel Device

Description

This field displays the AP's description, which you can configure by selecting the AP's entry and clicking the Edit button.

CPU Usage

This field displays the CPU usage of the AP.


Table 48 Monitor > Wireless > AP Information > AP List (continued)

LABEL

DESCRIPTION

IP Address

This field displays the IP address of the AP.

MAC Address

This field displays the MAC address of the AP.

Station 2.4G

This field displays the number of 2.4G wireless clients connected to the AP.

Station 5G

This field displays the number of 5G wireless clients connected to the AP.

Recent Online Time

This displays the most recent time the AP came on-line. N/A displays if the AP has not come on-line since the Zyxel Device last started up.

Power

This field displays the AP's power status.

Full - the AP receives power using a power adapter and/or through a PoE switch/injector using IEEE 802.3at PoE Plus. A PoE device that supports IEEE 802.3at PoE Plus can supply up to 30W per Ethernet port.

Limited - the AP receives power through a PoE switch/injector using IEEE 802.3af PoE, even when it is also connected to a power source using a power adapter. A PoE device that supports IEEE 802.3af PoE can supply up to 15.4W per Ethernet port.

When the AP is in limited power mode, the AP throughput decreases and it has just one transmitting radio chain.

It always shows Full if the AP does not support power detection.

Type

This indicates whether the AP is on the managed AP list (Mgmt) or not (Un-Mgmt).

This displays Limited when the AP is configured with conflicting or unsupported setting(s).

Model

This field displays the AP's hardware model information. It displays N/A (not applicable) only when the AP disconnects from the Zyxel Device and the information is unavailable as a result.

R1 Mode/Profile/ZyMesh Profile

This field displays the operating mode (AP, MON, rootap, or repeater), AP radio profile name and ZyMesh profile name for Radio 1. It displays - for the ZyMesh profile of a radio that is not using a ZyMesh profile.

R2 Mode/Profile/ZyMesh Profile

This field displays the operating mode (AP, MON, rootap, or repeater), AP radio profile name and ZyMesh profile name for Radio 2. It displays - for the ZyMesh profile of a radio that is not using a ZyMesh profile.

Version

This field displays the AP's current firmware version.

Group

This displays the name of the AP group to which the AP belongs.

Mgnt. VLAN ID (AC/AP)

This displays the Access Controller (the Zyxel Device) and runtime management VLAN ID setting for the AP. VLAN Conflict displays if the AP's management VLAN ID does not match the Mgmnt. VLAN ID (AC). This field displays n/a if the Zyxel Device cannot get VLAN information from the AP.

Last Off-line Time

This field displays the date and time that the AP was last logged out.

LED Status

This field displays the AP LED status.

N/A displays if the AP does not support LED suppression mode and/or does not have a locator LED to show the actual location of the AP.

A gray LED icon signifies that the AP LED suppression mode is enabled. All the LEDs of the AP will turn off after the AP is ready.

A green LED icon signifies that the AP LED suppression mode is disabled and the AP LEDs stay lit after the AP is ready.

A sun icon signifies that the AP's locator LED is blinking.

A circle signifies that the AP's locator LED is extinguished.

Ethernet Uplink

This field displays the AP's uplink port speed and duplex mode (Full or Half).


Table 48 Monitor > Wireless > AP Information > AP List (continued)

LABEL

DESCRIPTION

Bluetooth

This field displays the AP's Bluetooth Low Energy (BLE) capability. Bluetooth Low Energy, also known as Bluetooth Smart, transmits less data over a shorter distance and consumes less power than classic Bluetooth. APs communicate with other BLE-enabled devices using advertisements.

N/A displays if the AP does not support BLE.

Unavailable displays if the AP supports Bluetooth, but there is no BLE USB dongle connected to the USB port of the AP. Some APs, such as the WAC5302D-S, need to have a supported BLE USB dongle attached to act as a beacon to broadcast packets.

Available displays if the AP supports Bluetooth, detects a BLE device and advertising is inactive.

Advertising displays if the AP supports Bluetooth, detects a BLE device and advertising is activated, which means the BLE device can broadcast packets to every device around it.

Location

This field displays the AP's location that you configured.

Roaming Group

This field displays the name of the roaming group to which the AP belongs.

Load Balancing Group

This field displays the AP's load balance status when load balancing is enabled on the Zyxel Device. It shows nothing when load balancing is disabled or the radio is in monitor mode.

S/N

This field displays the serial number of the AP.

System Name

This field displays the system name that identifies the AP on a network.

Apply

Click Apply to save your changes back to the Zyxel Device.

Refresh

Click Refresh to update the AP list.

The following table describes the icons in this screen.

Table 49 Monitor > Wireless > AP Information > AP List Icons

LABEL

DESCRIPTION

This AP is not on the management list.

This AP is on the management list and online.

This AP is in the process of having its firmware updated.

This AP is on the management list but offline.

This indicates one of the following cases:
· This AP has a runtime management VLAN ID setting that conflicts with the VLAN ID setting on the Access Controller (the Zyxel Device).
· A setting the Zyxel Device assigns to this AP does not match the AP's capability.

6.17.1 AP List: More Information
Use this screen to look at configuration information, port status and station statistics for the connected AP. To access this screen, select an entry and click the More Information button on the AP List screen.
Figure 127 Monitor > Wireless > AP Information > AP List > More Information

The following table describes the labels in this screen.

Table 50 Monitor > Wireless > AP Information > AP List > More Information

LABEL

DESCRIPTION

Configuration Status

This displays whether or not any of the AP's configuration is in conflict with the Zyxel Device's settings for the AP.

Conflict

If any of the AP's configuration conflicts with the Zyxel Device's settings for the AP, this field displays which configuration conflicts. It displays n/a if none of the AP's configuration conflicts with the Zyxel Device's settings for the AP.

Non Support

If any setting the Zyxel Device assigns to the AP is not supported by the AP, this field displays which setting is not supported. It displays n/a if the AP supports all of the settings assigned to it.


Table 50 Monitor > Wireless > AP Information > AP List > More Information (continued)

LABEL

DESCRIPTION

Port Status

This shows the name of each physical Ethernet port on the AP.

Port Status

This field displays the current status of each physical port on the AP.

Down - The port is not connected.

Speed / Duplex - The port is connected. This field displays the port speed and duplex setting (Full or Half).

PVID

This shows the port's PVID. A PVID (Port VLAN ID) is a tag that the AP adds to incoming untagged frames received on a port so that the frames are forwarded to the VLAN group that the tag defines.

Up Time

This field displays how long the physical port has been connected.

Tx Bcast

This field displays the number of broadcast packets transmitted on the port.

Rx Bcast

This field displays the number of broadcast packets received on the port.

VLAN Configuration

Name

This shows the name of the VLAN.

Status

This displays whether or not the VLAN is activated.

VID

This shows the VLAN ID number.

Member

This field displays the Ethernet port(s) that are members of this VLAN.

Ethernet Neighbor

Local Port (Description)

This field displays the port on which the neighboring device is discovered. For Zyxel Devices that support Port Role, if ports 3 to 5 are grouped together and there is a connection to P5 only, the Zyxel Device displays P3 as the interface port number (even though there is no connection to that port).

Model Name

This field displays the model name of the discovered device.

System Name

This field displays the system name of the discovered device.

Firmware Version

This field displays the firmware version of the discovered device.

Port (Description)

This field displays the first internal port on the discovered device. Internal is an interface type displayed on the Network > Interface > Ethernet > Edit screen. For example, if P1 and P2 are WAN, P3 to P5 are LAN, and P6 is DMZ, then the Zyxel Device displays P3 as the first internal interface port number.

For Zyxel Devices that support Port Role, if ports 3 to 5 are grouped together and there is a connection to P5 only, the Zyxel Device displays P3 as the first internal interface port number (even though there is no connection to that port).

IP Address

This field displays the IP address of the discovered device.

MAC Address

This field displays the MAC address of the discovered device.

Station Count

The y-axis represents the number of connected stations. The x-axis shows the time over which a station was connected.

Last Update

This field displays the date and time the information in the window was last updated.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

6.17.2 AP List: Edit AP
Select an AP and click the Edit Selected Rule button in the Monitor > Wireless > AP Information > AP List table to display this screen.
Figure 128 Monitor > Wireless > AP Information > AP List > Edit AP

Each field is described in the following table.

Table 51 Monitor > Wireless > AP Information > AP List > Edit AP

LABEL

DESCRIPTION

Create new Object

Use this menu to create a new Radio Profile object to associate with this AP.

MAC

This displays the MAC address of the selected AP.

Model

This field displays the AP's hardware model information. It displays N/A (not applicable) only when the AP disconnects from the Zyxel Device and the information is unavailable as a result.

Description

Enter a description for this AP. You can use up to 31 characters; spaces and underscores are allowed.

Group Setting

Select an AP group to which you want this AP to belong.

System Name

Enter a name to identify the AP on a network. This is usually the AP's fully qualified domain name.

Location

Specify the name of the place where the AP is located.

Roaming Group

Specify the name of the roaming group to which the AP belongs. You can use up to 31 alphanumeric and @# characters. Dashes and underscores are also allowed. The name should start with a letter or digit.

The 802.11k neighbor list a client requests from the AP is generated according to the roaming group and RCPI (Received Channel Power Indicator) value of its neighbor APs.

When a client wants to roam from the current AP to another, other APs in the same roaming group or not in a roaming group will be candidates for roaming. Neighbor APs in a different roaming group will be excluded from the 802.11k neighbor lists even when the neighbor AP has the best signal strength.

If the AP's roaming group is not configured, any neighbor APs can be candidates for roaming.

Load Balancing Group 1/2

Load balancing is only applied to APs within the same group. If a load balancing group is not assigned to an AP, it will belong to a default group.

Each AP can belong to up to two groups.

Radio 1/2 Setting

Override Group Radio Setting

Select this option to overwrite the AP radio settings with the settings you configure here.

Radio 1/2 OP Mode

Select the operating mode for radio 1 or radio 2.

AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the Zyxel Device to be managed (or subsequently passed on to an upstream gateway for managing).

MON Mode means the AP monitors the broadcast area for other APs, then passes their information on to the Zyxel Device where it can be determined if those APs are friendly or rogue. If an AP is set to this mode it cannot receive connections from wireless clients.

Radio 1/2 Profile

Select a profile from the list. If no profile exists, you can create a new one through the Create new Object menu.

Override Group Output Power Setting

Select this option to overwrite the AP output power setting with the setting you configure here.

Output Power

Set the output power of the AP.

Override Group SSID Setting

Select this option to overwrite the AP SSID profile setting with the setting you configure here.

Edit

This section allows you to associate an SSID profile with the radio. Select an SSID and click this button to reassign it. The selected SSID becomes editable immediately upon clicking.


#

This is the index number of the SSID profile. You can associate up to eight SSID profiles with an AP radio.

SSID Profile

Indicates which SSID profile is associated with this radio profile.

IP Setting

Force Overwrite IP Setting

Select this to change the AP's IP address setting to match the configuration in this screen.

Get Automatically

Select this to have the AP act as a DHCP client and automatically get the IP address, subnet mask, and gateway address from a DHCP server.

Used Fixed IP Address

Select this if you want to specify the IP address, subnet mask, gateway and DNS server address manually.

IP Address

Enter the IP address for the AP.

Subnet Mask

Enter the subnet mask of the AP in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all devices in the network.

Gateway

Enter the IP address of the gateway. The AP sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the AP.

DNS Server IP Address

Enter the IP address of the DNS server.

VLAN Settings

Override Group VLAN Setting

Select this option to overwrite the AP VLAN setting with the setting you configure here.

Force Overwrite VLAN Config

Select this to have the Zyxel Device change the AP's management VLAN to match the configuration in this screen.

Management VLAN ID

Enter a VLAN ID for this AP.

As Native VLAN

Select this option to treat this VLAN ID as a VLAN created on the Zyxel Device and not one assigned to it from outside the network.

Storm Control Setting

Traffic storm control limits the number of broadcast and/or multicast packets the Zyxel Device receives on the ports. When the maximum number of allowable broadcast and/or multicast packets is reached, the subsequent packets are discarded.

Select Broadcast Storm Control to enable broadcast storm control on the Zyxel Device. Enabling this will drop ingress broadcast traffic on the physical Ethernet port if it exceeds the maximum traffic rate.

Select Multicast Storm Control to enable multicast storm control on the Zyxel Device. Enabling this will drop ingress multicast traffic on the physical Ethernet port if it exceeds the maximum traffic rate.

Rogue AP Detection Setting

This feature allows the Zyxel Device to monitor the WiFi signals for other wireless APs. A rogue AP is a wireless access point operating in a network's coverage area that is not under the control of the network administrator, and which can potentially open up holes in a network's security.

Select this check box to detect Rogue APs in the network.

Antenna Setting

Select Wall if you mount the Zyxel Device to a wall. Select Ceiling if the Zyxel Device is mounted on a ceiling. You can switch from Wall to Ceiling if there are still wireless dead zones, and vice versa.

LED Suppression Mode Configuration

If the Suppression On check box is checked, the LEDs of your Zyxel Device will turn off after it is ready.

If the check box is unchecked, the LEDs will stay lit after the Zyxel Device is ready.


Power Setting

Select this check box if you are using a PoE injector that does not support PoE negotiation. Otherwise, the Zyxel Device cannot draw full power from the power sourcing equipment. Enable this power mode to improve the Zyxel Device's performance in this situation.

Note: Ensure that the power sourcing equipment can supply enough power to the AP to avoid abnormal system reboots.

Note: Only enable this if you are using a passive PoE injector that is not IEEE 802.3at/bt compliant but can still provide full power.

Locator LED Configuration

Click the Turn On button to activate the locator. The locator function shows the actual location of the Zyxel Device among several devices in the network. Otherwise, click Turn Off to disable the locator feature.

Automatically Extinguish After

Enter a time interval between 1 and 60 minutes to stop the locator LED from blinking. Default is 10 minutes.

Reset AP Configuration

Click Apply Factory Default to reset all of the AP settings to the factory defaults.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to close the window with changes unsaved.
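The roaming-group rule described under Roaming Group in the table above (same roaming group or no roaming group qualifies a neighbor; a different roaming group excludes it even with the best signal; an AP with no roaming group accepts any neighbor), as an added example that is not part of this guide or of Zyxel's firmware. The AP names, roaming group names and RCPI values are constructed sample data, and the optional `max_entries` cap is an assumption of this example (the guide does not state a neighbor-list size).

```python
"""802.11k neighbor-list candidate selection by roaming group (added example).

Illustrative code written for this guide, not Zyxel firmware code. It models the
rule in the Edit AP table: neighbor APs in the same roaming group, or with no
roaming group, are roaming candidates; neighbors in a different roaming group
are excluded even when they have the best signal; when the current AP has no
roaming group, every neighbor is a candidate. Candidates are ordered by RCPI
(Received Channel Power Indicator). All names, groups and RCPI values below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NeighborAP:
    name: str
    roaming_group: Optional[str]  # None means no roaming group is configured
    rcpi: int  # 802.11k RCPI: 0 (<= -110 dBm) .. 220 (>= 0 dBm)


def is_roaming_candidate(current_group: Optional[str],
                         neighbor_group: Optional[str]) -> bool:
    """Return True if a neighbor may appear in the current AP's 802.11k list."""
    if current_group is None:
        # Current AP has no roaming group: any neighbor AP can be a candidate.
        return True
    # Same group, or neighbor not in any group, qualifies; other groups do not.
    return neighbor_group is None or neighbor_group == current_group


def build_neighbor_list(current_group: Optional[str],
                        neighbors: List[NeighborAP],
                        max_entries: Optional[int] = None) -> List[str]:
    """Build the ordered neighbor list a client would receive, strongest RCPI first.

    `max_entries` is an assumption of this example, not a documented limit.
    """
    candidates = [n for n in neighbors
                  if is_roaming_candidate(current_group, n.roaming_group)]
    candidates.sort(key=lambda n: n.rcpi, reverse=True)
    if max_entries is not None:
        candidates = candidates[:max_entries]
    return [n.name for n in candidates]


def rcpi_to_dbm(rcpi: int) -> float:
    """Convert an 802.11k RCPI value back to dBm (valid for 0 <= rcpi <= 220)."""
    if not 0 <= rcpi <= 220:
        raise ValueError("RCPI outside the measurable 0..220 range")
    return rcpi / 2.0 - 110.0


# Constructed sample neighborhood: the client is on an AP in roaming group "floor1".
SAMPLE_NEIGHBORS = [
    NeighborAP("AP-A", "floor1", 180),  # same group, -20 dBm
    NeighborAP("AP-B", "floor2", 210),  # different group, strongest signal (-5 dBm)
    NeighborAP("AP-C", None, 150),      # no group configured, -35 dBm
    NeighborAP("AP-D", "floor1", 120),  # same group, -50 dBm
]

if __name__ == "__main__":
    # AP-B is left out despite the best RCPI because it is in another group.
    print(build_neighbor_list("floor1", SAMPLE_NEIGHBORS))
    # With no roaming group on the current AP, all four are candidates.
    print(build_neighbor_list(None, SAMPLE_NEIGHBORS))
```

The practical check this makes visible: a mis-typed roaming group name on one AP silently removes it from every neighbor list on that floor, so clients will not be steered to it even when it is the strongest AP.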

6.18 AP Information: Radio List
Click Monitor > Wireless > AP Information > Radio List to display the Radio List screen.
Figure 129 Monitor > Wireless > AP Information > Radio List

The following table describes the labels in this screen.

Table 52 Monitor > Wireless > AP Information > Radio List

LABEL

DESCRIPTION

More Information

Click this icon to see the traffic statistics, station count, SSID, Security Mode and VLAN ID information on the AP.

Enable Column Freeze

Select this to lock the index columns in place while scrolling to the right.

#

This field is a sequential value, and it is not associated with a specific radio.


Loading

This indicates the AP's load balance status (UnderLoad or OverLoad) when load balancing is enabled on the AP. Otherwise, it shows - when load balancing is disabled or the radio is in monitor mode.

AP Description

Enter a description for this AP. You can use up to 31 characters; spaces and underscores are allowed.

Frequency Band

This field displays the WLAN frequency band using the IEEE 802.11 a/b/g/n standard of 2.4 or 5 GHz.

Channel ID

This field displays the WLAN channels using the IEEE 802.11 protocols.

Tx Power

This shows the radio's output power (in dBm).

Station

This field displays the station count information.

Rx

This field displays the total number of bytes received by the radio.

Tx

This field displays the total number of bytes transmitted by the radio.

Model

This field displays the AP's hardware model information. It displays N/A (not applicable) only when the AP disconnects from the Zyxel Device and the information is unavailable as a result.

MAC Address

This field displays the MAC address of the AP.

Radio

This field displays the radio number, for example 1.

OP Mode

This field displays the operating mode of the AP. It displays n/a for the profile for a radio not using an AP profile.

AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the Zyxel Device to be managed (or subsequently passed on to an upstream gateway for managing).

AP / ZyMesh Profile

This indicates the AP radio and ZyMesh profile names to which the radio belongs.

Antenna

This indicates the antenna orientation for the radio (Wall or Ceiling).

This shows N/A if the AP does not allow you to adjust coverage depending on the orientation of the antenna for each radio using the web configurator or a physical switch.

6.18.1 Radio List: More Information
This screen allows you to view detailed information about a selected radio's SSID(s), wireless traffic and wireless clients for the preceding 24 hours. To access this window, select an entry and click the More Information button on the Radio List screen.
Figure 130 Monitor > Wireless > AP Information > Radio List > More Information

The following table describes the labels in this screen.

Table 53 Monitor > Wireless > AP Information > Radio List > More Information

LABEL

DESCRIPTION

MBSSID Detail

This list shows information about the SSID(s) that is associated with the radio over the preceding 24 hours.

#

This is the item's sequential number in the list. It has no bearing on the actual data in this list.

SSID Name

This displays an SSID associated with this radio. There can be up to eight.

BSSID

This displays the MAC address associated with the SSID.

Security Mode

This displays the security mode in which the SSID is operating.

Forwarding Mode

This field indicates the forwarding mode (Local Bridge or Tunnel) associated with the SSID profile.

VLAN

This displays the VLAN ID associated with the SSID.

Traffic Statistics

This graph displays the overall traffic information about the radio over the preceding 24 hours.

y-axis

This axis represents the amount of data moved across this radio in megabytes per second.

x-axis

This axis represents the amount of time over which the data moved across this radio.

Station Count

This graph displays information about all the wireless clients that have connected to the radio over the preceding 24 hours.

y-axis

The y-axis represents the number of connected wireless clients.

x-axis

The x-axis shows the time over which a wireless client was connected.

Last Update

This field displays the date and time the information in the window was last updated.

OK

Click this to close this window.

Cancel

Click this to close this window.

Click Monitor > Wireless > AP Information > Built-in AP to display this screen. The following table describes the labels in this screen.

Table 54 Monitor > Wireless > AP Information > Built-in AP

LABEL

DESCRIPTION

Single Station Status

Usage by

Select the measure unit in GB or MB to display the graph.

Traffic Usage

This graph displays traffic usage from associated wireless stations in the preceding 24 hours.

y-axis

The y-axis represents the amount of traffic in megabytes/gigabytes.

x-axis

The x-axis represents the time over which wireless traffic flows transmitting from/to the AP.

Station Count

This graph displays the number of wireless stations that have connected to the AP in the preceding 24 hours.

y-axis

The y-axis represents the number of connected wireless stations.

x-axis

The x-axis represents the time over which a wireless client was connected.

Refresh

Click Re fre sh to update this screen.

6.19 AP Information: Top N APs
Use this screen to view the top five or top ten wireless traffic usage and associated wireless stations for the preceding 24 hours. Click Monitor > Wireless > AP Information > Top N APs to display the Top N APs screen.
Figure 131 Monitor > Wireless > AP Information > Top N APs

The following table describes the labels in this screen.

Table 55 Monitor > Wireless > AP Information > Top N APs

LABEL

DESCRIPTION

View

Select this to view the top five or top ten wireless traffic usage and associated wireless stations for the preceding 24 hours.

Usage by

If you view the data usage by Usage, select the frequency band and the measure unit in GB or MB to display the graph.

If you view the data usage by Station Number, select the measure unit in GB or MB to display the graph.

Traffic Usage

This graph displays the overall traffic information about the top five or top ten wireless traffic for the preceding 24 hours.

y-axis

The y-axis represents the amount of traffic in megabytes/gigabytes.

x-axis

The x-axis represents the time over which wireless traffic flows transmitting from/to the AP.

Station Count

This graph displays information about all the wireless stations that have connected to the AP for the preceding 24 hours.

y-axis

The y-axis represents the number of connected wireless stations.


x-axis

The x-axis represents the time over which a wireless client was connected.

Refresh

Click Re fre sh to update this screen.

6.20 AP Information: Single AP
Use this screen to view wireless traffic usage and wireless stations for a managed AP. Click Monitor > Wireless > AP Information > Single AP to display the Single AP screen.
Figure 132 Monitor > Wireless > AP Information > Single AP

The following table describes the labels in this screen.

Table 56 Monitor > Wireless > AP Information > Single AP

LABEL

DESCRIPTION

AP Selection

Select a managed AP from the drop-down list box to view its wireless traffic usage and wireless stations.

Usage by

Select the measure unit in GB or MB to display the graph.

Traffic Usage

This graph displays the overall traffic information about the AP you specified for the preceding 24 hours.

y-axis

The y-axis represents the amount of traffic in megabytes/gigabytes.

x-axis

The x-axis represents the time over which wireless traffic flows transmitting from/to the AP.


Station Count

This graph displays information about all the wireless stations that have connected to the AP for the preceding 24 hours.

y-axis

The y-axis represents the number of connected wireless stations.

x-axis

The x-axis represents the time over which a wireless client was connected.

Refresh

Click Re fre sh to update this screen.

6.21 ZyMesh
Use this screen to view the ZyMesh traffic statistics between the managed APs. Click Monitor > Wireless > ZyMesh to display this screen.
Figure 133 Monitor > Wireless > ZyMesh

The following table describes the labels in this screen.

Table 57 Monitor > Wireless > ZyMesh

LABEL

DESCRIPTION

#

This field displays the index number of the managed AP (in repeater mode) in this list.

Description

This field displays the descriptive name of the managed AP (in repeater mode).

IP Address

This field displays the IP address of the managed AP (in repeater mode).

Channel ID

This field displays the number of the channel used by the managed AP (in repeater mode).

Hop

This is the hop count of the managed AP. For example, "1" means the managed AP is connected to a root AP directly. "2" means there is another repeater AP between the managed AP and the root AP.

Uplink AP Info

This shows the role and descriptive name of the managed AP to which this managed AP is connected wirelessly.

SSID Name

This indicates the name of the wireless network (SSID) the managed AP uses to associate with another managed AP.

Signal Strength

Before the slash, this shows the signal strength the uplink AP (a root AP or a repeater) receives from this managed AP (in repeater mode).

After the slash, this shows the signal strength this managed AP (in repeater mode) receives from the uplink AP.

Link Up Time

This field displays the time the managed AP first associated with the root AP or repeater.

MAC Address

This field displays the MAC address of the managed AP (in repeater mode).


Tx Power

This field displays the output power of the managed AP (in repeater mode).

Root AP

This field displays the descriptive name of the root AP to which the managed AP is connected wirelessly.

Tx Rate

This field displays the maximum transmission rate of the root AP or repeater to which the managed AP is connected.

Rx Rate

This field displays the maximum reception rate of the root AP or repeater to which the managed AP is connected.

Refresh

Click Re fre sh to update this screen.

6.22 SSID Info
Use this screen to view the number of wireless clients currently connected to an SSID and the security type used by the SSID. Click Monitor > Wireless > SSID Info to display this screen.
Figure 134 Monitor > Wireless > SSID Info

The following table describes the labels in this screen.

Table 58 Monitor > Wireless > SSID Info

LABEL

DESCRIPTION

#

This is the SSID's index number in this list.

SSID

This indicates the name of the wireless network to which the client is connected. A single AP can have multiple SSIDs or networks.

2.4GHz

This shows the number of wireless clients which are currently connected to the SSID using the 2.4 GHz frequency band. Click the number to go to the Station Info > Station List screen. See Section 6.24 on page 170.

5GHz

This shows the number of wireless clients which are currently connected to the SSID using the 5 GHz frequency band. Click the number to go to the Station Info > Station List screen. See Section 6.24 on page 170.

SSID Profile Name

This indicates the name of the SSID profile in which the SSID is defined.

Security Mode

This indicates which encryption method is being used by the SSID.

Refresh

Click Re fre sh to update this screen.

6.23 Station Info: Station List
The Station Info menu contains Station List, Top N Stations and Single Station screens. This screen displays information about connected wireless stations. Click Monitor > Wireless > Station Info > Station List to display this screen.
Figure 135 Monitor > Wireless > Station Info > Station List

The following table describes the labels in this screen.

Table 59 Monitor > Wireless > Station Info > Station List

LABEL

DESCRIPTION

Hide/Show Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

Show Filter/Hide Filter

Click this button to show or hide the filter settings.

Filter

IP Address

Enter the IP address of the station you want to display. This field is case-sensitive.

Associated AP

Select the AP(s) with which the stations you want to display associate.

SSID Name

Select the SSID(s) to which the stations you want to display are connected.

MAC Address

Enter the MAC address of the station you want to display. This field is case-sensitive.

Security Mode

Select the security mode(s) used by the stations you want to display.

Account

Enter the user account name of the station you want to display. This field is case-sensitive.

Login Type

Select the login method(s) used by the stations you want to display.

Band

Select the frequency band used by the stations you want to display.

Search

Click this to update the list of stations based on the search criteria.

Reset

Your search criteria are retained when navigating between screens. Click this to return the search criteria to the factory defaults and display all connected stations without a filter.

Enable Column Freeze

Select this to lock the index columns in place while scrolling to the right.

Station List

#

This field is a sequential value, and it is not associated with a specific station.

MAC Address

This field displays the MAC address of the station.

SSID Name

This field displays the SSID names of the station.

Associated AP

This field displays the APs that are associated with the station.

IP Address

This field displays the IP address of the station.

Channel

This field displays the number of the channel used by the station to connect to the network.


Rx Rate

This field displays the receive data rate of the station.

Tx Rate

This field displays the transmit data rate of the station.

Signal Strength

This field displays the signal strength of the station.

Association Time

This field displays the time duration the station was online and offline.

Enterprise

This field displays the RADIUS server of the station.

Captive Portal

This displays whether the station logged into the network via the captive portal login page.

MAC Auth

This displays whether the station logged into the network via MAC authentication.

Band

This field displays the frequency band which is currently being used by the station.

Capability

This displays the supported standard currently being used by the station or the standards supported by the station.

802.11 Features

This displays whether the station supports IEEE 802.11r, IEEE 802.11k, IEEE 802.11v or none of the above (N/A).

Security Mode

This field displays the security mode the station is using.

Download

This field displays the number of bytes received by the station.

Upload

This field displays the number of bytes transmitted from the station.

Refresh

Click Re fre sh to update this screen.

6.24 Station Info: Top N Stations
Use this screen to view the top five or top ten traffic statistics of the wireless stations. Click Monitor > Wireless > Station Info > Top N Stations to display this screen.
Figure 136 Monitor > Wireless > Station Info > Top N Stations


The following table describes the labels in this screen.

Table 60 Monitor > Wireless > Station Info > Top N Stations

LABEL

DESCRIPTION

View

Select this to view the top five or top ten traffic statistics of the wireless stations.

Usage by

Select the measure unit in GB or MB to display the graph.

Traffic Usage

This graph displays the overall traffic information about the stations for the preceding 24 hours.

y-axis

This axis represents the amount of data moved across stations in megabytes per second.

Refresh

Click Re fre sh to update this screen.

6.25 Station Info: Single Station
Use this screen to view traffic statistics of the wireless station you specified. Click Monitor > Wireless > Station Info > Single Station to display this screen.
Figure 137 Monitor > Wireless > Station Info > Single Station

The following table describes the labels in this screen.

Table 61 Monitor > Wireless > Station Info > Single Station

LABEL

DESCRIPTION

Station Selection

Select this to view the traffic statistics of the wireless station.

Usage by

Select the measure unit in GB or MB to display the graph.

Traffic Usage

This graph displays the overall traffic information about the station over the preceding 24 hours.

y-axis

This axis represents the amount of data moved across this station in megabytes per second.

Refresh

Click Re fre sh to update this screen.

6.26 Detected Device
Use this screen to view information about wireless devices detected by the AP. Click Monitor > Wireless > Detected Device to access this screen.
Note: At least one radio of the APs connected to the Zyxel Device must be set to monitor mode (on the Configuration > Wireless > AP Management screen) in order to detect other wireless devices in its vicinity.
Figure 138 Monitor > Wireless > Detected Device

The following table describes the labels in this screen.

Table 62 Monitor > Wireless > Detected Device

LABEL

DESCRIPTION

Discovered APs

Rogue AP

This shows how many devices are detected as rogue APs.

Suspected rogue AP

This shows how many devices are detected as possible rogue APs.

Friendly AP

This shows how many devices are detected as friendly APs.

Un-Classified AP

This shows how many devices are detected, but have not been classified as either Rogue or Friendly by the Zyxel Device.

Detect now

Click this button for the Zyxel Device to scan for APs in the network.

Mark as Rogue AP

Click this button to mark the selected AP as a rogue AP. A rogue AP can be contained on the C o nfig ura tio n > Wire le ss > MO N Mo de screen.

Mark as Friendly AP

Click this button to mark the selected AP as a friendly AP. For more on managing friendly APs, see the C o nfig ura tio n > Wire le ss > MO N Mo de screen.

#

This is the station's index number in this list.

Role

This indicates the detected device's role (such as friendly or rogue).

Classified by

This indicates the detected device's classification rule.

MAC Address

This indicates the detected device's MAC address.

SSID Name

This indicates the detected device's SSID.

Channel ID

This indicates the detected device's channel ID.

802.11 Mode

This indicates the 802.11 mode (a/b/g/n) transmitted by the detected device.

Security

This indicates the encryption method (if any) used by the detected device.

Seen by

This indicates which AP detects the device.

If an AP in monitor mode detected this AP, this column will show "N/A".

If an AP using Rogue AP Detection detected this device, it will show the name of the AP and the signal strength from the detected device. If the wireless device is detected by more than one AP, only the top 5 APs with the highest signal strength will be shown.

Group

This indicates the group to which the detected device belongs.

Description

This displays the detected device's description. For more on managing friendly and rogue APs, see the Configuration > Wireless > MON Mode screen.

Last Seen

This indicates the last time the device was detected by the Zyxel Device.

Refresh

Click this to refresh the items displayed on this page.
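How the Detected Device counters and the Seen by column can be derived from raw AP sightings, as an added example that is not part of this guide or of Zyxel's code. It follows the rules the table above states (counts per role, at most the top 5 detecting APs by signal strength, "N/A" when only a monitor-mode radio saw the device, and the last time seen). The role names, BSSIDs, SSIDs, AP names, signal values and timestamps are all constructed sample data for this example.

```python
"""Detected-device summary for a rogue AP monitor (added example).

Illustrative code written for this guide; it is not Zyxel code. It turns raw
sightings reported by managed APs into the rows the Detected Device table
describes: per-role counts (rogue, suspected rogue, friendly, un-classified),
a "Seen by" cell limited to the 5 detecting APs with the highest signal
strength or "N/A" when only a monitor-mode radio saw the device, and the last
time the device was seen. All BSSIDs, SSIDs, AP names, signal values and
timestamps below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

ROLES = ("rogue", "suspected-rogue", "friendly", "unclassified")  # constructed names
MAX_SEEN_BY = 5  # the screen lists at most the top 5 APs by signal strength


@dataclass(frozen=True)
class Sighting:
    bssid: str
    ssid: str
    channel: int
    seen_by: Optional[str]  # detecting AP name; None = seen by a monitor-mode radio
    signal_dbm: int
    seen_at: datetime


def seen_by_cell(sightings: List[Sighting]) -> str:
    """Render the 'Seen by' column: strongest 5 named detectors, else N/A."""
    named = [s for s in sightings if s.seen_by is not None]
    if not named:
        return "N/A"
    strongest = sorted(named, key=lambda s: s.signal_dbm, reverse=True)[:MAX_SEEN_BY]
    return ", ".join(f"{s.seen_by} ({s.signal_dbm} dBm)" for s in strongest)


def summarize_detected(sightings: List[Sighting],
                       classification: Dict[str, str]) -> Tuple[Dict[str, int], List[dict]]:
    """Group sightings by BSSID and build the role counts plus one row per device.

    `classification` maps a BSSID to a role; a BSSID with no entry is
    un-classified, which is how the screen treats devices nobody has marked yet.
    """
    counts = {role: 0 for role in ROLES}
    by_bssid: Dict[str, List[Sighting]] = defaultdict(list)
    for s in sightings:
        by_bssid[s.bssid].append(s)

    rows = []
    for bssid in sorted(by_bssid):
        group = by_bssid[bssid]
        role = classification.get(bssid, "unclassified")
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r} for {bssid}")
        counts[role] += 1
        newest = max(group, key=lambda s: s.seen_at)  # drives SSID/channel/Last Seen
        rows.append({
            "bssid": bssid,
            "ssid": newest.ssid,
            "channel": newest.channel,
            "role": role,
            "seen_by": seen_by_cell(group),
            "last_seen": newest.seen_at,
        })
    return counts, rows


def _sighting(bssid, ssid, channel, ap, dbm, minute):
    # Helper for the constructed sample data below (fixed date, varying minute).
    return Sighting(bssid, ssid, channel, ap, dbm, datetime(2020, 10, 1, 9, minute))


# Constructed sample data: four detected BSSIDs, one of them seen by seven APs.
SAMPLE_SIGHTINGS = [
    _sighting("02:00:00:00:00:01", "CorpWiFi", 6, "AP-1", -40, 5),
    _sighting("02:00:00:00:00:03", "FreeWiFi", 11, None, -55, 7),  # monitor-mode radio only
    _sighting("02:00:00:00:00:04", "Guest", 1, "AP-1", -70, 8),
] + [
    _sighting("02:00:00:00:00:02", "CorpWiFi", 6, ap, dbm, minute)
    for ap, dbm, minute in [("AP-2", -30, 1), ("AP-3", -45, 2), ("AP-4", -52, 3),
                            ("AP-5", -60, 4), ("AP-6", -71, 9), ("AP-7", -80, 6),
                            ("AP-8", -90, 10)]
]

# Constructed classification: a second BSSID advertising the corporate SSID from
# unmanaged hardware is exactly the kind of device this screen exists to surface.
SAMPLE_CLASSIFICATION = {
    "02:00:00:00:00:01": "friendly",
    "02:00:00:00:00:02": "suspected-rogue",
    "02:00:00:00:00:03": "rogue",
}

if __name__ == "__main__":
    counts, rows = summarize_detected(SAMPLE_SIGHTINGS, SAMPLE_CLASSIFICATION)
    print(counts)
    for row in rows:
        print(row["bssid"], row["role"], row["seen_by"], row["last_seen"])
```

Keeping the strongest detectors rather than the first five reported matters for triage: the APs with the highest received signal are the ones physically closest to the unknown device, which is what you need when deciding where to go look for it.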

6.27 The Printer Status Screen
This screen displays information about the connected statement printer. Click Monitor > Printer Status to display this screen.
Figure 139 Monitor > Printer Status

The following table describes the labels in this screen.

Table 63 Monitor > Printer Status

LABEL

DESCRIPTION

#

This is the index number of the printer in the list.

IPv4 Address

This field displays the IP address of the printer that you configured in the screen.

Update Time

This field displays the date and time the Zyxel Device last synchronized with the printer.

This shows n/a when the printer status is sync fail.

Status

This field displays whether the Zyxel Device can connect to the printer and update the printer information.

Description

This field displays the descriptive name of the printer that you configured in the screen.

Nickname

This field displays the nickname of the printer that you configured in the Edit screen.

Firmware Version

This field displays the model number and firmware version of the printer.

This shows n/a when the printer status is sync fail.

MAC

This field displays the MAC address of the printer.

6.28 The IPSec Screen
You can use the IPSec Monitor screen to display and to manage active IPSec SAs. To access this screen, click Monitor > VPN Monitor > IPSec. The following screen appears. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
Figure 140 Monitor > VPN Monitor > IPSec

Each field is described in the following table.

Table 64 Monitor > VPN Monitor > IPSec
Name: Type the name of an IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular expression. Use up to 30 alphanumeric and _+.()!$*^:?|{}[]<>/ characters. See Regular Expressions in Searching IPSec SAs below for more details.
Policy: Type the IP address(es) or names of the local and remote policies for an IPSec SA and click Search to find it. You can use a keyword or regular expression. Use up to 30 alphanumeric and _+-.()!$*^:?|{}[]<>/ characters. See Regular Expressions in Searching IPSec SAs below for more details.
Search: Click this button to search for an IPSec SA that matches the information you specified above.
Disconnect: Select an IPSec SA and click this button to disconnect it.
Connection Check: Select an IPSec SA and click this button to check the connection.
#: This field is a sequential value, and it is not associated with a specific SA.
Serial Number: This field displays the serial number of this Zyxel Device.
System Name: This field displays the name used to identify the Zyxel Device.
Name: This field displays the name of the IPSec SA.
Policy: This field displays the content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed.
My Address: This field displays the IP address of the local computer.
Secure Gateway: This field displays the secure gateway information.
Up Time: This field displays how many seconds the IPSec SA has been active. This field displays N/A if the IPSec SA uses manual keys.
Timeout: This field displays how many seconds remain in the SA lifetime before the Zyxel Device automatically disconnects the IPSec SA. This field displays N/A if the IPSec SA uses manual keys.

Table 64 Monitor > VPN Monitor > IPSec (continued)
Inbound (Bytes): This field displays the amount of traffic that has gone through the IPSec SA from the remote IPSec router to the Zyxel Device since the IPSec SA was established.
Outbound (Bytes): This field displays the amount of traffic that has gone through the IPSec SA from the Zyxel Device to the remote IPSec router since the IPSec SA was established.

Regular Expressions in Searching IPSec SAs
A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use "a?c" (without the quotation marks) to specify abc, acc and so on.
Wildcards (*) let multiple VPN connection or policy names match the pattern. For example, use "*abc" (without the quotation marks) to specify any VPN connection or policy name that ends with "abc". A VPN connection named "testabc" would match. There could be any number (of any type) of characters in front of the "abc" at the end and the VPN connection or policy name would still match. A VPN connection or policy name named "testacc" for example would not match.
A * in the middle of a VPN connection or policy name has the Zyxel Device check the beginning and end and ignore the middle. For example, with "abc*123", any VPN connection or policy name starting with "abc" and ending in "123" matches, no matter how many characters are in between.
The whole VPN connection or policy name has to match if you do not use a question mark or asterisk.
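The following Python function is an added illustration, not code from the Zyxel firmware: it implements the three matching rules just described (one character for ?, any run of characters for *, whole-name match otherwise) so you can predict which SA names a search will return before typing the pattern into the Monitor screen. The SA names are constructed samples; the page also allows full regular expressions in this field, but only the ? and * rules are modelled here.

```python
import re


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the IPSec monitor search syntax into an anchored regex.

    '?' matches exactly one character and '*' matches any run of
    characters (including none); every other character is literal.
    The anchors enforce the rule that, without a wildcard, the whole
    VPN connection or policy name has to match.
    """
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def search_sas(pattern: str, sa_names):
    """Return the SA names the pattern would select, in table order."""
    rx = wildcard_to_regex(pattern)
    return [name for name in sa_names if rx.match(name)]


# Constructed sample SA names (not taken from any real device).
SAMPLE_SA_NAMES = ["abc", "acc", "testabc", "testacc", "abc_to_branch123", "abcdef"]

if __name__ == "__main__":
    for pat in ("a?c", "*abc", "abc*123", "abc"):
        print(f"{pat!r:12} -> {search_sas(pat, SAMPLE_SA_NAMES)}")
```

Because every non-wildcard character is escaped, punctuation that the field allows in names (dots, parentheses, brackets) is matched literally rather than being interpreted as regex syntax; "abc" without any wildcard therefore selects only the SA named exactly abc, as the text above states.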

6.29 The SSL Screen
The Zyxel Device keeps track of the users who are currently logged into the VPN SSL client. Click Monitor > VPN Monitor > SSL to display the user list. Use this screen to do the following:
· View a list of active SSL VPN connections.
· Log out individual users and delete related session information. Once a user logs out, the corresponding entry is removed from the screen.
Figure 141 Monitor > VPN Monitor > SSL

The following table describes the labels in this screen.

Table 65 Monitor > VPN Monitor > SSL
Disconnect: Select a connection and click this button to terminate the user's connection and delete the corresponding session information from the Zyxel Device.
Refresh: Click Refresh to update this screen.
#: This field is a sequential value, and it is not associated with a specific SSL VPN connection.
User: This field displays the account user name used to establish this SSL VPN connection.
Access: This field displays the name of the SSL VPN application the user is accessing.
Login Address: This field displays the IP address the user used to establish this SSL VPN connection.
Connected Time: This field displays the time this connection was established.
Inbound (Bytes): This field displays the number of bytes received by the Zyxel Device on this connection.
Outbound (Bytes): This field displays the number of bytes transmitted by the Zyxel Device on this connection.

6.30 The L2TP over IPSec Screen
Click Monitor > VPN Monitor > L2TP over IPSec to open the following screen. Use this screen to display and manage the Zyxel Device's connected L2TP VPN sessions.
Figure 142 Monitor > VPN Monitor > L2TP over IPSec

The following table describes the fields in this screen.

Table 66 Monitor > VPN Monitor > L2TP over IPSec
Disconnect: Select a connection and click this button to disconnect it.
Refresh: Click Refresh to update this screen.
#: This field is a sequential value, and it is not associated with a specific L2TP VPN session.
User Name: This field displays the remote user's user name.
Hostname: This field displays the name of the computer that has this L2TP VPN connection with the Zyxel Device.
Assigned IP: This field displays the IP address that the Zyxel Device assigned for the remote user's computer to use within the L2TP VPN tunnel.
Public IP: This field displays the public IP address that the remote user is using to connect to the Internet.

6.31 The App Patrol Screen
Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application's individual features (like text messaging, voice, video conferencing, and file transfers).
Click Monitor > Security Statistics > App Patrol > Summary to display the following screen. This screen displays Application Patrol statistics based on the App Patrol profiles bound to Security Policy profiles.
Figure 143 Monitor > Security Statistics > App Patrol > Summary

The following table describes the labels in this screen.

Table 67 Monitor > Security Statistics > App Patrol > Summary
Collect Statistics: Select this check box to have the Zyxel Device collect app patrol statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the Zyxel Device or click Flush Data. Collecting starts over and a new collection start time displays.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.
Refresh: Click this button to update the report display.
Flush Data: Click this button to discard all of the screen's statistics and update the report display.
App Patrol Statistics
#: This field is a sequential value, and it is not associated with a specific App Patrol session.
Application: This is the protocol.
Forwarded Data (KB): This is how much of the application's traffic the Zyxel Device has sent (in kilobytes).
Dropped Data (KB): This is how much of the application's traffic the Zyxel Device has discarded without notifying the client (in kilobytes). This traffic was dropped because it matched an application policy set to "drop".
Rejected Data (KB): This is how much of the application's traffic the Zyxel Device has discarded and notified the client that the traffic was rejected (in kilobytes). This traffic was rejected because it matched an application policy set to "reject".
Matched Auto Connection: This is how much of the application's traffic the Zyxel Device identified by examining the IP payload.
Inbound Kbps: This field displays the amount of the application's traffic that has gone to the ZyWALL (in kilobits per second).
Outbound Kbps: This field displays the amount of the application's traffic that has gone from the ZyWALL (in kilobits per second).

6.32 The Content Filter Screen
Click Monitor > Security Statistics > Content Filter to display the following screen. This screen displays content filter statistics.
Figure 144 Monitor > Security Statistics > Content Filter

The following table describes the labels in this screen.

Table 68 Monitor > Security Statistics > Content Filter
General Settings
Collect Statistics: Select this check box to have the Zyxel Device collect content filtering statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the Zyxel Device or click Flush Data. Collecting starts over and a new collection start time displays.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.
Refresh: Click this button to update the report display.
Flush Data: Click this button to discard all of the screen's statistics and update the report display.
Web Request Statistics
Total Submit File: This field displays the number of web pages that the Zyxel Device's content filter feature has checked.
Blocked: This is the number of web pages to which the Zyxel Device blocked access.
Warned: This is the number of web pages for which the Zyxel Device displayed a warning message to the access requesters.
Passed: This is the number of web pages to which the Zyxel Device allowed access.
Category Hit Summary
Managed Web Pages: This is the number of requested web pages that the Zyxel Device's content filtering service identified as belonging to a category that was selected to be managed.
Block Hit Summary
Web Pages Warned by Category Service: This is the number of web pages that matched an external database content filtering category selected in the Zyxel Device and for which the Zyxel Device displayed a warning before allowing users access.
Web Pages Blocked by Custom Service: This is the number of web pages to which the Zyxel Device did not allow access due to the content filtering custom service configuration.
Restricted Web Features: This is the number of web pages to which the ZyWALL limited access or removed cookies due to the content filtering custom service's restricted web features configuration.
Forbidden Web Sites: This is the number of web pages to which the Zyxel Device did not allow access because they matched the content filtering custom service's forbidden web sites list.
URL Keywords: This is the number of web pages to which the Zyxel Device did not allow access because they contained one of the content filtering custom service's list of forbidden keywords.

6.33 The Anti-Malware Screen
Click Monitor > Security Statistics > Anti-Malware > Summary to display the following screen. This screen displays anti-malware statistics.
Figure 145 Monitor > Security Statistics > Anti-Malware > Summary: Virus Name

The following table describes the labels in this screen.

Table 69 Monitor > Security Statistics > Anti-Malware > Summary: Virus Name
Collect Statistics: Select this check box to have the Zyxel Device collect anti-malware statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the Zyxel Device or click Flush Data. Collecting starts over and a new collection start time displays.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.
Refresh: Click this button to update the report display.
Flush Data: Click this button to discard all of the screen's statistics and update the report display.
Total Viruses Detected: This field displays the number of different viruses that the Zyxel Device has detected.
Top Entries By: Use this field to have the following (read-only) table display the top anti-malware log entries by Virus Name, Source IP, Destination IP, Source IPv6 and Destination IPv6. This table displays the most common, recent virus logs. See the log screen for less common virus logs or use a syslog server to record all virus logs. Select Virus Name to list the most common viruses that the Zyxel Device has detected. Select Source IP to list the source IP addresses from which the Zyxel Device has detected the most virus-infected files. Select Destination IP to list the most common destination IP addresses for virus-infected files that the Zyxel Device has detected. Select Source IPv6 to list the source IPv6 addresses from which the Zyxel Device has detected the most virus-infected files. Select Destination IPv6 to list the most common destination IPv6 addresses for virus-infected files that the Zyxel Device has detected.
Add to white list: Select an entry and click this to add it to the anti-malware white list.
Remove from white list: Select an entry and click this to remove it from the anti-malware white list.
#: This field displays the entry's rank in the list of the top entries.
Virus name: This column displays when you display the entries by Virus Name. This displays the name of a detected virus.
Hash: This column displays a hash value, MD5 (Message Digest 5) and SHA (Secure Hash Algorithm), of the detected virus file. MD5 and SHA are hash algorithms; the digest identifies the file that triggered the detection.
Source IP: This column displays when you display the entries by Source IP. It shows the source IP address of virus-infected files that the Zyxel Device has detected.
Source IPv6: This column displays when you display the entries by Source IPv6. It shows the source IPv6 address of virus-infected files that the Zyxel Device has detected.
Destination IP: This column displays when you display the entries by Destination IP. It shows the destination IP address of virus-infected files that the Zyxel Device has detected.
Destination IPv6: This column displays when you display the entries by Destination IPv6. It shows the destination IPv6 address of virus-infected files that the Zyxel Device has detected.
Occurrences: This field displays how many times the Zyxel Device has detected the event described in the entry.
White List: Click this to add this signature to the anti-malware white list. Click this to remove this signature from the anti-malware white list.

The statistics display as follows when you display the top entries by source IP.
Figure 146 Monitor > Security Statistics > Anti-Malware > Summary: Source IP
The statistics display as follows when you display the top entries by source IPv6.
Figure 147 Monitor > Security Statistics > Anti-Malware: Source IPv6
The statistics display as follows when you display the top entries by destination IP.
Figure 148 Monitor > Security Statistics > Anti-Malware > Summary: Destination IP
The statistics display as follows when you display the top entries by destination IPv6.
Figure 149 Monitor > Security Statistics > Anti-Malware: Destination IPv6
6.34 The Reputation Filter Screen
Click Monitor > Security Statistics > Reputation Filter > Summary to display the following screen. This screen displays Reputation Filter statistics.
Figure 150 Monitor > Security Statistics > Reputation Filter > Summary

The following table describes the labels in this screen.

Table 70 Monitor > Security Statistics > Reputation Filter > Summary
Collect Statistics: Select this check box to have the Zyxel Device collect reputation filter statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the Zyxel Device or click Flush Data. Collecting starts over and a new collection start time displays.
Refresh: Click this button to update the report display.
Flush Data: Click this button to discard all of the screen's statistics and update the report display.
Summary
IP Scanned: This field displays the total number of IPv4 addresses that have been scanned.
IP Hit Count: This field displays the total number of hits on the scanned IPv4 addresses.
URL Scanned: This field displays the total number of URLs that have been scanned.
URL Hit Count: This field displays the total number of hits on the scanned URLs.
IP Detected
Add to white list: Select an entry and click this to add it to the IP reputation white list.
Remove from white list: Select an entry and click this to remove it from the IP reputation white list.
Time: This field displays the date and time the entry was created.
Malicious IP: This field displays the IPv4 address with a bad reputation.
Infected/Victim Host: This field displays the MAC address of the infected host.
Threat Category: This field displays the category of the entry.
Threat Level: This field displays the threat level of the entry.
URL Detected
Add to white list: Select an entry and click this to add it to the URL Threat filtering white list.
Remove from white list: Select an entry and click this to remove it from the URL Threat filtering white list.
Time: This field displays the date and time the entry was created.
Source IP: This field displays the source IP address of the traffic in which the threat URL was detected.
Destination IP: This field displays the destination IP address of the traffic.
Threat URL: This field displays the URL of an infected website or a botnet C&C server.
Threat Category: This field displays the category of the entry.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

6.35 The IDP Screen
Click Monitor > Security Statistics > IDP > Summary to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics.
Figure 151 Monitor > Security Statistics > IDP > Summary: Signature Name

The following table describes the labels in this screen.

Table 71 Monitor > Security Statistics > IDP > Summary
Collect Statistics: Select this check box to have the Zyxel Device collect IDP statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the Zyxel Device or click Flush Data. Collecting starts over and a new collection start time displays.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.
Refresh: Click this button to update the report display.
Flush Data: Click this button to discard all of the screen's statistics and update the report display.
Total Session Scanned: This field displays the number of sessions that the Zyxel Device has checked for intrusion characteristics.
Total Packet Dropped: The Zyxel Device can detect and drop malicious packets from network traffic. This field displays the number of packets that the Zyxel Device has dropped.
Total Packet Reset: The Zyxel Device can also respond to malicious packets by resetting the connection. This field displays the number of packets that the Zyxel Device has reset.
Top Entries By: Use this field to have the following (read-only) table display the top IDP log entries by Signature Name, Source IP or Destination IP. This table displays the most common, recent IDP logs. See the log screen for less common IDP logs or use a syslog server to record all IDP logs. Select Signature Name to list the most common signatures that the Zyxel Device has detected. Select Source IP to list the source IP addresses from which the Zyxel Device has detected the most intrusion attempts. Select Destination IP to list the most common destination IP addresses for intrusion attempts that the Zyxel Device has detected.
Add to white list: Select a signature and click this to add the selected signature to the IDP white list.
Remove from white list: Select a signature and click this to remove the selected signature from the IDP white list.
#: This field displays the entry's rank in the list of the top entries.
Signature Name: This column displays when you display the entries by Signature Name. The signature name identifies the type of intrusion pattern. Click the hyperlink for more detailed information on the intrusion.
Signature ID: This column displays when you display the entries by Signature Name. The signature ID is a unique value given to each signature.
Type: This column displays when you display the entries by Signature Name. It shows the categories of intrusions.
Severity: This column displays when you display the entries by Signature Name. It shows the level of threat that the intrusions may pose.
Source IP: This column displays when you display the entries by Source IP. It shows the source IP address of the intrusion attempts.
Destination IP: This column displays when you display the entries by Destination IP. It shows the destination IP address at which intrusion attempts were targeted.
Occurrences: This field displays how many times the Zyxel Device has detected the event described in the entry.
White List: Click this to add this signature to the IDP white list. Click this to remove this signature from the IDP white list.

The statistics display as follows when you display the top entries by source.
Figure 152 Monitor > Security Statistics > IDP > Summary: Source IP
The statistics display as follows when you display the top entries by destination.
Figure 153 Monitor > Security Statistics > IDP > Summary: Destination IP
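Both the Anti-Malware and IDP summaries above show only the most common recent entries and refer you to the log screen or a syslog server for the rest. The Python below is an added example, not Zyxel code: it rebuilds the same "Top Entries By" ranking from a full log feed, parsing key=value records and ranking any field by occurrence. The record layout and the field names (cat, virus, sig, src, dst) are assumptions for this illustration and are not the Zyxel Device's actual syslog format; the log lines and signature names are constructed samples.

```python
import re
from collections import Counter

# Constructed sample records in a simple key=value layout. The field names
# (cat, virus, sig, src, dst) are an assumption for this example and are not
# the Zyxel Device's actual syslog field names.
SAMPLE_LOGS = """\
cat=anti-malware virus=EICAR-Test-File src=192.0.2.10 dst=198.51.100.5
cat=anti-malware virus=EICAR-Test-File src=192.0.2.11 dst=198.51.100.5
cat=anti-malware virus=Trojan.Generic src=192.0.2.10 dst=198.51.100.7
cat=idp sig=Web.Attack.SQLi src=203.0.113.4 dst=192.0.2.20
cat=idp sig=Web.Attack.SQLi src=203.0.113.4 dst=192.0.2.21
cat=idp sig=Scan.Port src=203.0.113.9 dst=192.0.2.20
unparsed noise line
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Yield one dict per log line; lines without a cat= field are skipped."""
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "cat" in fields:
            yield fields


def top_entries(records, category, key, limit=5):
    """Rank the values of `key` within `category` by occurrence.

    Mirrors the Monitor screen's 'Top Entries By' table: returns a list of
    (value, occurrences) tuples, most frequent first. Ties keep first-seen order.
    """
    counts = Counter(r[key] for r in records if r.get("cat") == category and key in r)
    return counts.most_common(limit)


if __name__ == "__main__":
    records = list(parse_records(SAMPLE_LOGS))
    print("Anti-malware by virus name:", top_entries(records, "anti-malware", "virus"))
    print("Anti-malware by source IP:", top_entries(records, "anti-malware", "src"))
    print("IDP by signature name:", top_entries(records, "idp", "sig"))
    print("IDP by destination IP:", top_entries(records, "idp", "dst"))
```

Ranking by src answers "which internal host is repeatedly fetching infected files", ranking by dst answers "which server is being targeted"; the screen gives you the top five of whichever you pick, while a syslog feed lets you rank the long tail and keep counts across the reboots and Flush Data clicks that erase the on-device statistics.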
6.36 The Email Security Screens
The Email Security menu contains the Summary and Status screens.
6.36.1 Email Security Summary
Click Monitor > Security Statistics > Email Security > Summary to display the following screen. This screen displays spam statistics.
Figure 154 Monitor > Security Statistics > Email Security > Summary

The following table describes the labels in this screen.

Table 72 Monitor > Security Statistics > Email Security > Summary
Collect Statistics: Select this check box to have the Zyxel Device collect email security statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the Zyxel Device or click Flush Data. Collecting starts over and a new collection start time displays.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.
Refresh: Click this button to update the report display.
Flush Data: Click this button to discard all of the screen's statistics and update the report display.
Email Summary
Total Mails Scanned: This field displays the number of emails that the Zyxel Device's email security feature has checked.
Safe Mails: This is the number of emails that the Zyxel Device has determined not to be spam.
Safe Mails Detected by White List: This is the number of emails that matched an entry in the Zyxel Device's email security white list.
Spam Mails: This is the number of emails that the Zyxel Device has determined to be spam.
Spam Mails Detected by Black List: This is the number of emails that matched an entry in the Zyxel Device's email security black list.
Spam Mails Detected by Malicious Mail: This is the number of emails that the Zyxel Device has determined to have malicious contents.
Spam Mails Detected by DNSBL: The Zyxel Device can check the sender and relay IP addresses in an email's header against DNS (Domain Name System)-based spam Black Lists (DNSBLs). This is the number of emails that had a sender or relay IP address in the header which matched one of the DNSBLs that the Zyxel Device uses.
Query Timeout: This is how many queries were sent to the Zyxel Device's configured list of DNSBL domains or Mail Scan services and did not receive a response in time.
When mail session threshold is reached
Mail Sessions Forwarded: This is how many email sessions the Zyxel Device allowed because they exceeded the maximum number of email sessions that the email security feature can check at a time. You can see the Zyxel Device's threshold of concurrent email sessions on the Email Security > Status screen. Use the Email Security > Summary screen to set whether the Zyxel Device forwards or drops sessions that exceed this threshold.
Mail Sessions Dropped: This is how many email sessions the Zyxel Device dropped because they exceeded the maximum number of email sessions that the email security feature can check at a time. You can see the Zyxel Device's threshold of concurrent email sessions on the Email Security > Status screen. Use the Email Security > Summary screen to set whether the Zyxel Device forwards or drops sessions that exceed this threshold.
Statistics
Top Sender By: Use this field to list the top email or IP addresses from which the Zyxel Device has detected the most spam. Select Sender IP to list the source IP addresses from which the Zyxel Device has detected the most spam. Select Sender Email Address to list the top email addresses from which the Zyxel Device has detected the most spam.
#: This field displays the entry's rank in the list of the top entries.
Sender IP: This column displays when you display the entries by Sender IP. It shows the source IP address of spam emails that the Zyxel Device has detected.
Sender Email Address: This column displays when you display the entries by Sender Email Address. This column displays the email addresses from which the Zyxel Device has detected the most spam.
Occurrence: This field displays how many spam emails the Zyxel Device detected from the sender.
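The DNSBL check behind the Spam Mails Detected by DNSBL and Query Timeout fields is an ordinary DNS lookup: the address to test is written octet-reversed (nibble-reversed for IPv6) under the list's zone, and an A record inside 127.0.0.0/8 means the address is listed. The Python below is an added illustration, not Zyxel code; it builds the query name, classifies the answer, and keeps the per-zone Total Queries and No Response counters that the Email Security > Status screen reports. The resolver is a stand-in dictionary (constructed data; no DNS traffic is sent) and the zone names dnsbl.example and slow.example are placeholders, not real lists.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

# A resolver returns the A records for a name, [] when the name does not
# exist (address not listed), or None when the query got no answer in time.
Resolver = Callable[[str], Optional[List[str]]]

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name for an address.

    IPv4 octets are reversed (192.0.2.10 -> 10.2.0.192.<zone>); IPv6 is
    expanded to 32 hex nibbles, reversed and dot-separated.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


class DnsblChecker:
    def __init__(self, zones: Iterable[str], resolve: Resolver):
        self.zones = list(zones)
        self.resolve = resolve
        # Per-zone counters matching the Status screen's Total Queries / No Response.
        self.stats: Dict[str, Dict[str, int]] = {
            z: {"total": 0, "no_response": 0} for z in self.zones
        }

    def check(self, ip: str) -> str:
        """Return 'listed:<zone>', 'clean', or 'timeout' for a sender/relay address."""
        timed_out = False
        for zone in self.zones:
            self.stats[zone]["total"] += 1
            answer = self.resolve(dnsbl_query_name(ip, zone))
            if answer is None:
                self.stats[zone]["no_response"] += 1
                timed_out = True
                continue
            # Only answers inside 127.0.0.0/8 are listings. A public address in the
            # reply usually means a resolver is rewriting NXDOMAIN; treating that as
            # a hit would reject every sender.
            if any(ipaddress.ip_address(a) in LISTED_RANGE for a in answer):
                return f"listed:{zone}"
        return "timeout" if timed_out else "clean"


# Constructed zone data standing in for real DNS answers.
FAKE_ZONE_DATA: Dict[str, Optional[List[str]]] = {
    "4.113.0.203.dnsbl.example": ["127.0.0.2"],   # listed
    "10.2.0.192.dnsbl.example": [],               # not listed
    "10.2.0.192.slow.example": None,              # query timed out
}


def fake_resolve(name: str) -> Optional[List[str]]:
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    checker = DnsblChecker(["dnsbl.example", "slow.example"], fake_resolve)
    for sender in ("203.0.113.4", "192.0.2.10"):
        print(sender, "->", checker.check(sender))
    print(checker.stats)
```

A "timeout" result is what the Summary screen counts under Query Timeout and the Status screen under No Response; whether such mail is then treated as safe or spam is a policy decision, not something the lookup itself answers. When applying this to relay addresses, remember that every Received header except the one added by your own mail server was written by an earlier hop and can be forged by the sender.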

6.36.2 The Email Security Status Screen
Click Monitor > Security Statistics > Email Security > Status to display the Email Security Status screen. Use the Email Security Status screen to see how many email sessions the email security feature is scanning and statistics for the DNSBLs.
Figure 155 Monitor > Security Statistics > Email Security > Status

The following table describes the labels in this screen.

Table 73 Monitor > Security Statistics > Email Security > Status
Resource Status
Concurrent Mail Session Scanning: The darker shaded part of the bar shows how much of the Zyxel Device's total spam checking capability is currently being used. The lighter shaded part of the bar and the pop-up show the historical high. The first number to the right of the bar is how many email sessions the Zyxel Device is presently checking for spam. The second number is the maximum number of email sessions that the Zyxel Device can check at once. An email session is when an email client and email server (or two email servers) connect through the Zyxel Device.
Refresh: Click this button to update the information displayed on this screen.
Flush: Click this button to clear the DNSBL statistics. This also clears the concurrent mail session scanning bar's historical high.
Mail Scan Statistics: These are the statistics for the service the Zyxel Device uses. These statistics are for when the Zyxel Device actually queries the service servers.
#: This is the entry's index number in the list.
Service: This displays the name of the service.
Total Queries: This is the total number of queries the Zyxel Device has sent to this service.
Avg. Response Time (sec): This is the average for how long it takes to receive a reply from this service.
No Response: This is how many queries the Zyxel Device sent to this service without receiving a reply.
DNSBL Statistics: These are the statistics for the DNSBLs the Zyxel Device uses. These statistics are for when the Zyxel Device actually queries the DNSBL servers. Matches for DNSBL responses stored in the cache do not affect these statistics.
#: This is the entry's index number in the list.
DNSBL Domain: These are the DNSBLs the Zyxel Device uses to check sender and relay IP addresses in emails.
Total Queries: This is the total number of DNS queries the Zyxel Device has sent to this DNSBL.
Avg. Response Time (sec): This is the average for how long it takes to receive a reply from this DNSBL.
No Response: This is how many DNS queries the Zyxel Device sent to this DNSBL without receiving a reply.

6.37 The SSL Inspection Screens
The Zyxel Device uses SSL Inspection to decrypt SSL traffic, sends it to the Security Service engines for inspection, then encrypts traffic that passes inspection and forwards it. You must enable SSL Inspection if you want to use Content Filtering 2.0 Safe Search.
Click Monitor > Security Statistics > SSL Inspection > Summary to display the following screen.
Figure 156 Monitor > Security Statistics > SSL Inspection > Summary


The following table describes the labels in this screen.

Table 74 Monitor > Security Statistics > SSL Inspection > Summary
Collect Statistics: Select this check box to have the Zyxel Device collect SSL Inspection statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the Zyxel Device or click Flush Data. Collecting starts over and a new collection start time displays.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.
Refresh: Click this button to update the report display.
Flush Data: Click this button to discard all of the screen's statistics and update the report display.
Status
Maximum Concurrent Sessions: This shows the maximum number of simultaneous SSL Inspection sessions allowed for your Zyxel Device model.
Concurrent Sessions: This shows the actual number of simultaneous SSL Inspection sessions in progress.
Summary
Total SSL Sessions: This is the total of SSL sessions inspected, sessions blocked and sessions passed since data was last flushed or the Zyxel Device last rebooted after Collect Statistics was enabled.
Sessions Inspected: This shows the total number of SSL sessions inspected since data was last flushed or the Zyxel Device last rebooted after Collect Statistics was enabled.
Decrypted (Kbytes): This shows the number of kilobytes (KB) of data that was decrypted for Security Service inspection.
Encrypted (Kbytes): This shows the number of kilobytes (KB) of data that was re-encrypted after Security Service inspection and then forwarded.
Sessions Blocked: This shows the number of SSL sessions blocked.
Sessions Passed: This shows the number of SSL sessions passed.

6.37.1 Certificate Cache List
SSL traffic to a server to be excluded from SSL Inspection is identified by its certificate. Traffic in an Exclude List is not intercepted by SSL Inspection.
Click Monitor > Security Statistics > SSL Inspection > Certificate Cache List to display a screen that shows details on SSL traffic going to servers identified by its certificate and an option to add that traffic to the Exclude List.

Figure 157 Monitor > Security Statistics > SSL Inspection > Certificate Cache List

The following table describes the labels in this screen.

Table 75 Monitor > Security Statistics > SSL Inspection > Certificate Cache List

LABEL

DESCRIPTION

Certificate Cache List

Add to Exclude list

Select an item in the list and click this icon to add the common name (CN) to the Exclude List.

#

This field is a sequential value, and it is not associated with a specific entry.

In Exclude List

If any one of common name, DNS name, email address or IP address of the certificate is in the Exclude List, then traffic to the server identified by the certificate is excluded from inspection.

The icons here are defined as follows:

· Gray: The identity of the certificate is not in the Exclude List
· Green: The common name of the certificate is in the Exclude List
· Yellow: The common name of the certificate is not in the Exclude List but one of the DNS name, email address or IP address is.

Time

This is the latest date (yyyy-mm-dd) and time (hh-mm-ss) that the record in the certificate cache list was matched.

Common Name

This displays the common name in the certificate of the SSL traffic destination server.

Server Name Indication

Server Name Indication (SNI) is the domain name entered in the browser, FTP client, etc. to begin the SSL session with the server. It allows multiple SSL sessions to the same IP address and port number to use different certificates, selected by the SNI each client sends. This field displays the SNI for this SSL session.

SSL Version

This field shows the SSL version. SSLv3/TLS1.0 is currently supported.

Destination

This displays the IP address and port number of the SSL traffic destination server.

Valid Time

This displays the cache item expiry time in seconds. The cache item is deleted when the remaining time expires.

Refresh

Click this button to update the information on the screen.
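The Exclude List matching rule and the three icon states from the table above, together with the Valid Time countdown of a cache row, as an added Python illustration that is not Zyxel code. The certificate identities, Exclude List entries, timestamps and the `bank.example.com` / `mail.example.net` names are constructed for the example; the function and class names are the example's own.

```python
"""Exclude List matching for the Certificate Cache List, plus cache expiry.

Added illustration, not Zyxel code. The certificate identities, the Exclude
List entries and the timestamps are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class CertIdentity:
    """The identity fields the screen compares against the Exclude List."""
    common_name: str
    dns_names: list = field(default_factory=list)     # SAN dNSName entries
    emails: list = field(default_factory=list)        # SAN rfc822Name entries
    ip_addresses: list = field(default_factory=list)  # SAN iPAddress entries


def exclude_state(cert: CertIdentity, exclude_list) -> str:
    """Return the icon colour from the legend: 'green' when the common name is
    in the Exclude List, 'yellow' when only a DNS name, email address or IP
    address is, 'gray' when none of them is."""
    excluded = {entry.strip().lower() for entry in exclude_list}
    if cert.common_name.lower() in excluded:
        return "green"
    others = [*cert.dns_names, *cert.emails, *cert.ip_addresses]
    if any(value.lower() in excluded for value in others):
        return "yellow"
    return "gray"


def is_excluded(cert: CertIdentity, exclude_list) -> bool:
    """Traffic is skipped by SSL Inspection when any identity field matches."""
    return exclude_state(cert, exclude_list) != "gray"


def add_to_exclude_list(cert: CertIdentity, exclude_list: list) -> list:
    """What the 'Add to Exclude list' icon does: it adds the common name (CN) only."""
    if cert.common_name not in exclude_list:
        exclude_list.append(cert.common_name)
    return exclude_list


@dataclass
class CacheEntry:
    """One row of the Certificate Cache List."""
    time: datetime        # last time this record was matched
    cert: CertIdentity
    sni: str              # Server Name Indication sent by the client
    destination: tuple    # (ip, port) of the server
    valid_time: int       # cache lifetime in seconds at the last match

    def remaining_seconds(self, now: datetime) -> int:
        """The 'Valid Time' countdown; the entry is deleted when it reaches 0."""
        elapsed = int((now - self.time).total_seconds())
        return max(0, self.valid_time - elapsed)

    def expired(self, now: datetime) -> bool:
        return self.remaining_seconds(now) == 0


# Constructed reference time for the sample rows.
SAMPLE_T0 = datetime(2020, 10, 1, 12, 0, 0)


def minutes_later(minutes: int) -> datetime:
    return SAMPLE_T0 + timedelta(minutes=minutes)


def build_sample():
    """Constructed rows and Exclude List for the demonstration."""
    exclude = ["bank.example.com"]
    entries = [
        CacheEntry(SAMPLE_T0,
                   CertIdentity("www.bank.example.com",
                                dns_names=["www.bank.example.com", "bank.example.com"]),
                   sni="bank.example.com", destination=("203.0.113.10", 443), valid_time=600),
        CacheEntry(SAMPLE_T0,
                   CertIdentity("mail.example.net", emails=["postmaster@example.net"]),
                   sni="mail.example.net", destination=("203.0.113.20", 443), valid_time=600),
    ]
    return exclude, entries


def classify_all(exclude, entries):
    """Icon colour for every row, in list order."""
    return [exclude_state(e.cert, exclude) for e in entries]
```

The yellow state is the one worth watching when auditing an Exclude List: a row can be excluded from inspection because of a SAN entry even though its common name never appears in the list, so reviewing the list by CN alone under-reports what is bypassing inspection.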

6.38 Log Screens
Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, security policy or user). You can also look at the debugging log by selecting Debug Log. All debugging messages have the same priority.

6.38.1 View Log
To access this screen, click Monitor > Log. The log is displayed on the following screen.
Note: When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.
· The maximum possible number of log messages in the Zyxel Device varies by model.
Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.
Figure 158 Monitor > Log > View Log

The following table describes the labels in this screen.

Table 76 Monitor > Log > View Log

LABEL

DESCRIPTION

Show (Hide) Filter

Click this button to show or hide criteria that allow you to filter logs that will be displayed.

If the filter settings are hidden, the Category, Email Log Now, Refresh, and Clear fields are available.

If the filter settings are shown, the Category, Priority, Source Address, Destination Address, Source Interface, Destination Interface, Service, Keyword, Protocol and Search fields are available.

Category

Select the type of log message(s) you want to view. You can also view All Logs at one time, or you can view the Debug Log.

Priority

This displays when you show the filter. Select the priority of log messages to display. The log displays the log messages with this priority or higher. Choices are: any, emerg, alert, crit, error, warn, notice, and info, from highest priority to lowest priority. This field is grayed out if the Category is Debug Log.

Table 76 Monitor > Log > View Log (continued)

LABEL

DESCRIPTION

Source Address

This displays when you show the filter. Type the source IP address of the incoming packet that generated the log message. Do not include the port in this filter.

Destination Address

This displays when you show the filter. Type the IP address of the destination of the incoming packet when the log message was generated. Do not include the port in this filter.

Source Interface

This displays when you show the filter. Type the source interface of the incoming packet that generated the log message.

Destination Interface

This displays when you show the filter. Type the interface of the destination of the incoming packet when the log message was generated.

Service

This displays when you show the filter. Select the service whose log messages you would like to see. The Web Configurator uses the protocol and destination port number(s) of the service to select which log messages you see.

Keyword

This displays when you show the filter. Type a keyword to look for in the Message, Source, Destination and Note fields. If a match is found in any field, the log message is displayed. You can use up to 63 alphanumeric characters and the underscore, as well as punctuation marks ()' ,:;?! +-*/= #$% @ ; the period, double quotes, and brackets are not allowed.

Protocol

This displays when you show the filter. Select a service protocol whose log messages you would like to see.

Search

This displays when you show the filter. Click this button to update the log using the current filter settings.

Reset

Click Reset to return the screen to its last-saved settings.

Email Log Now

Click this button to send log message(s) to the Active email address(es) specified in the Send Log To field on the Log Settings page.

Refresh

Click this button to update the information on the screen.

Clear

Click this button to clear the whole log, regardless of what is currently displayed on the screen.

#

This field is a sequential value, and it is not associated with a specific log message.

Time

This field displays the time the log message was recorded.

Priority

This field displays the priority of the log message. It has the same range of values as the Priority field above.

Category

This field displays the log that generated the log message. It is the same value used in the Category field above.

Message

This field displays the reason the log message was generated. The text "[count=x]", where x is a number, appears at the end of the Message field if log consolidation is turned on and multiple entries were aggregated to generate into this one.

Source

This field displays the source IP address and the port number in the event that generated the log message.

Destination

This field displays the destination IP address and the port number of the event that generated the log message.

Note

This field displays any additional information about the log message.
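The filter semantics of this table (priority "this level or higher", address filters without the port, the keyword character rule, the Debug Log exception) and the overwrite-oldest-first behaviour from the note above, as an added Python illustration that is not Zyxel code. The log entries, the three-message maximum and the field names are constructed for the example; it assumes a space is not an allowed keyword character, which the table leaves open.

```python
"""Filtering and storage behaviour of the View Log screen.

Added illustration, not Zyxel code. The log entries, the maximum log size
and the field names are constructed for the example.
"""
import re
from collections import deque

# From highest to lowest priority; 'any' disables the priority filter.
PRIORITIES = ["emerg", "alert", "crit", "error", "warn", "notice", "info"]

# Keyword rule from the table: up to 63 alphanumerics, underscore and the
# listed punctuation; period, double quote and brackets are rejected.
# Assumption: a space is not an allowed keyword character.
KEYWORD_RE = re.compile(r"^[A-Za-z0-9_()',:;?!+\-*/=#$%@]{1,63}$")


class LogStore:
    """Fixed-size log: once full, the oldest message is overwritten first."""

    def __init__(self, max_messages: int):
        self.entries = deque(maxlen=max_messages)

    def add(self, time, priority, category, message,
            source="", destination="", note=""):
        if priority not in PRIORITIES:
            raise ValueError(f"unknown priority {priority!r}")
        self.entries.append({
            "time": time, "priority": priority, "category": category,
            "message": message, "source": source,
            "destination": destination, "note": note,
        })


def validate_keyword(keyword: str) -> bool:
    """True when the keyword obeys the length and character rule."""
    return bool(KEYWORD_RE.match(keyword))


def ip_of(endpoint: str) -> str:
    """Strip the ':port' suffix the Source/Destination columns carry."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def filter_logs(entries, category="All Logs", priority="any",
                source=None, destination=None, keyword=None):
    """Apply the View Log filter semantics and return matching entries."""
    if keyword is not None and not validate_keyword(keyword):
        raise ValueError("keyword contains characters the filter rejects")
    if priority != "any" and category != "Debug Log":
        max_rank = PRIORITIES.index(priority)
    else:
        max_rank = None  # Debug Log ignores priority (the field is grayed out)

    out = []
    for e in entries:
        if category != "All Logs" and e["category"] != category:
            continue
        if max_rank is not None and PRIORITIES.index(e["priority"]) > max_rank:
            continue
        if source is not None and ip_of(e["source"]) != source:
            continue
        if destination is not None and ip_of(e["destination"]) != destination:
            continue
        if keyword is not None:
            fields = (e["message"], e["source"], e["destination"], e["note"])
            if not any(keyword.lower() in f.lower() for f in fields):
                continue
        out.append(e)
    return out


def consolidated_message(message: str, count: int) -> str:
    """How a consolidated entry is labelled: '[count=x]' is appended when x > 1."""
    return f"{message} [count={count}]" if count > 1 else message


def build_sample_store(max_messages=3):
    """Constructed entries; four adds into a three-slot log drop the oldest."""
    store = LogStore(max_messages)
    store.add("2020-10-01 10:00:01", "info", "User",
              "User admin logged in", "192.0.2.10:51522", "192.168.1.1:443")
    store.add("2020-10-01 10:00:05", "warn", "Security Policy",
              "Match default rule, DROP", "198.51.100.7:40001", "192.168.1.20:22")
    store.add("2020-10-01 10:00:09", "alert", "IDP",
              "Rule match, drop", "198.51.100.7:40002", "192.168.1.20:445")
    store.add("2020-10-01 10:00:15", "info", "User",
              "User admin logged out", "192.0.2.10:51522", "192.168.1.1:443")
    return store
```

The overwrite behaviour is the operational point: on a busy device the first login of an incident can already be gone from the on-box log by the time anyone looks, which is why the Email Log Now and Log Settings options exist for shipping logs off the device.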

6.38.2 View AP Log
Click on Monitor > Log > View AP Log to open the following screen.

Figure 159 Monitor > Log > View AP Log

The following table describes the labels in this screen.

Table 77 Monitor > Log > View AP Log

LABEL

DESCRIPTION

Show Filter

Click this button to show or hide the filter settings.

If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear fields are available.

If the filter settings are shown, the Display, Priority, Source Address, Destination Address, Source Interface, Destination Interface, Service, Keyword, Protocol, and Search fields are available.

Select an AP

Click the pull down menu to choose an AP.

Query Log

Click Query to create a Query log.

Query Status

The field displays the

AP Information

This field displays the AP information. N/A is displayed when

Log File Status

This field displays how many logs are available. It will display Empty if there's none.

Last Log Query Time

This field displays the most recent time a log query was solicited.

Display

Select the category of log message(s) you want to view. You can also view All Logs at one time, or you can view the Debug Log.

Priority

This displays when you show the filter. Select the priority of log messages to display. The log displays the log messages with this priority or higher. Choices are: any, emerg, alert, crit, error, warn, notice, and info, from highest priority to lowest priority. This field is read-only if the Category is Debug Log.

Source Address

Type the IP address of the source AP.

Destination Address

This displays when you show the filter. Type the IP address of the destination of the incoming packet when the log message was generated. Do not include the port in this filter.

Source Interface

This displays when you show the filter. Type the source interface of the incoming packet that generated the log message.

Destination Interface

This displays when you show the filter. Type the interface of the destination of the incoming packet when the log message was generated.

Service

Select a policy service available from the Zyxel Device from the pull down menu.

Keyword

Type a keyword of the policy service available from the Zyxel Device to search for a log.

Protocol

Select the protocol of the AP from the pull down menu.

Table 77 Monitor > Log > View AP Log (continued)

LABEL

DESCRIPTION

Search

Click this to start the search.

Email Log Now

Click this button to send log message(s) to the Active email address(es) specified in the Send Log To field on the Log Settings page.

Refresh

Click this button to update the information on the screen.

Clear

Click this button to clear the whole log, regardless of what is currently displayed on the screen.

#

This field is a sequential value, and it is not associated with a specific log message.

Time

This field displays the time the log message was recorded.

Priority

This displays when you show the filter. Select the priority of log messages to display. The log displays the log messages with this priority or higher. Choices are: any, emerg, alert, crit, error, warn, notice, and info, from highest priority to lowest priority. This field is read-only if the Category is Debug Log.

Category

This field displays the log that generated the log message. It is the same value used in the Display and (other) Category fields.

Message

This field displays the message of the log.

Source

This displays the source IP address of the selected log message.

Destination

This displays the source IP address of the selected log message.

Note

This field displays any additional information about the log message.

6.38.3 Dynamic Users Log
Use this screen to view the Zyxel Device's dynamic guest account log messages. Click Monitor > Log > Dynamic Users Log to access this screen.
Figure 160 Monitor > Log > Dynamic Users Log

The following table describes the labels in this screen.

Table 78 Monitor > Log > Dynamic Users Log

LA BEL

DESC RIPTIO N

Begin/End Date

Select the first and last dates to specify a time period. The Zyxel Device displays log messages only for the accounts created during the specified time period after you click Search.

Begin/End Time

Select the begin time of the first date and the end time of the last date to specify a time period. The Zyxel Device displays log messages only for the accounts created during the specified time period after you click Search.

Table 78 Monitor > Log > Dynamic Users Log (continued)

LABEL

DESCRIPTION

Search

Click this button to update the information on the screen using the filter criteria in the date and time fields.

Refresh

Click this button to update the information in the screen.

Clear

Click this button to delete the log messages for invalid accounts.

#

This is the index number of the dynamic guest account in the list.

Status

This field displays whether an account expires or not.

Username

This field displays the user name of the account.

Create Time

This field displays when the account was created.

Remaining Time

This field displays the amount of Internet access time remaining for each account.

Time Period

This field displays the total amount of time the account can use to access the Internet through the Zyxel Device.

Expiration Time

This field displays the date and time the account becomes invalid.

Note: Once the time allocated to a dynamic account is used up or a dynamic account remains unused after the expiration time, the account is deleted from the account list.

Quota (T/U/D)

This field displays how much data in both directions (Total) or upstream data (Upload) and downstream data (Download) can be transmitted through the WAN interface before the account expires.

Remaining Quota (T/U/D)

This field displays the remaining amount of data that can be transmitted or received by each account. You can see the amount of either data in both directions (Total) or upstream data (Upload) and downstream data (Download).

Bandwidth (U/D)

This field displays the maximum upstream (Upload) and downstream (Download) bandwidth allowed for the user account in kilobits per second.

Real Name

This field displays the real name of the account's user.

Email

This field displays the email of the account.

Charge

This field displays the total cost of the account.

Payment Info

This field displays the method of payment for each account.

Phone Num

This field displays the telephone number for the user account.

CHAPTER 7 Licensing
7.1 Registration Overview
Use the Configuration > Licensing > Registration screens to register your Zyxel Device and manage its service subscriptions.
· Use the Registration screen (see Section 7.1.2 on page 197) to refresh Zyxel Device registration, go to portal.myZyxel.com to register your Zyxel Device and activate a service, such as content filtering.
· Use the Service screen (see Section 7.1.3 on page 197) to display the status of your service registrations and upgrade licenses.
· Use the Signature Update screen (see Section 7.2.2 on page 200) to download the latest signatures for your licensed services.
7.1.1 What you Need to Know
This section introduces the topics covered in this chapter.
Subscription Services Available
See Configuration > Licensing > Registration > Service for the subscription services that your Zyxel Device supports. Zyxel offers two types of security packs for your Zyxel Device. The subscription services you can use on the Zyxel Device vary depending on the security pack license you purchase. See the table below for services available in each pack. You can purchase an iCard and enter its license key at myZyxel to extend a service.
USG FLEX Series
Table 79 USG FLEX Series Security Subscription Services

SERVICE MODULE              SERVICE               BUNDLE LICENSE
Web Filtering               Content Filter        V
Application Security        App Patrol            V
Anti-Malware                Anti-Malware          V
IPS                         IDP                   V
Email Security (Anti-Spam)  Email Security        V
SecuReporter Premium        SecuReporter Premium  1-Year Standard Service
                                                  · Unlimited log retention period
                                                  · Log analysis for 30 days

7.1.2 Registration Screen
Click the link in this screen to register your Zyxel Device at myZyxel. Then click Refresh in this screen and wait a few moments for the registration information to update. If the page does not refresh, make sure the Internet connection is working and click Refresh again. The Zyxel Device should already have Internet access and be able to access myZyxel. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next.
Click on the icon to go to the OneSecurity website where there is guidance on configuration walkthrough and other information.
Figure 161 Configuration > Licensing > Registration

7.1.3 Service Screen
Use this screen to display the status of your service registrations and upgrade licenses. To activate or extend a standard service subscription, purchase an iCard and enter the iCard's PIN number (license key) at myZyxel. Click Activate in this screen to enable both Trial and Standard services on this Zyxel Device. Click Configuration > Licensing > Registration > Service to open the screen as shown next.
Figure 162 Configuration > Licensing > Registration > Service - USG FLEX 500

The following table describes the labels in this screen.

Table 80 Configuration > Licensing > Registration > Service

LA BEL

DESC RIPTIO N

Service Status

#

This is the entry's position in the list.

Service

This lists the name of services or service modules that are available on the Zyxel Device.

Web Filtering (CF):

This is a license to a database that can block websites by category, such as Gambling.

IPS (IDP)

This is a license for Intrusion Detection and Prevention (IDP) signatures used to detect attacks.

Application Patrol

This is a license to use signatures for Application Patrol inspection to manage the use of various applications on the network.

Anti-Malware

This is a license for signatures to detect malware patterns in files.

Email Security (Anti-Spam)

This is a license to use anti-spam signatures to mark or discard spam (unsolicited commercial or junk email).

SecuReporter

This is a license that allows SecuReporter to collect and analyze logs from your Zyxel Device in order to identify anomalies, notify you of potential internal or external threats, and report on network usage. The Zyxel Device retains logs up to 7 days.

SecuReporter Premium

This is a license that allows SecuReporter to collect and analyze logs from your Zyxel Device in order to identify anomalies, notify you of potential internal or external threats, and report on network usage. The Zyxel Device retains logs up to 1 year.

Managed AP Service

This is a license to manage more APs than the default for your Zyxel Device when the AP controller is enabled.

Hotspot Management Subscription Service

This is a license to manage hotspot functions such as Billing, Printer Manager, Free Time, IPnP, Walled Garden and Advertisement.

Concurrent Device Upgrade

This is a license to increase the number of devices (based on unique MAC address) that can log in and use the Zyxel Device Hotspot at the same time.

Table 80 Configuration > Licensing > Registration > Service (continued)

LABEL

DESCRIPTION

Device HA Pro

This is a license for professional High Availability (HA) that lets a backup Zyxel Device automatically take over if the master Zyxel Device fails.

Firmware Upgrade Service

This is a free license to get Cloud Helper notifications when new firmware is available. You must register your Zyxel Device at myZyxel.

Status

This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn't a license to be activated for this service.

Default displays for quantity-based licenses when the Zyxel Device is currently using the allowed free number without a license. For example, if a Zyxel Device is allowed to manage x number of APs without a license and it is currently using that number, then Managed AP Service Status displays Default.

You can continue to use IDP/AppPatrol, Anti-Malware, Content Filter, Email Security during the grace period. After the grace period ends, all of these features are disabled.

Service Type

This field displays whether you applied for a trial application (Trial) or registered a service with your iCard's PIN number (Standard). This field is blank when a service is not activated.

Expiration Date

This field displays the date your service license expires or the date the grace period expires if the license has already expired.

Count

This field displays how many instances of a service you can use with your current license. N/A means a count does not apply to this service.

Action

If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license.

Then, click Activate to connect with the myZyxel server to activate the new license.

Service License Refresh

Click this button to renew service license information (such as the registration status and expiration day).

Note: It is recommended you use this button after you register for a new service.

7.2 Signature Update
This section shows you how to update the signature packages of the Zyxel Device.
· Use the Configuration > Licensing > Signature Update screen (Section 7.2.2 on page 200) to update the signatures used for a service, such as IDP and application patrol.
7.2.1 What you Need to Know
· You need a valid service registration to update the anti-malware signatures, the URL Threat filter signatures, the IDP signatures and the App-Patrol signatures.
· You do not need a service registration to update the system-protection signatures.
· Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network.
· Your custom signature configurations are not overwritten when you download new signatures.
Note: The Zyxel Device does not have to reboot when you upload new signatures.
7.2.2 The Signature Screen
Click Configuration > Licensing > Signature Update to display the following screen.
Figure 163 Configuration > Licensing > Signature Update

The following table describes the labels in this screen.

Table 81 Configuration > Licensing > Signature Update

LABEL

DESCRIPTION

Service Status

The following fields display the status and information on the current signature set that the Zyxel Device is using.

Feature

This field displays the name of the services available on the Zyxel Device.

Type

This field displays the type of service engine used by the Zyxel Device.

Current Version

This field displays the signatures version number currently used by the Zyxel Device. This number gets larger as new signatures are added.

Released Date

This field displays the date and time the set was released.

Last Sync

This field displays the date and time the Zyxel Device last checked for new signatures at myZyxel.

Action

Click the Update icon to have the Zyxel Device immediately check for new signatures at myZyxel. If new signatures are found, they are then downloaded to the Zyxel Device.

Click the Schedule icon to have the Zyxel Device automatically check for new signatures regularly at the time and day specified. You should select a time when your network is not busy for minimal interruption.

7.2.3 Auto Update
Click the Schedule icon of a service to display the following screen.

Figure 164 Configuration > Licensing > Signature Update: Schedule > Auto Update

The following table describes the labels in this screen.

Table 82 Configuration > Licensing > Signature Update: Schedule > Auto Update

LA BEL

DESC RIPTIO N

Auto Update

Select this check box to have the Zyxel Device automatically check for new signatures regularly at the time and day specified.

You should select a time when your network is not busy for minimal interruption.

Hourly

Select this option to have the Zyxel Device check for new signatures every hour.

Daily

Select this option to have the Zyxel Device check for new signatures every day at the specified time. The time format is the 24 hour clock, so '23' means 11 PM for example.

Weekly

Select this option to have the Zyxel Device check for new signatures once a week on the day and at the time specified.

OK

Click this button to save your changes to the Zyxel Device.

CHAPTER 8 Wireless
8.1 Overview
Use the Wireless screens to configure how the Zyxel Device manages supported Access Points (APs). Supported APs should be in managed mode. See the product page Licenses tab for a list of supported APs.
8.1.1 What You Can Do in this Chapter
· Use the Controller screen (Section 8.2 on page 202) to set how the Zyxel Device allows new APs to connect to the network and set the country code of APs that are connected to the Zyxel Device.
· Use the AP Management screens (Section 8.3 on page 204) to manage all of the APs connected to the Zyxel Device.
· Use the Rogue AP screen (Section 8.4 on page 220) to assign APs either to the rogue AP list or the friendly AP list.
· Use the Auto Healing screen (Section 8.5 on page 223) to extend the wireless service coverage area of the managed APs when one of the APs fails.
· Use the RTLS screen (Section 8.6 on page 224) to allow managed APs with battery-powered Wi-Fi tags to be part of Ekahau RTLS (Real Time Location Service). RTLS can track the location of APs managed by the Zyxel Device to create maps, alerts, and reports.
8.2 Controller Screen
Use this screen to set how the Zyxel Device allows new APs to connect to the network. Click Configuration > Wireless > Controller to access this screen.
Figure 165 Configuration > Wireless > Controller

Each field is described in the following table.

Table 83 Configuration > Wireless > Controller

LA BEL

DESC RIPTIO N

Country Code

Select the country code of APs that are connected to the Zyxel Device to be the same as where the Zyxel Device is located/installed. The available channels vary depending on the country you selected.

Registration Type

Select Manual to add each AP to the Zyxel Device for management, or Always Accept to automatically add APs to the Zyxel Device for management.

If you select Manual, then go to Monitor > Wireless > AP Information > AP List, select an AP to be managed and then click Add to Mgnt AP List. That AP will then appear in Configuration > Wireless > Controller > Mgnt. AP List.

Note: Select the Manual option for managing a specific set of APs. This is recommended as the registration mechanism cannot automatically differentiate between friendly and rogue APs.

APs must be connected to the Zyxel Device by a wired connection or network.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

8.2.1 Connecting an AP to the Zyxel Device
· You can connect an AP directly to one of the Ethernet ports on the Zyxel Device. You can also connect an AP indirectly to the Zyxel Device through the local network.
· If an AP and the Zyxel Device are on the same subnet, the AP will automatically detect and connect to the Zyxel Device.
· If an AP and the Zyxel Device are on different subnets, then you must configure the AP to connect to the Zyxel Device. You can do this manually or by configuring DHCP Option 138 on the AP's DHCP server.
· After an AP has successfully connected to the Zyxel Device, the AP appears in the AP List on MONITOR > Wireless > AP Information.
8.2.2 Connecting an AP to the Zyxel Device Manually
1 Ensure that the Zyxel Device has a static IP address.
2 Connect to and log on to the AP using a web browser.
3 On the AP, go to CONFIGURATION > Network > AC Discovery.
4 Under Discovery Setting, select Manual.
5 Under Primary static AC IP, enter the IP address of the Zyxel Device.
6 Click Apply. The Zyxel Device can now manage the AP.
8.2.3 Connecting an AP to the Zyxel Device Using DHCP Option 138
1 Ensure that the Zyxel Device has a static IP address.
2 Log on to the DHCP server and configure settings for the network in which the AP is located.
3 Add a new DHCP option with the following values:
Name: Capwap AC
Code: 138
Type: IP Address
Value: <Zyxel Device IP address>
4 Restart the AP. The AP picks up a new DHCP-assigned IP address. The Zyxel Device can now manage the AP. Use the AP Management screens to manage all of the APs connected to the Zyxel Device.
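What the DHCP server actually places on the wire for the option configured in step 3, and how an AP reads the controller address back out of its lease, as an added Python illustration that is not Zyxel code and not the DHCP server's own software. The option layout (code 138, a length, then one 4-byte IPv4 address per controller) follows RFC 5417; the function names, the sample options blob and the use of 192.168.1.1 as the Zyxel Device address are constructed for the example.

```python
"""Encoding and decoding DHCP option 138 (CAPWAP AC IPv4 address list, RFC 5417).

Added illustration, not Zyxel code. The addresses and the options blob are
constructed; a real DHCP server builds this from the values entered in step 3.
"""
import ipaddress

OPTION_PAD = 0
OPTION_END = 255
OPTION_DHCP_MESSAGE_TYPE = 53
OPTION_CAPWAP_AC_V4 = 138  # the 'Code: 138' value from step 3


def encode_capwap_ac_option(ac_addresses) -> bytes:
    """Return the TLV bytes: code 138, length, then one 4-byte IPv4 address
    per AC (controller) in order of preference. The length must be a
    non-zero multiple of 4 and fit in one byte."""
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addresses)
    if not payload:
        raise ValueError("at least one AC address is required")
    if len(payload) > 255:
        raise ValueError("too many addresses for a single option")
    return bytes([OPTION_CAPWAP_AC_V4, len(payload)]) + payload


def is_valid_capwap_payload(payload: bytes) -> bool:
    """Length check an AP should apply before trusting the value."""
    return len(payload) > 0 and len(payload) % 4 == 0


def decode_capwap_ac_option(payload: bytes):
    """Parse the option value into dotted-quad strings, rejecting malformed
    lengths instead of silently truncating to the nearest address."""
    if not is_valid_capwap_payload(payload):
        raise ValueError(f"option 138 length {len(payload)} is not a multiple of 4")
    return [str(ipaddress.IPv4Address(payload[i:i + 4]))
            for i in range(0, len(payload), 4)]


def parse_dhcp_options(blob: bytes) -> dict:
    """Walk the DHCP options field (code, length, value ... until END)."""
    options = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value
        i += 2 + length
    return options


def ac_addresses_from_offer(blob: bytes):
    """The AP side: pull the controller list out of an offer's options field."""
    opts = parse_dhcp_options(blob)
    if OPTION_CAPWAP_AC_V4 not in opts:
        return []
    return decode_capwap_ac_option(opts[OPTION_CAPWAP_AC_V4])


def build_sample_options() -> bytes:
    """Constructed options field: message type (53) = DHCPOFFER (2), then
    option 138 carrying the Zyxel Device address 192.168.1.1, then END."""
    message_type = bytes([OPTION_DHCP_MESSAGE_TYPE, 1, 2])
    return (message_type
            + encode_capwap_ac_option(["192.168.1.1"])
            + bytes([OPTION_END]))
```

Because the AP takes its controller address from whatever DHCP server answers on its segment, the same wired-only requirement that applies to registration applies here: the option is only as trustworthy as the DHCP server and the network the AP boots on, which is one more reason the Manual registration type is recommended on the Controller screen.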
8.3 AP Management Screens
Use these screens to manage all of the APs connected to the Zyxel Device. Click Configuration > Wireless > AP Management to access these screens. Click on the icon to go to the OneSecurity website where there is guidance on configuration walkthroughs and other information.
8.3.1 Mgnt. AP List
Figure 166 Configuration > Wireless > AP Management > Mgnt. AP List

Each field is described in the following table.

Table 84 Configuration > Wireless > AP Management > Mgnt. AP List

LA BEL

DESC RIPTIO N

Filter

Click Show Advanced Settings to reveal Filter fields where you can display managed APs by status, keyword or those managed by the Nebula portal.

AP List

Select the type of APs you want to display.

Select All to show all kinds of APs that are currently or used to be connected to the Zyxel Device.

Select Nebula FlexPRO to show the APs that can work in Nebula cloud management mode.

Table 84 Configuration > Wireless > AP Management > Mgnt. AP List (continued)

LABEL

DESCRIPTION

Status

Select the status of APs you want to display.

Keyword

Enter a keyword to display the APs that include it in their AP information, such as model number, firmware version, MAC address and so on. This field is case-sensitive.

Search

Click this to update the list of APs based on the search criteria.

Your search criteria are retained when navigating between screens.

Reset

Click this to return the search criteria to the factory defaults and display all currently or previously connected APs without a filter.

Enable Column Freeze

Select this to lock the index columns in place while scrolling to the right.

Edit the selected rule Select an AP and click this to change the selected AP's properties, such as its group, radio, VLAN and port settings.

Add to Mgmt AP List Select an AP and click this to add the selected AP to the managed AP list.

Reboot device
Remove the selected rule

Select one or multiple APs and click this button to force the AP(s) to restart.
Select one or multiple APs and click this button to remove the AP(s) from the manged AP list.

DCS Now

Note: If on the C o nfig ura tio n > Wire le ss > C o ntro lle r screen you set the Re g istra tio n Type to Alwa ys Ac c e pt, then as soon as you remove an AP from this list it reconnects.
Select one or multiple APs and click this button to use DCS (Dynamic Channel Selection) to allow the AP to automatically find a less-used channel in an environment where there are many APs and there may be interference.

Note: You should have enabled DCS in the applied AP radio profile before the APs can use DCS.

Note: DCS is not supported on the radio which is working in repeater AP mode.

More Information

Select an AP and click this to view a daily station count about the selected AP. The count records station activity on the AP over a consecutive 24 hour period.

Radio Information

Select an online AP and click this button to go to the Mo nito r > Wire le ss > AP Info rm a tio n > Ra dio List screen to view detailed information about the AP's radios.

Query Controller Log Select one or multiple APs and click this button to go to the Mo nito r > Lo g > Vie w Lo g screen to view the selected AP's current log messages.

Nebula

Select an AP and click this to open a screen where you can set whether the AP's IP address and VLAN settings will be changed when it goes into Nebula cloud management mode.

Upgrade Firmware Now Suppression On
Suppression Off
Locator On

Note: The AP will be set to Nebula cloud management mode and removed from the managed AP list right after you click O K.
Select one or more APs and click this button to update the APs' firmware version.
Select an AP and click this button to enable the AP's LED suppression mode. All the LEDs of the AP will turn off after the AP is ready. This button is not available if the selected AP doesn't support suppression mode.
Select an AP and click this button to disable the AP's LED suppression mode. The AP LEDs stay lit after the AP is ready. This button is not available if the selected AP doesn't support suppression mode.
Select an AP and click this button to run the locator feature. The AP's Locator LED will start to blink for 10 minutes by default. It will show the actual location of the AP between several devices on the network.

ZyWALL USG FLEX Series User's Guide
205

Chapter 8 Wireless

Table 84 Configuration > Wireless > AP Management > Mgnt. AP List (continued)

LA BEL # Status

DESC RIPTIO N This field is a sequential value, and it is not associated with any entry. This field displays the status of AP.

Description
CPU Usage IP Address MAC Address Station 2.4G Station 5G Recent Online Time
LED Status

· Online All · Online · Conflict · Non Support · Updating · Offline All · Offline · Offline for Firmware Update · Update · Un-Mgmt
This field displays the AP's description, which you can configure by selecting the AP's entry and clicking the Edit button.
This field displays the CPU Usage of the AP.
This field displays the IP address of the AP.
This field displays the MAC address of the AP.
This field displays the number of 2.4G wireless clients connected to the AP.
This field displays the number of 5G wireless clients connected to the AP.
This displays the most recent time the AP came on-line. N/ A displays if the AP has not come on-line since the Zyxel Device last started up.
This displays the AP LED status.

N/ A displays if the AP does not support LED suppression mode and/or have a locator LED to show the actual location of the AP.

A gray LED icon signifies that the AP LED suppression mode is enabled. All the LEDs of the AP will turn off after the AP is ready.

A green LED icon signifies that the AP LED suppression mode is disabled and the AP LEDs stay lit after the AP is ready.

A sun icon signifies that the AP's locator LED is blinking.

Model
Apply Refresh

A circle signifies that the AP's locator LED is extinguished.
This field displays the AP's hardware model information. It displays N/ A (not applicable) only when the AP disconnects from the Zyxel Device and the information is unavailable as a result.
Click Apply to save your changes back to the Zyxel Device.
Click Re fre sh to update the AP list.

ZyWALL USG FLEX Series User's Guide
206

Chapter 8 Wireless
8.3.1.1 Edit AP List
Select an AP and click the Edit button in the Configuration > Wireless > AP Management table to display this screen.
Figure 167 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List
Each field is described in the following table.

Table 85 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List

LABEL  DESCRIPTION

Create new Object
Use this menu to create a new Radio Profile object to associate with this AP.

MAC
This displays the MAC address of the selected AP.

Model
This field displays the AP's hardware model information. It displays N/A (not applicable) only when the AP disconnects from the Zyxel Device and the information is unavailable as a result.

S/N
This displays the serial number of the selected AP.

Description
Enter a description for this AP. You can use up to 31 characters; spaces and underscores are allowed.

Group Setting

System Name
Enter a name to identify the AP on a network. This is usually the AP's fully qualified domain name.

Location
Specify the name of the place where the AP is located.

Roaming Group
Specify the name of the roaming group to which the AP belongs. You can use up to 31 alphanumeric and @# characters. Dashes and underscores are also allowed. The name should start with a letter or digit.
The 802.11k neighbor list a client requests from the AP is generated according to the roaming group and RCPI (Received Channel Power Indicator) value of its neighbor APs.
When a client wants to roam from the current AP to another, other APs in the same roaming group or not in a roaming group will be candidates for roaming. Neighbor APs in a different roaming group will be excluded from the 802.11k neighbor lists even when the neighbor AP has the best signal strength.
If the AP's roaming group is not configured, any neighbor APs can be candidates for roaming.

Load Balancing Group 1/2
Load balancing is only applied to APs within the same group. If a load balancing group is not assigned to an AP, it will belong to a default group. Each AP can belong to up to two groups.

Radio 1/2 Setting

Override Group Radio Setting
Select this option to overwrite the AP radio settings with the settings you configure here.

OP Mode
Select the operating mode for radio 1 or radio 2.
AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the Zyxel Device to be managed (or subsequently passed on to an upstream gateway for managing).
MON Mode means the AP monitors the broadcast area for other APs, then passes their information on to the Zyxel Device where it can be determined if those APs are friendly or rogue. If an AP is set to this mode it cannot receive connections from wireless clients.
Root AP means the radio acts as an AP and also supports the wireless connections with other APs (in repeater mode) to form a ZyMesh to extend its wireless network.
Repeater AP means the radio can establish a wireless connection with other APs (in either root AP or repeater mode).
Note: To prevent bridge loops, do NOT set both radios on a managed AP to Repeater AP mode.
Note: The root AP and repeater AP(s) in a ZyMesh must use the same country code and AP radio profile settings in order to communicate with each other.
Note: Ensure you restart the managed AP after you change its operating mode.

Radio 1/2 AP Profile
Select an AP profile from the list. If no profile exists, you can create a new one through the Create new Object menu.

Radio 1/2 Profile
Select a monitor profile from the list. If no profile exists, you can create a new one through the Create new Object menu.

Radio 1/2 ZyMesh Profile
This field is available only when the radio is in Root AP or Repeater AP mode.
Select the ZyMesh profile the radio uses to connect to a root AP or repeater.

Enable Wireless Bridging
This field is available only when the radio is in Repeater AP mode.
Select this option to enable wireless bridging on the radio.
The managed AP must support LAN provision and the radio should be in repeater mode. VLAN and bridge interfaces are created automatically according to the LAN port's VLAN settings. When wireless bridging is enabled, the managed repeater AP can still transmit data through its Ethernet port(s) after the ZyMesh link is up. Be careful to avoid bridge loops.
The managed APs in the same ZyMesh must use the same static VLAN ID.

Override Group Output Power Setting
Select this option to overwrite the AP output power setting with the setting you configure here.

Output Power
Set the output power of the AP.

Override Group SSID Setting
Select this option to overwrite the AP SSID profile setting with the setting you configure here. This section allows you to associate an SSID profile with the radio.

Edit
Select an SSID and click this button to reassign it. The selected SSID becomes editable immediately upon clicking.

#
This is the index number of the SSID profile. You can associate up to eight SSID profiles with an AP radio.

SSID Profile
Indicates which SSID profile is associated with this radio profile.

IP Setting

Force Overwrite IP Setting
Select this to have the Zyxel Device change the AP's IP address setting to match the configuration in this screen.

Get Automatically
Select this to have the AP act as a DHCP client and automatically get the IP address, subnet mask, and gateway address from a DHCP server.

Use Fixed IP Address
Select this if you want to specify the IP address, subnet mask, gateway and DNS server address manually.

IP Address
Enter the IP address for the AP.

Subnet Mask
Enter the subnet mask of the AP in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all devices in the network.

Gateway
Enter the IP address of the gateway. The AP sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the AP.

DNS Server IP Address
Enter the IP address of the DNS server.

VLAN Settings

Override Group VLAN Setting
Select this option to overwrite the AP VLAN setting with the setting you configure here.

Force Overwrite VLAN Config
Select this to have the Zyxel Device change the AP's management VLAN to match the configuration in this screen.

Management VLAN ID
Enter a VLAN ID for this AP.

As Native VLAN
Select this option to treat this VLAN ID as a VLAN created on the Zyxel Device and not one assigned to it from outside the network.

Storm Control Setting

Broadcast Storm Control
Enabling this will drop ingress broadcast traffic in the physical Ethernet port if it exceeds the maximum traffic rate. The maximum traffic rate can be changed using the CLI (see CLI Reference Guide).

Multicast Storm Control
Enabling this will drop ingress multicast traffic in the physical Ethernet port if it exceeds the maximum traffic rate. The maximum traffic rate can be changed using the CLI (see CLI Reference Guide).

Rogue AP Detection Setting

Override Group Rogue AP Detection Setting
Select this option to overwrite the AP Rogue Detection Settings with the settings you configure here.

Enable Rogue AP Detection
Select this option to detect Rogue APs in the network.

Antenna Setting
This section is available only when the AP has an antenna switch. The screen varies depending on whether the AP has a physical antenna switch or allows you to change antenna orientation settings on a per-radio basis or on a per-AP basis.

Wall/Ceiling
This allows you to adjust coverage depending on the antenna orientation of the AP's radios for better coverage.
Select Wall if you mount the AP to a wall. Select Ceiling if the AP is mounted on a ceiling. You can switch from Wall to Ceiling if there are still wireless dead zones, and vice versa.

LED Suppression Mode Configuration
This section is available only when the AP supports LED suppression mode.

Suppression On
Select this option to enable the AP's LED suppression mode. All the LEDs of the AP will turn off after the AP is ready.
If the check box is unchecked, it means the LEDs will stay lit after the AP is ready.

Power Setting
Enable Force override the power mode to full power if you are using a PoE injector that does not support PoE negotiation. Otherwise, the AP cannot draw full power from the power sourcing equipment. Enable this power mode to improve the AP's performance in this situation.
Note: Ensure that the power sourcing equipment can supply enough power to the AP to avoid abnormal system reboots.
Note: Only enable this if you are using a passive PoE injector that is not IEEE 802.3at/bt compliant but can still provide full power.

Locator LED Configuration
This section is available only when the AP has a locator LED.

Turn On/Turn Off
When the locator LED is off, click the Turn On button to activate the locator function. It will show the actual location of the AP between several devices in the network. If the locator LED is blinking, click the Turn Off button to stop the locator LED from blinking immediately.

Automatically Extinguish After
Enter a time interval between 1 and 60 minutes to stop the locator LED from blinking. The locator LED will start to blink for the number of minutes set here. If you make changes to the time default setting, it will be stored as the default when the AP restarts.

Reset AP Configuration
This section is available only when the AP is online.

Apply Factory Default
Click the button to reset all of the AP settings to the factory defaults.

OK
Click OK to save your changes back to the Zyxel Device.

Cancel
Click Cancel to close the window with changes unsaved.
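The roaming-group rule for the 802.11k neighbor list described above, as an added Python example that is not Zyxel's code: neighbors are filtered by roaming group and ordered by RCPI. The NeighborAP type, the MAC addresses and the RCPI values are constructed for the example.

```python
"""Added example (not Zyxel code): build the 802.11k neighbor candidate list
for a client on a managed AP, following the roaming-group rule in the
Edit AP List table. All AP records and RCPI values below are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NeighborAP:
    mac: str
    roaming_group: Optional[str]  # None means the group is not configured
    rcpi: int                     # Received Channel Power Indicator, higher is stronger


def neighbor_candidates(serving_group: Optional[str],
                        neighbors: List[NeighborAP]) -> List[NeighborAP]:
    """Return the neighbors a client may roam to, strongest RCPI first.

    Rule from the guide: if the serving AP has no roaming group, every
    neighbor is a candidate. Otherwise only neighbors in the same roaming
    group, or with no roaming group at all, are candidates; a neighbor in a
    different group is excluded even when it has the best signal strength.
    """
    if serving_group is None:
        candidates = list(neighbors)
    else:
        candidates = [n for n in neighbors
                      if n.roaming_group is None or n.roaming_group == serving_group]
    return sorted(candidates, key=lambda n: n.rcpi, reverse=True)


# Constructed sample neighbors (MAC addresses and RCPI values are made up).
SAMPLE_NEIGHBORS = [
    NeighborAP("00:11:22:33:44:01", "floor1", rcpi=150),
    NeighborAP("00:11:22:33:44:02", "floor2", rcpi=200),  # strongest, but another group
    NeighborAP("00:11:22:33:44:03", None, rcpi=120),      # no group: always a candidate
]

if __name__ == "__main__":
    # Serving AP is in roaming group "floor1": the floor2 AP is excluded
    # despite its higher RCPI.
    for ap in neighbor_candidates("floor1", SAMPLE_NEIGHBORS):
        print(ap.mac, ap.roaming_group, ap.rcpi)
```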

8.3.2 AP Policy
Use this screen to configure the AP controller's IP address on the managed APs and determine the action the managed APs take if the current AP controller fails. Click Configuration > Wireless > AP Management > AP Policy to access this screen.
Figure 168 Configuration > Wireless > AP Management > AP Policy

Each field is described in the following table.

Table 86 Configuration > Wireless > AP Management > AP Policy

LABEL  DESCRIPTION

Force Override AC IP Config on AP
Select this to have the Zyxel Device change the AP controller's IP address on the managed AP(s) to match the configuration in this screen.

Override Type
Select Auto to have the managed AP(s) automatically send broadcast packets to find any other available AP controllers.
Select Manual to replace the AP controller's IP address configured on the managed AP(s) with the one(s) you specified below.

Primary Controller
Specify the IP address of the primary AP controller if you set Override Type to Manual.

Secondary Controller
Specify the IP address of the secondary AP controller if you set Override Type to Manual.

Fall back to Primary Controller when possible
Select this option to have the managed AP(s) change back to associate with the primary AP controller as soon as the primary AP controller is available.

Fall Back Check Interval
Set how often the managed AP(s) check whether the primary AP controller is available.

Firmware Updating

Updating Type
Specify how you want the Zyxel Device to upgrade AP firmware.
Select CAPWAP to have the Zyxel Device use CAPWAP (Control and Provisioning of Wireless Access Points protocol) to automatically update firmware on the managed APs.
Select FTP to allow the managed APs to download the latest firmware from the Zyxel Device using FTP.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.

8.3.3 AP Group
Use this screen to configure AP groups, which define the radio, port, VLAN and load balancing settings and apply the settings to all APs in the group. An AP can belong to one AP group at a time. Click Configuration > Wireless > AP Management > AP Group to access this screen.
Figure 169 Configuration > Wireless > AP Management > AP Group

Each field is described in the following table.

Table 87 Configuration > Wireless > AP Management > AP Group

LABEL  DESCRIPTION

Group Setting

Default Group
Select a group that is used as the default group.
Any AP that is not configured to associate with a specific AP group belongs to the default group automatically.

Group Summary

Add
Click this button to create a new AP group.

Edit
Select an entry and click this button to edit its properties.

Remove
Select an entry and click this button to remove it from the list.
Note: You cannot remove a group with which an AP is associated.

DCS Now
Select one or multiple groups and click this button to use DCS (Dynamic Channel Selection) to allow the APs in the group(s) to automatically find a less-used channel in an environment where there are many APs and there may be interference.
Note: You should have enabled DCS in the applied AP radio profile before the APs can use DCS.
Note: DCS is not supported on the radio which is working in repeater AP mode.

#
This is the index number of the group in the list.

Group Name
This is the name of the group.

Member Count
This is the total number of APs which belong to this group.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.

8.3.3.1 Add/Edit AP Group
Click Add or select an AP group and click the Edit button in the Configuration > Wireless > AP Management > AP Group table to display this screen.
Figure 170 Configuration > Wireless > AP Management > AP Group > Add/Edit
Each field is described in the following table.

Table 88 Configuration > Wireless > AP Management > AP Group > Add/Edit

LABEL  DESCRIPTION

General Settings

Group Name
Enter a name for this group. You can use up to 31 alphanumeric characters. Dashes and underscores are also allowed. The name should start with a letter.

Description
Enter a description for this group. You can use up to 31 characters; spaces and underscores are allowed.

Location
Specify the name of the place where the AP group is located.

Radio 1/2 Setting

OP Mode
Select the operating mode for radio 1 or radio 2.
AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the Zyxel Device to be managed (or subsequently passed on to an upstream gateway for managing).
MON Mode means the AP monitors the broadcast area for other APs, then passes their information on to the Zyxel Device where it can be determined if those APs are friendly or rogue. If an AP is set to this mode it cannot receive connections from wireless clients.
Root AP means the radio acts as an AP and also supports the wireless connections with other APs (in repeater mode) to form a ZyMesh to extend its wireless network.
Repeater AP means the radio can establish a wireless connection with other APs (in either root AP or repeater mode).
Note: To prevent bridge loops, do NOT set both radios on a managed AP to Repeater AP mode.
Note: The root AP and repeater AP(s) in a ZyMesh must use the same country code and AP radio profile settings in order to communicate with each other.
Note: Ensure you restart the managed AP after you change its operating mode.

Radio 1/2 AP Profile
Select an AP profile from the list. If no profile exists, you can create a new one through the Create new Object menu.

Radio 1/2 Profile
Select a monitor profile from the list. If no profile exists, you can create a new one through the Create new Object menu.

Radio 1/2 ZyMesh Profile
This field is available only when the radio is in Root AP or Repeater AP mode.
Select the ZyMesh profile the radio uses to connect to a root AP or repeater.

Enable Wireless Bridging
This field is available only when the radio is in Repeater AP mode.
Select this option to enable wireless bridging on the radio.
The managed AP must support LAN provision and the radio should be in repeater mode. VLAN and bridge interfaces are created automatically according to the LAN port's VLAN settings. When wireless bridging is enabled, the managed repeater AP can still transmit data through its Ethernet port(s) after the ZyMesh link is up. Be careful to avoid bridge loops.
The managed APs in the same ZyMesh must use the same static VLAN ID.

Output Power
Set the maximum output power of the AP.
If there is a high density of APs in an area, decrease the output power of the managed AP to reduce interference with other APs.
Note: Reducing the output power also reduces the Zyxel Device's effective broadcast radius.

Edit
Select an SSID and click this button to reassign it. The selected SSID becomes editable immediately upon clicking.

#
This is the index number of the SSID profile. You can associate up to eight SSID profiles with an AP radio.

SSID Profile
Indicates which SSID profile is associated with this radio profile.

VLAN Settings

Force Overwrite VLAN Config
Select this to have the Zyxel Device change the AP's management VLAN to match the configuration in this screen.

Management VLAN ID
Enter a VLAN ID for this AP.

As Native VLAN
Select this option to treat this VLAN ID as a VLAN created on the Zyxel Device and not one assigned to it from outside the network.

Port Settings

Model Specific Setting
Select the model of the managed AP to display the model-specific port and VLAN settings in the tables below.

Port Setting
You can activate or deactivate a non-uplink port.

Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Activate/Inactivate
To turn on an entry, select it and click Activate. To turn off an entry, select it and click Inactivate.

#
This is the port's index number in this list.

Status
This displays whether or not the port is activated.

Port
This shows the name of the physical Ethernet port on the managed AP.

PVID
This shows the port's PVID.
A PVID (Port VLAN ID) is a tag that adds to incoming untagged frames received on a port so that the frames are forwarded to the VLAN group that the tag defines.

VLAN Configuration
Use Add to create a new VLAN Configuration. Select a VLAN Configuration first to use the Edit, Remove, Activate and Inactivate buttons.

#
This is the VLAN's index number in this list.

Status
This displays whether or not the VLAN is activated.

Name
This shows the name of the VLAN.

VID
This shows the VLAN ID number.

Member
This field displays the Ethernet port(s) that is a member of this VLAN.

Load Balancing Setting
Use this section to configure wireless network traffic load balancing between the managed APs in this group.

Enable Load Balancing
Select this to enable load balancing on the Zyxel Device.
Note: Load balancing is not supported on the radio which is working in root AP or repeater AP mode.

Mode
Select a mode by which load balancing is carried out.
Select By Station Number to balance network traffic based on the number of specified stations connected to an AP.
Select By Traffic Level to balance network traffic based on the volume generated by the stations connected to an AP.
Select By Smart Classroom to balance network traffic based on the number of specified stations connected to an AP. The AP ignores association request and authentication request packets from any new station when the maximum number of stations is reached.
If you select By Station Number or By Traffic Level, once the threshold is crossed (either the maximum station numbers or with network traffic), the AP delays association request and authentication request packets from any new station that attempts to make a connection. This allows the station to automatically attempt to connect to another, less burdened AP if one is available.

Radio 1/2 Max Station Number
Enter the threshold number of stations at which an AP begins load balancing its connections.

Disassociate station when overloaded
This function is enabled by default and the disassociation priority is always Signal Strength when you set Mode to By Station Number.
Select this option to disassociate wireless clients connected to the AP when it becomes overloaded. If you do not enable this option, then the AP simply delays the connection until it can afford the bandwidth it requires, or it transfers the connection to another AP within its broadcast radius.
The disassociation priority is determined automatically by the Zyxel Device and is as follows:
· Idle Timeout - Devices that have been idle the longest will be disassociated first. If none of the connected devices are idle, then the priority shifts to Signal Strength.
· Signal Strength - Devices with the weakest signal strength will be disassociated first.
Note: If you enable this function, you should ensure that there are multiple APs within the broadcast radius that can accept any rejected or kicked wireless clients; otherwise, a wireless client attempting to connect to an overloaded AP will be kicked continuously and never be allowed to connect.

Radio 1/2 Traffic Level
Select the threshold traffic level at which the AP begins load balancing its connections (Low, Medium, High).
The maximum bandwidth allowed for each level is:
· Low - 11 Mbps
· Medium - 23 Mbps
· High - 35 Mbps

Rogue AP Detection Setting

Enable Rogue AP Detection
Select this option to detect Rogue APs in the network.

AP List

Available
This lists the APs that do not belong to this group. Select the APs that you want to add to the group you are editing, and click the right arrow button to add them.

Member
This lists the APs that belong to this group. Select any APs that you want to remove from the group, and click the left arrow button to remove them.

OK
Click OK to save your changes back to the Zyxel Device.

Cancel
Click Cancel to close the window with changes unsaved.

Override Member AP Setting
Click this button to overwrite the settings of all managed APs in this group with the settings you configure here. All Override Group check boxes on the AP Management > Mgnt. AP List > Edit AP List screen for the APs in this group will be deselected.
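The load-balancing thresholds and the disassociation priority described in this table, as an added Python example that is not Zyxel's own code. The Station type, the sample stations and the idle timeout used to decide whether a device counts as idle (the guide gives no value for it) are assumptions made for the example.

```python
"""Added example (not Zyxel code): model the AP group load-balancing rules
from the Add/Edit AP Group table: the per-mode overload check and the
disassociation priority (Idle Timeout first, then Signal Strength; always
Signal Strength for By Station Number). Stations and the idle timeout are
constructed sample values."""
from dataclasses import dataclass
from typing import List, Optional

# Maximum bandwidth per traffic level, in Mbps, as listed in the guide.
TRAFFIC_LEVEL_MBPS = {"Low": 11, "Medium": 23, "High": 35}


@dataclass(frozen=True)
class Station:
    mac: str
    idle_seconds: int  # time since the station last sent or received data
    rssi_dbm: int      # signal strength; more negative is weaker


def is_overloaded(mode: str, stations: List[Station], max_stations: int = 0,
                  traffic_level: str = "Medium", current_mbps: float = 0.0) -> bool:
    """Return True when the AP has crossed its load-balancing threshold.

    By Station Number and By Smart Classroom compare the station count with
    the configured maximum; By Traffic Level compares the measured traffic
    with the bandwidth cap of the selected level.
    """
    if mode in ("By Station Number", "By Smart Classroom"):
        return len(stations) >= max_stations
    if mode == "By Traffic Level":
        return current_mbps > TRAFFIC_LEVEL_MBPS[traffic_level]
    raise ValueError(f"unknown load balancing mode: {mode}")


def pick_station_to_disassociate(mode: str, stations: List[Station],
                                 idle_timeout_seconds: int = 300) -> Optional[Station]:
    """Choose the station an overloaded AP disassociates first.

    By Station Number always uses Signal Strength. Otherwise the longest-idle
    station goes first; if no station has been idle for at least the assumed
    timeout, the priority shifts to Signal Strength (weakest signal first).
    """
    if not stations:
        return None
    if mode != "By Station Number":
        idle = [s for s in stations if s.idle_seconds >= idle_timeout_seconds]
        if idle:
            return max(idle, key=lambda s: s.idle_seconds)
    return min(stations, key=lambda s: s.rssi_dbm)


# Constructed sample stations (MAC addresses and measurements are made up).
SAMPLE_STATIONS = [
    Station("aa:bb:cc:00:00:01", idle_seconds=10, rssi_dbm=-80),   # weakest signal
    Station("aa:bb:cc:00:00:02", idle_seconds=900, rssi_dbm=-55),  # idle the longest
    Station("aa:bb:cc:00:00:03", idle_seconds=400, rssi_dbm=-60),
]

if __name__ == "__main__":
    # 14 Mbps on a radio set to the Low level (11 Mbps cap) is overloaded;
    # the longest-idle station is disassociated first.
    if is_overloaded("By Traffic Level", SAMPLE_STATIONS,
                     traffic_level="Low", current_mbps=14.0):
        victim = pick_station_to_disassociate("By Traffic Level", SAMPLE_STATIONS)
        print("disassociate", victim.mac)
```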

8.3.4 Firmware
The Zyxel Device stores an AP firmware in order to manage supported APs. This screen allows the Zyxel Device to check for and download new AP firmware when it becomes available on the firmware server. All APs managed by the Zyxel Device must have the same firmware version as the AP firmware on the Zyxel Device.
When an AP connects to the Zyxel Device wireless controller, the Zyxel Device will check if the AP has the same firmware version as the AP firmware on the Zyxel Device. If yes, then the Zyxel Device can manage it. If no, then the AP must upgrade (or downgrade) its firmware to be the same version as the AP firmware on the Zyxel Device (and reboot).
The Zyxel Device should always have the latest AP firmware so that:
· APs don't have to downgrade firmware in order to be managed
· All new APs are supported.
Use Check to see if the Zyxel Device has the latest AP firmware. Use Apply to have the Zyxel Device download the latest AP firmware (see More Details for more information on the firmware) from the firmware server. If the Zyxel Device does not have enough space for the latest AP firmware, then the Zyxel Device will delete an existing firmware that no AP is using before downloading the new AP firmware.

Click Configuration > Wireless > AP Management > Firmware to access this screen.
Figure 171 Configuration > Wireless > AP Management > Firmware

Each field is described in the following table.

Table 89 Configuration > Wireless > AP Management > Firmware

LABEL  DESCRIPTION

AP Firmware

Runtime Firmware
This displays the current AP firmware version on the Zyxel Device. The Zyxel Device must have the latest AP firmware to manage all supported APs.

Available Firmware
This field displays if there is a later AP firmware version available on the firmware server. It displays N/A if the Zyxel Device cannot connect with the firmware server. Check that the Zyxel Device has Internet access if N/A displays and then click the Check button below.
If a newer Zyxel Device AP firmware is available, its version number and a More Details icon displays here.

Last Check Success
This displays the date and time the last check for new firmware was made and whether the check is in progress (checking), was successful (success), or has failed (fail).

Check
Click this button to have the Zyxel Device display the latest AP firmware version available on the firmware server.

Apply AP Firmware
Due to space limitations, the Zyxel Device only downloads and keeps AP firmware for APs it is currently managing. If you connect a new AP to the Zyxel Device, the Zyxel Device may need to download a new AP firmware. Please wait while downloading new firmware as the speed depends on your Internet connection speed. Make sure to maintain the Internet connection while downloading new firmware.

Apply
Click this to download newer Available Firmware from the firmware server and update the Runtime Firmware version.

#
This is an index number of a managed AP.

Model
This displays the name of all manageable AP models.

Runtime Firmware
This displays the firmware version that the managed AP must have in order to be managed by the Zyxel Device. Firmware for APs that the Zyxel Device already has displays in bold; firmware that the Zyxel Device doesn't have or is still downloading is grayed out. Firmware that is in the download queue will show To be downloaded.

Refresh
Click this to update the model firmware table.

8.4 Rogue AP
Use this screen to assign APs either to the rogue AP list or the friendly AP list. A rogue AP is a wireless access point operating in a network's coverage area that is not under the control of the network administrator, and which can potentially open up holes in a network's security.
Click Configuration > Wireless > Rogue AP to access this screen.


Figure 172 Configuration > Wireless > Rogue AP

Each field is described in the following table.

Table 90 Configuration > Wireless > Rogue AP

LABEL DESCRIPTION

Suspected Rogue AP Classification Rule

Click the check boxes (Weak Security (Open, WEP, WPA-PSK), Un-managed AP, Hidden SSID, SSID Keyword) of the characteristics an AP should have for the Zyxel Device to rule it as a rogue AP.

Add

Click this to add an SSID Keyword.

Edit

Select an SSID Keyword and click this button to modify it.

Remove

Select an existing SSID keyword and click this button to delete it.

#

This is the SSID Keyword's index number in this list.

SSID Keyword

This field displays the SSID Keyword.

Rogue/Friendly AP List

Add

Click this button to add an AP to the list and assign it either friendly or rogue status.

Edit

Select an AP in the list to edit and reassign its status.

Remove

Select an AP in the list to remove.


Table 90 Configuration > Wireless > Rogue AP (continued)

LABEL DESCRIPTION

Containment

Click this button to quarantine the selected AP.

A quarantined AP cannot grant access to any network services. Any stations that attempt to connect to a quarantined AP are disconnected automatically.

Dis-Containment

Click this button to take the selected AP out of quarantine.

An unquarantined AP has normal access to the network.

#

This field is a sequential value, and it is not associated with any interface.

Containment

This field indicates the selected AP's containment status.

Role

This field indicates whether the selected AP is a rogue-ap or a friendly-ap. To change the AP's role, click the Edit button.

MAC Address

This field indicates the AP's radio MAC address.

Description

This field displays the AP's description. You can modify this by clicking the Edit button.

Rogue/Friendly AP List Importing/Exporting

These controls allow you to export the current list of rogue and friendly APs or import existing lists.

File Path / Browse / Importing

Enter the file name and path of the list you want to import or click the Browse button to locate it. Once the File Path field has been populated, click Importing to bring the list into the Zyxel Device.

Exporting

Click this button to export the current list of either rogue APs or friendly APs.

Monitor Mode Settings

Enable Rogue AP Containment

Select this to enable rogue AP containment.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.
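The classification rule above, worked through in code: the four check boxes (weak security, un-managed AP, hidden SSID, SSID keyword) are applied to a constructed set of scan results, with the administrator's friendly list taking precedence. This is an added example, not Zyxel code; the scan-record fields, the assumption that the controller's own managed APs are never classified, and the sample MAC addresses and SSIDs are constructed.

```python
"""Rule-based classification of scanned APs, following the Suspected Rogue AP
Classification Rule options on the Configuration > Wireless > Rogue AP screen.

Added example, not Zyxel code. The scan-record fields, the rule that the
controller's own managed APs are never classified, and the sample scan
below (MAC addresses and SSIDs are made up) are constructed assumptions."""
from dataclasses import dataclass, field

# "Weak Security (Open, WEP, WPA-PSK)": the security types the rule treats as weak
WEAK_SECURITY = {"open", "wep", "wpa-psk"}


@dataclass
class ScanResult:
    bssid: str        # radio MAC address of the scanned AP
    ssid: str         # empty string means the AP hides its SSID
    security: str     # e.g. "open", "wep", "wpa-psk", "wpa2-psk", "wpa2-enterprise"
    managed: bool     # True if this AP is managed by the controller


@dataclass
class RogueRules:
    """One flag per check box on the screen, plus the SSID Keyword list."""
    weak_security: bool = False
    unmanaged_ap: bool = False
    hidden_ssid: bool = False
    ssid_keywords: list = field(default_factory=list)   # case-insensitive substrings


def classify(ap, rules, friendly=frozenset()):
    """Return (verdict, reasons) for one scanned AP.

    Precedence (assumed): APs the controller manages are skipped, APs on the
    administrator's friendly list are never flagged, and otherwise any enabled
    rule that matches makes the AP a rogue-ap."""
    mac = ap.bssid.lower()
    if ap.managed:
        return "managed", []
    if mac in friendly:
        return "friendly-ap", []
    reasons = []
    if rules.weak_security and ap.security.lower() in WEAK_SECURITY:
        reasons.append("weak-security:" + ap.security.lower())
    if rules.unmanaged_ap:
        reasons.append("unmanaged")
    if rules.hidden_ssid and ap.ssid == "":
        reasons.append("hidden-ssid")
    for kw in rules.ssid_keywords:
        if kw.lower() in ap.ssid.lower():
            reasons.append("ssid-keyword:" + kw)
    return ("rogue-ap" if reasons else "unclassified"), reasons


def rogue_list(scan, rules, friendly=frozenset()):
    """{bssid: reasons} for every AP the rules mark as rogue, i.e. the
    candidates an administrator would review before containment."""
    out = {}
    for ap in scan:
        verdict, reasons = classify(ap, rules, friendly)
        if verdict == "rogue-ap":
            out[ap.bssid.lower()] = reasons
    return out


# Constructed sample scan results.
SAMPLE_SCAN = [
    ScanResult("00:11:22:33:44:01", "Corp-Staff", "wpa2-enterprise", True),
    ScanResult("00:11:22:33:44:02", "Corp-Guest", "wpa-psk", True),
    ScanResult("aa:bb:cc:dd:ee:01", "", "wpa2-psk", False),                 # hidden SSID
    ScanResult("aa:bb:cc:dd:ee:02", "Corp-Staff-Free", "open", False),      # lookalike, open
    ScanResult("aa:bb:cc:dd:ee:03", "Cafe-Next-Door", "wpa2-psk", False),   # known neighbour
]

# Weak security, hidden SSID and the keyword "corp" are enabled; "Un-managed AP" is not.
SAMPLE_RULES = RogueRules(weak_security=True, hidden_ssid=True, ssid_keywords=["corp"])

# The neighbouring cafe's AP has been added to the friendly list by the administrator.
SAMPLE_FRIENDLY = frozenset({"aa:bb:cc:dd:ee:03"})

if __name__ == "__main__":
    for mac, why in rogue_list(SAMPLE_SCAN, SAMPLE_RULES, SAMPLE_FRIENDLY).items():
        print(mac, ", ".join(why))
```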

8.4.1 Add/Edit Rogue/Friendly List
Select an AP and click the Edit button in the Configuration > Wireless > Rogue AP table to display this screen.
Figure 173 Configuration > Wireless > Rogue AP > Add/Edit Rogue/Friendly

Each field is described in the following table.

Table 91 Configuration > Wireless > Rogue AP > Add/Edit Rogue/Friendly

LABEL DESCRIPTION

MAC

Enter the MAC address of the AP you want to add to the list. A MAC address is a unique hardware identifier in the following hexadecimal format: xx:xx:xx:xx:xx:xx where xx is a hexadecimal number separated by colons.

Description

Enter up to 60 characters for the AP's description. Spaces and underscores are allowed.


Table 91 Configuration > Wireless > Rogue AP > Add/Edit Rogue/Friendly (continued)

LABEL DESCRIPTION

Role

Select either Rogue AP or Friendly AP for the AP's role.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to close the window with changes unsaved.

8.5 Auto Healing
Use this screen to enable auto healing, which allows you to extend the wireless service coverage area of the managed APs when one of the APs fails. Click Configuration > Wireless > Auto Healing to access this screen.
Figure 174 Configuration > Wireless > Auto Healing

Each field is described in the following table.

Table 92 Configuration > Wireless > Auto Healing

LABEL DESCRIPTION

Enable Auto Healing

Select this option to turn on the auto healing feature.

Save Current State

Click this button to have all managed APs immediately scan their neighborhoods three times in a row and update their neighbor lists to the AP controller (Zyxel Device).

Auto Healing Interval

Set the time interval (in minutes) at which the managed APs scan their neighborhoods and report the status of neighbor APs to the AP controller (Zyxel Device).

An AP is considered "failed" if the AP controller obtains the same scan result that the AP is missing from the neighbor list of other APs three times.

Power Threshold

Set the power level (in dBm) to which the neighbor APs of the failed AP increase their output power in order to extend their wireless service coverage areas.

When the failed AP is working again, its neighbor APs return their output power to the original level.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.
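The failure and recovery logic described in this table, as a small simulation: an AP missing from the other APs' neighbor lists three scans in a row is marked failed, the APs that last heard it raise their output power to the Power Threshold, and they return to their original power when it reappears. This is an added example, not Zyxel code; the report format, AP names and power values are constructed, and treating "the APs that last heard the failed AP" as its neighbors is an assumption.

```python
"""Simulation of the auto-healing decision on the Configuration > Wireless >
Auto Healing screen: an AP missing from the other APs' neighbor lists three
times in a row is treated as failed, its neighbors raise output power to the
Power Threshold, and they return to their original power once it reappears.

Added example, not Zyxel code. The report format ({reporting AP: set of APs
heard}), the AP names and the power values are constructed; taking "the APs
that last heard the failed AP" as its neighbors is an assumption."""

FAIL_AFTER = 3   # consecutive scans an AP may be missing before it is "failed"


class AutoHealingController:
    def __init__(self, power_threshold_dbm, original_power_dbm):
        self.threshold = power_threshold_dbm
        self.original = dict(original_power_dbm)   # configured output power per AP
        self.power = dict(original_power_dbm)      # current output power per AP
        self.missing = {ap: 0 for ap in self.power}
        self.last_heard_by = {ap: set() for ap in self.power}
        self.failed = set()
        self.boosted_for = {}    # failed AP -> neighbors whose power was raised

    def process_reports(self, reports):
        """Apply one scan round. reports maps each reporting AP to the set of
        APs it heard. Returns the set of APs currently considered failed."""
        for ap in self.power:
            heard_by = {r for r, seen in reports.items() if r != ap and ap in seen}
            if heard_by:
                self.last_heard_by[ap] = heard_by
                self.missing[ap] = 0
                if ap in self.failed:
                    self._recover(ap)
            else:
                # an AP is judged only by the other APs' lists, as the text says,
                # so its own report (if any) does not count as being alive
                self.missing[ap] += 1
                if self.missing[ap] >= FAIL_AFTER and ap not in self.failed:
                    self._heal(ap)
        return set(self.failed)

    def _heal(self, ap):
        self.failed.add(ap)
        self.boosted_for[ap] = set(self.last_heard_by[ap])
        for n in self.boosted_for[ap]:
            # raise to the threshold, never lower an AP already above it
            self.power[n] = max(self.power[n], self.threshold)

    def _recover(self, ap):
        self.failed.discard(ap)
        for n in self.boosted_for.pop(ap):
            # keep the boost while another failed AP still relies on this neighbor
            if not any(n in others for others in self.boosted_for.values()):
                self.power[n] = self.original[n]


def save_current_state(controller, scan):
    """The Save Current State button: scan three times in a row and update the
    neighbor lists (here: feed the same fresh report three times)."""
    for _ in range(3):
        controller.process_reports(scan)
    return {ap: set(n) for ap, n in controller.last_heard_by.items()}
```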


8.6 RTLS Overview
Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs managed by the Zyxel Device to create maps, alerts, and reports. The Ekahau RTLS Controller is the centerpiece of the RTLS system. This server software runs on a Windows computer to track and locate Ekahau tags from Wi-Fi signal strength measurements. Use the Zyxel Device with the Ekahau RTLS system to take signal strength measurements at the APs (Integrated Approach / Blink Mode).
The following example shows the Ekahau RTLS Integrated Approach (Blink Mode).
1 The Wi-Fi tag sends blink packets at specified intervals (or triggered by something like motion or button presses).
2 The APs pick up the blink packets, measure the signal strength, and send it to the Zyxel Device.
3 The Zyxel Device forwards the signal measurements to the Ekahau RTLS Controller.
4 The Ekahau RTLS Controller calculates the tag positions.
Figure 175 RTLS Example
8.6.1 What You Can Do in this Chapter
Use the RTLS screen (Section 8.6.3 on page 225) to use the managed APs as part of an Ekahau RTLS (Real Time Location Service) to track the location of Ekahau Wi-Fi tags.
8.6.2 Before You Begin
You need:
· At least three APs managed by the Zyxel Device (the more APs the better since it increases the amount of information the Ekahau RTLS Controller has for calculating the location of the tags)
· IP addresses for the Ekahau Wi-Fi tags
· A dedicated RTLS SSID is recommended
· Ekahau RTLS Controller in blink mode with TZSP Updater enabled
· Security policies to allow RTLS traffic if the Zyxel Device security policy control is enabled or the Ekahau RTLS Controller is behind a firewall.

For example, if the Ekahau RTLS Controller is behind a firewall, open ports 8550, 8553, and 8569 to allow traffic the APs send to reach the Ekahau RTLS Controller.

The following table lists default port numbers and types of packets RTLS uses.

Table 93 RTLS Traffic Port Numbers

PORT NUMBER TYPE DESCRIPTION
8548 TCP Ekahau T201 location update.
8549 UDP Ekahau T201 location update.
8550 TCP Ekahau T201 tag maintenance protocol and Ekahau RTLS Controller user interface.
8552 UDP Ekahau Location Protocol
8553 UDP Ekahau Maintenance Protocol
8554 UDP Ekahau T301 firmware update.
8560 TCP Ekahau Vision web interface
8562 UDP Ekahau T301W firmware update.
8569 UDP Ekahau TZSP Listener Port

8.6.3 Configuring RTLS
Click Configuration > Wireless > RTLS to open this screen. Use this screen to turn RTLS (Real Time Location System) on or off and specify the IP address and server port of the Ekahau RTLS Controller.
Figure 176 Configuration > Wireless > RTLS

The following table describes the labels in this screen.

Table 94 Configuration > Wireless > RTLS

LABEL DESCRIPTION

Enable

Select this to use Wi-Fi to track the location of Ekahau Wi-Fi tags.

IP Address

Specify the IP address of the Ekahau RTLS Controller.

Server Port

Specify the server port number of the Ekahau RTLS Controller.


Table 94 Configuration > Wireless > RTLS (continued)

LABEL DESCRIPTION

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

8.7 Technical Reference
The following section contains additional technical information about wireless features.
8.7.1 Dynamic Channel Selection
When numerous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if some or all of them are broadcasting on the same radio channel. If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a minimum degree of interference. Dynamic channel selection frees the network administrator from this task by letting the AP do it automatically. The AP can scan the area around it looking for the channel with the least amount of interference.
In the 2.4 GHz spectrum, each channel from 1 to 13 is broken up into discrete 22 MHz segments that are spaced 5 MHz apart. Channel 1 is centered on 2.412 GHz while channel 13 is centered on 2.472 GHz.
Figure 177 An Example Three-Channel Deployment

Three channels are situated in such a way as to create almost no interference with one another if used exclusively: 1, 6 and 11. When an AP broadcasts on any of these three channels, it should not interfere with neighboring APs as long as they are also limited to same trio.
Figure 178 An Example Four-Channel Deployment

However, some regions require the use of other channels and often use a safety scheme with the following four channels: 1, 4, 7 and 11. While they are situated sufficiently close to both each other and the three so-called "safe" channels (1,6 and 11) that interference becomes inevitable, the severity of it is dependent upon other factors: proximity to the affected AP, signal strength, activity, and so on.
Finally, there is an alternative four channel scheme for ETSI, consisting of channels 1, 5, 9, 13. This offers significantly less overlap than the other one.
Figure 179 An Alternative Four-Channel Deployment
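The channel geometry behind the three deployments above, worked out numerically: centre frequencies from the 5 MHz spacing, pairwise overlap of 22 MHz wide channels, and a comparison of the 1/6/11, 1/4/7/11 and 1/5/9/13 plans. This is an added example, not Zyxel code; it goes one step beyond the text with least_interfered(), a simplified stand-in for the "pick the channel with the least interference" step of dynamic channel selection (a real DCS would also weigh signal strength and activity).

```python
"""Channel geometry for 2.4 GHz dynamic channel selection: centre frequencies,
pairwise overlap of 22 MHz wide channels spaced 5 MHz apart, and a check of
the channel plans discussed in the text (1/6/11, 1/4/7/11, ETSI 1/5/9/13).

Added example, not Zyxel code. The overlap figures follow purely from the
22 MHz width and 5 MHz spacing given in the text; least_interfered() is a
simplified model of the DCS choice, not the Zyxel Device's algorithm."""

CHANNEL_WIDTH_MHZ = 22
CHANNEL_SPACING_MHZ = 5


def centre_mhz(channel):
    """Channel 1 is centred on 2412 MHz; each further channel adds 5 MHz."""
    if not 1 <= channel <= 13:
        raise ValueError("only channels 1-13 are covered here")
    return 2412 + (channel - 1) * CHANNEL_SPACING_MHZ


def overlap_mhz(a, b):
    """Width of the spectrum shared by two 22 MHz channels (0 = no overlap)."""
    gap = abs(centre_mhz(a) - centre_mhz(b))
    return max(0, CHANNEL_WIDTH_MHZ - gap)


def plan_overlap(channels):
    """{(a, b): overlap} for every pair in a channel plan that overlaps at all."""
    out = {}
    chans = sorted(channels)
    for i, a in enumerate(chans):
        for b in chans[i + 1:]:
            o = overlap_mhz(a, b)
            if o:
                out[(a, b)] = o
    return out


def worst_overlap_mhz(channels):
    """The largest pairwise overlap in a plan (0 means the plan is clean)."""
    return max(plan_overlap(channels).values(), default=0)


def least_interfered(candidates, busy):
    """Simplified DCS step: among the candidate channels, pick the one whose
    spectrum overlaps least with the channels heard from neighbouring APs."""
    return min(candidates, key=lambda c: sum(overlap_mhz(c, b) for b in busy))
```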
8.7.2 Load Balancing
Because there is a hard upper limit on an AP's wireless bandwidth, load balancing can be crucial in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available bandwidth to the point where each connecting device receives a meager trickle, the load balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.
There are two kinds of wireless load balancing available on the Zyxel Device:
Load balancing by station number limits the number of devices allowed to connect to your AP. If you know exactly how many stations you want to let connect, choose this option.
For example, if your company's graphic design team has their own AP and they have 10 computers, you can load balance for 10. Later, if someone from the sales department visits the graphic design team's offices for a meeting and he tries to access the network, his computer's connection is delayed, giving it the opportunity to connect to a different, neighboring AP. If he still connects to the AP regardless of the delay, then the AP may boot other people who are already connected in order to associate with the new connection.
Load balancing by traffic level limits the number of connections to the AP based on maximum bandwidth available. If you are uncertain as to the exact number of wireless connections you will have then choose this option. By setting a maximum bandwidth cap, you allow any number of devices to connect as long as their total bandwidth usage does not exceed the configured bandwidth cap associated with this setting. Once the cap is hit, any new connections are rejected or delayed provided that there are other APs in range.
Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its customers. The coffee shop owner can't possibly know how many connections his AP will have at any given moment. As such, he decides to put a limit on the bandwidth that is available to his customers but not on the actual number of connections he allows. This means anyone can connect to his wireless network as long as the AP has the bandwidth to spare. If too many people connect and the AP hits its bandwidth cap then all new connections must basically wait for their turn or get shunted to the nearest identical AP.

CHAPTER 9
Interfaces
9.1 Interface Overview
Use the Interface screens to configure the Zyxel Device's interfaces. You can also create interfaces on top of other interfaces.
· Ports are the physical ports to which you connect cables.
· Interfaces are used within the system operationally. You use them in configuring various features. An interface also describes a network that is directly connected to the Zyxel Device. For example, you connect the LAN network to the LAN interface.
· Zones are groups of interfaces used to ease security policy configuration.
9.1.1 What You Can Do in this Chapter
· Use the Port Role screen (Section 9.2 on page 233) to create port groups and to assign physical ports and port groups to Ethernet interfaces.
· Use the Port Configuration screen (Section 9.3 on page 234) to configure Zyxel Device port settings.
· Use the Ethernet screens (Section 9.4 on page 235) to configure the Ethernet interfaces. Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces.
· Use the PPP screens (Section 9.5 on page 258) for PPPoE, PPTP or L2TP Internet connections.
· Use the Cellular screens (Section 9.6 on page 265) to configure settings for interfaces for Internet connections through an installed mobile broadband card.
· Use the Tunnel screens (Section 9.7 on page 274) to configure tunnel interfaces to be used in Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels.
· Use the VLAN screens (Section 9.8 on page 281) to divide the physical network into multiple logical networks. VLAN interfaces receive and send tagged frames. The Zyxel Device automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
· Use the Bridge screens (Section 9.9 on page 294) to combine two or more network segments into a single network.
· Use the VTI screens (Section 9.10 on page 308) to encrypt or decrypt IPv4 traffic from or to the interface according to the IP routing table.
· Use the Trunk screens (Section 9.11 on page 313) to configure load balancing.
9.1.2 What You Need to Know
Interface Characteristics
Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface).

· An interface is a logical entity through which (layer-3) packets pass.
· An interface is bound to a physical port or another interface.
· Many interfaces can share the same physical port.
· An interface belongs to at most one zone.
· Many interfaces can belong to the same zone.
· Layer-3 virtualization (IP alias, for example) is a kind of interface.

Types of Interfaces

You can create several types of interfaces in the Zyxel Device.

· Setting interfaces to the same port role forms a port group. Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level. Port groups are created when you use the Interface > Port Roles or Interface > Port Groups screen to set multiple physical ports to be part of the same interface.
· Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces.
· Tunnel interfaces send IPv4 or IPv6 packets from one network to a specific network through the Internet or a public network.
· VLAN interfaces receive and send tagged frames. The Zyxel Device automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
· Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage of some security features in the Zyxel Device. You can also assign an IP address and subnet mask to the bridge.
· PPP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP/L2TP interfaces.
· Cellular interfaces are for mobile broadband WAN connections via a connected mobile broadband device.
· Virtual interfaces provide additional routing information in the Zyxel Device. There are three types: virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.
· Trunk interfaces manage load balancing between interfaces.

Port groups and trunks have a lot of characteristics that are specific to each type of interface. The other types of interfaces--Ethernet, PPP, cellular, VLAN, bridge, and virtual--have a lot of similar characteristics. These characteristics are listed in the following table and discussed in more detail below.

Table 95 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics

CHARACTERISTICS          ETHERNET     ETHERNET         PPP    CELLULAR   VLAN    BRIDGE   VIRTUAL
Name*                    wan1, wan2   lan1, lan2, dmz  pppx   cellularx  vlanx   brx      **
Configurable Zone        No           No               Yes    Yes        Yes     Yes      No
IP Address Assignment
  Static IP address      Yes          Yes              Yes    Yes        Yes     Yes      Yes
  DHCP client            Yes          No               Yes    Yes        Yes     Yes      No
  Routing metric         Yes          Yes              Yes    Yes        Yes     Yes      Yes
Interface Parameters
  Bandwidth restrictions Yes          Yes              Yes    Yes        Yes     Yes      Yes
  Packet size (MTU)      Yes          Yes              Yes    Yes        Yes     Yes      No
DHCP
  DHCP server            No           Yes              No     No         Yes     Yes      No
  DHCP relay             No           Yes              No     No         Yes     Yes      No
Connectivity Check       Yes          No               Yes    Yes        Yes     Yes      No

Note: * The format of interface names other than the Ethernet and ppp interface names is strict. Each name consists of 2-4 letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example, Ethernet interface names are wan1, wan2, lan1, lan2, dmz; VLAN interfaces are vlan0, vlan1, vlan2,...; and so on.

** The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon (:) in the Web Configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.

Relationships Between Interfaces

In the Zyxel Device, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports or port groups. The relationships between interfaces are explained in the following table.

Table 96 Relationships Between Different Types of Interfaces

INTERFACE                         REQUIRED PORT/INTERFACE
Ethernet interface                physical port
VLAN interface                    Ethernet interface
bridge interface                  Ethernet interface*
                                  VLAN interface*
PPP interface                     Ethernet interface*
                                  VLAN interface*
                                  bridge interface
                                  WAN1, WAN2, OPT*
virtual interface
  (virtual Ethernet interface)    Ethernet interface*
  (virtual VLAN interface)        VLAN interface*
  (virtual bridge interface)      bridge interface
trunk                             Ethernet interface
                                  Cellular interface
                                  VLAN interface
                                  bridge interface
                                  PPP interface

Note: * You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it.

IPv6 Overview
IPv6 (Internet Protocol version 6) is designed to enhance IP address size and features. The increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 10^38 IP addresses.

IPv6 Addressing
A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.
IPv6 addresses can be abbreviated in two ways:
· Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0.
· Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.
Prefix and Prefix Length
Similar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An IPv6 prefix length specifies how many most significant bits (start from the left) in the address compose the network address. The prefix length is written as "/x" where x is a number. For example,
2001:db8:1a2b:15::1a2f:0/32
means that the first 32 bits (2001:db8) from the left is the network prefix.


Link-local Address

A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a "private IP address" in IPv4. You can have the same link-local address on multiple interfaces on a device. A link-local unicast address has a predefined prefix of fe80::/10. The link-local unicast address format is as follows.

Table 97 Link-local Unicast Address Format

1111 1110 10    0          Interface ID
10 bits         54 bits    64 bits

Subnet Masking
Both an IPv6 address and an IPv6 subnet mask consist of 128 binary digits, which are divided into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each character (1 ~ 10, A ~ F). Each block's 16 bits are then represented by four hexadecimal characters. For example, FFFF:FFFF:FFFF:FFFF:FC00:0000:0000:0000.
Stateless Autoconfiguration
With stateless autoconfiguration in IPv6, addresses can be uniquely and automatically generated. Unlike DHCPv6 (Dynamic Host Configuration Protocol version six) which is used in IPv6 stateful autoconfiguration, the owner and status of addresses don't need to be maintained by a DHCP server. Every IPv6 device is able to generate its own and unique IP address automatically when IPv6 is initiated on its interface. It combines the prefix and the interface ID (generated from its own Ethernet MAC address) to form a complete IPv6 address.
When IPv6 is enabled on a device, its interface automatically generates a link-local address (beginning with fe80).
When the Zyxel Device's WAN interface is connected to an ISP with a router and the Zyxel Device is set to automatically obtain an IPv6 network prefix from the router for the interface, it generates another address which combines its interface ID and global and subnet information advertised from the router. (In IPv6, all network interfaces can be associated with several addresses.) This is a routable global IP address.
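The addressing rules from this section (IPv6 Addressing, Prefix and Prefix Length, Link-local Address, Subnet Masking) and the stateless autoconfiguration step just described, worked through in code on the addresses the text uses. This is an added example, not Zyxel code; the sample MAC address is constructed, and the interface-ID rule implemented is the standard modified EUI-64 construction, which the text mentions only as "generated from its own Ethernet MAC address".

```python
"""IPv6 address handling from this section: the two abbreviation rules,
prefix and prefix length, the fe80::/10 link-local check, and the stateless
autoconfiguration step of building an interface ID from a MAC address.

Added example, not Zyxel code. The sample MAC address is constructed; the
interface-ID rule is the standard modified EUI-64 (insert ff:fe, flip the
universal/local bit), which the text does not spell out."""
import ipaddress


def _block(b):
    """Parse one hexadecimal block and reject anything wider than 16 bits."""
    v = int(b, 16)
    if not 0 <= v <= 0xFFFF:
        raise ValueError("block exceeds 16 bits: " + b)
    return v

def expand(addr):
    """Undo both abbreviations: refill the '::' run and pad each block to four digits."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        blocks = left + ["0"] * (8 - len(left) - len(right)) + right
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit blocks")
    return ":".join(format(_block(b), "04x") for b in blocks)

def compress(addr):
    """Drop leading zeros in every block and replace the longest run of two or
    more zero blocks with '::' (the first such run if there is a tie)."""
    blocks = [format(_block(b), "x") for b in expand(addr).split(":")]
    best_start, best_len = -1, 1
    i = 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_start < 0:
        return ":".join(blocks)
    return ":".join(blocks[:best_start]) + "::" + ":".join(blocks[best_start + best_len:])

def to_int(addr):
    return int(expand(addr).replace(":", ""), 16)

def from_int(n):
    return compress(":".join(format((n >> (112 - 16 * i)) & 0xFFFF, "x") for i in range(8)))

def network_prefix(cidr):
    """'address/x' -> (prefix, x): keep the x most significant bits, zero the rest."""
    addr, x = cidr.split("/")
    x = int(x)
    if not 0 <= x <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    mask = ((1 << x) - 1) << (128 - x)
    return from_int(to_int(addr) & mask), x

def is_link_local(addr):
    """fe80::/10: the ten most significant bits are 1111 1110 10."""
    return to_int(addr) >> 118 == 0b1111111010

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID: OUI + ff:fe + device part, with the
    universal/local bit (0x02 of the first octet) inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return ":".join(format(int.from_bytes(eui[k:k + 2], "big"), "x") for k in range(0, 8, 2))

def link_local_address(mac):
    """The address an interface generates for itself when IPv6 comes up."""
    return from_int(to_int("fe80::") | to_int("::" + eui64_interface_id(mac)))

def slaac_address(prefix_cidr, mac):
    """Routable address: the /64 prefix learned from a Router Advertisement
    combined with the MAC-derived interface ID."""
    prefix, x = network_prefix(prefix_cidr)
    if x != 64:
        raise ValueError("the interface ID is 64 bits, so the advertised prefix must be /64")
    return from_int(to_int(prefix) | to_int("::" + eui64_interface_id(mac)))

def matches_stdlib(addr):
    """Cross-check compress() against the standard library's canonical form."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))
```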
Prefix Delegation
Prefix delegation enables an IPv6 router (the Zyxel Device) to use the IPv6 prefix (network address) received from the ISP (or a connected uplink router) for its LAN. The Zyxel Device uses the received IPv6 prefix (for example, 2001:db2::/48) to generate its LAN IP address. Through sending Router Advertisements (RAs) regularly by multicast, the router passes the IPv6 prefix information to its LAN hosts. The hosts then can use the prefix to generate their IPv6 addresses.
IPv6 Router Advertisement
An IPv6 router sends router advertisement messages periodically to advertise its presence and other parameters to the hosts on the same network.

DHCPv6
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6, RFC 3315) is a server-client protocol that allows a DHCP server to assign and pass IPv6 network addresses, prefixes and other configuration information to DHCP clients. DHCPv6 servers and clients exchange DHCP messages using UDP. Each DHCP client and server has a unique DHCP Unique IDentifier (DUID), which is used for identification when they are exchanging DHCPv6 messages. The DUID is generated from the MAC address, time, vendor assigned ID and/or the vendor's private enterprise number registered with the IANA. It should not change over time even after you reboot the device.
9.1.3 What You Need to Do First
For IPv6 settings, go to the Configuration > System > IPv6 screen to enable IPv6 support on the Zyxel Device first.
9.2 Port Role
To access this screen, click Configuration > Network > Interface > Port Role. Use the Port Role screen to set the Zyxel Device's physical ports to ZONE interfaces. This creates a hardware connection between the physical ports at the layer-2 (data link, MAC address) level. This provides wire-speed throughput but no security.
Note the following if you are configuring from a computer connected to a lan1, lan2, ext-wlan, ext-lan or dmz port and change the port's role:
· A port's IP address varies as its role changes, so make sure your computer's IP address is on the same subnet as the Zyxel Device's interface IP address.
· Use the appropriate interface IP address to access the Zyxel Device.
Figure 180 Configuration > Network > Interface > Port Role

The physical Ethernet ports are shown at the top and the Ethernet interfaces and zones are shown at the bottom of the screen. Use the radio buttons to select for which interface (network) you want to use each physical port. For example, select a port's LAN radio button to use the port as part of the LAN interface. The port will use the Zyxel Device's LAN IP address and MAC address.
When you assign more than one physical port to a network, you create a port group. Port groups have the following characteristics:
· There is a layer-2 Ethernet switch between physical ports in the port group. This provides wire-speed throughput but no security.
· It can increase the bandwidth between the port group and other interfaces.
· The port group uses a single MAC address.
Click Apply to save your changes and apply them to the Zyxel Device. Click Reset to change the port groups to their current configuration (last-saved values).
9.3 Port Configuration
Use this screen to configure port settings. Click Configuration > Network > Interface > Port Configuration in the navigation panel to display the configuration screen.
Note: You cannot configure the speed and duplex mode of fiber ports.
Figure 181 Configuration > Network > Interface > Port Configuration

Each field is described in the following table.

Table 98 Configuration > Network > Interface > Port Configuration

LABEL DESCRIPTION

Edit

Select an entry, and click this button to configure the speed and the duplex mode of the Ethernet connection on this port.

Name

This field displays the name of the port.

Interface

This field displays the interface for the port.

Type

This field displays the cable type that is used on the port.

Settings

Select the speed and the duplex mode of the Ethernet connection on this port. Choices are Auto Negotiate, 1000Mbps-Full Duplex, 100Mbps-Full Duplex, 100Mbps-Half Duplex, 10Mbps-Full Duplex, and 10Mbps-Half Duplex.

Selecting Auto Negotiate allows one port to negotiate with a peer port automatically to obtain the connection speed (of up to 1000M) and duplex mode that both ends support. When auto-negotiation is turned on, a port on the Zyxel Device negotiates with the peer automatically to determine the connection speed and duplex mode. If the peer port does not support auto-negotiation or turns off this feature, the Zyxel Device determines the connection speed by detecting the signal on the cable and using half duplex mode. When the Zyxel Device's auto-negotiation is turned off, a port uses the pre-configured speed and duplex mode when making a connection, thus requiring you to make sure that the settings of the peer port are the same in order to connect.

Status

This field displays the speed and the duplex mode of the Ethernet connection on the port.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

9.4 Ethernet Summary Screen
This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. If you enabled IPv6 on the Configuration > System > IPv6 screen, you can also configure Ethernet interfaces used for your IPv6 networks on this screen. To access this screen, click Configuration > Network > Interface > Ethernet.
Unlike other types of interfaces, you cannot create new Ethernet interfaces nor can you delete any of them. If an Ethernet interface does not have any physical ports assigned to it, the Ethernet interface is effectively removed from the Zyxel Device, but you can still configure it.
Ethernet interfaces are similar to other types of interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict the amount of bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.
Use Ethernet interfaces to control which physical ports exchange routing information with other routers and how much information is exchanged through each one. The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. The Zyxel Device supports the following routing protocols: RIP, OSPF and BGP. See Chapter 10 on page 336 for background information about these routing protocols.

Figure 182 Configuration > Network > Interface > Ethernet

Each field is described in the following table.

Table 99 Configuration > Network > Interface > Ethernet

Configuration / IPv6 Configuration: Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network. Both sections have similar fields, described below.

Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove: To remove a virtual interface, select it and click Remove. The Zyxel Device asks you to confirm before removing it.

Activate: To turn on an interface, select it and click Activate.

Inactivate: To turn off an interface, select it and click Inactivate.

Create Virtual Interface: To open the screen where you can create a virtual Ethernet interface, select an Ethernet interface and click Create Virtual Interface.

References: Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.

#: This field is a sequential value, and it is not associated with any interface.

Status: This icon is lit when the entry is active and dimmed when the entry is inactive.

Name: This field displays the name of the interface.

Description: This field displays the description of the interface.


IP Address: This field displays the current IP address of the interface. If the IP address is 0.0.0.0 (IPv4) or :: (IPv6), the interface does not have an IP address yet.

On the IPv4 network, this screen also shows whether the IP address is static (STATIC) or dynamically assigned (DHCP). IP addresses are always static on virtual interfaces.

On the IPv6 network, this screen also shows whether the IP address is static (STATIC), a link-local address (LINK LOCAL), dynamically assigned (DHCP), or an IPv6 StateLess Address AutoConfiguration address (SLAAC). See Section 9.1.2 on page 228 for more information about IPv6.

Mask: This field displays the interface's subnet mask in dotted decimal notation.

Apply: Click Apply to save your changes back to the Zyxel Device.

Reset: Click Reset to return the screen to its last-saved settings.

9.4.1 Ethernet Edit

The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, connectivity check, and MAC address settings. To access this screen, click an Edit icon on the Ethernet Summary screen. (See Section 9.4 on page 235.)

The OPT interface's Edit > Configuration screen is shown here as an example. The screens for other interfaces are similar and contain a subset of the OPT interface screen's fields.

Note: If you create IP address objects based on an interface's IP address, subnet, or gateway, the Zyxel Device automatically updates every rule or setting that uses the object whenever the interface's IP address settings change. For example, if you change the VLAN's IP address, the Zyxel Device automatically updates the corresponding interface-based LAN subnet address object.

With RIP, you can use Ethernet interfaces to do the following things.

· Enable and disable RIP on the underlying physical port or port group.
· Select the direction(s) in which routing information is exchanged. The Zyxel Device can receive routing information, send routing information, or do both.
· Select which version of RIP to support in each direction. The Zyxel Device supports RIP-1, RIP-2, and both versions.
· Select the delivery method used by RIP-2 packets. The Zyxel Device can use subnet broadcasting or multicasting.

With OSPF, you can use Ethernet interfaces to do the following things.

· Enable and disable OSPF on the underlying physical port or port group.
· Select the area to which the interface belongs.
· Override the default link cost and authentication method for the selected area.
· Select the direction(s) in which routing information is exchanged. The Zyxel Device can receive routing information, send routing information, or do both.
· Set the priority used to elect the DR or BDR if one does not exist.


9.4.1.1 IGMP Proxy

Internet Group Management Protocol (IGMP) proxy is used for multicast routing. IGMP proxy enables the Zyxel Device to issue IGMP host messages on behalf of the hosts it discovered on its IGMP-enabled interfaces; the Zyxel Device acts as a proxy for its hosts. Refer to the following figure.

· DS: Downstream traffic
· US: Upstream traffic
· R: Router
· MS: Multicast Server

· Enable IGMP Upstream (US) on the Zyxel Device interface that connects to a router (R) running IGMP that is closer to the multicast server (MS).
· Enable IGMP Downstream on the Zyxel Device interface which connects to the multicast hosts.

Figure 183 IGMP Proxy

Figure 184 Configuration > Network > Interface > Ethernet > Edit (External Type)

Figure 185 Configuration > Network > Interface > Ethernet > Edit (Internal Type)

Figure 186 Configuration > Network > Interface > Ethernet > Edit (OPT)

These screens' fields are described in the table below.

Table 100 Configuration > Network > Interface > Ethernet > Edit

IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6 fields, IPv4-only fields, or IPv6-only fields.

Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.

Create New Object: Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use for the DHCPv6 settings in this screen.

General Settings

Enable Interface: Select this to enable this interface. Clear this to disable this interface.

General IPv6 Setting

Enable IPv6: Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.

Interface Properties

Interface Type: This field is configurable for the OPT interface only. Select the type of network to which you will connect this interface. When you select internal or external, the rest of the screen's options automatically adjust to correspond. The Zyxel Device automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces; for example, LAN to WAN traffic.

internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The Zyxel Device automatically adds default SNAT settings for traffic flowing from this interface to an external interface.

external is for connecting to an external network (like the Internet). The Zyxel Device automatically adds this interface to the default WAN trunk.

For general, the rest of the screen's options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface.

Interface Name: Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.


Port: This is the name of the Ethernet interface's physical port.

Zone: Select the zone to which this interface is to belong. You use zones to apply security settings such as security policy, IDP, remote management, anti-malware, and application patrol. Make sure to select the correct zone: an interface placed in the wrong zone either has its traffic blocked by a security policy or, worse, is treated as more trusted than the network behind it really is.

MAC Address: This field is read-only. This is the MAC address that the Ethernet interface uses.

Description: Enter a description of this interface. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Spaces are allowed, but the string cannot start with a space.

IP Address Assignment: These IP address fields configure an IPv4 address on the interface itself. If you change this IP address on the interface, you may also need to change a related address object for the network connected to the interface. For example, if you use this screen to change the IP address of your LAN interface, you should also change the corresponding LAN subnet address object.

Get Automatically: This option appears when Interface Type is external or general. Select this to make the interface a DHCP client and automatically get the IP address, subnet mask, and gateway address from a DHCP server.

You should not select this if the interface is assigned to a VRRP group. See Chapter 40 on page 826.

DHCP Option 60: DHCP Option 60 carries the VCI (Vendor Class Identifier) that the Zyxel Device uses to identify itself to the DHCP server. The Zyxel Device adds it to the initial DHCP discovery message that a DHCP client broadcasts in search of an IP address. The DHCP server can assign different IP addresses or options to clients with a specific VCI, or reject requests from clients without it. The VCI is a plain-text string that any client can send, so treat it as a selection hint for the server, not as an authenticator.

Type a string using up to 63 of these characters [a-zA-Z0-9!\"#$%&\'()*+,-./ :;<=>?@\[\\\]^_`{}] to identify this Zyxel Device to the DHCP server. For example, Zyxel-TW.

Use Fixed IP Address: This option appears when Interface Type is external or general. Select this if you want to specify the IP address, subnet mask, and gateway manually.

IP Address: Enter the IP address for this interface.

Subnet Mask: Enter the subnet mask of this interface in dotted decimal notation. The subnet mask indicates which part of the IP address is the same for all computers on the network.

Gateway: This option appears when Interface Type is external or general. Enter the IP address of the gateway. The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.

Metric: This option appears when Interface Type is external or general. Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.

Enable IGMP Support: Select this to allow the Zyxel Device to act as an IGMP proxy for hosts connected on the IGMP downstream interface.

IGMP Upstream: Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server.

IGMP Downstream: Enable IGMP Downstream on the interface which connects to the multicast hosts.

IPv6 Address Assignment: These IP address fields configure an IPv6 address on the interface itself.

Enable Stateless Address Autoconfiguration (SLAAC): Select this to enable IPv6 stateless auto-configuration on this interface. The interface generates an IPv6 address itself from a prefix obtained from an IPv6 router on the network.


Link-Local Address: This displays the IPv6 link-local address and the network prefix that the Zyxel Device generates itself for the interface.

IPv6 Address/Prefix Length: Enter the IPv6 address and the prefix length for this interface if you want to use a static IP address. This field is optional.

The prefix length indicates how many of the left-most bits of the address are the same for all computers on the network, that is, the network address.

Gateway: Enter the IPv6 address of the default outgoing gateway using colon (:) hexadecimal notation.

Metric: Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.

Address from DHCPv6 Prefix Delegation: Use this table to have the Zyxel Device obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ. You also have to enter a suffix address, which is appended to the delegated prefix to form an address for this interface. See Prefix Delegation on page 232 for more information.

To use prefix delegation, you must:

· Create at least one DHCPv6 request object before configuring this table.
· Make the external interface a DHCPv6 client. You must configure the DHCPv6 request options using a DHCPv6 request object with the type prefix-delegation.
· Assign the prefix delegation to an internal interface and enable router advertisement on that interface.

Add: Click this to create an entry.

Edit: Select an entry and click this to change the settings.

Remove: Select an entry and click this to delete it from this table.

References: Select an entry and click References to check which settings use the entry.

#: This field is a sequential value, and it is not associated with any entry.

Delegated Prefix: Select the DHCPv6 request object to use from the drop-down list.

Suffix Address: Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The Zyxel Device appends it to the delegated prefix.

For example, suppose you got a delegated prefix of 2003:1234:5678::/48 and you want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface. Enter ::1111:0:0:0:1/128 in this field.

Address: This field displays the combined IPv6 address for this interface.

Note: This field displays the combined address after you click OK and reopen this screen.

DHCPv6 Setting

DHCPv6: Select N/A to not use DHCPv6.

Select Client to set this interface to act as a DHCPv6 client.

Select Server to set this interface to act as a DHCPv6 server which assigns IP addresses and provides subnet mask, gateway, and DNS server information to clients.

Select Relay to set this interface to forward DHCPv6 requests to the DHCPv6 relay server you specify. The DHCPv6 server(s) may be on another network.

DUID: This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface exchanges DHCPv6 messages with others. See DHCPv6 on page 233 for more information.


DUID as MAC: Select this if you want the DUID generated from the interface's default MAC address.

Customized DUID: If you want to use a customized DUID, enter it here for the interface.

Enable Rapid Commit: Select this to shorten the DHCPv6 message exchange from four steps (Solicit, Advertise, Request, Reply) to two (Solicit, Reply). This reduces DHCPv6 traffic on busy networks.

Note: Make sure you also enable this option on the DHCPv6 clients to make rapid commit work.

Information Refresh Time: Enter the number of seconds a DHCPv6 client should wait before refreshing information retrieved from DHCPv6.

Request Address: This field is available if you set this interface to DHCPv6 Client. Select this to get an IPv6 address for this interface from the DHCPv6 server. Clear this to not get any IP address information through DHCPv6.

DHCPv6 Request Options / DHCPv6 Lease Options: If this interface is a DHCPv6 client, use this section to configure DHCPv6 request settings that determine what additional information to get from the DHCPv6 server. If the interface is a DHCPv6 server, use this section to configure DHCPv6 lease settings that determine what additional information to offer to the DHCPv6 clients.

Add: Click this to create an entry in this table. See Section 9.4.5 on page 256 for more information.

Remove: Select an entry and click this to delete it from this table.

References: Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.

#: This field is a sequential value, and it is not associated with any entry.

Name: This field displays the name of the DHCPv6 request or lease object.

Type: This field displays the type of the object.

Value: This field displays the IPv6 prefix that the Zyxel Device obtained from an uplink router (when Client is selected) or will advertise to its clients (when Server is selected).

Interface: When Relay is selected, select this check box and an interface from the drop-down list if you want to use it as the relay server.

Relay Server: When Relay is selected, select this check box and enter the IP address of a DHCPv6 server as the relay server.

IPv6 Router Advertisement Setting

Enable Router Advertisement: Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 232 for more information.

Advertised Hosts Get Network Configuration From DHCPv6: Select this to have the Zyxel Device indicate to hosts (the Managed address configuration flag in the router advertisement) that they should obtain network settings (such as prefix and DNS settings) through DHCPv6.

Clear this to have the Zyxel Device indicate to hosts that DHCPv6 is not available and that they should use the prefix in the router advertisement message.

Advertised Hosts Get Other Configuration From DHCPv6: Select this to have the Zyxel Device indicate to hosts (the Other configuration flag in the router advertisement) that they should obtain DNS information through DHCPv6.

Clear this to have the Zyxel Device indicate to hosts that DNS information is not available in this network.

Router Preference: Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in its router advertisements to tell hosts what preference they should give the Zyxel Device. This helps hosts choose their default router, especially when there are multiple IPv6 routers on the network.

Note: Make sure the hosts also support router preference to make this function work.


MTU: The Maximum Transmission Unit. Type the maximum size of each IPv6 packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device discards the packet and sends an error message (ICMPv6 Packet Too Big) to the sender, since IPv6 routers do not fragment packets in transit.

Hop Limit: Enter the maximum number of network segments that a packet can cross before reaching the destination. When forwarding an IPv6 packet, IPv6 routers are required to decrease the Hop Limit by 1 and to discard the packet when the Hop Limit reaches 0.

Advertised Prefix Table: Configure this table only if you want the Zyxel Device to advertise a fixed prefix to the network.

Add: Click this to create an IPv6 prefix address.

Edit: Select an entry in this table and click this to modify it.

Remove: Select an entry in this table and click this to delete it.

#: This field is a sequential value, and it is not associated with any entry.

IPv6 Address/Prefix Length: Enter the IPv6 network prefix address and the prefix length.

The prefix length indicates how many of the left-most bits of the address are the same for all computers on the network, that is, the network address.

Advertised Prefix from DHCPv6 Prefix Delegation: This table is available when the Interface Type is internal. Use this table to configure the network prefix if you want to use a delegated prefix as the beginning part of the network prefix.

Add: Click this to create an entry in this table.

Edit: Select an entry in this table and click this to modify it.

Remove: Select an entry in this table and click this to delete it.

#: This field is a sequential value, and it is not associated with any entry.

Delegated Prefix: Select the DHCPv6 request object to use for generating the network prefix for the network.

Suffix Address: Enter the ending part of the IPv6 network address plus a slash (/) and the prefix length. The Zyxel Device appends it to the selected delegated prefix. The combined address is the network prefix for the network.

For example, suppose you got a delegated prefix of 2003:1234:5678::/48 and you want to divide it into 2003:1234:5678:1111::/64 for this interface and 2003:1234:5678:2222::/64 for another interface. You can use ::1111/64 and ::2222/64 as the suffix address respectively. If you do not want to divide the delegated prefix into subnetworks, enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.

Address: This is the final network prefix combined from the delegated prefix and the suffix.

Note: This field displays the combined address after you click OK and reopen this screen.
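The suffix arithmetic used by the Address from DHCPv6 Prefix Delegation table and by the Advertised Prefix from DHCPv6 Prefix Delegation table above, worked through as an added Python example (this is not code from the manual or from Zyxel's firmware). It combines a delegated prefix with a suffix by OR-ing the suffix's bits below the delegated bits and taking the suffix's prefix length as the result's, which reproduces the manual's /128 example exactly. It assumes suffixes are written out in full (::1111:0:0:0:0/64 for the manual's ::1111/64 shorthand); whether the device itself accepts the short form is not something this code decides. The plan_subnets helper and its overlap check are this example's additions, there to catch two internal interfaces carved out of the same delegated prefix that collide.

```python
import ipaddress
from typing import Dict


def combine_delegated_prefix(delegated: str, suffix: str) -> str:
    """Derive the interface address or network prefix from a delegated prefix
    plus a suffix written as '<suffix>/<prefix length>'.

    The suffix's prefix length becomes the result's prefix length and the
    suffix's bits are OR-ed below the delegated bits (assumption: suffixes are
    written in full, e.g. ::1111:0:0:0:0/64, not the ::1111/64 shorthand).
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    sfx = ipaddress.IPv6Interface(suffix)
    result_len = sfx.network.prefixlen
    if result_len < net.prefixlen:
        raise ValueError(f"suffix /{result_len} is shorter than the delegated /{net.prefixlen}")
    # The suffix must not touch the delegated bits, otherwise it would silently
    # rewrite part of the prefix the ISP handed out.
    if int(sfx.ip) >> (128 - net.prefixlen):
        raise ValueError(f"suffix {sfx.ip} sets bits inside the delegated /{net.prefixlen}")
    combined = int(net.network_address) | int(sfx.ip)
    return f"{ipaddress.IPv6Address(combined)}/{result_len}"


def plan_subnets(delegated: str, suffixes: Dict[str, str]) -> Dict[str, str]:
    """Derive one advertised prefix per internal interface and refuse overlaps.

    suffixes maps an interface name to the Suffix Address entered for it.
    """
    planned: Dict[str, ipaddress.IPv6Network] = {}
    for iface, suffix in suffixes.items():
        prefix = ipaddress.IPv6Network(combine_delegated_prefix(delegated, suffix), strict=False)
        for other_iface, other in planned.items():
            if prefix.overlaps(other):
                raise ValueError(f"{iface} ({prefix}) overlaps {other_iface} ({other})")
        planned[iface] = prefix
    return {iface: str(p) for iface, p in planned.items()}


if __name__ == "__main__":
    # Constructed sample values taken from the manual's worked examples.
    delegated = "2003:1234:5678::/48"
    print(combine_delegated_prefix(delegated, "::1111:0:0:0:1/128"))   # interface address
    print(plan_subnets(delegated, {"lan1": "::1111:0:0:0:0/64",
                                   "lan2": "::2222:0:0:0:0/64"}))
```

Run it against the prefix your ISP actually delegates before committing the suffixes to the configurator; the overlap check is the part the screen will not do for you across interfaces.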

Interface Parameters

Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can send through the interface to the network. Allowed values are 0 - 1048576.

Ingress Bandwidth: This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can receive from the network through the interface. Allowed values are 0 - 1048576.

MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments (a packet with the Don't Fragment bit set cannot be divided; standard IPv4 behaviour is to discard it and return an ICMP Fragmentation Needed message to the sender). Allowed values are 576 - 1500. Usually, this value is 1500.


Connectivity Check: These fields appear when Interface Type is external or general.

The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt counts as a failure, and how many consecutive failures are required before the Zyxel Device stops routing to the gateway. The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check again.

Enable Connectivity Check: Select this to turn on the connection check.

Check Method: Select the method that the gateway allows.

Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available.

Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available.

Check Period: Enter the number of seconds between connection check attempts.

Check Timeout: Enter the number of seconds to wait for a response before the attempt counts as a failure.

Check Fail Tolerance: Enter the number of consecutive failures before the Zyxel Device stops routing through the gateway.

Check Default Gateway: Select this to use the default gateway for the connectivity check.

Check this address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Check Port: This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.

Check these addresses: Type one or two domain names or IP addresses for the connectivity check.

Probe Succeeds When: This field applies when you specify two domain names or IP addresses for the connectivity check.

Select any one if you want the check to pass if at least one of the domain names or IP addresses responds.

Select all if you want the check to pass only if both domain names or IP addresses respond.

DHCP Setting

DHCP: This section appears when Interface Type is internal or general. Select what type of DHCP service the Zyxel Device provides to the network. Choices are:

None - the Zyxel Device does not provide any DHCP services. There is already a DHCP server on the network.

DHCP Relay - the Zyxel Device forwards DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network.

DHCP Server - the Zyxel Device assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The Zyxel Device is the DHCP server for the network.

Relay Server 1: This field appears if the Zyxel Device is a DHCP Relay. Enter the IP address of a DHCP server for the network.

Relay Server 2: This field appears if the Zyxel Device is a DHCP Relay. This field is optional. Enter the IP address of another DHCP server for the network.
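The gateway health logic that the Connectivity Check fields above describe (check period, timeout, fail tolerance, one or two targets, any one / all), as an added Python example rather than Zyxel's own code. tcp_probe performs the tcp check method with a real TCP handshake; the icmp method needs raw-socket privileges and is left to whatever probe callable you pass in. The GatewayMonitor class is the state machine the text implies: routing through the gateway is withdrawn after fail_tolerance consecutive failed rounds and restored on the first round that passes. GatewayMonitor, the probe hook and the constructed rounds fed to it are this example's, not the device's.

```python
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List


def tcp_probe(host: str, port: int, timeout: float) -> bool:
    """Check Method 'tcp': complete a TCP three-way handshake within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, no route, or timed out
        return False


@dataclass
class GatewayMonitor:
    """Hypothetical model of the per-interface connectivity check (example code)."""
    targets: List[str]                 # 'Check these addresses': one or two entries
    fail_tolerance: int = 5            # 'Check Fail Tolerance': consecutive failed rounds
    succeeds_when: str = "any"         # 'Probe Succeeds When': "any" (any one) or "all"
    consecutive_failures: int = 0
    routing_enabled: bool = True       # False once the device stops routing via this gateway
    log: List[str] = field(default_factory=list)

    def round_passed(self, results: Dict[str, bool]) -> bool:
        """Apply the any-one / all rule to one round of per-target results."""
        outcomes = [results[t] for t in self.targets]
        return all(outcomes) if self.succeeds_when == "all" else any(outcomes)

    def evaluate(self, results: Dict[str, bool]) -> bool:
        """Update state with one round of results; return whether routing is enabled."""
        if self.round_passed(results):
            # The first passing check restores the gateway immediately.
            if not self.routing_enabled:
                self.log.append("gateway restored")
            self.consecutive_failures = 0
            self.routing_enabled = True
        else:
            self.consecutive_failures += 1
            if self.routing_enabled and self.consecutive_failures >= self.fail_tolerance:
                self.log.append(f"gateway withdrawn after {self.consecutive_failures} failures")
                self.routing_enabled = False
        return self.routing_enabled

    def check_once(self, probe: Callable[[str], bool]) -> bool:
        """Run one check period: probe every target, then evaluate the round."""
        return self.evaluate({t: probe(t) for t in self.targets})


def simulate(monitor: GatewayMonitor, rounds: List[Dict[str, bool]]) -> List[bool]:
    """Feed constructed probe outcomes (one dict per check period); return the state after each."""
    return [monitor.evaluate(r) for r in rounds]


if __name__ == "__main__":
    # Constructed outcomes: both targets down for three periods, then one recovers.
    m = GatewayMonitor(targets=["203.0.113.1", "203.0.113.2"], fail_tolerance=3)
    print(simulate(m, [{"203.0.113.1": False, "203.0.113.2": False}] * 3
                      + [{"203.0.113.1": True, "203.0.113.2": False}]))
    print(m.log)
    # A live tcp probe, e.g. against the gateway on the Check Port you configured:
    print(tcp_probe("203.0.113.1", 443, timeout=2.0))
```

With two targets and any one, a single responsive address keeps the gateway up even if the other is dead; with all, one unreachable address takes the whole WAN out of the trunk after fail_tolerance periods, so pick all only when both targets are under your control.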
These fields appear if the Zyxel Device is a DHCP Server.


IP Pool Start Address: Enter the IP address from which the Zyxel Device begins allocating IP addresses. If you want to assign a static IP address to a specific computer, use the Static DHCP Table.

If this field is blank, the Pool Size must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface's IP address and subnet mask, except for the first address (network address), the last address (broadcast address) and the interface's IP address.

Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface's Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and the IP Pool Start Address is 10.10.10.10, the Zyxel Device can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.

If this field is blank, the IP Pool Start Address must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface's IP address and subnet mask, except for the first address (network address), the last address (broadcast address) and the interface's IP address.

First DNS Server, Second DNS Server, Third DNS Server: Specify the IP addresses of up to three DNS servers for the DHCP clients to use. Use one of the following ways to specify these IP addresses.

Custom Defined - enter a static IP address.

From ISP - select the DNS server that another interface received from its DHCP server.

Zyxel Device - the DHCP clients use the IP address of this interface and the Zyxel Device works as a DNS relay.

First WINS Server, Second WINS Server: Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.

Default Router: If you set this interface to DHCP Server, you can select to use either the interface's IP address or another IP address as the default router. This default router becomes the DHCP clients' default gateway.

To use another IP address as the default router, select Custom Defined and enter the IP address.

Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:

infinite - select this if IP addresses never expire.

days, hours, and minutes - select this to enter how long IP addresses are valid.

Extended Options: This table is available if you selected DHCP Server. Configure this table if you want to send more information to DHCP clients through DHCP packets.

Add: Click this to create an entry in this table. See Section 9.4.6 on page 257.

Edit: Select an entry in this table and click this to modify it.

Remove: Select an entry in this table and click this to delete it.

#: This field is a sequential value, and it is not associated with any entry.

Name: This is the name of the DHCP option.

Code: This is the code number of the DHCP option.

Type: This is the type of the set value for the DHCP option.

Value: This is the value set for the DHCP option.
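The pool arithmetic behind the IP Pool Start Address and Pool Size fields above, as an added Python check (example code, not from the manual). Given the interface address, subnet mask and pool start, it computes the largest pool that still ends at the last usable host (the broadcast address is excluded, as the text states) and flags two misconfigurations the screen's description implies: a pool start outside the interface's subnet, and a pool that contains the interface's own address (the manual says that address is excluded only in the blank-pool case, so treating it as a problem for an explicit pool is this example's own conservative rule). The function name dhcp_pool_check is hypothetical.

```python
import ipaddress


def dhcp_pool_check(interface_ip: str, subnet_mask: str,
                    pool_start: str, pool_size: int = 0) -> dict:
    """Validate a DHCP Server pool against the interface it is configured on.

    pool_size of 0 stands for a blank Pool Size: use everything from pool_start
    up to the last usable host.  Returns the maximum usable size, the pool's
    last address, and a list of problems (empty when the pool is acceptable).
    """
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{subnet_mask}")
    net = iface.network
    start = ipaddress.IPv4Address(pool_start)
    problems = []

    # The start must be a host address inside the interface's subnet; the
    # network and broadcast addresses are never handed out.
    if start not in net or start in (net.network_address, net.broadcast_address):
        problems.append(f"pool start {start} is not a usable host address in {net}")
        return {"max_size": 0, "pool_end": None, "problems": problems}

    # Addresses from start up to, but excluding, the broadcast address.
    max_size = int(net.broadcast_address) - int(start)
    size = pool_size if pool_size > 0 else max_size
    if size > max_size:
        problems.append(f"pool size {size} exceeds the {max_size} addresses left in {net}")
        size = max_size
    pool_end = ipaddress.IPv4Address(int(start) + size - 1)

    # Leasing the gateway's own address to a client breaks the whole segment
    # (example's rule: the configurator only excludes it for a blank pool).
    if start <= iface.ip <= pool_end:
        problems.append(f"pool {start}-{pool_end} contains the interface address {iface.ip}")

    return {"max_size": max_size, "pool_end": str(pool_end), "problems": problems}


if __name__ == "__main__":
    # The manual's example: /24 with the pool starting at 10.10.10.10.
    print(dhcp_pool_check("10.10.10.1", "255.255.255.0", "10.10.10.10"))
    # Constructed misconfiguration: the interface address falls inside the pool.
    print(dhcp_pool_check("10.10.10.100", "255.255.255.0", "10.10.10.10", 100))
```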


PXE Server: PXE (Preboot eXecution Environment) allows a client computer to use the network to boot up and install an operating system via a PXE-capable Network Interface Card (NIC).

PXE is available for computers on internal interfaces to allow them to boot up using boot software on a PXE server. The Zyxel Device acts as an intermediary between the PXE server and the computers that need boot software.

The PXE server must have a public IPv4 address. You must enable DHCP Server on the Zyxel Device so that it can receive information from the PXE server.

PXE Boot Loader File: A boot loader is a computer program that loads the operating system for the computer. Type the exact file name of the boot loader software file, including the filename extension, that is on the PXE server. If the wrong filename is typed, the client computers cannot boot.

Enable IP/MAC Binding: Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses. A MAC address is trivially changed on most hosts, so treat IP/MAC binding as a guard against accidental address conflicts and casual misuse, not as authentication.

Enable Logs for IP/MAC Binding Violation: Select this option to have the Zyxel Device generate a log if a device connected to this interface attempts to use an IP address that is bound to another device's MAC address.

Static DHCP Table: Configure a list of static IP addresses the Zyxel Device assigns to computers connected to the interface. Otherwise, the Zyxel Device assigns an IP address dynamically using the interface's IP Pool Start Address and Pool Size.

Add: Click this to create a new entry.

Edit: Select an entry and click this to be able to modify it.

Remove: Select an entry and click this to delete it.

#: This field is a sequential value, and it is not associated with a specific entry.

IP Address: Enter the IP address to assign to a device with this entry's MAC address.

MAC: Enter the MAC address to which to assign this entry's IP address.

Description: Enter a description to help identify this static DHCP entry. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

RIP Setting: See Section 10.6 on page 337 for more information about RIP.

Enable RIP: Select this to enable RIP on this interface.

Direction: This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box.

BiDir - This interface sends and receives routing information.

In-Only - This interface receives routing information.

Out-Only - This interface sends routing information.

Send Version: This field is effective when RIP is enabled. Select the RIP version(s) used for sending RIP packets. Choices are 1, 2, and 1 and 2.

Receive Version: This field is effective when RIP is enabled. Select the RIP version(s) used for receiving RIP packets. Choices are 1, 2, and 1 and 2.

V2-Broadcast: This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the Zyxel Device uses multicasting.

OSPF Setting: See Section 10.7 on page 339 for more information about OSPF.

Area: Select the area to which this interface belongs. Select None to disable OSPF on this interface.

Priority: Enter the priority (between 0 and 255) of this interface when the area is electing a Designated Router (DR) or Backup Designated Router (BDR). The highest-priority interface becomes the DR, and the second-highest-priority interface becomes the BDR. Set the priority to zero if the interface must never become the DR or BDR.

Link Cost: Enter the cost (between 1 and 65,535) to route packets through this interface.

ZyWALL USG FLEX Series User's Guide
251

Chapter 9 Interfaces

Table 100 Configuration > Network > Interface > Ethernet > Edit (continued)

Passive Interface: Select this to stop forwarding OSPF routing information from the selected interface. As a result, this interface only receives routing information.
Authentication: Select an authentication method, or disable authentication. To exchange OSPF routing information with peer border routers, you must use the same authentication method (and the same key) that they use. Choices are:
· Same-as-Area - use the default authentication method in the area
· None - disable authentication
· Text - authenticate OSPF routing information using a plain-text password. The password travels unencrypted in every OSPF packet, so anyone who can capture traffic on the link can read it.
· MD5 - authenticate OSPF routing information using an MD5 keyed digest (RFC 2328 cryptographic authentication). The key itself is never transmitted; each packet carries a digest computed over the packet and the key, together with a sequence number that protects against replay. This is not encryption: the routing information is still readable on the wire, but it cannot be forged or altered without the key.
Text Authentication Key: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
MD5 Authentication ID: This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255. Peers must use the same ID for the same key.
MD5 Authentication Key: This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
MAC Address Setting: This section appears when Interface Properties is External or General. Have the interface use either the factory assigned default MAC address, a manually specified MAC address, or clone the MAC address of another device or computer.
Use Default MAC Address: Select this option to have the interface use the factory assigned default MAC address. By default, the Zyxel Device uses the factory assigned MAC address to identify itself.
Overwrite Default MAC Address: Select this option to have the interface use a different MAC address. Either enter the MAC address in the fields or click Clone by host and enter the IP address of the device or computer whose MAC you are cloning. Once it is successfully configured, the address will be copied to the configuration file. It will not change unless you change the setting or upload a different configuration file.
Proxy ARP: Proxy ARP is available for external or general interfaces on the Zyxel Device. See Section 9.4.2 on page 253 for more information on Proxy ARP.
Enable Proxy ARP: Select this to allow the Zyxel Device to answer external interface ARP requests on behalf of a device on its internal interface. Interfaces supported are:
· Ethernet
· VLAN
· Bridge
See Section 9.4.2 on page 253 for more information.
Add: Click Add to create an IPv4 Address, an IPv4 CIDR (for example, 192.168.1.1/24) or an IPv4 Range (for example, 192.168.1.2-192.168.1.100) as the target IP address. The Zyxel Device answers external ARP requests only if they match one of these target IP addresses. For example, if the IPv4 Address is 192.168.1.5, then the Zyxel Device will answer ARP requests coming from the WAN only if they carry 192.168.1.5 as the target IP address.
Remove: Select an existing entry and click Remove to delete that entry.
Related Setting
Configure PPPoE/PPTP: Click PPPoE/PPTP if this interface's Internet connection uses PPPoE, PPTP or L2TP.
Configure VLAN: Click VLAN if you want to configure a VLAN interface for this Ethernet interface.
Configure WAN TRUNK: Click WAN TRUNK to go to a screen where you can set this interface to be part of a WAN trunk for load balancing.
Configure Policy Route: Click Policy Route to go to the policy route summary screen where you can manually associate traffic with this interface.
You must manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to general. You can also configure a policy route to override the default routing and SNAT behavior for an interface with an Interface Type of internal or external.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.
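The following is an added example, not Zyxel's code, showing what the Text and MD5 choices in the Authentication row above put on the wire, following RFC 2328 Appendix D. The router ID, area ID, key and Hello body are constructed values; the checksum field is left at zero (it is unused with MD5 authentication, and the Text case would normally compute it over the packet minus the authentication field). Note that RFC 2328's simple-password field is 8 bytes, so only the first 8 bytes of a Text key can ever appear in a packet.

```python
"""Added example, not Zyxel's code: OSPFv2 Text vs MD5 authentication on the
wire, per RFC 2328 Appendix D. IDs, key and Hello body are constructed."""
import hashlib
import hmac
import struct

OSPF_AUTH_NONE, OSPF_AUTH_TEXT, OSPF_AUTH_MD5 = 0, 1, 2
KEY_LEN = 16   # D.3: the MD5 key is always handled as exactly 16 bytes (zero-padded)


def _pad_key(key: bytes) -> bytes:
    if len(key) > KEY_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def text_auth_field(password: bytes) -> bytes:
    # D.2: simple password, sent in the clear in the 8-byte authentication field
    return password[:8].ljust(8, b"\x00")


def md5_auth_field(key_id: int, seq: int) -> bytes:
    # D.3: reserved(2) | Key ID(1) | Auth Data Len(1) | cryptographic sequence number(4)
    return struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)


def ospf_header(auth_type: int, auth_field: bytes, body: bytes,
                router_id: str = "10.0.0.1", area_id: str = "0.0.0.0") -> bytes:
    """Minimal OSPFv2 packet: version 2, type 1 (Hello), 24-byte header + body.
    Checksum stays zero (see the lead-in)."""
    rid = bytes(int(x) for x in router_id.split("."))
    aid = bytes(int(x) for x in area_id.split("."))
    hdr = struct.pack("!BBH", 2, 1, 24 + len(body)) + rid + aid + struct.pack("!HH", 0, auth_type)
    return hdr + auth_field + body


def sign_md5(packet: bytes, key: bytes) -> bytes:
    # D.4.3: MD5 over (packet || 16-byte key); the digest is appended after the
    # packet and is NOT counted in the OSPF length field. The key never leaves the router.
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def verify_md5(wire: bytes, key: bytes) -> bool:
    length = struct.unpack("!H", wire[2:4])[0]
    auth_type = struct.unpack("!H", wire[14:16])[0]
    if auth_type != OSPF_AUTH_MD5 or wire[19] != KEY_LEN:
        return False
    packet, digest = wire[:length], wire[length:length + KEY_LEN]
    expected = hashlib.md5(packet + _pad_key(key)).digest()
    return hmac.compare_digest(expected, digest)   # constant-time comparison


def seq_number(wire: bytes) -> int:
    # D.4.3: a receiver rejects packets whose sequence number is lower than the
    # last one accepted from that neighbour; that is the replay protection.
    return struct.unpack("!I", wire[20:24])[0]


def demo() -> dict:
    key = b"s3cret-key"          # constructed key, within the 16-character UI limit
    body = b"\x00" * 20          # constructed placeholder Hello body
    text = ospf_header(OSPF_AUTH_TEXT, text_auth_field(key), body)
    signed = sign_md5(ospf_header(OSPF_AUTH_MD5, md5_auth_field(1, 1000), body), key)
    tampered = signed[:30] + bytes([signed[30] ^ 0xFF]) + signed[31:]   # flip one body byte
    return {
        "text_leaks_password": text_auth_field(key) in text,   # readable by any sniffer
        "md5_verifies": verify_md5(signed, key),
        "md5_wrong_key": verify_md5(signed, b"other-key"),
        "md5_tampered": verify_md5(tampered, key),
    }
```

Running demo() shows the Text password sitting verbatim in the packet, while the MD5 digest only verifies with the right key and fails as soon as a single byte of the packet changes.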

9.4.2 Proxy ARP
The Address Resolution Protocol (ARP) maps an IP address to a MAC address. An ARP request is broadcast to all devices on the same Ethernet network to ask for the MAC address of a target IP address.
In the following figure, a host in a WAN subnet (A) broadcasts an ARP request to all devices within its network in order to find the MAC address of a target IP address (172.16.x.x). However, the target IP address may be in another subnet (B) that uses the same network address (172.16.x.x). A router, such as the Zyxel Device, does not forward broadcasts, so the request will not reach its destination.
Enable Proxy ARP (RFC 1027) to allow the Zyxel Device to answer external interface ARP requests on behalf of a device on its internal interface. Interfaces supported are:
· Ethernet
· VLAN
· Bridge
The Zyxel Device replies with its own external MAC address, so the WAN sender treats the Zyxel Device as the destination for the target IP address. From then on the sender sends packets for that target IP address directly to the external interface of the Zyxel Device, which forwards them to the correct target IP address on its LAN.
Figure 187 Proxy ARP (WAN subnet A and LAN subnet B both numbered 172.16.x.x)

To allow the Zyxel Device to answer external interface ARP requests on behalf of a device on a supported interface, select the interface, click Add or Edit, then click Add in the Proxy ARP section of the screen.
Figure 188 Interface > Edit > Add Proxy ARP

The following table describes labels that can appear in this screen.

Table 101 Interface > Edit > Add Proxy ARP

Interface Name: This identifies the interface for which the configuration settings that use it are displayed.
Address Type: Choose IPv4 Address, IPv4 CIDR (for example, 192.168.1.1/24) or IPv4 Range (for example, 192.168.1.2-192.168.1.100) and then enter the target IP address information. The Zyxel Device answers external ARP requests only if they match one of these target IP addresses. For example, if the IPv4 Address is 192.168.1.5, then the Zyxel Device will answer ARP requests coming from the WAN only if they carry 192.168.1.5 as the target IP address. Keep the list to the internal hosts that really must be reachable from the WAN side: every address listed here is one the Zyxel Device will claim on the external segment.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.
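The following is an added example, not Zyxel's code: the matching rule the Address Type row describes, applied to constructed ARP who-has requests from a WAN host. It accepts the three entry forms (address, CIDR, range), shows which targets a given Proxy ARP table answers for, and what the reply carries. All MAC and IP values are made up.

```python
"""Added example, not Zyxel's code: the target-matching rule from the Address
Type row applied to constructed ARP who-has requests. All MAC/IP values are made up."""
import ipaddress
from dataclasses import dataclass


def parse_target(spec: str):
    """Turn one Proxy ARP entry ('a.b.c.d', 'a.b.c.d/nn' or 'a.b.c.d-e.f.g.h')
    into a predicate over IPv4 addresses."""
    spec = spec.strip()
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo, hi = ipaddress.IPv4Address(lo_s.strip()), ipaddress.IPv4Address(hi_s.strip())
        if lo > hi:
            raise ValueError(f"range start is after its end: {spec}")
        return lambda ip: lo <= ip <= hi
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)   # 192.168.1.1/24 means the whole /24
        return lambda ip: ip in net
    addr = ipaddress.IPv4Address(spec)
    return lambda ip: ip == addr


@dataclass
class ProxyArp:
    external_mac: str   # MAC of the external interface, the address the reply carries
    targets: list       # the interface's Proxy ARP table entries

    def __post_init__(self):
        self._matchers = [parse_target(t) for t in self.targets]

    def is_target(self, ip: str) -> bool:
        a = ipaddress.IPv4Address(ip)
        return any(m(a) for m in self._matchers)

    def reply_for(self, request: dict):
        """request mirrors an ARP who-has: op, sender_ip, sender_mac, target_ip.
        Returns the is-at reply the external interface would send, or None."""
        if request["op"] != 1 or not self.is_target(request["target_ip"]):
            return None
        return {
            "op": 2,
            "sender_ip": request["target_ip"],   # we answer for the internal host
            "sender_mac": self.external_mac,     # ...with our own external MAC
            "target_ip": request["sender_ip"],
            "target_mac": request["sender_mac"],
        }


def demo() -> dict:
    proxy = ProxyArp("00:11:22:33:44:55",
                     ["192.168.1.5", "10.0.0.0/29", "172.16.0.10-172.16.0.20"])
    wan_host = {"op": 1, "sender_ip": "203.0.113.9", "sender_mac": "aa:bb:cc:dd:ee:ff"}
    probes = ["192.168.1.5", "192.168.1.6", "10.0.0.7", "10.0.0.8", "172.16.0.15", "172.16.0.21"]
    return {t: proxy.reply_for({**wan_host, "target_ip": t}) is not None for t in probes}
```

demo() answers only 192.168.1.5, 10.0.0.7 and 172.16.0.15; the neighbours just outside each entry get no reply, which is the behaviour you want to verify with a packet capture on the WAN segment after enabling the feature.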

9.4.3 Virtual Interfaces
Use virtual interfaces to tell the Zyxel Device where to route packets. Virtual interfaces can also be used in VPN gateways (see Chapter 19 on page 418) and VRRP groups (see Chapter 40 on page 826).
Virtual interfaces can be created on top of Ethernet interfaces, VLAN interfaces, or bridge interfaces. Virtual VLAN interfaces recognize and use the same VLAN ID. Otherwise, there is no difference between each type of virtual interface. Network policies (for example, security policies) that apply to the underlying interface automatically apply to the virtual interface as well.
Like other interfaces, virtual interfaces have an IP address, subnet mask, and gateway used to make routing decisions. However, you have to manually specify the IP address and subnet mask; virtual interfaces cannot be DHCP clients. The virtual interface uses the same MTU and bandwidth settings that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not verify that the gateway is available.
This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click the Create Virtual Interface icon on the Ethernet, VLAN, or bridge interface summary screen.

Figure 189 Configuration > Network > Interface > Create Virtual Interface

Each field is described in the table below.

Table 102 Configuration > Network > Interface > Create Virtual Interface

Interface Properties
Interface Name: This field is read-only. It displays the name of the virtual interface, which is automatically derived from the underlying Ethernet interface, VLAN interface, or bridge interface.
Description: Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
IP Address Assignment
IP Address: Enter the IP address for this interface.
Subnet Mask: Enter the subnet mask of this interface in dotted decimal notation. The subnet mask indicates what part of the IP address is the same for all computers on the network.
Gateway: Enter the IP address of the gateway. The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
Metric: Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.

9.4.4 References
When a configuration screen includes a References icon, select a configuration object and click References to open the References screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object. Use it before you delete or change an address, interface or account object, so you see every policy and route that depends on it.

Figure 190 References

The following table describes labels that can appear in this screen.

Table 103 References

Name: This identifies the object for which the configuration settings that use it are displayed. Click the object's name to display the object's configuration screen in the main window.
#: This field is a sequential value, and it is not associated with any entry.
Service: This is the type of setting that references the selected object. Click a service's name to display the service's configuration screen in the main window.
Priority: If it is applicable, this field lists the referencing configuration item's position in its list, otherwise N/A displays.
Name: This field identifies the configuration item that references the object.
Description: If the referencing configuration item has a description configured, it displays here.
Refresh: Click this to update the information in this screen.
Cancel: Click Cancel to close the screen.

9.4.5 Add/Edit DHCPv6 Request/Release Options
When you configure an interface as a DHCPv6 server or client, you can additionally add DHCPv6 request or lease options that have the Zyxel Device include more information in the DHCPv6 packets. To open the screen, click Configuration > Network > Interface > Ethernet > Edit, select DHCPv6 Server or DHCPv6 Client in the DHCPv6 Setting section, and then click Add in the DHCPv6 Request Options or DHCPv6 Lease Options table.
Figure 191 Configuration > Network > Interface > Ethernet > Edit > Add DHCPv6 Request/Lease Options

Select a DHCPv6 request or lease object in the Select one object field and click OK to save it. Click Cancel to exit without saving the setting.
9.4.6 Add/Edit DHCP Extended Options
When you configure an interface as a DHCPv4 server, you can additionally add DHCP extended options that have the Zyxel Device include more information in the DHCP packets. The available fields vary depending on the DHCP option you select in this screen. To open the screen, click Configuration > Network > Interface > Ethernet > Edit, select DHCP Server in the DHCP Setting section, and then click Add or Edit in the Extended Options table.
Figure 192 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options

The following table describes labels that can appear in this screen.

Table 104 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options

Option: Select which DHCP option you want to add to the DHCP packets sent through the interface. See the next table for more information.
Name: This field displays the name of the selected DHCP option. If you selected User Defined in the Option field, enter a descriptive name to identify the DHCP option. You can enter up to 16 characters ("a-z", "A-Z", "0-9", "-", and "_") with no spaces allowed. The first character must be alphabetical (a-z, A-Z).
Code: This field displays the code number of the selected DHCP option. If you selected User Defined in the Option field, enter a number for the option. This field is mandatory.
Type: This is the type of the selected DHCP option. If you selected User Defined in the Option field, select an appropriate type for the value that you will enter in the next field. Only advanced users should configure User Defined. Misconfiguration could result in interface lockout.
Value: Enter the value for the selected DHCP option. For example, if you selected TFTP Server Name (66) and the type is TEXT, enter the DNS domain name of a TFTP server here. This field is mandatory.
First IP Address, Second IP Address, Third IP Address: If you selected Time Server (4), NTP Server (42), SIP Server (120), CAPWAP AC (138), or TFTP Server (150), you have to enter at least one IP address of the corresponding servers in these fields. The servers should be listed in order of your preference.
First Enterprise ID, Second Enterprise ID: If you selected VIVC (124) or VIVS (125), you have to enter at least one vendor's 32-bit enterprise number in these fields. An enterprise number is a unique number (an IANA Private Enterprise Number) that identifies a company.
First Class, Second Class: If you selected VIVC (124), enter the details of the hardware configuration of the host on which the client is running, or of industry consortium compliance.
First Information, Second Information: If you selected VIVS (125), enter additional information for the corresponding enterprise number in these fields.
OK: Click this to close this screen and update the settings to the previous Edit screen.
Cancel: Click Cancel to close the screen.

The following table lists the available DHCP extended options on the Zyxel Device. They are defined in RFC 2132 (options 2, 4, 42, 66 and 67), RFC 3361 (120), RFC 3925 (124 and 125), RFC 5417 (138) and RFC 5859 (150); see those RFCs for the exact formats. Clients treat these values as trusted provisioning data, so a wrong TFTP, SIP or CAPWAP address here redirects every client's boot, configuration or controller lookup.

Table 105 DHCP Extended Options

Time Offset (2): This option specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC).
Time Server (4): This option specifies a list of Time servers available to the client.
NTP Server (42): This option specifies a list of the NTP servers available to the client by IP address.
TFTP Server Name (66): This option is used to identify a TFTP server when the "sname" field in the DHCP header has been used for DHCP options. The minimum length of the value is 1.
Bootfile (67): This option is used to identify a bootfile when the "file" field in the DHCP header has been used for DHCP options. The minimum length of the value is 1.
SIP Server (120): This option carries either an IPv4 address or a DNS domain name to be used by the SIP client to locate a SIP server.
VIVC (124): Vendor-Identifying Vendor Class option. A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs.
VIVS (125): Vendor-Identifying Vendor-Specific option. DHCP clients and servers may use this option to exchange vendor-specific information.
CAPWAP AC (138): CAPWAP Access Controller addresses option. The Control And Provisioning of Wireless Access Points Protocol allows a Wireless Termination Point (WTP) to use DHCP to discover the Access Controllers to which it is to connect. This option carries a list of IPv4 addresses indicating one or more CAPWAP ACs available to the WTP.
TFTP Server (150): The option contains one or more IPv4 addresses that the client may use. The current use of this option is for downloading configuration from a VoIP server via TFTP; however, the option may be used for purposes other than contacting a VoIP configuration server.
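The following is an added example, not Zyxel's code: how the option types in Table 105 are laid out in a DHCPv4 options field, so that a User Defined entry (Code, Type, Value) can be checked against the RFC layout before it is pushed to every client, and so that a capture of what the server actually sends can be decoded. The TEXT and address-list encoders follow RFC 2132; the 124/125 encoders follow RFC 3925. Server names, addresses and class strings are constructed, and enterprise number 32473 is the IANA-reserved documentation value from RFC 5612.

```python
"""Added example, not Zyxel's code: wire layout of the options in Table 105
(RFC 2132 for TEXT and address lists, RFC 3925 for 124/125). Names, addresses
and class strings are constructed; 32473 is the RFC 5612 documentation enterprise."""
import ipaddress
import struct

PAD, END = 0, 255


def _opt(code: int, payload: bytes) -> bytes:
    # generic TLV: code(1) | len(1) | payload; 0 and 255 are reserved for PAD/END
    if not PAD < code < END:
        raise ValueError("option code must be 1..254")
    if len(payload) > 255:
        raise ValueError("a single DHCPv4 option carries at most 255 bytes")
    return bytes([code, len(payload)]) + payload


def text_option(code: int, value: str) -> bytes:
    # TEXT type, e.g. TFTP Server Name (66) or Bootfile (67); minimum length 1
    data = value.encode()
    if not data:
        raise ValueError("TEXT options need at least one byte")
    return _opt(code, data)


def ip_list_option(code: int, addrs) -> bytes:
    # address-list type, e.g. Time Server (4), NTP Server (42), CAPWAP AC (138),
    # TFTP Server (150): concatenated 4-byte addresses in preference order
    if not addrs:
        raise ValueError("at least one address is required")
    return _opt(code, b"".join(ipaddress.IPv4Address(a).packed for a in addrs))


def vivc_option(classes) -> bytes:
    # 124 (RFC 3925 s.3): repeated enterprise(4) | data-len(1) | vendor-class-data,
    # where vendor-class-data is a list of length-prefixed opaque items
    payload = b""
    for enterprise, items in classes:
        data = b"".join(bytes([len(i)]) + i for i in items)
        payload += struct.pack("!IB", enterprise, len(data)) + data
    return _opt(124, payload)


def vivs_option(vendors) -> bytes:
    # 125 (RFC 3925 s.4): repeated enterprise(4) | data-len(1) | sub-options,
    # each sub-option being subopt-code(1) | len(1) | data
    payload = b""
    for enterprise, subopts in vendors:
        data = b"".join(bytes([c, len(d)]) + d for c, d in subopts)
        payload += struct.pack("!IB", enterprise, len(data)) + data
    return _opt(125, payload)


def parse_options(blob: bytes) -> dict:
    """Split an options field into {code: payload}; skips PAD, stops at END."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        ln = blob[i + 1]
        out[code] = blob[i + 2:i + 2 + ln]
        i += 2 + ln
    return out


def _enterprise_blocks(payload: bytes):
    i = 0
    while i < len(payload):
        enterprise, dlen = struct.unpack("!IB", payload[i:i + 5])
        yield enterprise, payload[i + 5:i + 5 + dlen]
        i += 5 + dlen


def parse_vivc(payload: bytes) -> list:
    out = []
    for enterprise, data in _enterprise_blocks(payload):
        items, j = [], 0
        while j < len(data):
            n = data[j]
            items.append(data[j + 1:j + 1 + n])
            j += 1 + n
        out.append((enterprise, items))
    return out


def parse_vivs(payload: bytes) -> list:
    out = []
    for enterprise, data in _enterprise_blocks(payload):
        subs, j = [], 0
        while j < len(data):
            c, n = data[j], data[j + 1]
            subs.append((c, data[j + 2:j + 2 + n]))
            j += 2 + n
        out.append((enterprise, subs))
    return out


def demo() -> dict:
    blob = (text_option(66, "tftp.example.net")
            + ip_list_option(150, ["192.0.2.10", "192.0.2.11"])
            + vivc_option([(32473, [b"zyxel-ap", b"fw-4.60"])])
            + vivs_option([(32473, [(1, b"site-A")])])
            + bytes([END]))
    opts = parse_options(blob)
    servers = opts[150]
    return {
        "codes": sorted(opts),
        "tftp_name": opts[66].decode(),
        "tftp_servers": [str(ipaddress.IPv4Address(servers[k:k + 4])) for k in range(0, len(servers), 4)],
        "vivc": parse_vivc(opts[124]),
        "vivs": parse_vivs(opts[125]),
    }
```

The 255-byte limit in _opt is the reason a long list of servers or class strings will not fit into one option; RFC 3396 concatenation is out of scope here, but it is the first thing to check when a User Defined value is silently truncated.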

9.5 PPP Interfaces
Use PPPoE/PPTP/L2TP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP/L2TP software on each computer on the network.

Figure 193 Example: PPPoE/PPTP/L2TP Interfaces

PPPoE/PPTP/L2TP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/PPTP/L2TP interfaces and other interfaces.
· You must also configure an ISP account object for the PPPoE/PPTP/L2TP interface to use. Each ISP account specifies the protocol (PPPoE, PPTP or L2TP), as well as your ISP account information. If you change ISPs later, you only have to create a new ISP account, not a new PPPoE/PPTP/L2TP interface. You should not have to change any network policies.
· You do not set up the subnet mask or gateway. PPPoE/PPTP/L2TP interfaces are point-to-point links between the Zyxel Device and a single peer. Therefore, the subnet mask is always 255.255.255.255. In addition, the Zyxel Device always treats the ISP as a gateway.
9.5.1 PPP Interface Summary
This screen lists every PPPoE/PPTP/L2TP interface. To access this screen, click Configuration > Network > Interface > PPP.
Figure 194 Configuration > Network > Interface > PPP

Each field is described in the table below.

Table 106 Configuration > Network > Interface > PPP

User Configuration / System Default: The Zyxel Device comes with the (non-removable) System Default PPP interfaces preconfigured. You can create (and delete) User Configuration PPP interfaces. System Default PPP interfaces vary by model.
Add: Click this to create a new user-configured PPP interface.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove a user-configured PPP interface, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Connect: To connect an interface, select it and click Connect. You might use this in testing the interface or to manually establish the connection for a Dial-on-Demand PPPoE/PPTP/L2TP interface.
Disconnect: To disconnect an interface, select it and click Disconnect. You might use this in testing the interface.
References: Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.
#: This field is a sequential value, and it is not associated with any interface.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The connect icon is lit when the interface is connected and dimmed when it is disconnected.
Name: This field displays the name of the interface.
Description: This field displays the description of the interface.
Base Interface: This field displays the interface on top of which the PPPoE/PPTP/L2TP interface runs.
Account Profile: This field displays the ISP account used by this PPPoE/PPTP/L2TP interface.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

9.5.2 PPP Interface Add or Edit
Note: You have to set up an ISP account before you create a PPPoE/PPTP/L2TP interface.
This screen lets you configure a PPPoE, PPTP or L2TP interface. If you enabled IPv6 on the Configuration > System > IPv6 screen, you can also configure PPP interfaces used for your IPv6 networks on this screen. To access this screen, click the Add icon or an Edit icon on the PPP Interface screen.

Figure 195 Configuration > Network > Interface > PPP > Add

Each field is explained in the following table.

Table 107 Configuration > Network > Interface > PPP > Add

IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Create New Object: Click this button to create an ISP Account or a DHCPv6 request object that you may use for the ISP or DHCPv6 settings in this screen.
General Settings
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
General IPv6 Setting
Enable IPv6: Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.
Interface Properties
Interface Name: Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
Base Interface: Select the interface upon which this PPP interface is built.
Note: Multiple PPP interfaces can use the same base interface.
Zone: Select the zone to which this PPP interface belongs. The zone determines the security settings the Zyxel Device uses for the interface.
Description: Enter a description of this interface. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Spaces are allowed, but the string can't start with a space.
Connectivity
Nailed-Up: Select this if the PPPoE/PPTP/L2TP connection should always be up. Clear this to have the Zyxel Device establish the PPPoE/PPTP/L2TP connection only when there is traffic. You might use this option if a lot of traffic needs to go through the interface or it does not cost extra to keep the connection up all the time.
Dial-on-Demand: Select this to have the Zyxel Device establish the PPPoE/PPTP/L2TP connection only when there is traffic. You might use this option if there is little traffic through the interface or if it costs money to keep the connection available.
ISP Setting
Account Profile: Select the ISP account that this PPPoE/PPTP/L2TP interface uses. The drop-down box lists ISP accounts by name. Use Create new Object if you need to configure a new ISP account (see Chapter 39 on page 819 for details).
Protocol: This field is read-only. It displays the protocol specified in the ISP account.
User Name: This field is read-only. It displays the user name for the ISP account.
Service Name: This field is read-only. It displays the PPPoE service name specified in the ISP account. This field is blank if the ISP account uses PPTP.
IP Address Assignment: Click Show Advanced Settings to display more settings. Click Hide Advanced Settings to display fewer settings.
Get Automatically: Select this if this interface is a DHCP client. In this case, the DHCP server configures the IP address automatically. The subnet mask and gateway are always defined automatically in PPPoE/PPTP/L2TP interfaces.
Use Fixed IP Address: Select this if you want to specify the IP address manually.
IP Address: This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface.
Gateway: This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
Metric: Enter the priority of the gateway (the ISP) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.
IPv6 Address Assignment: These IP address fields configure an IPv6 IP address on the interface itself.
Enable Stateless Address Autoconfiguration (SLAAC): Select this to enable IPv6 stateless auto-configuration on this interface. The interface will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router on the network.
Metric: Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.
Address from DHCPv6 Prefix Delegation: Use this table to have the Zyxel Device obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ. You have to also enter a suffix address which is appended to the delegated prefix to form an address for this interface. See Prefix Delegation on page 232 for more information.
To use prefix delegation, you must:
· Create at least one DHCPv6 request object before configuring this table.
· The external interface must be a DHCPv6 client. You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix-delegation.
· Assign the prefix delegation to an internal interface and enable router advertisement on that interface.
Add: Click this to create an entry.
Edit: Select an entry and click this to change the settings.
Remove: Select an entry and click this to delete it from this table.
References: Select an entry and click References to open a screen that shows which settings use the entry.
#: This field is a sequential value, and it is not associated with any entry.
Delegated Prefix: Select the DHCPv6 request object to use from the drop-down list.
Suffix Address: Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The Zyxel Device will append it to the delegated prefix. For example, if you got a delegated prefix of 2003:1234:5678::/48 and want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, enter ::1111:0:0:0:1/128 in this field.
Address: This field displays the combined IPv6 IP address for this interface.
Note: This field displays the combined address after you click OK and reopen this screen.
DHCPv6 Setting
DHCPv6: Select Client to obtain an IP address and DNS information from the service provider for the interface. Otherwise, select N/A to disable the function.
DUID: This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 233 for more information.
ZyWALL USG FLEX Series User's Guide
263

Chapter 9 Interfaces

Table 107 Configuration > Network > Interface > PPP > Add (continued)

LA BEL

DESC RIPTIO N

DUID as MAC

Select this if you want the DUID is generated from the interface's default MAC address.

Customized DUID If you want to use a customized DUID, enter it here for the interface.

Enable Rapid Commit

Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load.

Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.

Request Address Select this to get an IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP address information through DHCPv6.

DHCPv6 Request Use this section to configure DHCPv6 request settings that determine what additional

Options

information to get from the DHCPv6 server.

Add

Click this to create an entry in this table. See Section 9.4.6 on page 257 for more information.

Remove

Select an entry and click this to delete it from this table.

References

Select an entry and click Re fe re nc e s to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.

Name

This field displays the name of the DHCPv6 request object.

Type

This field displays the type of the object.

Value

This field displays the IPv6 prefix that the Zyxel Device will advertise to its clients.

Interface Parameters

Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can send through the interface to the network. Allowed values are 0 - 1048576.

Ingress Bandwidth

This is reserved for future use.
Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can receive from the network through the interface. Allowed values are 0 - 1048576.

MTU

Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments. Allowed values are 576 - 1492. Usually, this value is 1492.

Connectivity Check

The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the Zyxel Device stops routing to the gateway. The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check.

Enable Connectivity Check

Select this to turn on the connection check.

Check Method Select the method that the gateway allows.

Select ic m p to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available.

Check Period Check Timeout Check Fail Tolerance Check Default Gateway

Select tc p to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available.
Enter the number of seconds between connection check attempts.
Enter the number of seconds to wait for a response before the attempt is a failure.
Enter the number of consecutive failures before the Zyxel Device stops routing through the gateway.
Select this to use the default gateway for the connectivity check.

ZyWALL USG FLEX Series User's Guide
264

Chapter 9 Interfaces

Table 107 Configuration > Network > Interface > PPP > Add (continued)

LA BEL

DESC RIPTIO N

Check this address

Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Check Port

This field only displays when you set the C he c k Me tho d to tc p. Specify the port number to use for a TCP connectivity check.

Related Setting

Configure WAN TRUNK

Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing.

Policy Route

Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.
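The connectivity check described above is shared, with the same fields, by the PPP, cellular and tunnel interface screens, and it amounts to a small state machine: one probe per Check Period, a probe that gets no reply within Check Timeout counts as a failure, routing through the gateway stops after Check Fail Tolerance consecutive failures, and it resumes on the first successful probe. The Python below is an added example written for this discussion, not Zyxel code: the class and function names, the plain-socket TCP probe, the rule that the timeout may not exceed the period, and the sequence of probe outcomes are all assumptions constructed for the demo.

```python
"""Gateway connectivity check (Check Period / Check Timeout / Check Fail Tolerance)
as a small state machine.  Added example for this guide, not Zyxel code: class,
function names and the TCP probe are assumptions about how such a check could be
implemented.  The 'icmp' method needs a raw socket or the system ping tool and is
not shown; both methods feed the same state machine."""
import socket
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class ConnectivityCheck:
    period: int = 30          # Check Period: seconds between probe attempts
    timeout: int = 5          # Check Timeout: seconds to wait for a reply
    fail_tolerance: int = 5   # Check Fail Tolerance: consecutive failures before routing stops
    consecutive_failures: int = 0
    routing: bool = True      # True while traffic is still routed through this gateway
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Assumption (not a constraint the guide states): a probe must finish before the next starts.
        if self.timeout > self.period:
            raise ValueError("Check Timeout must not exceed Check Period")
        if self.fail_tolerance < 1:
            raise ValueError("Check Fail Tolerance must be at least 1")

    def record(self, ok: bool) -> bool:
        """Feed one probe outcome and return whether routing via the gateway is active."""
        if ok:
            if not self.routing:
                self.events.append("gateway up: routing resumed")
            self.consecutive_failures = 0
            self.routing = True
        else:
            self.consecutive_failures += 1
            if self.routing and self.consecutive_failures >= self.fail_tolerance:
                self.routing = False
                self.events.append(
                    f"gateway down: {self.consecutive_failures} consecutive failures")
        return self.routing


def tcp_probe(host: str, port: int, timeout: float) -> bool:
    """'tcp' check method: succeed only if the TCP handshake completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def replay(check: ConnectivityCheck, outcomes: Iterable[bool]) -> List[bool]:
    """Drive the state machine with a constructed list of probe outcomes
    (True = reply within timeout, False = no reply) and return the routing state after each."""
    return [check.record(ok) for ok in outcomes]


if __name__ == "__main__":
    check = ConnectivityCheck(period=10, timeout=3, fail_tolerance=3)
    # Constructed outcome sequence: two isolated failures are tolerated, a third
    # consecutive failure takes the gateway out of service, one success brings it back.
    print(replay(check, [True, False, False, True, False, False, False, True]))
    print(check.events)
```

The point the guide's wording makes, and the replay shows, is that failures only count while they are consecutive: a single good reply clears the counter, so a gateway that answers intermittently never reaches the tolerance and stays in service. Set Check Fail Tolerance with that in mind when the interface is part of a WAN trunk.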

9.6 Cellular Configuration Screen
Mobile broadband is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices.
Note: The actual data rate you obtain varies depending on the mobile broadband device you use, the signal strength to the service provider's base station, and so on.
You can configure how the Zyxel Device's mobile broadband device connects to a network (refer to Section 9.6.1 on page 268):
· You can set the mobile broadband device to connect only to the home network, which is the network to which you are originally subscribed.
· You can set the mobile broadband device to connect to other networks if the signal strength of the home network is too low or it is unavailable.
3G
3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices.
4G
4G is the fourth generation of the mobile telecommunications technology and a successor of 3G. Both the WiMAX and Long Term Evolution (LTE) standards are the 4G candidate systems. 4G only supports all-IP-based packet-switched telephony services and is required to offer Gigabit speed access.
Note: The actual data rate you obtain varies depending on your mobile environment. The environmental factors may include the number of mobile devices which are currently connected to the mobile network, the signal strength to the mobile network, and so on.
See the following table for a comparison between 2G, 2.5G, 2.75G, 3G and 4G wireless technologies.

Table 108 2G, 2.5G, 2.75G, 3G, 3.5G and 4G Wireless Technologies

2G
Type: Circuit-switched
GSM-based: GSM (Global System for Mobile Communications), Personal Handy-phone System (PHS), etc.
CDMA-based: Interim Standard 95 (IS-95), the first CDMA-based digital cellular standard pioneered by Qualcomm. The brand name for IS-95 is cdmaOne. IS-95 is also known as TIA-EIA-95.
Data speed: Slow

2.5G
Type: Packet-switched
GSM-based: GPRS (General Packet Radio Services), High-Speed Circuit-Switched Data (HSCSD), etc.
CDMA-based: CDMA2000 is a hybrid 2.5G / 3G protocol of mobile telecommunications standards that use CDMA, a multiple access scheme for digital radio.

2.75G
Type: Packet-switched
GSM-based: Enhanced Data rates for GSM Evolution (EDGE), Enhanced GPRS (EGPRS), etc.
CDMA-based: CDMA2000 1xRTT (1 times Radio Transmission Technology) is the core CDMA2000 wireless air interface standard. It is also known as 1x, 1xRTT, or IS-2000 and considered to be a 2.5G or 2.75G technology.

3G
Type: Packet-switched
GSM-based: UMTS (Universal Mobile Telecommunications System), a third-generation (3G) wireless standard defined in ITU specification, is sometimes marketed as 3GSM. The UMTS uses GSM infrastructures and W-CDMA (Wideband Code Division Multiple Access) as the air interface. The International Telecommunication Union (ITU) is an international organization within which governments and the private sector coordinate global telecom networks and services.
CDMA-based: CDMA2000 EV-DO (Evolution-Data Optimized, originally 1x Evolution-Data Only), also referred to as EV-DO, EVDO, or just EV, is an evolution of CDMA2000 1xRTT and enables high-speed wireless connectivity. It is also denoted as IS-856 or High Data Rate (HDR).

3.5G
Type: Packet-switched
GSM-based: HSDPA (High-Speed Downlink Packet Access) is a mobile telephony protocol, used for UMTS-based 3G networks and allows for higher data transfer speeds.

4G/LTE
Type: Packet-switched
GSM-based: The LTE (Long Term Evolution) standard is based on the GSM and UMTS network technologies.
Data speed: Fast
To change your mobile broadband WAN settings, click Configuration > Network > Interface > Cellular.
Note: Install (or connect) a compatible mobile broadband USB device to use a cellular connection.
Note: The WAN IP addresses of a Zyxel Device with multiple WAN interfaces must be on different subnets.

Figure 196 Configuration > Network > Interface > Cellular

The following table describes the labels in this screen.

Table 109 Configuration > Network > Interface > Cellular

Add

Click this to create a new cellular interface.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate

To turn on an entry, select it and click Activate.

Inactivate

To turn off an entry, select it and click Inactivate.

Connect

To connect an interface, select it and click Connect. You might use this in testing the interface or to manually establish the connection.

Disconnect

To disconnect an interface, select it and click Disconnect. You might use this in testing the interface.

References

Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.

#

This field is a sequential value, and it is not associated with any interface.

Status

The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

The connect icon is lit when the interface is connected and dimmed when it is disconnected.

Name

This field displays the name of the interface.

Description

This field displays the description of the interface.

Extension Slot

This field displays where the entry's cellular card is located.

Connected Device

This field displays the name of the cellular card.

ISP Settings

This field displays the profile of ISP settings that this cellular interface is set to use.

Mobile Broadband Dongle Support

You should have registered your Zyxel Device at myZyxel. myZyxel hosts a list of supported mobile broadband dongle devices. You should have an Internet connection to access this website.


Latest Version

This displays the latest supported mobile broadband dongle list version number.

Current Version

This displays the currently supported (by the Zyxel Device) mobile broadband dongle list version number.

Update Now

If the latest version number is greater than the current version number, then click this button to download the latest list of supported mobile broadband dongle devices to the Zyxel Device.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

9.6.1 Cellular Choose Slot
To change your mobile broadband settings, click Configuration > Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that contains the mobile broadband device, then the Add Cellular configuration screen displays.

9.6.2 Add / Edit Cellular Configuration
This screen displays after you select the slot that contains the mobile broadband device in the previous pop-up window.

Figure 197 Configuration > Network > Interface > Cellular > Add / Edit

The following table describes the labels in this screen.

Table 110 Configuration > Network > Interface > Cellular > Add / Edit

Show Advanced Settings / Hide Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

General Settings

Enable Interface

Select this option to turn on this interface.

Interface Properties

Interface Name

Select a name for the interface.

Zone

Select the zone to which you want the cellular interface to belong. The zone determines the security settings the Zyxel Device uses for the interface.

Extension Slot

This is the USB slot that you are configuring for use with a mobile broadband card.

Connected Device

This displays the manufacturer and model name of your mobile broadband card if you inserted one in the Zyxel Device. Otherwise, it displays none.

Description

Enter a description of this interface. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Spaces are allowed, but the string can't start with a space.

Connectivity

Nailed-Up

Select this if the connection should always be up. Clear this to have the Zyxel Device establish the connection only when there is traffic. You might not nail up the connection if there is little traffic through the interface or if it costs money to keep the connection available.

Idle timeout

This value specifies the time in seconds (0~360) that elapses before the Zyxel Device automatically disconnects from the ISP's server. Zero disables the idle timeout.

ISP Settings

Profile Selection

Select Device to use one of the mobile broadband device's profiles of device settings. Then select the profile (use Profile 1 unless your ISP instructed you to do otherwise).

Select Custom to configure your device settings yourself.

APN

This field is read-only if you selected Device in the profile selection. Select Custom in the profile selection to be able to manually input the APN (Access Point Name) provided by your service provider. This field applies with a GSM or HSDPA mobile broadband card. Enter the APN from your service provider. Connections with different APNs may provide different services (such as Internet access or MMS (Multi-Media Messaging Service)) and charge method.

You can enter up to 63 ASCII printable characters. Spaces are allowed.

Dial String

Enter the dial string if your ISP provides a string, which would include the APN, to initialize the mobile broadband card.

You can enter up to 63 ASCII printable characters. Spaces are allowed.

Authentication Type

This field is available only when you insert a GSM mobile broadband card.

The Zyxel Device supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms.

Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:

None: No authentication for outgoing calls.

CHAP: Your Zyxel Device accepts CHAP requests only.

PAP: Your Zyxel Device accepts PAP requests only.

User Name

This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection. If this field is configurable, enter the user name for this mobile broadband card exactly as the service provider gave it to you.

You can use 1 ~ 64 alphanumeric and #:%-_@$./ characters. The first character must be alphanumeric or -_@$./. Spaces are not allowed.

Password

This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection and the password is included in the mobile broadband card's profile. If this field is configurable, enter the password for this SIM card exactly as the service provider gave it to you.

You can use 0 ~ 63 alphanumeric and `~!@#$%^&*()_-+={}|;:'<,>./ characters. Spaces are not allowed.

Retype to Confirm

This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection and the password is included in the mobile broadband card's profile. If this field is configurable, re-enter the password for this SIM card exactly as the service provider gave it to you.

SIM Card Setting

PIN Code

This field displays with a GSM or HSDPA mobile broadband card. A PIN (Personal Identification Number) code is a key to a mobile broadband card. Without the PIN code, you cannot use the mobile broadband card.

Enter the 4-digit PIN code (0000 for example) provided by your ISP. If you enter the PIN code incorrectly, the mobile broadband card may be blocked by your ISP and you cannot use the account to access the Internet.

If your ISP disabled PIN code authentication, enter an arbitrary number.

Retype to Confirm

Type the PIN code again to confirm it.

Interface Parameters

Egress Bandwidth

Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.

Ingress Bandwidth

This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can receive from the network through the interface. Allowed values are 0 - 1048576.

MTU

Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments. Allowed values are 576 - 1492. Usually, this value is 1492.

Connectivity Check

The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the Zyxel Device stops routing to the gateway. The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check.

Enable Connectivity Check

Select this to turn on the connection check.

Check Method

Select the method that the gateway allows.

Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available.

Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available.

Check Period

Enter the number of seconds between connection check attempts.

Check Timeout

Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail Tolerance

Enter the number of consecutive failures before the Zyxel Device stops routing through the gateway.

Check Default Gateway

Select this to use the default gateway for the connectivity check.

Check this address

Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Check Port

This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.

Related Setting

Configure WAN TRUNK

Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing.

Configure Policy Route

Click Policy Route to go to the policy route summary screen where you can configure a policy route to override the default routing and SNAT behavior for the interface.

IP Address Assignment

Get Automatically

Select this option if your ISP did not assign you a fixed IP address. This is the default selection.

Use Fixed IP Address

Select this option if the ISP assigned a fixed IP address.

IP Address

Enter the cellular interface's WAN IP address in this field if you selected Use Fixed IP Address.

Metric

Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.

Device Settings

Band Selection

This field appears if you selected a mobile broadband device that allows you to select the type of network to use. Select the type of mobile broadband service for your mobile broadband connection. If you are unsure what to select, check with your mobile broadband service provider to find the mobile broadband service available to you in your region.

Select auto to have the card connect to an available network. Choose this option if you do not know what networks are available.

You may want to manually specify the type of network to use if you are charged differently for different types of network or you only have one type of network available to you.

Select GPRS / EDGE (GSM) only to have this interface only use a 2.5G or 2.75G network (respectively). If you only have a GSM network available to you, you may want to select this so the Zyxel Device does not spend time looking for a WCDMA network.

Select UMTS / HSDPA (WCDMA) only to have this interface only use a 3G or 3.5G network (respectively). You may want to do this if you want to make sure the interface does not use the GSM network.

Select LTE only to have this interface only use a 4G LTE network. This option only appears when a USG dongle for 4G technology is inserted.

Network Selection

Home network is the network to which you are originally subscribed.

Select Home to have the mobile broadband device connect only to the home network. If the home network is down, the Zyxel Device's mobile broadband Internet connection is also unavailable.

Select Auto (Default) to allow the mobile broadband device to connect to a network to which you are not subscribed when necessary, for example when the home network is down or another mobile broadband base station's signal is stronger. This is recommended if you need continuous Internet connectivity. If you select this, you may be charged using the rate of a different network.

Budget Setup

Enable Budget Control

Select this to set a monthly limit for the user account of the installed mobile broadband card. You can set a limit on the total traffic and/or call time. The Zyxel Device takes the actions you specified when a limit is exceeded during the month.

Time Budget

Select this and specify the amount of time (in hours) that the mobile broadband connection can be used within one month. If you change the value after you configure and enable budget control, the Zyxel Device resets the statistics.

Data Budget

Select this and specify how much downstream and/or upstream data (in megabytes) can be transmitted via the mobile broadband connection within one month.

Select Download to set a limit on the downstream traffic (from the ISP to the Zyxel Device).

Select Upload to set a limit on the upstream traffic (from the Zyxel Device to the ISP).

Select Download/Upload to set a limit on the total traffic in both directions.

If you change the value after you configure and enable budget control, the Zyxel Device resets the statistics.

Reset time and data budget counters on

Select the date on which the Zyxel Device resets the budget every month. If the date you selected is not available in a month, such as 30th or 31st, the Zyxel Device resets the budget on the last day of the month.

Reset time and data budget counters

This button is available only when you enable budget control in this screen.

Click this button to reset the time and data budgets immediately. The count starts over with the mobile broadband connection's full configured monthly time and data budgets. This does not affect the normal monthly budget restart; so if you configured the time and data budget counters to reset on the second day of the month and you use this button on the first, the time and data budget counters will still reset on the second.

Actions when over budget

Specify the actions the Zyxel Device takes when the time or data limit is exceeded.

Log

Select None to not create a log, Log to create a log, or Log-alert to create an alert log. If you select Log or Log-alert you can also select recurring every to have the Zyxel Device send a log or alert for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log or alert.

New connection

Select Allow to permit new mobile broadband connections or Disallow to drop/block new mobile broadband connections.

Current connection

Select Keep to maintain an existing mobile broadband connection or Drop to disconnect it. You cannot set New connection to Allow and Current connection to Drop at the same time.

If you set New connection to Disallow and Current connection to Keep, the Zyxel Device allows you to transmit data using the current connection, but you cannot build a new connection if the existing connection is disconnected.

Actions when over % of time budget or % of data budget

Specify the actions the Zyxel Device takes when the specified percentage of time budget or data limit is exceeded. Enter a number from 1 to 99 in the percentage fields. If you change the value after you configure and enable budget control, the Zyxel Device resets the statistics.

Log

Select None to not create a log when the Zyxel Device takes this action, Log to create a log, or Log-alert to create an alert log. If you select Log or Log-alert you can also select recurring every to have the Zyxel Device send a log or alert for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log or alert.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.
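Why the Authentication Type description calls CHAP more secure than PAP: PAP puts the user name and password on the link in clear text, while CHAP (RFC 1994) sends only an MD5 digest of the identifier octet, the shared secret and a fresh challenge, so the secret never crosses the link and a captured response does not satisfy the next challenge. The Python below sketches both exchanges as an added example, not Zyxel code; the function names, the simplified message framing (real PPP frames carry length and code fields that are omitted here) and the sample user name, secret and challenge are constructed for the demo.

```python
"""PAP versus CHAP on a PPP link, as an added illustration of the Authentication
Type options.  Function names, message framing and sample credentials are
constructed for this demo; the CHAP digest rule follows RFC 1994 section 4.1."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed demo credentials (not real ISP values).
USER = "demo-user"
SECRET = b"demo-secret"


def pap_authenticate_request(user: str, password: str) -> bytes:
    """PAP peer side: user name and password travel in clear text (simplified framing)."""
    return user.encode() + b"\x00" + password.encode()


def pap_verify(request: bytes, user: str, password: str) -> bool:
    """PAP authenticator side: plain comparison of what arrived on the link."""
    got_user, _, got_pw = request.partition(b"\x00")
    return got_user == user.encode() and hmac.compare_digest(got_pw, password.encode())


def chap_challenge(identifier: int, length: int = 16) -> Tuple[int, bytes]:
    """CHAP authenticator side: a fresh, unpredictable challenge for each attempt."""
    return identifier & 0xFF, os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP peer side: MD5(identifier || secret || challenge).  The secret stays local."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """CHAP authenticator side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def compare_exposure(user: str = USER, secret: bytes = SECRET) -> Dict[str, bool]:
    """Run one PAP exchange and two CHAP challenges; report what each puts on the link."""
    pap_wire = pap_authenticate_request(user, secret.decode())
    ident1, chal1 = chap_challenge(1)
    resp1 = chap_response(ident1, secret, chal1)      # the only CHAP bytes the peer sends
    ident2, chal2 = chap_challenge(2)                 # next session: new identifier, new challenge
    return {
        "pap_accepted": pap_verify(pap_wire, user, secret.decode()),
        "pap_secret_on_wire": secret in pap_wire,
        "chap_accepted": chap_verify(ident1, secret, chal1, resp1),
        "chap_secret_on_wire": secret in chal1 or secret in resp1,
        # A response captured from session 1 does not answer the challenge of session 2.
        "chap_old_response_reused": chap_verify(ident2, secret, chal2, resp1),
    }


if __name__ == "__main__":
    for name, value in compare_exposure().items():
        print(f"{name}: {value}")
```

CHAP still depends on both ends holding the same plaintext secret and on MD5, so it protects the credential on the link but is not a modern authentication scheme; on a cellular link the secret is whatever the service provider issued for the APN, and the guide's advice to enter it exactly as given applies to both options.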

9.7 Tunnel Interfaces
The Zyxel Device uses tunnel interfaces in Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels.
GRE Tunneling
GRE tunnels encapsulate a wide variety of network layer protocol packet types inside IP tunnels. A GRE tunnel serves as a virtual point-to-point link between the Zyxel Device and another router over an IPv4 network. At the time of writing, the Zyxel Device only supports GRE tunneling in IPv4 networks.
Figure 198 GRE Tunnel Example

IPv6 Over IPv4 Tunnels
To route traffic between two IPv6 networks over an IPv4 network, an IPv6 over IPv4 tunnel has to be used.
Figure 199 IPv6 over IPv4 Network
On the Zyxel Device, you can either set up a manual IPv6-in-IPv4 tunnel or an automatic 6to4 tunnel. The following describes each method:
IPv6-in-IPv4 Tunneling
Use this mode on the WAN of the Zyxel Device if
· your Zyxel Device has a public IPv4 IP address given from your ISP, and
· you want to transmit your IPv6 packets to one and only one remote site whose LAN network is also an IPv6 network.
With this mode, the Zyxel Device encapsulates IPv6 packets within IPv4 packets across the Internet. You must know the WAN IP address of the remote gateway device. This mode is normally used for a site-to-site application such as two branch offices.
Figure 200 IPv6-in-IPv4 Tunnel
In the Zyxel Device, you must also manually configure a policy route for an IPv6-in-IPv4 tunnel to make the tunnel work.
6to4 Tunneling
This mode also enables IPv6 packets to cross IPv4 networks. Unlike IPv6-in-IPv4 tunneling, you do not need to configure a policy route for a 6to4 tunnel. Provided the IPv6 addresses you assign to hosts embed the destination router's public IPv4 address, the Zyxel Device can automatically forward 6to4 packets to the destination they want to go to. A 6to4 relay router is required to route 6to4 packets to a native IPv6 network if the packet's destination does not match your specified criteria.
In this mode, the Zyxel Device should get a public IPv4 address for the WAN. The Zyxel Device adds an IPv4 header to an IPv6 packet when transmitting the packet to the Internet. In reverse, the Zyxel Device removes the IPv4 header from an IPv6 packet when receiving it from the Internet.
An IPv6 address using the 6to4 mode consists of an IPv4 address; the format is as follows:
2002:[a public IPv4 address in hexadecimal]::/48
For example, a public IPv4 address is 202.156.30.41. The converted hexadecimal IP string is ca.9c.1e.29. The IPv6 address prefix becomes 2002:ca9c:1e29::/48.
Figure 201 6to4 Tunnel
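The 6to4 prefix arithmetic just described, together with the Remote Gateway Prefix rule explained for the Tunnel Add/Edit screen (a custom prefix such as 2003:A0B::/32 combined with an IPv4 network such as 14.15.0.0/16), as an added Python example rather than Zyxel code. The function names are assumptions; the standard 2002::/16 case is treated as the special case in which the whole 32-bit IPv4 address follows the prefix, and 192.0.2.1 is a constructed documentation address standing in for the relay router.

```python
"""6to4 address arithmetic: derive a site's 2002::/48 prefix from its public
IPv4 address and pick the IPv4 next hop for an IPv6 destination.  Added example
for this guide's 6to4 discussion; function names are assumptions."""
import ipaddress

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """2002:<high 16 bits>:<low 16 bits>::/48, e.g. 202.156.30.41 -> 2002:ca9c:1e29::/48."""
    v4 = int(IPv4(public_ipv4))
    return ipaddress.IPv6Network(f"2002:{v4 >> 16:04x}:{v4 & 0xFFFF:04x}::/48")


def embedded_ipv4(dst: str, prefix: ipaddress.IPv6Network,
                  remote_gw: ipaddress.IPv4Network) -> IPv4:
    """Rebuild the IPv4 gateway from the bits that follow the 6to4 prefix.

    With prefix 2002::/16 and remote_gw 0.0.0.0/0 the full 32 bits after the
    prefix are the address (standard 6to4).  With a custom prefix such as
    2003:A0B::/32 and remote_gw 14.15.0.0/16, only the host part of the IPv4
    network (32 - 16 = 16 bits) is read from the packet and OR-ed onto the
    configured network address, which is how 2003:A0B:1011:5::8 maps to 14.15.16.17.
    """
    host_bits = 32 - remote_gw.prefixlen
    shift = 128 - prefix.prefixlen - host_bits     # position of the host bits in the IPv6 address
    if shift < 0:
        raise ValueError("6to4 prefix too long to carry the IPv4 host bits")
    host = (int(IPv6(dst)) >> shift) & ((1 << host_bits) - 1)
    return IPv4(int(remote_gw.network_address) | host)


def next_hop(dst: str, sixto4_prefix_cidr: str, remote_gw_cidr: str,
             relay_router: str) -> IPv4:
    """IPv4 address the encapsulated packet is sent to: the embedded gateway for
    destinations inside the configured 6to4 prefix, the relay router for everything else."""
    prefix = ipaddress.IPv6Network(sixto4_prefix_cidr)
    remote_gw = ipaddress.IPv4Network(remote_gw_cidr)
    if IPv6(dst) in prefix:
        return embedded_ipv4(dst, prefix, remote_gw)
    return IPv4(relay_router)


if __name__ == "__main__":
    print(sixto4_prefix("202.156.30.41"))
    # Custom-prefix case from the Remote Gateway Prefix description.
    print(next_hop("2003:A0B:1011:5::8", "2003:A0B::/32", "14.15.0.0/16", "192.0.2.1"))
    # Standard 6to4 case and a native IPv6 destination that goes to the relay router.
    print(next_hop("2002:ca9c:1e29::1", "2002::/16", "0.0.0.0/0", "192.0.2.1"))
    print(next_hop("2001:db8::1", "2002::/16", "0.0.0.0/0", "192.0.2.1"))
```

The routing decision is driven entirely by bits in the destination address, which is what makes 6to4 automatic and also why the guide says the Zyxel Device needs a public IPv4 WAN address: the embedded address must be one that other 6to4 routers can reach directly.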
9.7.1 Configuring a Tunnel
This screen lists the Zyxel Device's configured tunnel interfaces. To access this screen, click Network > Interface > Tunnel.
Figure 202 Network > Interface > Tunnel

Each field is explained in the following table.

Table 111 Network > Interface > Tunnel

Add

Click this to create a new GRE tunnel interface.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate

To turn on an entry, select it and click Activate.

Inactivate

To turn off an entry, select it and click Inactivate.

References

Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.

#

This field is a sequential value, and it is not associated with any interface.

Status

The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

Name

This field displays the name of the interface.


IP Address

This is the IP address of the interface. If the interface is active (and connected), the Zyxel Device tunnels local traffic sent to this IP address to the Remote Gateway Address.

Tunnel Mode

This is the tunnel mode of the interface (GRE, IPv6-in-IPv4 or 6to4). This field also displays the interface's IPv4 IP address and subnet mask if it is a GRE tunnel. Otherwise, it displays the interface's IPv6 IP address and prefix length.

My Address

This is the interface or IP address the Zyxel Device uses to identify itself to the remote gateway. The Zyxel Device uses this as the source for the packets it tunnels to the remote gateway.

Remote Gateway Address

This is the IP address or domain name of the remote gateway to which this interface tunnels traffic.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to begin configuring this screen afresh.

9.7.2 Tunnel Add or Edit Screen
This screen lets you configure a tunnel interface. Click Configuration > Network > Interface > Tunnel > Add (or Edit) to open the following screen.

Figure 203 Network > Interface > Tunnel > Add/Edit

Each field is explained in the following table.

Table 112 Network > Interface > Tunnel > Add/Edit

Show Advanced Settings / Hide Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

General Settings

Enable

Select this to enable this interface. Clear this to disable this interface.

Interface Properties


Interface Name

This field is read-only if you are editing an existing tunnel interface. Enter the name of the tunnel interface. The format is tunnelx, where x is 0 - 3. For example, tunnel0.

Zone

Use this field to select the zone to which this interface belongs. This controls what security settings the Zyxel Device applies to this interface.

Tunnel Mode

Select the tunneling protocol of the interface (GRE, IPv6-in-IPv4 or 6to4). See Section 9.7 on page 274 for more information.

IP Address Assignment

This section is available if you are configuring a GRE tunnel.

IP Address

Enter the IP address for this interface.

Subnet Mask

Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers on the network.

Metric

Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.

IPv6 Address Assignment

This section is available if you are configuring an IPv6-in-IPv4 or a 6to4 tunnel.

IPv6 Address/Prefix Length

Enter the IPv6 address and the prefix length for this interface if you want to use a static IP address. This field is optional.

The prefix length indicates which left-most part of the IP address is the same for all computers on the network, that is, the network address.

Metric

Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.

6to4 Tunnel Parameter

This section is available if you are configuring a 6to4 tunnel, which encapsulates IPv6 packets in IPv4 packets.

6to4 Prefix

Enter the IPv6 prefix of a destination network. The Zyxel Device forwards IPv6 packets to the hosts on the matched network.

If you enter a prefix starting with 2002, the Zyxel Device will forward the matched packets to the IPv4 IP address converted from the packets' destination address. The IPv4 IP address can be converted from the next 32 bits after the prefix you specified in this field. See 6to4 Tunneling on page 275 for an example. The Zyxel Device forwards the unmatched packets to the specified Relay Router.

Relay Router

Enter the IPv4 address of a 6to4 relay router which helps forward packets between 6to4 networks and native IPv6 networks.

Remote Gateway Prefix

Enter the IPv4 network address and network bits of a remote 6to4 gateway, for example, 14.15.0.0/16.

This field works if you enter a 6to4 Prefix not starting with 2002 (2003 for example). The Zyxel Device forwards the matched packets to a remote gateway with the network address you specify here, and the bits converted after the 6to4 Prefix in the packets.

For example, you configure the 6to4 prefix to 2003:A0B::/32 and the remote gateway prefix to 14.15.0.0/16. If a packet's destination is 2003:A0B:1011:5::8, the Zyxel Device forwards the packet to 14.15.16.17, where the network address is 14.15.0.0 and the host address is the remaining bits converted from 1011 after the packet's 6to4 prefix (2003:A0B).

Gateway Settings

My Address

Specify the interface or IP address to use as the source address for the packets this interface tunnels to the remote gateway. The remote gateway sends traffic to this interface or IP address.


Remote Gateway Address

Enter the IP address or domain name of the remote gateway to which this interface tunnels traffic.
Auto m a tic displays in this field if you are configuring a 6to 4 tunnel. It means the 6to4 tunnel will help forward packets to the corresponding remote gateway automatically by looking at the packet's destination address.

Interface Parameters

Egress Bandwidth
Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.

Ingress Bandwidth
This is reserved for future use.
Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can receive from the network through the interface. Allowed values are 0 - 1048576.

MTU
Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.

Connectivity Check
This section is available if you are configuring a GRE tunnel.
The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the Zyxel Device stops routing to the gateway. The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check.

Enable Connectivity Check
Select this to turn on the connection check.

Check Method
Select the method that the gateway allows.
Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available.
Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available.

Check Period
Enter the number of seconds between connection check attempts.

Check Timeout
Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail Tolerance
Enter the number of consecutive failures before the Zyxel Device stops routing through the gateway.

Check Default Gateway
Select this to use the default gateway for the connectivity check.

Check this address
Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Check Port
This field displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.

Related Setting

WAN TRUNK
Click this link to go to a screen where you can configure WAN trunk load balancing.

Policy Route
Click this link to go to the screen where you can manually configure a policy route to associate traffic with this interface.

OK
Click OK to save your changes back to the Zyxel Device.

Cancel
Click Cancel to exit this screen without saving.

9.8 VLAN Interfaces

A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q.

Figure 204 Example: Before VLAN

In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs.

Figure 205 Example: After VLAN

Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the MAC header. The VLANs are connected to switches, and the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need switches A and B.)

· Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is only broadcast inside each VLAN, not each physical network.
· Traffic between VLANs (or between a VLAN and another type of network) is layer-3 communication (network layer, IP addresses). It is handled by the router.

This approach provides a few advantages.

· Increased performance - In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users.
· Higher security - If each computer has a separate physical connection to the switch, then broadcast traffic in each VLAN is never sent to computers in another VLAN.
· Better manageability - You can align network policies more appropriately for users. For example, you can create different content filtering rules for each VLAN (each department in the example above), and you can set different bandwidth limits for each VLAN. These rules are also independent of the physical network, so you can change the physical network without changing policies.

In this example, the new switch handles the following types of traffic:
· Inside VLAN 2.
· Between the router and VLAN 1.
· Between the router and VLAN 2.
· Between the router and VLAN 3.

VLAN Interfaces Overview

In the Zyxel Device, each VLAN is called a VLAN interface. As a router, the Zyxel Device routes traffic between VLAN interfaces, but it does not route traffic within a VLAN interface. All traffic for each VLAN interface can go through only one Ethernet interface, though each Ethernet interface can have one or more VLAN interfaces.

Note: Each VLAN interface is created on top of only one Ethernet interface.

Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.

9.8.1 VLAN Summary Screen

This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. If you enabled IPv6 on the Configuration > System > IPv6 screen, you can also configure VLAN interfaces used for your IPv6 networks on this screen. To access this screen, click Configuration > Network > Interface > VLAN.

Figure 206 Configuration > Network > Interface > VLAN

Each field is explained in the following table.

Table 113 Configuration > Network > Interface > VLAN

Configuration / IPv6 Configuration
Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network. Both sections have similar fields as described below.

Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate
To turn on an entry, select it and click Activate.

Inactivate
To turn off an entry, select it and click Inactivate.

Create Virtual Interface
To open the screen where you can create a virtual interface, select an interface and click Create Virtual Interface.

References
Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.

#
This field is a sequential value, and it is not associated with any interface.

Status
This icon is lit when the entry is active and dimmed when the entry is inactive.

Name
This field displays the name of the interface.

Description
This field displays the description of the interface.

Port/VID
For VLAN interfaces, this field displays
· the Ethernet interface on which the VLAN interface is created
· the VLAN ID
For virtual interfaces, this field is blank.

IP Address
This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet.
This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces.

Mask
This field displays the interface's subnet mask in dot decimal notation.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.

9.8.2 VLAN Add/Edit

Select an existing entry on the previous screen and click Edit or click Add to create a new entry. The following screen appears.

Figure 207 Configuration > Network > Interface > VLAN > Add/Edit

Each field is explained in the following table.

Table 114 Configuration > Network > Interface > VLAN > Add / Edit

IPv4/IPv6 View / IPv4 View / IPv6 View
Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.

Show Advanced Settings / Hide Advanced Settings
Click this button to display a greater or lesser number of configuration fields.

Create New Object
Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use for the DHCPv6 settings in this screen.

General Settings

Enable Interface
Select this to turn this interface on. Clear this to disable this interface.

General IPv6 Setting

Enable IPv6
Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.

Interface Properties

Interface Type
Select one of the following options depending on the type of network to which the Zyxel Device is connected or if you want to additionally manually configure some related settings.
internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The Zyxel Device automatically adds default SNAT settings for traffic flowing from this interface to an external interface.
external is for connecting to an external network (like the Internet). The Zyxel Device automatically adds this interface to the default WAN trunk.
For general, the rest of the screen's options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface.

Interface Name
This field is read-only if you are editing an existing VLAN interface. Enter the number of the VLAN interface. You can use a number from 0~4094. For example, use vlan0, vlan8, and so on. The total number of VLANs you can configure on the Zyxel Device depends on the model.

Zone
Select the zone to which the VLAN interface belongs.

Base Port
Select the Ethernet interface on which the VLAN interface runs.

VLAN ID
Enter the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1 - 4094. (0 and 4095 are reserved.)
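The VLAN ID field above and the Priority Code field that follows are the two settings the Zyxel Device writes into the 802.1Q tag of every frame a VLAN interface sends. The following Python script is an added example, not code from the Zyxel Device or this guide; it builds and parses the 16-bit Tag Control Information (3-bit priority, 1-bit DEI, 12-bit VID), inserts the tag into an Ethernet frame and refuses the reserved VIDs 0 and 4095 that the table excludes. The function names, the constant TPID_8021Q (the standard 0x8100 EtherType) and the sample frame are constructed for illustration.

```python
import struct
from typing import Dict, Tuple

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag in the frame header


def valid_vlan_id(vlan_id: int) -> bool:
    """A VLAN interface may use 1..4094; 0 (priority-tagged) and 4095 are reserved."""
    return 1 <= vlan_id <= 4094


def build_tci(priority: int, vlan_id: int, dei: int = 0) -> int:
    """Build the 16-bit Tag Control Information: PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 0 <= priority <= 7:
        raise ValueError("priority code must be 0 (lowest) to 7 (highest)")
    if not valid_vlan_id(vlan_id):
        raise ValueError("VLAN ID must be 1 to 4094; 0 and 4095 are reserved")
    if dei not in (0, 1):
        raise ValueError("DEI is a single bit")
    return (priority << 13) | (dei << 12) | vlan_id


def parse_tci(tci: int) -> Dict[str, int]:
    """Split a TCI back into its three fields."""
    return {"priority": (tci >> 13) & 0x7, "dei": (tci >> 12) & 0x1, "vlan_id": tci & 0xFFF}


def tag_frame(frame: bytes, priority: int, vlan_id: int) -> bytes:
    """Insert an 802.1Q tag after the 12-byte destination/source MAC header."""
    if len(frame) < 14:
        raise ValueError("not an Ethernet frame")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(priority, vlan_id))
    return frame[:12] + tag + frame[12:]


def untag_frame(frame: bytes) -> Tuple[Dict[str, int], bytes]:
    """Return (tag fields, untagged frame); reject frames carrying a reserved VID."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    fields = parse_tci(tci)
    if not valid_vlan_id(fields["vlan_id"]):
        raise ValueError("reserved VID %d is not a VLAN interface" % fields["vlan_id"])
    return fields, frame[:12] + frame[16:]


# Constructed sample frame: destination MAC, source MAC, EtherType IPv4, 4 payload bytes.
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45\x00\x00\x14"

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, priority=5, vlan_id=100)
    print(tagged.hex())
    print(untag_frame(tagged)[0])
```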

Priority Code
This is a 3-bit field within an 802.1Q VLAN tag that is used to prioritize associated outgoing VLAN traffic. "0" is the lowest priority level and "7" is the highest. See Table 188 on page 472. The setting configured in Configuration > BWM overwrites the priority setting here.

Description
Enter a description of this interface. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Spaces are allowed, but the string can't start with a space.

IP Address Assignment

Get Automatically
Select this if this interface is a DHCP client. In this case, the DHCP server configures the IP address, subnet mask, and gateway automatically.
You should not select this if the interface is assigned to a VRRP group.

DHCP Option 60
DHCP Option 60 is used by the Zyxel Device for identification to the DHCP server using the VCI (Vendor Class Identifier) on the DHCP server. The Zyxel Device adds it in the initial DHCP discovery message that a DHCP client broadcasts in search of an IP address. The DHCP server can assign different IP addresses or options to clients with the specific VCI or reject the request from clients without the specific VCI.
Type a string using up to 63 of these characters [a-zA-Z0-9!\"#$%&\'()*+,-./ :;<=>?@\[\\\]^_`{}] to identify this Zyxel Device to the DHCP server. For example, Zyxel-TW.

Use Fixed IP Address
Select this if you want to specify the IP address, subnet mask, and gateway manually.

IP Address
This field is enabled if you select Use Fixed IP Address.
Enter the IP address for this interface.

Subnet Mask
This field is enabled if you select Use Fixed IP Address.
Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers on the network.

Gateway
This field is enabled if you select Use Fixed IP Address.
Enter the IP address of the gateway. The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.

Metric
Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.

Enable IGMP Support
Select this to allow the Zyxel Device to act as an IGMP proxy for hosts connected on the IGMP downstream interface.

IGMP Upstream
Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server.

IGMP Downstream
Enable IGMP Downstream on the interface which connects to the multicast hosts.

IPv6 Address Assignment

These IP address fields configure an IPv6 IP address on the interface itself.

Enable Stateless Address Autoconfiguration (SLAAC)

Select this to enable IPv6 stateless auto-configuration on this interface. The interface will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router on the network.

Link-Local address

This displays the IPv6 link-local address and the network prefix that the Zyxel Device generates itself for the interface.

IPv6 Address/Prefix Length
Enter the IPv6 address and the prefix length for this interface if you want to configure a static IP address for this interface. This field is optional.
The prefix length indicates how many of the left-most bits of the IP address are the same for all computers on the network, that is, the network address.

Gateway
Enter the IPv6 address of the default outgoing gateway using colon (:) hexadecimal notation.

Metric
Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.

Address from DHCPv6 Prefix Delegation
Use this table to have the Zyxel Device obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ. You have to also enter a suffix address which is appended to the delegated prefix to form an address for this interface. See Prefix Delegation on page 232 for more information.
To use prefix delegation, you must:
· Create at least one DHCPv6 request object before configuring this table.
· The external interface must be a DHCPv6 client. You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix-delegation.
· Assign the prefix delegation to an internal interface and enable router advertisement on that interface.

Add
Click this to create an entry.

Edit
Select an entry and click this to change the settings.

Remove
Select an entry and click this to delete it from this table.

References
Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.

#
This field is a sequential value, and it is not associated with any entry.

Delegated Prefix
Select the DHCPv6 request object to use from the drop-down list.

Suffix Address
Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The Zyxel Device will append it to the delegated prefix.
For example, you got a delegated prefix of 2003:1234:5678::/48. You want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter ::1111:0:0:0:1/128 in this field.

Address
This field displays the combined IPv6 IP address for this interface.
Note: This field displays the combined address after you click OK and reopen this screen.

DHCPv6 Setting

DHCPv6
Select N/A to not use DHCPv6.
Select Client to set this interface to act as a DHCPv6 client.
Select Server to set this interface to act as a DHCPv6 server which assigns IP addresses and provides subnet mask, gateway, and DNS server information to clients.
Select Relay to set this interface to route DHCPv6 requests to the DHCPv6 relay server you specify. The DHCPv6 server(s) may be on another network.

DUID
This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 233 for more information.

DUID as MAC
Select this to have the DUID generated from the interface's default MAC address.

Customized DUID
If you want to use a customized DUID, enter it here for the interface.

Enable Rapid Commit
Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load.
Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.

Information Refresh Time
Enter the number of seconds a DHCPv6 client should wait before refreshing information retrieved from DHCPv6.

Request Address
This field is available if you set this interface to DHCPv6 Client. Select this to get an IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP address information through DHCPv6.

DHCPv6 Request Options / DHCPv6 Lease Options
If this interface is a DHCPv6 client, use this section to configure DHCPv6 request settings that determine what additional information to get from the DHCPv6 server.
If this interface is a DHCPv6 server, use this section to configure DHCPv6 lease settings that determine what to offer to the DHCPv6 clients.

Add
Click this to create an entry in this table. See Section 9.4.5 on page 256 for more information.

Remove
Select an entry and click this to delete it from this table.

References
Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.

#
This field is a sequential value, and it is not associated with any entry.

Name
This field displays the name of the DHCPv6 request or lease object.

Type
This field displays the type of the object.

Value
This field displays the IPv6 prefix that the Zyxel Device obtained from an uplink router (Server is selected) or will advertise to its clients (Client is selected).

Interface
When Relay is selected, select this check box and an interface from the drop-down list if you want to use it as the relay server.

Relay Server
When Relay is selected, select this check box and enter the IP address of a DHCPv6 server as the relay server.

IPv6 Router Advertisement Setting

Enable Router Advertisement
Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 232 for more information.

Advertised Hosts Get Network Configuration From DHCPv6
Select this to have the Zyxel Device indicate to hosts to obtain network settings (such as prefix and DNS settings) through DHCPv6.
Clear this to have the Zyxel Device indicate to hosts that DHCPv6 is not available and they should use the prefix in the router advertisement message.

Advertised Hosts Get Other Configuration From DHCPv6
Select this to have the Zyxel Device indicate to hosts to obtain DNS information through DHCPv6.
Clear this to have the Zyxel Device indicate to hosts that DNS information is not available in this network.

Router Preference
Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the Zyxel Device. This helps hosts to choose their default router, especially when there are multiple IPv6 routers on the network.
Note: Make sure the hosts also support router preference to make this function work.

MTU
The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments.

Hop Limit
Enter the maximum number of network segments that a packet can cross before reaching the destination. When forwarding an IPv6 packet, IPv6 routers are required to decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0.

Advertised Prefix Table
Configure this table only if you want the Zyxel Device to advertise a fixed prefix to the network.

Add
Click this to create an IPv6 prefix address.

Edit
Select an entry in this table and click this to modify it.

Remove
Select an entry in this table and click this to delete it.

#
This field is a sequential value, and it is not associated with any entry.

IPv6 Address/Prefix Length
Enter the IPv6 network prefix address and the prefix length.
The prefix length indicates how many of the left-most bits of the IP address are the same for all computers on the network, that is, the network address.

Advertised Prefix from DHCPv6 Prefix Delegation
Use this table to configure the network prefix if you want to use a delegated prefix as the beginning part of the network prefix.

Add
Click this to create an entry in this table.

Edit
Select an entry in this table and click this to modify it.

Remove
Select an entry in this table and click this to delete it.

References
Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.

#
This field is a sequential value, and it is not associated with any entry.

Delegated Prefix
Select the DHCPv6 request object to use for generating the network prefix for the network.

Suffix Address
Enter the ending part of the IPv6 network address plus a slash (/) and the prefix length. The Zyxel Device will append it to the selected delegated prefix. The combined address is the network prefix for the network.
For example, you got a delegated prefix of 2003:1234:5678::/48. You want to divide it into 2003:1234:5678:1111::/64 for this interface and 2003:1234:5678:2222::/64 for another interface. You can use ::1111/64 and ::2222/64 for the suffix address respectively. But if you do not want to divide the delegated prefix into subnetworks, enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.

Address
This is the final network prefix combined from the delegated prefix and the suffix.
Note: This field displays the combined address after you click OK and reopen this screen.

Interface Parameters

Egress Bandwidth
Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can send through the interface to the network. Allowed values are 0 - 1048576.

Ingress Bandwidth
This is reserved for future use.
Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can receive from the network through the interface. Allowed values are 0 - 1048576.

MTU
Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
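The Suffix Address rows of both prefix delegation tables (Address from DHCPv6 Prefix Delegation, and Advertised Prefix from DHCPv6 Prefix Delegation above) describe how a suffix is appended to a delegated prefix. The following Python script is an added example, not code from the Zyxel Device or this guide, that reproduces the table's examples. The interpretation of the suffix is inferred from those examples and is an assumption: the ending part is right-aligned to the suffix's own prefix length, so ::1111/64 fills bits 48 to 63 while ::1111:0:0:0:1/128 is a complete host address. The function names and the interface names vlan10 and vlan20 are constructed for illustration; the delegated prefix must be given in full notation (2003:1234:5678::/48).

```python
import ipaddress
from typing import Dict


def combine_delegated_prefix(delegated_prefix: str, suffix: str) -> str:
    """Append a Suffix Address ("<ending part>/<prefix length>") to a delegated prefix.

    Assumption (inferred from the guide's examples): the ending part is right-aligned
    to the suffix prefix length, i.e. shifted left by (128 - length) before being
    OR-ed into the delegated prefix. The result keeps the suffix's prefix length.
    """
    delegated = ipaddress.IPv6Network(delegated_prefix, strict=False)
    ending, length_text = suffix.rsplit("/", 1)
    length = int(length_text)
    if not delegated.prefixlen <= length <= 128:
        raise ValueError("suffix prefix length must be between the delegated length and 128")
    shifted = int(ipaddress.IPv6Address(ending)) << (128 - length)
    if shifted >> 128:
        raise ValueError("suffix does not fit in the remaining address bits")
    # The suffix may only set bits to the right of the delegated prefix.
    if shifted >> (128 - delegated.prefixlen):
        raise ValueError("suffix overlaps the delegated prefix bits")
    combined = int(delegated.network_address) | shifted
    return "%s/%d" % (ipaddress.IPv6Address(combined), length)


def suffix_fits(delegated_prefix: str, suffix: str) -> bool:
    """True when the suffix can be appended without touching the delegated bits."""
    try:
        combine_delegated_prefix(delegated_prefix, suffix)
        return True
    except ValueError:
        return False


def plan_subnets(delegated_prefix: str, suffixes: Dict[str, str]) -> Dict[str, str]:
    """Map each internal interface to the network prefix it will advertise."""
    return {name: combine_delegated_prefix(delegated_prefix, sfx) for name, sfx in suffixes.items()}


if __name__ == "__main__":
    # The guide's interface-address example.
    print(combine_delegated_prefix("2003:1234:5678::/48", "::1111:0:0:0:1/128"))
    # The guide's two-subnet example, with constructed interface names.
    print(plan_subnets("2003:1234:5678::/48", {"vlan10": "::1111/64", "vlan20": "::2222/64"}))
```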

Connectivity Check
The Zyxel Device can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often to check the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the Zyxel Device stops routing to the gateway. The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check.

Enable Connectivity Check
Select this to turn on the connection check.

Check Method
Select the method that the gateway allows.
Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available.
Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available.

Check Period
Enter the number of seconds between connection check attempts.

Check Timeout
Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail Tolerance
Enter the number of consecutive failures before the Zyxel Device stops routing through the gateway.

Check Default Gateway
Select this to use the default gateway for the connectivity check.

Check this address
Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Check Port
This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.

Check these addresses
Type one or two domain names or IP addresses for the connectivity check.

Probe Succeeds When
This field applies when you specify two domain names or IP addresses for the connectivity check.
Select any one if you want the check to pass if at least one of the domain names or IP addresses responds.
Select all if you want the check to pass only if both domain names or IP addresses respond.

DHCP Setting

DHCP
The DHCP settings are available for the OPT, LAN and DMZ interfaces. Select what type of DHCP service the Zyxel Device provides to the network. Choices are:
None - the Zyxel Device does not provide any DHCP services. There is already a DHCP server on the network.
DHCP Relay - the Zyxel Device routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network.
DHCP Server - the Zyxel Device assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The Zyxel Device is the DHCP server for the network.

Relay Server 1
These fields appear if the Zyxel Device is a DHCP Relay.
Enter the IP address of a DHCP server for the network.

Relay Server 2
This field is optional. Enter the IP address of another DHCP server for the network.

IP Pool Start Address
These fields appear if the Zyxel Device is a DHCP Server.
Enter the IP address from which the Zyxel Device begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP.
If this field is blank, the Pool Size must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface's IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface's IP address.
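The Connectivity Check rows above (and the same rows in Table 112 for tunnel interfaces) describe a simple failover rule: a probe fails when no answer arrives within Check Timeout, routing through the gateway stops after Check Fail Tolerance consecutive failures, and it resumes at the first passing probe; with two addresses, Probe Succeeds When decides whether one answer or both are required. The following Python script is an added model of that rule, not code from the Zyxel Device or this guide; it is useful for reasoning about how long a dead gateway stays in use before failover. The class and function names, and the probe results fed in, are constructed for illustration.

```python
from typing import List, Optional, Sequence, Tuple


class ConnectivityCheck:
    """Models the gateway connectivity check settings from the table.

    period     - Check Period, seconds between probes
    timeout    - Check Timeout, seconds before a probe counts as failed
    tolerance  - Check Fail Tolerance, consecutive failures before routing stops
    succeed_on - Probe Succeeds When: "any one" or "all" (matters with two addresses)
    """

    def __init__(self, period: int, timeout: int, tolerance: int, succeed_on: str = "any one"):
        if period < 1 or timeout < 1 or tolerance < 1:
            raise ValueError("period, timeout and tolerance must be positive")
        if succeed_on not in ("any one", "all"):
            raise ValueError("succeed_on must be 'any one' or 'all'")
        self.period, self.timeout, self.tolerance = period, timeout, tolerance
        self.succeed_on = succeed_on
        self.consecutive_failures = 0
        self.routing = True  # the gateway is used until the tolerance is exhausted

    def probe(self, responses: Sequence[Optional[float]]) -> bool:
        """Feed one probe round: one round-trip time (seconds) per checked address,
        None meaning no reply. Returns whether routing via the gateway continues."""
        answered = [rtt is not None and rtt <= self.timeout for rtt in responses]
        passed = any(answered) if self.succeed_on == "any one" else all(answered)
        if passed:
            self.consecutive_failures = 0
            self.routing = True  # resumes the first time the gateway passes
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.tolerance:
                self.routing = False
        return self.routing

    def worst_case_detection(self) -> int:
        """Seconds a dead gateway can stay in use: tolerance probes spaced by the
        period, plus waiting out the timeout on the last one."""
        return self.tolerance * self.period + self.timeout


def simulate(check: ConnectivityCheck,
             rounds: Sequence[Sequence[Optional[float]]]) -> Tuple[List[bool], Optional[int]]:
    """Run probe rounds; return the routing state after each round and the
    1-based number of the round at which routing first stopped (None if never)."""
    states: List[bool] = []
    stopped_at: Optional[int] = None
    for number, responses in enumerate(rounds, 1):
        routing = check.probe(responses)
        if not routing and stopped_at is None:
            stopped_at = number
        states.append(routing)
    return states, stopped_at


if __name__ == "__main__":
    # Constructed probe history: reply, no reply, late reply, no reply, reply.
    chk = ConnectivityCheck(period=30, timeout=5, tolerance=3)
    print(simulate(chk, [(1.0,), (None,), (7.0,), (None,), (2.0,)]))
    print("worst-case detection:", chk.worst_case_detection(), "s")
```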

Pool Size
Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface's Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the Zyxel Device can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.
If this field is blank, the IP Pool Start Address must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface's IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface's IP address.

First DNS Server, Second DNS Server, Third DNS Server
Specify the IP addresses of up to three DNS servers for the DHCP clients to use. Use one of the following ways to specify these IP addresses.
Custom Defined - enter a static IP address.
From ISP - select the DNS server that another interface received from its DHCP server.
Zyxel Device - the DHCP clients use the IP address of this interface and the Zyxel Device works as a DNS relay.

First WINS Server, Second WINS Server
Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.

Default Router
If you set this interface to DHCP Server, you can select to use either the interface's IP address or another IP address as the default router. This default router will become the DHCP clients' default gateway.
To use another IP address as the default router, select Custom Defined and enter the IP address.

Lease time
Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:
infinite - select this if IP addresses never expire
days, hours, and minutes - select this to enter how long IP addresses are valid. The default is 2 days.

Extended Options
This table is available if you selected DHCP Server.
Configure this table if you want to send more information to DHCP clients through DHCP packets.

Add
Click this to create an entry in this table. See Section 9.4.6 on page 257.

Edit
Select an entry in this table and click this to modify it.

Remove
Select an entry in this table and click this to delete it.

#
This field is a sequential value, and it is not associated with any entry.

Name
This is the option's name.

Code
This is the option's code number.

Type
This is the option's type.

Value
This is the option's value.

Enable IP/MAC Binding
Select this option to have the Zyxel Device enforce links between specific IP addresses and specific MAC addresses for this VLAN. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses.

Enable Logs for IP/MAC Binding Violation
Select this option to have the Zyxel Device generate a log if a device connected to this VLAN attempts to use an IP address that is bound to another device's MAC address.

Static DHCP Table
Configure a list of static IP addresses the Zyxel Device assigns to computers connected to the interface. Otherwise, the Zyxel Device assigns an IP address dynamically using the interface's IP Pool Start Address and Pool Size.
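The Pool Size arithmetic, the blank-pool rule, the Static DHCP Table precedence and the IP/MAC binding check described in the rows above, as an added Python example. This is not code from the Zyxel Device or this guide and does not claim to match its internal allocation order; the function names, the constructed VLAN name vlan10, the sample MAC addresses and the log line format are assumptions made for illustration. The binding check treats only bound IP addresses as enforced, as the Enable IP/MAC Binding row describes, and produces the kind of log line the violation logging option would record.

```python
import ipaddress
from typing import Dict, Optional, Set, Tuple


def max_pool_size(subnet_mask: str, pool_start: str) -> int:
    """Largest Pool Size allowed from pool_start: every address up to the one before
    the broadcast address, as in the guide's 10.10.10.10 / 255.255.255.0 example."""
    net = ipaddress.IPv4Network("%s/%s" % (pool_start, subnet_mask), strict=False)
    start = ipaddress.IPv4Address(pool_start)
    if start == net.network_address:
        raise ValueError("pool cannot start at the network address")
    last_usable = net.broadcast_address - 1
    return int(last_usable) - int(start) + 1


def automatic_pool(interface_ip: str, subnet_mask: str) -> int:
    """Addresses handed out when IP Pool Start Address and Pool Size are both blank:
    everything except the network address, the broadcast address and the interface IP."""
    net = ipaddress.IPv4Network("%s/%s" % (interface_ip, subnet_mask), strict=False)
    return net.num_addresses - 3


def allocate(client_mac: str, static_table: Dict[str, str], pool_start: str,
             pool_size: int, leased: Set[str]) -> Optional[str]:
    """Static DHCP Table entries win; otherwise the first free pool address is used.
    Returns None when the pool is exhausted."""
    mac = client_mac.lower()
    static = {m.lower(): ip for m, ip in static_table.items()}
    if mac in static:
        return static[mac]
    reserved = set(static.values())  # never hand a statically bound IP to someone else
    start = int(ipaddress.IPv4Address(pool_start))
    for offset in range(pool_size):
        candidate = str(ipaddress.IPv4Address(start + offset))
        if candidate not in leased and candidate not in reserved:
            return candidate
    return None


def check_ip_mac_binding(bindings: Dict[str, str], src_ip: str, src_mac: str,
                         vlan: str) -> Tuple[bool, Optional[str]]:
    """IP/MAC binding enforcement: a bound IP may only be used by its bound MAC.
    Returns (allowed, log line); the log line is None when nothing is wrong."""
    bound = bindings.get(src_ip)
    if bound is None or bound.lower() == src_mac.lower():
        return True, None
    log = "IP/MAC binding violation on %s: %s is bound to %s but was used by %s" % (
        vlan, src_ip, bound, src_mac)
    return False, log


if __name__ == "__main__":
    print(max_pool_size("255.255.255.0", "10.10.10.10"))       # the guide's example
    # Constructed static table and bindings for vlan10.
    static = {"aa:bb:cc:dd:ee:01": "10.10.10.200"}
    bindings = {ip: mac for mac, ip in static.items()}
    print(allocate("aa:bb:cc:dd:ee:02", static, "10.10.10.10", 245, {"10.10.10.10"}))
    print(check_ip_mac_binding(bindings, "10.10.10.200", "aa:bb:cc:dd:ee:02", "vlan10"))
```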

ZyWALL USG FLEX Series User's Guide
292

Chapter 9 Interfaces

Table 114 Configuration > Network > Interface > VLAN > Add / Edit (continued)

LABEL: DESCRIPTION

Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
#: This field is a sequential value, and it is not associated with a specific entry.
IP Address: Enter the IP address to assign to a device with this entry's MAC address.
MAC Address: Enter the MAC address to which to assign this entry's IP address.
Description: Enter a description to help identify this static DHCP entry. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
RIP Setting: See Section 10.6 on page 337 for more information about RIP.
Enable RIP: Select this to enable RIP on this interface.
Direction: This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box.
  BiDir - This interface sends and receives routing information.
  In-Only - This interface receives routing information.
  Out-Only - This interface sends routing information.
Send Version: This field is effective when RIP is enabled. Select the RIP version(s) used for sending RIP packets. Choices are 1, 2, and 1 and 2.
Receive Version: This field is effective when RIP is enabled. Select the RIP version(s) used for receiving RIP packets. Choices are 1, 2, and 1 and 2.
V2-Broadcast: This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the Zyxel Device uses multicasting.
OSPF Setting: See Section 10.7 on page 339 for more information about OSPF.
Area: Select the area to which this interface belongs. Select None to disable OSPF on this interface.
Priority: Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The highest-priority interface identifies the DR, and the second-highest-priority interface identifies the BDR. Set the priority to zero if the interface cannot be the DR or BDR.
Link Cost: Enter the cost (between 1 and 65,535) to route packets through this interface.
Passive Interface: Select this to stop forwarding OSPF routing information from the selected interface. As a result, this interface only receives routing information.
Authentication: Select an authentication method, or disable authentication. To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use. Choices are:
  Same-as-Area - use the default authentication method in the area
  None - disable authentication
  Text - authenticate OSPF routing information using a plain-text password
  MD5 - authenticate OSPF routing information using an MD5 message digest computed with a shared key
Text Authentication Key: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
MD5 Authentication ID: This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255.
MD5 Authentication Key: This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
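The difference between the Text and MD5 choices above is what a neighbour on the segment can learn from captured OSPF packets, and why both sides must share the same method, key ID and key. The following Python model is an added example, not Zyxel code: it enforces the key format the screen accepts (alphanumeric or underscore, up to 16 characters), shows that Text authentication carries the password verbatim, and implements a simplified keyed-digest check in the shape of RFC 2328 Appendix D (MD5 over the packet, the key ID and a sequence number, followed by the key zero-padded to 16 bytes). The trailer layout and the `_digest`, `md5_auth` and `verify_md5` names are assumptions for illustration.

```python
import hashlib
import hmac

KEY_MAX_LEN = 16                    # the screen accepts at most 16 characters for either key type
DIGEST_LEN = 16                     # MD5 digest length in bytes
TRAILER_LEN = 1 + 4 + DIGEST_LEN    # key ID, sequence number, digest (assumed layout for this model)


def is_valid_key(key):
    """Key format the screen accepts: alphanumeric characters and underscore, 1 to 16 characters."""
    return 0 < len(key) <= KEY_MAX_LEN and all(c.isalnum() or c == "_" for c in key)


def text_auth(packet, key):
    """Text authentication: the password travels verbatim, so anyone on the
    segment who captures the packet can read it."""
    if not is_valid_key(key):
        raise ValueError("invalid key")
    return packet + key.encode()


def _digest(packet, key_id, seq, key):
    # MD5 over packet + key ID + sequence number + key zero-padded to 16 bytes.
    # Simplified model in the style of RFC 2328 Appendix D; not the device's implementation.
    header = bytes([key_id]) + seq.to_bytes(4, "big")
    padded_key = key.encode().ljust(KEY_MAX_LEN, b"\x00")
    return hashlib.md5(packet + header + padded_key).digest()


def md5_auth(packet, key, key_id, seq):
    """Sender side: append key ID, sequence number and digest. The key never leaves the router."""
    if not is_valid_key(key) or not 1 <= key_id <= 255:
        raise ValueError("invalid key or key ID")
    return packet + bytes([key_id]) + seq.to_bytes(4, "big") + _digest(packet, key_id, seq, key)


def verify_md5(wire, key, expected_key_id, last_seq):
    """Receiver side: the packet is accepted only if the key ID matches the one
    configured locally, the sequence number has not gone backwards (replay
    protection) and the digest recomputed with the local key matches."""
    if len(wire) < TRAILER_LEN:
        return False
    packet, trailer = wire[:-TRAILER_LEN], wire[-TRAILER_LEN:]
    key_id = trailer[0]
    seq = int.from_bytes(trailer[1:5], "big")
    if key_id != expected_key_id or seq < last_seq:
        return False
    return hmac.compare_digest(_digest(packet, key_id, seq, key), trailer[5:])


if __name__ == "__main__":
    hello = b"OSPF hello (constructed sample payload)"
    print("text auth exposes key:", b"ospf_key1" in text_auth(hello, "ospf_key1"))
    wire = md5_auth(hello, "ospf_key1", key_id=1, seq=10)
    print("md5 auth exposes key:", b"ospf_key1" in wire)
    print("verify with same key:", verify_md5(wire, "ospf_key1", 1, last_seq=9))
    print("verify with other key:", verify_md5(wire, "ospf_key2", 1, last_seq=9))
```

The verifier rejects a mismatched key, a mismatched key ID and a stale sequence number, which is why the table insists that peers use the same method and the same ID/key pair: a router configured with Text while its neighbour uses MD5, or with a different MD5 Authentication ID, never forms an adjacency.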


Table 114 Configuration > Network > Interface > VLAN > Add / Edit (continued)

LABEL: DESCRIPTION

MAC Address Setting: This section appears when Interface Properties is External or General. Have the interface use either the factory assigned default MAC address, a manually specified MAC address, or clone the MAC address of another device or computer.
Use Default MAC Address: Select this option to have the interface use the factory assigned default MAC address. By default, the Zyxel Device uses the factory assigned MAC address to identify itself.
Overwrite Default MAC Address: Select this option to have the interface use a different MAC address. Enter the MAC address in the field. Once it is successfully configured, the address will be copied to the configuration file. It will not change unless you change the setting or upload a different configuration file.
Proxy ARP: Proxy ARP is available for external or general interfaces on the Zyxel Device. See Section on page 244 for more information on Proxy ARP.
Enable Proxy ARP: Select this to allow the Zyxel Device to answer external interface ARP requests on behalf of a device on its internal interface. Interfaces supported are:
  · Ethernet
  · VLAN
  · Bridge
  See Section 9.4.2 on page 253 for more information.
Add: Click Add to create an IPv4 Address, an IPv4 CIDR (for example, 192.168.1.1/24) or an IPv4 Range (for example, 192.168.1.2-192.168.1.100) as the target IP address. The Zyxel Device answers external ARP requests only if they match one of these entered target IP addresses. For example, if the IPv4 Address is 192.168.1.5, then the Zyxel Device will answer ARP requests coming from the WAN only if they contain 192.168.1.5 as the target IP address.
  Select an existing entry and click Remove to delete that entry.
Related Setting
Configure WAN TRUNK: Click WAN TRUNK to go to a screen where you can set this VLAN to be part of a WAN trunk for load balancing.
Configure Policy Route: Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this VLAN.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.
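The Proxy ARP target list above is effectively an allow-list: the device only answers an external ARP request when the requested IP matches an entry, so a loose CIDR entry makes it claim far more addresses than intended. The Python below is an added example (not the device's code) that parses the three entry forms the Add button accepts and applies the matching rule to constructed ARP requests. The `should_answer` and `evaluate` names and the sample entries are assumptions.

```python
import ipaddress


def parse_target(spec):
    """Parse one Proxy ARP target entry in the three forms the Add button accepts:
    an IPv4 Address, an IPv4 CIDR (e.g. 192.168.1.1/24) or an IPv4 Range
    (e.g. 192.168.1.2-192.168.1.100). Returns a predicate on an IPv4Address."""
    spec = spec.strip()
    if "-" in spec:
        low_txt, high_txt = spec.split("-", 1)
        low = ipaddress.IPv4Address(low_txt.strip())
        high = ipaddress.IPv4Address(high_txt.strip())
        if low > high:
            raise ValueError(f"range start {low} is above range end {high}")
        return lambda ip: low <= ip <= high
    if "/" in spec:
        # strict=False so that a host-style entry such as 192.168.1.1/24 is accepted,
        # as the page's example writes it; note that it then covers the whole /24.
        net = ipaddress.IPv4Network(spec, strict=False)
        return lambda ip: ip in net
    addr = ipaddress.IPv4Address(spec)
    return lambda ip: ip == addr


def should_answer(targets, target_ip, received_on_external):
    """Decide whether the device (as modelled here) answers an ARP request: only for
    requests that arrive on the external interface, and only when the requested
    target IP matches one of the configured entries."""
    if not received_on_external:
        return False
    ip = ipaddress.IPv4Address(target_ip)
    return any(parse_target(t)(ip) for t in targets)


# Constructed target list: one address, one small CIDR, one range.
TARGETS = ["192.168.1.5", "10.0.0.0/30", "172.16.0.10-172.16.0.20"]

# Constructed ARP requests as (target IP, received on the external interface?).
SAMPLE_REQUESTS = [
    ("192.168.1.5", True),    # exact address entry
    ("192.168.1.6", True),    # not listed
    ("10.0.0.2", True),       # inside 10.0.0.0/30
    ("10.0.0.4", True),       # just outside the /30
    ("172.16.0.15", True),    # inside the range
    ("172.16.0.21", True),    # just past the range end
    ("192.168.1.5", False),   # matching target but not an external request
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return the answer/no-answer decision for each sample request."""
    return [should_answer(TARGETS, ip, ext) for ip, ext in requests]


if __name__ == "__main__":
    for (ip, ext), decision in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{ip:14} external={ext!s:5} answer={decision}")
```

When reviewing a configuration, run the real target list through `evaluate` with the addresses you expect to be reachable and a few you do not; any unexpected True is an address the device will announce itself for on the WAN.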

9.9 Bridge Interfaces
This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces.

Bridge Overview
A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments.

When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table. It also looks up the destination MAC address in the table. If the bridge knows on which port the destination MAC address is located, it sends the packet to that port. If the destination MAC address is not in the table, the bridge broadcasts the packet on every port (except the one on which it was received).

In the example above, computer A sends a packet to computer B. Bridge X records the source address 0A:0A:0A:0A:0A:0A and port 2 in the table. It also looks up 0B:0B:0B:0B:0B:0B in the table. There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4.

Table 115 Example: Bridge Table After Computer A Sends a Packet to Computer B

MAC ADDRESS           PORT
0A:0A:0A:0A:0A:0A     2

If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly.

Table 116 Example: Bridge Table After Computer B Responds to Computer A

MAC ADDRESS           PORT
0A:0A:0A:0A:0A:0A     2
0B:0B:0B:0B:0B:0B     4
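The learn-then-forward behaviour described above is short enough to model completely. The Python below is an added example, not Zyxel code: a `LearningBridge` class (an assumed name) that records the source MAC and ingress port of every frame, forwards to the learned port when it knows the destination, and floods all other ports otherwise. `walkthrough` replays the two frames from Tables 115 and 116 and returns the ports used and the table contents after each step.

```python
BROADCAST = "FF:FF:FF:FF:FF:FF"


class LearningBridge:
    """Model of the transparent bridge described in the text: it learns which port
    each source MAC address was seen on and forwards to that port, flooding every
    other port while the destination is still unknown."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC address -> port on which it was last seen

    def receive(self, src_mac, dst_mac, in_port):
        """Process one frame and return the list of ports it is sent out on."""
        src_mac, dst_mac = src_mac.upper(), dst_mac.upper()
        # Learning step: remember where the source lives. Any later frame from the
        # same address on another port overwrites the entry (the host moved).
        self.table[src_mac] = in_port
        # Forwarding step: a known unicast destination goes to its port only.
        out_port = self.table.get(dst_mac)
        if dst_mac != BROADCAST and out_port is not None:
            # Source and destination on the same segment: the frame already reached
            # its destination locally, so the bridge does not repeat it anywhere.
            return [] if out_port == in_port else [out_port]
        # Unknown destination or broadcast: flood everywhere except the ingress port.
        return [port for port in self.ports if port != in_port]


# MAC addresses from the example in the text.
COMPUTER_A = "0A:0A:0A:0A:0A:0A"
COMPUTER_B = "0B:0B:0B:0B:0B:0B"


def walkthrough():
    """Replay the exchange from Tables 115 and 116. Returns (ports flooded for A->B,
    table after that frame, ports used for B->A, table after that frame)."""
    bridge_x = LearningBridge(ports=[1, 2, 3, 4])
    flooded = bridge_x.receive(COMPUTER_A, COMPUTER_B, in_port=2)
    table_after_a = dict(bridge_x.table)
    forwarded = bridge_x.receive(COMPUTER_B, COMPUTER_A, in_port=4)
    table_after_b = dict(bridge_x.table)
    return flooded, table_after_a, forwarded, table_after_b


if __name__ == "__main__":
    flooded, t1, forwarded, t2 = walkthrough()
    print("A->B flooded on ports", flooded, "table:", t1)
    print("B->A forwarded to ports", forwarded, "table:", t2)
```

Two properties of this model matter for placement decisions: the table is populated purely from observed source addresses, and unknown destinations are flooded to every member segment. A bridge therefore offers no isolation between the segments it joins; put hosts that must not see each other's traffic on separate (routed) interfaces and zones rather than in one bridge.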

Bridge Interface Overview
A bridge interface creates a software bridge between the members of the bridge interface. It also becomes the Zyxel Device's interface for the resulting network.
Unlike the device-wide bridge mode in ZyNOS-based Zyxel Devices, this Zyxel Device can bridge traffic between some interfaces while it routes traffic for other interfaces. The bridge interfaces also support more functions, like interface bandwidth parameters, DHCP settings, and connectivity check. To use the whole Zyxel Device as a transparent bridge, add all of the Zyxel Device's interfaces to a bridge interface.


A bridge interface may consist of the following members:

· Zero or one VLAN interfaces (and any associated virtual VLAN interfaces)
· Any number of Ethernet interfaces (and any associated virtual Ethernet interfaces)

When you create a bridge interface, the Zyxel Device removes the members' entries from the routing table and adds the bridge interface's entries to the routing table. For example, this table shows the routing table before and after you create bridge interface br0 (250.250.250.0/23) between lan1 and vlan1.

Table 117 Example: Routing Table Before and After Bridge Interface br0 Is Created

BEFORE
IP ADDRESS(ES)          DESTINATION
210.210.210.0/24        lan1
210.211.1.0/24          lan1:1
221.221.221.0/24        vlan0
222.222.222.0/24        vlan1
230.230.230.192/26      wan2
241.241.241.241/32      dmz
242.242.242.242/32      dmz

AFTER
IP ADDRESS(ES)          DESTINATION
221.221.221.0/24        vlan0
230.230.230.192/26      wan2
241.241.241.241/32      dmz
242.242.242.242/32      dmz
250.250.250.0/23        br0

In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1 is added to br0. Virtual interfaces are automatically added to or removed from a bridge interface when the underlying interface is added or removed.
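The membership rules (zero or one VLAN interface, any number of Ethernet interfaces, an interface may belong to only one bridge) and the routing-table rewrite in Table 117 can be checked mechanically. The Python below is an added example, not Zyxel code: `create_bridge` validates the member list and rebuilds the routing table by dropping the members' routes, including those of their virtual interfaces (named base:N), then appending the bridge's own route. It assumes an interface name starting with "vlan" is a VLAN interface and any other name is an Ethernet interface; the function names and the `is_rejected` helper are assumptions.

```python
def base_interface(name):
    """lan1:1 is a virtual interface on top of lan1; a base interface is its own base."""
    return name.split(":", 1)[0]


def validate_members(members, bridges):
    """Membership rules from the text: zero or one VLAN interface, any number of
    Ethernet interfaces, and no interface already used in a different bridge.
    Virtual interfaces are not added directly; they follow their base interface."""
    if len(set(members)) != len(members):
        raise ValueError("duplicate member")
    vlans = [m for m in members if m.startswith("vlan")]   # assumed naming convention
    if len(vlans) > 1:
        raise ValueError("a bridge may contain zero or one VLAN interface")
    for member in members:
        if ":" in member:
            raise ValueError(f"{member} is a virtual interface; add {base_interface(member)} instead")
        for bridge, used in bridges.items():
            if member in used:
                raise ValueError(f"{member} is already a member of {bridge}")


def create_bridge(routes, bridges, name, network, members):
    """routes: list of (destination network, interface) in table order.
    bridges: dict of existing bridge name -> member list.
    Returns (new routing table, new bridges dict)."""
    validate_members(members, bridges)
    member_set = set(members)
    # Members' routes leave the table together with their virtual interfaces' routes.
    kept = [(dst, ifc) for dst, ifc in routes if base_interface(ifc) not in member_set]
    kept.append((network, name))
    new_bridges = dict(bridges)
    new_bridges[name] = sorted(member_set)
    return kept, new_bridges


def is_rejected(routes, bridges, name, network, members):
    """True when create_bridge refuses the member list."""
    try:
        create_bridge(routes, bridges, name, network, members)
    except ValueError:
        return True
    return False


# Routing table from the "before" half of Table 117.
BEFORE = [
    ("210.210.210.0/24", "lan1"),
    ("210.211.1.0/24", "lan1:1"),
    ("221.221.221.0/24", "vlan0"),
    ("222.222.222.0/24", "vlan1"),
    ("230.230.230.192/26", "wan2"),
    ("241.241.241.241/32", "dmz"),
    ("242.242.242.242/32", "dmz"),
]


def table_117_after():
    """Reproduce the 'after' half of Table 117 by bridging lan1 and vlan1 into br0."""
    after, _ = create_bridge(BEFORE, {}, "br0", "250.250.250.0/23", ["lan1", "vlan1"])
    return after


if __name__ == "__main__":
    for dst, ifc in table_117_after():
        print(f"{dst:22} {ifc}")
```

Because the members' routes vanish, any security policy, NAT or policy route that referenced lan1, lan1:1 or vlan1 by name stops matching the bridged traffic; check the References screen for each member before creating the bridge and re-point those rules at br0.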

9.9.1 Bridge Summary
This screen lists every bridge interface and virtual interface created on top of bridge interfaces. If you enabled IPv6 on the Configuration > System > IPv6 screen, you can also configure bridge interfaces used for your IPv6 network on this screen. To access this screen, click Configuration > Network > Interface > Bridge.
Figure 208 Configuration > Network > Interface > Bridge


Each field is described in the following table.

Table 118 Configuration > Network > Interface > Bridge

LABEL: DESCRIPTION

Configuration / IPv6 Configuration: Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network. Both sections have similar fields as described below.
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Create Virtual Interface: To open the screen where you can create a virtual interface, select an interface and click Create Virtual Interface.
References: Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.
#: This field is a sequential value, and it is not associated with any interface.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Name: This field displays the name of the interface.
Description: This field displays the description of the interface.
IP Address: This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet.
  This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces.
Member: This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It is blank for virtual interfaces.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

9.9.2 Bridge Add/Edit
This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add or Edit icon on the Bridge Summary screen. The following screen appears.

Figure 209 Configuration > Network > Interface > Bridge > Add / Edit

Each field is described in the table below.

Table 119 Configuration > Network > Interface > Bridge > Add / Edit

LABEL: DESCRIPTION

IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Create New Object: Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use for the DHCPv6 settings in this screen.
General Settings
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
General IPv6 Setting
Enable IPv6: Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.
Interface Properties
Interface Type: Select one of the following options depending on the type of network to which the Zyxel Device is connected or if you want to additionally manually configure some related settings.
  internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The Zyxel Device automatically adds default SNAT settings for traffic flowing from this interface to an external interface.
  external is for connecting to an external network (like the Internet). The Zyxel Device automatically adds this interface to the default WAN trunk.
  For general, the rest of the screen's options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface.
Interface Name: This field is read-only if you are editing the interface. Enter the name of the bridge interface. The format is brx, where x is 0 - 11. For example, br0, br3, and so on.
Zone: Select the zone to which the interface is to belong. You use zones to apply security settings such as security policy, IDP, remote management, anti-malware, and application patrol.
Description: Enter a description of this interface. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Spaces are allowed, but the string can't start with a space.
Member Configuration


Table 119 Configuration > Network > Interface > Bridge > Add / Edit (continued)

LABEL: DESCRIPTION

Available: This field displays Ethernet interfaces and VLAN interfaces that can become part of the bridge interface. An interface is not available in the following situations:
  · There is a virtual interface on top of it
  · It is already used in a different bridge interface
  Select one, and click the >> arrow to add it to the bridge interface. Each bridge interface can only have one VLAN interface.
Member: This field displays the interfaces that are part of the bridge interface. Select one, and click the << arrow to remove it from the bridge interface.
IP Address Assignment
Get Automatically: Select this if this interface is a DHCP client. In this case, the DHCP server configures the IP address, subnet mask, and gateway automatically.
DHCP Option 60: DHCP Option 60 is used by the Zyxel Device for identification to the DHCP server using the VCI (Vendor Class Identifier) on the DHCP server. The Zyxel Device adds it in the initial DHCP discovery message that a DHCP client broadcasts in search of an IP address. The DHCP server can assign different IP addresses or options to clients with the specific VCI or reject the request from clients without the specific VCI.
  Type a string using up to 63 of these characters [a-zA-Z0-9!\"#$%&\'()*+,-./ :;<=>?@\[\\\]^_`{}] to identify this Zyxel Device to the DHCP server. For example, Zyxel-TW.
Use Fixed IP Address: Select this if you want to specify the IP address, subnet mask, and gateway manually.
IP Address: This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface.
Subnet Mask: This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers on the network.
Gateway: This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
Metric: Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.
Enable IGMP Support: Select this to allow the Zyxel Device to act as an IGMP proxy for hosts connected on the IGMP downstream interface.
IGMP Upstream: Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server.
IGMP Downstream: Enable IGMP Downstream on the interface which connects to the multicast hosts.
IPv6 Address Assignment: These IP address fields configure an IPv6 IP address on the interface itself.
Enable Stateless Address Autoconfiguration (SLAAC): Select this to enable IPv6 stateless auto-configuration on this interface. The interface will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router on the network.
Link-Local address: This displays the IPv6 link-local address and the network prefix that the Zyxel Device generates itself for the interface.


Table 119 Configuration > Network > Interface > Bridge > Add / Edit (continued)

LABEL: DESCRIPTION

IPv6 Address/Prefix Length: Enter the IPv6 address and the prefix length for this interface if you want to use a static IP address. This field is optional.
  The prefix length indicates how much of the left-most part of the IP address is the same for all computers on the network, that is, the network address.
Gateway: Enter the IPv6 address of the default outgoing gateway using colon (:) hexadecimal notation.
Metric: Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.
Address from DHCPv6 Prefix Delegation: Use this table to have the Zyxel Device obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ. You have to also enter a suffix address which is appended to the delegated prefix to form an address for this interface. See Prefix Delegation on page 232 for more information.
  To use prefix delegation, you must:
  · Create at least one DHCPv6 request object before configuring this table.
  · The external interface must be a DHCPv6 client. You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix-delegation.
  · Assign the prefix delegation to an internal interface and enable router advertisement on that interface.
Add: Click this to create an entry.
Edit: Select an entry and click this to change the settings.
Remove: Select an entry and click this to delete it from this table.
References: Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.
#: This field is a sequential value, and it is not associated with any entry.
Delegated Prefix: Select the DHCPv6 request object to use from the drop-down list.
Suffix Address: Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The Zyxel Device will append it to the delegated prefix.
  For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure an IP address of 2003:1234:5678:1111:1/128 for this interface, then enter ::1111:0:0:0:1/128 in this field.
Address: This field displays the combined IPv6 IP address for this interface.
  Note: This field displays the combined address after you click OK and reopen this screen.
DHCPv6 Setting
DHCPv6: Select N/A to not use DHCPv6.
  Select Client to set this interface to act as a DHCPv6 client.
  Select Server to set this interface to act as a DHCPv6 server which assigns IP addresses and provides subnet mask, gateway, and DNS server information to clients.
  Select Relay to set this interface to route DHCPv6 requests to the DHCPv6 relay server you specify. The DHCPv6 server(s) may be on another network.
DUID: This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 233 for more information.
DUID as MAC: Select this if you want the DUID to be generated from the interface's default MAC address.


Table 119 Configuration > Network > Interface > Bridge > Add / Edit (continued)

LABEL: DESCRIPTION

Customized DUID: If you want to use a customized DUID, enter it here for the interface.
Enable Rapid Commit: Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load.
  Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.
Information Refresh Time: Enter the number of seconds a DHCPv6 client should wait before refreshing information retrieved from DHCPv6.
Request Address: This field is available if you set this interface to DHCPv6 Client. Select this to get an IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP address information through DHCPv6.
DHCPv6 Request Options / DHCPv6 Lease Options: If this interface is a DHCPv6 client, use this section to configure DHCPv6 request settings that determine what additional information to get from the DHCPv6 server.
  If the interface is a DHCPv6 server, use this section to configure DHCPv6 lease settings that determine what to offer to the DHCPv6 clients.
Add: Click this to create an entry in this table. See Section 9.4.5 on page 256 for more information.
Edit: Select an entry and click this to change the settings.
Remove: Select an entry and click this to delete it from this table.
References: Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.
#: This field is a sequential value, and it is not associated with any entry.
Name: This field displays the name of the DHCPv6 request or lease object.
Type: This field displays the type of the object.
Value: This field displays the IPv6 prefix that the Zyxel Device obtained from an uplink router (Server is selected) or will advertise to its clients (Client is selected).
Interface: When Relay is selected, select this check box and an interface from the drop-down list if you want to use it as the relay server.
Relay Server: When Relay is selected, select this check box and enter the IP address of a DHCPv6 server as the relay server.
IPv6 Router Advertisement Setting
Enable Router Advertisement: Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 232 for more information.
Advertised Hosts Get Network Configuration From DHCPv6: Select this to have the Zyxel Device indicate to hosts to obtain network settings (such as prefix and DNS settings) through DHCPv6.
  Clear this to have the Zyxel Device indicate to hosts that DHCPv6 is not available and they should use the prefix in the router advertisement message.
Advertised Hosts Get Other Configuration From DHCPv6: Select this to have the Zyxel Device indicate to hosts to obtain DNS information through DHCPv6.
  Clear this to have the Zyxel Device indicate to hosts that DNS information is not available in this network.


Table 119 Configuration > Network > Interface > Bridge > Add / Edit (continued)

LABEL: DESCRIPTION

Router Preference: Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the Zyxel Device. This helps hosts to choose their default router, especially when there are multiple IPv6 routers on the network.
  Note: Make sure the hosts also support router preference to make this function work.
MTU: The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments.
Hop Limit: Enter the maximum number of network segments that a packet can cross before reaching the destination. When forwarding an IPv6 packet, IPv6 routers are required to decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0.
Advertised Prefix Table: Configure this table only if you want the Zyxel Device to advertise a fixed prefix to the network.
Add: Click this to create an IPv6 prefix address.
Edit: Select an entry in this table and click this to modify it.
Remove: Select an entry in this table and click this to delete it.
#: This field is a sequential value, and it is not associated with any entry.
IPv6 Address/Prefix Length: Enter the IPv6 network prefix address and the prefix length.
  The prefix length indicates how much of the left-most part of the IP address is the same for all computers on the network, that is, the network address.
Advertised Prefix from DHCPv6 Prefix Delegation: Use this table to configure the network prefix if you want to use a delegated prefix as the beginning part of the network prefix.
Add: Click this to create an entry in this table.
Edit: Select an entry in this table and click this to modify it.
Remove: Select an entry in this table and click this to delete it.
References: Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.
#: This field is a sequential value, and it is not associated with any entry.
Delegated Prefix: Select the DHCPv6 request object to use for generating the network prefix for the network.
Suffix Address: Enter the ending part of the IPv6 network address plus a slash (/) and the prefix length. The Zyxel Device will append it to the selected delegated prefix. The combined address is the network prefix for the network.
  For example, you got a delegated prefix of 2003:1234:5678/48. You want to divide it into 2003:1234:5678:1111/64 for this interface and 2003:1234:5678:2222/64 for another interface. You can use ::1111/64 and ::2222/64 for the suffix address respectively. But if you do not want to divide the delegated prefix into subnetworks, enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.
Address: This is the final network prefix combined from the selected delegated prefix and the suffix.
  Note: This field displays the combined address after you click OK and reopen this screen.
Interface Parameters
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can send through the interface to the network. Allowed values are 0 - 1048576.
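The Suffix Address examples in the two prefix-delegation tables above (an interface address formed with ::1111:0:0:0:1/128, and subnets formed with ::1111/64, ::2222/64 and ::0/48) follow one rule: the suffix's hextets are right-aligned within the first prefix-length bits of the result and OR-ed onto the delegated prefix. The Python below is an added example, not Zyxel code, that applies that rule, checks that the suffix does not collide with the delegated bits, and accepts the page's shorthand "2003:1234:5678/48" as well as the RFC 4291 form. The interpretation of the suffix field is inferred from the page's examples, and the `combine_delegated`, `normalize_prefix` and `is_rejected` names are assumptions.

```python
import ipaddress


def normalize_prefix(prefix):
    """Accept the page's shorthand '2003:1234:5678/48' as well as '2003:1234:5678::/48'."""
    addr, plen = prefix.split("/")
    if "::" not in addr and addr.count(":") < 7:
        addr += "::"
    return f"{addr}/{plen}"


def combine_delegated(prefix, suffix):
    """Combine a delegated prefix with a Suffix Address entry and return the
    resulting address (or network prefix) with the suffix's prefix length.

    Assumed interpretation (inferred from the page's examples): the suffix value is
    right-aligned within the first `suffix length` bits, so '::1111/64' fills
    bits 48-63 and '::1111:0:0:0:1/128' fills bits 48-63 and 112-127."""
    net = ipaddress.IPv6Network(normalize_prefix(prefix), strict=False)
    suffix_txt, suffix_len_txt = suffix.split("/")
    suffix_len = int(suffix_len_txt)
    if not net.prefixlen <= suffix_len <= 128:
        raise ValueError("suffix prefix length must lie between the delegated length and 128")
    # Right-align the suffix inside the first suffix_len bits of a 128-bit address.
    bits = int(ipaddress.IPv6Address(suffix_txt)) << (128 - suffix_len)
    if bits >> 128:
        raise ValueError("suffix has more bits than its prefix length allows")
    # The delegated bits belong to the ISP; the suffix must not try to change them.
    if bits & int(net.netmask):
        raise ValueError("suffix overlaps the delegated prefix bits")
    combined = ipaddress.IPv6Address(int(net.network_address) | bits)
    return f"{combined}/{suffix_len}"


def is_rejected(prefix, suffix):
    """True when combine_delegated refuses the pair."""
    try:
        combine_delegated(prefix, suffix)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    delegated = "2003:1234:5678/48"          # the page's example delegation
    for suffix in ("::1111:0:0:0:1/128", "::1111/64", "::2222/64", "::0/48"):
        print(f"{delegated} + {suffix:20} -> {combine_delegated(delegated, suffix)}")
```

Run it against the delegation you actually receive before committing the entries; a suffix that overlaps the delegated bits is rejected here, whereas a silently wrong suffix on the device only shows up in the Address field after you click OK and reopen the screen.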


Table 119 Configuration > Network > Interface > Bridge > Add / Edit (continued)

LABEL: DESCRIPTION

Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can receive from the network through the interface. Allowed values are 0 - 1048576.
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
DHCP Setting
DHCP: Select what type of DHCP service the Zyxel Device provides to the network. Choices are:
  None - the Zyxel Device does not provide any DHCP services. There is already a DHCP server on the network.
  DHCP Relay - the Zyxel Device routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network.
  DHCP Server - the Zyxel Device assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The Zyxel Device is the DHCP server for the network.
Relay Server 1: These fields appear if the Zyxel Device is a DHCP Relay. Enter the IP address of a DHCP server for the network.
Relay Server 2: This field is optional. Enter the IP address of another DHCP server for the network.
IP Pool Start Address: These fields appear if the Zyxel Device is a DHCP Server. Enter the IP address from which the Zyxel Device begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP.
  If this field is blank, the Pool Size must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface's IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface's IP address.
Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface's Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the Zyxel Device can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.
  If this field is blank, the IP Pool Start Address must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface's IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface's IP address.
First DNS Server, Second DNS Server, Third DNS Server: Specify the IP addresses of up to three DNS servers for the DHCP clients to use. Use one of the following ways to specify these IP addresses.
  Custom Defined - enter a static IP address.
  From ISP - select the DNS server that another interface received from its DHCP server.
  Zyxel Device - the DHCP clients use the IP address of this interface and the Zyxel Device works as a DNS relay.
First WINS Server, Second WINS Server: Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Default Router: If you set this interface to DHCP Server, you can select to use either the interface's IP address or another IP address as the default router. This default router will become the DHCP clients' default gateway.
  To use another IP address as the default router, select Custom Defined and enter the IP address.
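The IP Pool Start Address and Pool Size rules above (both blank or both set; the pool is capped by what the subnet mask allows; the blank case excludes the network, broadcast and interface addresses) are easy to get wrong by hand, and an oversized pool silently shrinks. The Python below is an added example, not Zyxel code, that computes the effective pool for an interface and reproduces the page's 10.10.10.10 / 255.255.255.0 case giving 245 addresses. The `dhcp_pool` name and the sample values are assumptions.

```python
import ipaddress


def dhcp_pool(interface_ip, subnet_mask, pool_start=None, pool_size=None):
    """Return (first address, last address, count) for the pool the DHCP server may
    hand out on this interface, following the rules in the table above.

    Blank start and size: every address the subnet allows except the network
    address, the broadcast address and the interface's own IP address.
    Otherwise: pool_size addresses from pool_start, clipped at the last usable
    address of the subnet (the page's 245-address example)."""
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{subnet_mask}")
    net = iface.network
    if (pool_start is None) != (pool_size is None):
        raise ValueError("IP Pool Start Address and Pool Size must both be set or both blank")
    if pool_start is None:
        usable = [host for host in net.hosts() if host != iface.ip]
        return str(usable[0]), str(usable[-1]), len(usable)
    start = ipaddress.IPv4Address(pool_start)
    if start not in net or start in (net.network_address, net.broadcast_address):
        raise ValueError(f"{start} is not a usable address in {net}")
    if pool_size < 1:
        raise ValueError("Pool Size must be at least one")
    last_usable = net.broadcast_address - 1
    available = int(last_usable) - int(start) + 1     # addresses from start to last usable
    size = min(pool_size, available)                  # the mask caps the pool
    return str(start), str(start + size - 1), size


if __name__ == "__main__":
    # Constructed sample: interface 10.10.10.1/24, as in the page's Pool Size example.
    print(dhcp_pool("10.10.10.1", "255.255.255.0", "10.10.10.10", 300))   # capped at 245
    print(dhcp_pool("10.10.10.1", "255.255.255.0"))                        # blank: 253 addresses
```

Note that with an explicit start and size the function follows the table literally and does not remove the interface's own address from the range; choose a start above the interface IP (as the page's example does) so the two never overlap.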


Table 119 Configuration > Network > Interface > Bridge > Add / Edit (continued)

LABEL: DESCRIPTION

Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:
  infinite - select this if IP addresses never expire
  days, hours, and minutes - select this to enter how long IP addresses are valid.
Extended Options: This table is available if you selected DHCP Server. Configure this table if you want to send more information to DHCP clients through DHCP packets.
Add: Click this to create an entry in this table. See Section 9.4.6 on page 257.
Edit: Select an entry in this table and click this to modify it.
Remove: Select an entry in this table and click this to delete it.
#: This field is a sequential value, and it is not associated with any entry.
Name: This is the option's name.
Code: This is the option's code number.
Type: This is the option's type.
Value: This is the option's value.
PXE Server: PXE (Preboot eXecution Environment) allows a client computer to use the network to boot up and install an operating system via a PXE-capable Network Interface Card (NIC).
  PXE is available for computers on internal interfaces to allow them to boot up using boot software on a PXE server. The Zyxel Device acts as an intermediary between the PXE server and the computers that need boot software.
  The PXE server must have a public IPv4 address. You must enable DHCP Server on the Zyxel Device so that it can receive information from the PXE server.
PXE Boot Loader File: A boot loader is a computer program that loads the operating system for the computer. Type the exact file name of the boot loader software file, including filename extension, that is on the PXE server. If the wrong filename is typed, then the client computers cannot boot.
Enable IP/MAC Binding: Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses.
Enable Logs for IP/MAC Binding Violation: Select this option to have the Zyxel Device generate a log if a device connected to this interface attempts to use an IP address that is bound to another device's MAC address.
Static DHCP Table: Configure a list of static IP addresses the Zyxel Device assigns to computers connected to the interface. Otherwise, the Zyxel Device assigns an IP address dynamically using the interface's IP Pool Start Address and Pool Size.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
#: This field is a sequential value, and it is not associated with a specific entry.
IP Address: Enter the IP address to assign to a device with this entry's MAC address.
MAC Address: Enter the MAC address to which to assign this entry's IP address.
Description: Enter a description to help identify this static DHCP entry. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

Connectivity Check: The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the Zyxel Device stops routing to the gateway. The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check.

Enable Connectivity Check: Select this to turn on the connection check.

Check Method: Select the method that the gateway allows.
  Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available.
  Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available.

Check Period: Enter the number of seconds between connection check attempts.

Check Timeout: Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail Tolerance: Enter the number of consecutive failures before the Zyxel Device stops routing through the gateway.

Check Default Gateway: Select this to use the default gateway for the connectivity check.

Check this address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Check Port: This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.

Check these addresses: Type one or two domain names or IP addresses for the connectivity check.

Probe Succeeds When: This field applies when you specify two domain names or IP addresses for the connectivity check.
  Select any one if you want the check to pass if at least one of the domain names or IP addresses responds.
  Select all if you want the check to pass only if both domain names or IP addresses respond.

Proxy ARP: Proxy ARP is available for external or general interfaces on the Zyxel Device. See Section on page 244 for more information on Proxy ARP.

Enable Proxy ARP: Select this to allow the Zyxel Device to answer external interface ARP requests on behalf of a device on its internal interface. Interfaces supported are:
  · Ethernet
  · VLAN
  · Bridge
  See Section 9.4.2 on page 253 for more information.

Add: Click Add to create an IPv4 Address, an IPv4 CIDR (for example, 192.168.1.1/24) or an IPv4 Range (for example, 192.168.1.2-192.168.1.100) as the target IP address. The Zyxel Device answers external ARP requests only if they match one of these inputted target IP addresses. For example, if the IPv4 Address is 192.168.1.5, then the Zyxel Device will answer ARP requests coming from the WAN only if they contain 192.168.1.5 as the target IP address.

Remove: Select an existing entry and click Remove to delete that entry.

Related Setting

Configure WAN TRUNK: Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing.

Configure Policy Route: Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this bridge interface.

OK: Click OK to save your changes back to the Zyxel Device.

Cancel: Click Cancel to exit this screen without saving.
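The Proxy ARP target matching described above, as an added Python example that is not from the Zyxel guide or its firmware: it parses targets in the three forms the Add field accepts (IPv4 Address, IPv4 CIDR, IPv4 Range) and decides whether an external ARP request's target IP would be answered. The function names and the sample requests are my own assumptions.

```python
import ipaddress
from typing import List, Tuple, Union

# One parsed target: a single address, a CIDR network, or an inclusive address range.
Target = Union[ipaddress.IPv4Address, ipaddress.IPv4Network,
               Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]


def parse_target(spec: str) -> Target:
    """Parse a Proxy ARP target in one of the three forms the screen accepts:
    IPv4 Address ('192.168.1.5'), IPv4 CIDR ('192.168.1.1/24') or
    IPv4 Range ('192.168.1.2-192.168.1.100')."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is above range end: {spec}")
        return (lo, hi)
    if "/" in spec:
        # strict=False accepts host-form prefixes such as 192.168.1.1/24
        return ipaddress.IPv4Network(spec, strict=False)
    return ipaddress.IPv4Address(spec)


def matches(target: Target, ip: ipaddress.IPv4Address) -> bool:
    """True if the ARP target address falls inside the configured target."""
    if isinstance(target, tuple):
        lo, hi = target
        return lo <= ip <= hi
    if isinstance(target, ipaddress.IPv4Network):
        return ip in target
    return ip == target


def should_answer_arp(target_ip: str, configured_targets: List[str]) -> bool:
    """True if the device would answer an external ARP request whose target
    IP address matches at least one configured Proxy ARP target."""
    ip = ipaddress.IPv4Address(target_ip)
    return any(matches(parse_target(t), ip) for t in configured_targets)


if __name__ == "__main__":
    # Constructed sample: the three example targets from the screen description.
    targets = ["192.168.1.5", "192.168.1.1/24", "192.168.1.2-192.168.1.100"]
    for who_has in ("192.168.1.5", "192.168.1.200", "10.0.0.1"):
        verdict = "answer" if should_answer_arp(who_has, targets) else "ignore"
        print(f"ARP who-has {who_has} -> {verdict}")
```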

9.10 VTI
IPSec VPN Tunnel Interface (VTI) encrypts or decrypts IPv4 traffic from or to the interface according to the IP routing table.
VTI allows static routes to send traffic over the VPN. The IPSec tunnel endpoint is associated with an actual (virtual) interface. Therefore many interface capabilities such as Policy Route, Static Route, Trunk, and BWM can be applied to the IPSec tunnel as soon as the tunnel is active.
IPSec VTI simplifies network management and load balancing. Create a trunk using VPN tunnel interfaces for load balancing. In the following example, configure VPN tunnels with static IP addresses or DNS on both Zyxel Devices (or IPSec routers at the end of the tunnel). Also configure VTI and a trunk on both Zyxel Devices.
Figure 210 VTI and Trunk for VPN Load Balancing

9.10.1 Restrictions for IPSec Virtual Tunnel Interface
· IPv4 traffic only
· IPSec tunnel mode only. A shared keyword must not be configured when using tunnel mode.
· With a VTI VPN you do not add local or remote LANs to your VPN configuration.
· For a VTI VPN you should only have one local and one remote WAN.
· A dynamic peer is not supported.
· The IPSec VTI is limited to IP unicast and multicast traffic only.
9.10.2 VTI Screen
To access this screen, click Configuration > Network > Interface > VTI.
Figure 211 Configuration > Network > Interface > VTI

The following table describes the fields in this screen.

Table 120 Configuration > Network > Interface > VTI

LABEL / DESCRIPTION

Configuration

Add: Click this to create a new entry.

Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate: To turn on an entry, select it and click Activate.

Inactivate: To turn off an entry, select it and click Inactivate.

References: Select an entry and click References to open a screen that shows which settings use the entry.

#: This field is a sequential value, and it is not associated with any interface.

Status: This icon is lit when the entry is active and dimmed when the entry is inactive.

Name: This field displays the name of the VTI interface.

IP Address: This field displays the current IP address of the virtual interface and subnet mask in bits. If the IP address is 0.0.0.0, the interface does not have an IP address yet.

vpn-rule: This shows the name of the associated IPSec VPN rule with VPN Tunnel Interface application scenario.

Apply: Click Apply to save your changes back to the Zyxel Device.

Reset: Click Reset to return the screen to its last-saved settings.

9.10.3 VTI Add/Edit
This screen lets you configure IP address assignment and interface parameters for VTI.
Note: You should have created a VPN tunnel for a VPN Tunnel Interface scenario first.
To access this screen, click the Add or Edit icon in Network > Interface > VTI. The following screen appears.

Figure 212 Configuration > Network > Interface > VTI > Add

Each field is described in the table below.

Table 121 Configuration > Network > Interface > VTI > Add

LABEL / DESCRIPTION

General Settings

Enable: Select this to enable VTI. Clear this to disable it.

Interface Properties

Interface Name: This field is read-only if you are editing an existing VPN tunnel interface. For a new VPN tunnel interface, enter the name of the VPN tunnel interface in vtix format, where x is a number from 0 to the maximum number of VPN connections allowed for this model. For example, enter vti10.

Zone: Select a zone. Make sure that the zone you select does not have traffic blocked by a security feature such as a security policy.

vpn-rule: You should have created a VPN tunnel first for a VPN Tunnel Interface scenario. Select one of the VPN Tunnel Interface scenario rules that you created.

IP Address Assignment

IP Address: Enter the IP address for this interface.

Subnet Mask: Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers on the network.

Metric: Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.

Enable IGMP Support: Select this to allow the Zyxel Device to act as an IGMP proxy for hosts connected on the IGMP downstream interface.

IGMP Upstream: Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server.

IGMP Downstream: Enable IGMP Downstream on the interface which connects to the multicast hosts.

Interface Parameters

Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can send through the interface to the network. Allowed values are 0 - 1048576.

Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can receive from the network through the interface. Allowed values are 0 - 1048576.

Connectivity Check: These fields appear when you select a vpn-rule. The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the Zyxel Device stops routing to the gateway. The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check.

Enable Connectivity Check: Select this to turn on the connection check.

Check Method: Select the method that the gateway allows.
  Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available.
  Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available.

Check Period: Enter the number of seconds between connection check attempts.

Check Timeout: Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail Tolerance: Enter the number of consecutive failures before the Zyxel Device stops routing through the gateway.

Check this address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Check Port: This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.

RIP Setting: See Section 10.6 on page 337 for more information about RIP.

Enable RIP: Select this to enable RIP in this interface.

Direction: This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box.
  BiDir - This interface sends and receives routing information.
  In-Only - This interface receives routing information.
  Out-Only - This interface sends routing information.

Send Version: This field is effective when RIP is enabled. Select the RIP version(s) used for sending RIP packets. Choices are 1, 2, and 1 and 2.

Receive Version: This field is effective when RIP is enabled. Select the RIP version(s) used for receiving RIP packets. Choices are 1, 2, and 1 and 2.

V2-Broadcast: This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the Zyxel Device uses multicasting.

OSPF Setting: See Section 10.7 on page 339 for more information about OSPF.

Area: Select the area in which this interface belongs. Select None to disable OSPF in this interface.

Priority: Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The highest-priority interface identifies the DR, and the second-highest-priority interface identifies the BDR. Set the priority to zero if the interface cannot be the DR or BDR.

Link Cost: Enter the cost (between 1 and 65,535) to route packets through this interface.

Passive Interface: Select this to stop forwarding OSPF routing information from the selected interface. As a result, this interface only receives routing information.

Authentication: Select an authentication method, or disable authentication. To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use. Choices are:
  Same-as-Area - use the default authentication method in the area
  None - disable authentication
  Text - authenticate OSPF routing information using a plain-text password
  MD5 - authenticate OSPF routing information using MD5 encryption

Text Authentication Key: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.

MD5 Authentication ID: This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255.

MD5 Authentication Key: This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.

Related Setting

Configure WAN TRUNK: Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing.

Configure Policy Route: Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this bridge interface.

OK: Click OK to save your changes back to the Zyxel Device.

Cancel: Click Cancel to exit this screen without saving.
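The connectivity check described in the Bridge table (Table 119) and in this VTI table, as an added Python model that is not the Zyxel guide's or firmware's code: it counts consecutive failed checks against Check Fail Tolerance, stops routing through the gateway when the tolerance is reached, resumes on the first passing check, and applies the Probe Succeeds When any one / all rule when two addresses are checked. The class and function names and the probe outcomes are my own constructed assumptions.

```python
import socket
from dataclasses import dataclass
from typing import Dict, List, Sequence


def tcp_handshake_probe(host: str, port: int, timeout_s: float) -> bool:
    """Check Method tcp: one probe passes if a TCP handshake with host:port
    completes within Check Timeout seconds. Not used by the offline simulation."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


@dataclass
class ConnectivityCheck:
    addresses: Sequence[str]        # one (Check this address) or two (Check these addresses)
    fail_tolerance: int             # Check Fail Tolerance: consecutive failures before routing stops
    succeeds_when: str = "any one"  # Probe Succeeds When: "any one" or "all" (two addresses only)
    consecutive_failures: int = 0
    routing: bool = True            # False once the device stops routing through the gateway

    def probe_passes(self, answered: Dict[str, bool]) -> bool:
        """Combine the per-address probe results into one pass/fail for this check."""
        results = [answered[a] for a in self.addresses]
        if len(self.addresses) == 2 and self.succeeds_when == "all":
            return all(results)
        return any(results)

    def step(self, answered: Dict[str, bool]) -> bool:
        """Apply one check (run every Check Period seconds) and return whether
        the device is routing through the gateway afterwards."""
        if self.probe_passes(answered):
            self.consecutive_failures = 0
            self.routing = True     # resumes the first time the gateway passes
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.fail_tolerance:
                self.routing = False
        return self.routing


def simulate(check: ConnectivityCheck, rounds: List[Dict[str, bool]]) -> List[bool]:
    """Feed a sequence of probe outcomes through the check; returns the routing state after each."""
    return [check.step(r) for r in rounds]


if __name__ == "__main__":
    # Constructed probe outcomes for one gateway address with Check Fail Tolerance 3.
    gw = "gateway.example"
    outcomes = [True, False, False, True, False, False, False, True]
    states = simulate(ConnectivityCheck([gw], fail_tolerance=3), [{gw: ok} for ok in outcomes])
    for ok, routing in zip(outcomes, states):
        print(f"probe {'pass' if ok else 'fail'} -> routing {'on' if routing else 'off'}")
```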

9.11 Trunk Overview
Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links.
Maybe you have two Internet connections with different bandwidths. You could set up a trunk that uses spillover or weighted round robin load balancing so time-sensitive traffic (like video) usually goes through the higher-bandwidth interface. For other traffic, you might want to use least load first load balancing to even out the distribution of the traffic load.
Suppose ISP A has better connections to Europe while ISP B has better connections to Australia. You could use policy routes and trunks to have traffic for your European branch office primarily use ISP A and traffic for your Australian branch office primarily use ISP B.
Or maybe one of the Zyxel Device's interfaces is connected to an ISP that is also your Voice over IP (VoIP) service provider. You can use policy routing to send the VoIP traffic through a trunk with the interface connected to the VoIP service provider set to active and another interface (connected to another ISP) set to passive. This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface's connection is up.
· Use the Trunk summary screen (Section 9.12 on page 316) to view the list of configured trunks and which load balancing algorithm each trunk uses.
· Use the Add Trunk screen (Section 9.12.1 on page 317) to configure the member interfaces for a trunk and the load balancing algorithm the trunk uses.
· Use the Add Syste m De fa ult screen (Section 9.12.2 on page 319) to configure the load balancing algorithm for the system default trunk.
9.11.1 What You Need to Know
· Add WAN interfaces to trunks to have multiple connections share the traffic load.
· If one WAN interface's connection goes down, the Zyxel Device sends traffic through another member of the trunk.
· For example, you connect one WAN interface to one ISP and connect a second WAN interface to a second ISP. The Zyxel Device balances the WAN traffic load between the connections. If one interface's connection goes down, the Zyxel Device can automatically send its traffic through another interface.
· You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic. If that interface's connection goes down, the Zyxel Device can still send its traffic through another interface.
· You can define multiple trunks for the same physical interfaces.
1 LAN user A logs into server B on the Internet. The Zyxel Device uses wan1 to send the request to server B.
2 The Zyxel Device is using active/active load balancing. So when LAN user A tries to access something on the server, the request goes out through wan2.
3 The server finds that the request comes from wan2's IP address instead of wan1's IP address and rejects the request.
If link sticking had been configured, the Zyxel Device would have still used wan1 to send LAN user A's request to the server, and the server would have given user A access.
Load Balancing Algorithms
The following sections describe the load balancing algorithms the Zyxel Device can use to decide which interface the traffic (from the LAN) should use for a session. In the load balancing section, a session may refer to normal connection-oriented, UDP or SNMP2 traffic. The available bandwidth you configure on the Zyxel Device refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using.
Least Load First
The least load first algorithm uses the current (or recent) outbound bandwidth utilization of each trunk member interface as the load balancing index(es) when making decisions about to which interface a new session is to be distributed. The outbound bandwidth utilization is defined as the measured outbound throughput over the available outbound bandwidth.
Here the Zyxel Device has two WAN interfaces connected to the Internet. The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively.
Figure 213 Load Balancing Least Load First Example

The outbound bandwidth utilization is used as the load balancing index. In this example, the measured (current) outbound throughput of WAN 1 is 412K and WAN 2 is 198K. The Zyxel Device calculates the load balancing index as shown in the table below.

Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the Zyxel Device will send the subsequent new session traffic through WAN 2.

Table 122 Least Load First Example

INTERFACE   OUTBOUND AVAILABLE (A)   MEASURED (M)   LOAD BALANCING INDEX (M/A)
WAN 1       512 K                    412 K          0.8
WAN 2       256 K                    198 K          0.77

Weighted Round Robin
Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on that interface. This queue then moves to the back of the list. The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty.
The Weighted Round Robin (WRR) algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different. Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the Zyxel Device to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight.
For example, in the figure below, the configured available bandwidth of WAN1 is 1M and WAN2 is 512K. You can set the Zyxel Device to distribute the network traffic between the two interfaces by setting the weight of wan1 and wan2 to 2 and 1 respectively. The Zyxel Device assigns the traffic of two sessions to wan1 and one session's traffic to wan2 in each round of 3 new sessions.
Figure 214 Weighted Round Robin Algorithm Example
Spillover
The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface's maximum allowable load is reached, then sends the excess network traffic of new sessions to the next interface in the trunk member list. This continues as long as there are more member interfaces and traffic to be sent through them.
Suppose the first trunk member interface uses an unlimited access Internet connection and the second is billed by usage. Spillover load balancing only uses the second interface when the traffic load exceeds the threshold on the first interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface.
In this example figure, the upper threshold of the first interface is set to 800K. The Zyxel Device sends network traffic of new sessions that exceed this limit to the secondary WAN interface.
Figure 215 Spillover Algorithm Example
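The three load balancing algorithms above, as an added Python model that is not the Zyxel guide's or firmware's code: least load first picks the member with the smallest M/A index using the figures from Table 122, weighted round robin reproduces the 2:1 wan1/wan2 rounds, and spillover moves new sessions to the next member once the first member's threshold (800K in the example) is exceeded. The names and the constructed session sizes are my own assumptions.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List


@dataclass
class Member:
    name: str
    available_kbps: int      # configured available outbound bandwidth (A)
    measured_kbps: int = 0   # measured (current) outbound throughput (M)


def load_index(m: Member) -> float:
    """Load balancing index = measured throughput over available bandwidth (M/A)."""
    return m.measured_kbps / m.available_kbps


def least_load_first(members: List[Member]) -> str:
    """Send the next new session through the least utilized member;
    min() keeps the earlier-listed member on a tie."""
    return min(members, key=load_index).name


def weighted_round_robin(weights: Dict[str, int], sessions: int) -> List[str]:
    """Assign `sessions` new sessions in rounds; each round gives every member
    as many sessions as its weight, in listed order."""
    one_round = [name for name, w in weights.items() for _ in range(w)]
    picker = cycle(one_round)
    return [next(picker) for _ in range(sessions)]


def spillover(members: List[Member], thresholds: Dict[str, int],
              session_kbps: List[int]) -> List[str]:
    """Assign each new session to the first member whose current load has not
    yet exceeded its spillover threshold; a member without a threshold (the
    last one here) takes whatever spills past the others. Existing sessions
    keep the member they started on, so loads only grow within this model."""
    load = {m.name: m.measured_kbps for m in members}
    assigned: List[str] = []
    for kbps in session_kbps:
        chosen = members[-1].name
        for m in members:
            limit = thresholds.get(m.name)
            if limit is None or load[m.name] < limit:
                chosen = m.name
                break
        load[chosen] += kbps
        assigned.append(chosen)
    return assigned


if __name__ == "__main__":
    # Figures from Table 122 / Figure 213.
    wan1 = Member("WAN 1", available_kbps=512, measured_kbps=412)
    wan2 = Member("WAN 2", available_kbps=256, measured_kbps=198)
    print("least load first ->", least_load_first([wan1, wan2]))
    print("weighted round robin ->", weighted_round_robin({"wan1": 2, "wan2": 1}, 6))
    # Constructed: four 300K sessions against an 800K threshold on the first member.
    first = Member("wan1", available_kbps=1024)
    second = Member("wan2", available_kbps=512)
    print("spillover ->", spillover([first, second], {"wan1": 800}, [300, 300, 300, 300]))
```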
9.12 The Trunk Summary Screen
Click Configuration > Network > Interface > Trunk to open the Trunk screen. The Trunk Summary screen lists the configured trunks and the load balancing algorithm that each is configured to use.
Figure 216 Configuration > Network > Interface > Trunk

The following table describes the items in this screen.

Table 123 Configuration > Network > Interface > Trunk

LABEL / DESCRIPTION

Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.

Configuration: Configure what to do with existing passive mode interface connections when an interface set to active mode in the same trunk comes back up.

Disconnect Connections Before Falling Back: Select this to terminate existing connections on an interface which is set to passive mode when any interface set to active mode in the same trunk comes back up.

Enable Default SNAT: Select this to have the Zyxel Device use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks. The Zyxel Device automatically adds SNAT settings for traffic it routes from internal interfaces to external interfaces.

Default Trunk Selection: Select whether the Zyxel Device is to use the default system WAN trunk or one of the user configured WAN trunks as the default trunk for routing traffic from internal interfaces to external interfaces.

User Configuration / System Default: The Zyxel Device automatically adds all external interfaces into the pre-configured system default SYSTEM_DEFAULT_WAN_TRUNK. You cannot delete it. You can create your own User Configuration trunks and customize the algorithm, member interfaces and the active/passive mode.

Add: Click this to create a new user-configured trunk.

Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove: To remove a user-configured trunk, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References: Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.

#: This field is a sequential value, and it is not associated with any interface.

Name: This field displays the label that you specified to identify the trunk.

Algorithm: This field displays the load balancing method the trunk is set to use.

Apply: Click this button to save your changes to the Zyxel Device.

Reset: Click this button to return the screen to its last-saved settings.

9.12.1 Configuring a User-Defined Trunk
Click Configuration > Network > Interface > Trunk, then in the User Configuration table click the Add (or Edit) icon to open the following screen. Use this screen to create or edit a WAN trunk entry.
Figure 217 Configuration > Network > Interface > Trunk > Add (or Edit)

Each field is described in the table below.

Table 124 Configuration > Network > Interface > Trunk > Add (or Edit)

LABEL / DESCRIPTION

Name: This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Load Balancing Algorithm: Select a load balancing method to use from the drop-down list box.
  Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight. For example, if the weight ratio of wan1 and wan2 interfaces is 2:1, the Zyxel Device chooses wan1 for 2 sessions' traffic and wan2 for 1 session's traffic in each round of 3 new sessions.
  Select Least Load First to send new session traffic through the least utilized trunk member.
  Select Spillover to send network traffic through the first interface in the group member list until there is enough traffic that the second interface needs to be used (and so on).

Load Balancing Index(es): This field is available if you selected to use the Least Load First or Spillover method. Select Outbound, Inbound, or Outbound + Inbound to set the traffic to which the Zyxel Device applies the load balancing method. Outbound means the traffic traveling from an internal interface (ex. LAN) to an external interface (ex. WAN). Inbound means the opposite.

The table lists the trunk's member interfaces. You can add, edit, remove, or move entries for user configured trunks.

Add: Click this to add a member interface to the trunk. Select an interface and click Add to add a new member interface after the selected member interface.

Edit: Select an entry and click Edit to modify the entry's settings.

Remove: To remove a member interface, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Move: To move an interface to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the interface.

#: This column displays the priorities of the group's interfaces. The order of the interfaces in the list is important since they are used in the order they are listed.

Member: Click this table cell and select an interface to be a group member.
  If you select an interface that is part of another Ethernet interface, the Zyxel Device does not send traffic through the interface as part of the trunk. For example, if you have physical port 5 in the ge2 representative interface, you must select interface ge2 in order to send traffic through port 5 as part of the trunk. If you select interface ge5 as a member here, the Zyxel Device will not send traffic through port 5 as part of the trunk.

Mode: Click this table cell and select Active to have the Zyxel Device always attempt to use this connection.
  Select Passive to have the Zyxel Device only use this connection when all of the connections set to active are down. You can only set one of a group's interfaces to passive mode.

Weight: This field displays with the weighted round robin load balancing algorithm. Specify the weight (1~10) for the interface. The weights of the different member interfaces form a ratio. This ratio determines how much traffic the Zyxel Device assigns to each member interface. The higher an interface's weight is (relative to the weights of the interfaces), the more sessions that interface should handle.

Ingress Bandwidth: This is reserved for future use. This field displays with the least load first load balancing algorithm. It displays the maximum number of kilobits of data the Zyxel Device is to allow to come in through the interface per second.
  Note: You can configure the bandwidth of an interface on the corresponding interface edit screen.

Egress Bandwidth: This field displays with the least load first or spillover load balancing algorithm. It displays the maximum number of kilobits of data the Zyxel Device is to send out through the interface per second.
  Note: You can configure the bandwidth of an interface on the corresponding interface edit screen.

Spillover: This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface. When this spillover bandwidth limit is exceeded, the Zyxel Device sends new session traffic through the next interface. The traffic of existing sessions still goes through the interface on which they started.
  The Zyxel Device uses the group member interfaces in the order that they are listed.

OK: Click OK to save your changes back to the Zyxel Device.

Cancel: Click Cancel to exit this screen without saving.

9.12.2 Configuring the System Default Trunk
On the Configuration > Network > Interface > Trunk screen, in the System Default section, select the default trunk entry and click Edit to open the following screen. Use this screen to change the load balancing algorithm and view the bandwidth allocations for each member interface.
Note: The available bandwidth is allocated to each member interface equally and cannot be changed for the default trunk.
Figure 218 Configuration > Network > Interface > Trunk > Edit (System Default)

Each field is described in the table below.

Table 125 Configuration > Network > Interface > Trunk > Edit (System Default)

LABEL    DESCRIPTION

Name
This field displays the name of the selected system default trunk.

Load Balancing Algorithm
Select the load balancing method to use for the trunk.
Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight. For example, if the weight ratio of wan1 and wan2 interfaces is 2:1, the Zyxel Device chooses wan1 for 2 sessions' traffic and wan2 for 1 session's traffic in each round of 3 new sessions.
Select Least Load First to send new session traffic through the least utilized trunk member.
Select Spillover to send network traffic through the first interface in the group member list until there is enough traffic that the second interface needs to be used (and so on).
The table lists the trunk's member interfaces. This table is read-only.

#
This column displays the priorities of the group's interfaces. The order of the interfaces in the list is important since they are used in the order they are listed.

Member
This column displays the name of the member interfaces.

Mode
This field displays Active if the Zyxel Device always attempts to use this connection.
This field displays Passive if the Zyxel Device only uses this connection when all of the connections set to active are down. Only one of a group's interfaces can be set to passive mode.

Weight
This field displays with the weighted round robin load balancing algorithm. Specify the weight (1~10) for the interface. The weights of the different member interfaces form a ratio.

Ingress Bandwidth
This is reserved for future use.
This field displays with the least load first load balancing algorithm. It displays the maximum number of kilobits of data the Zyxel Device is to allow to come in through the interface per second.

Egress Bandwidth
This field displays with the least load first or spillover load balancing algorithm. It displays the maximum number of kilobits of data the Zyxel Device is to send out through the interface per second.

Spillover
This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface. When this spillover bandwidth limit is exceeded, the Zyxel Device sends new session traffic through the next interface. The traffic of existing sessions still goes through the interface on which they started.
The Zyxel Device uses the group member interfaces in the order that they are listed.

OK
Click OK to save your changes back to the Zyxel Device.

Cancel
Click Cancel to exit this screen without saving.
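The three load balancing algorithms in this table, modelled as an added example (not Zyxel code): weighted round robin picks members by weight ratio, least load first picks the member using the smallest share of its egress limit, and spillover keeps new sessions on the first member until its limit is exceeded while existing sessions stay where they started. Interface names, weights, limits and session sizes are constructed, and the behaviour when every member has exceeded its spillover limit is an assumption, since the guide does not state it.

```python
"""Trunk load-balancing simulator: weighted round robin, least load first, spillover.

Added example, not Zyxel code. Interface names, weights, bandwidth limits and
session sizes are constructed; falling back to the last member once every
member has exceeded its spillover limit is an assumption.
"""
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Member:
    name: str
    weight: int = 1           # 1~10, weighted round robin only
    egress_kbps: int = 0      # egress limit (kbit/s) for least load first; 0 = unlimited
    spillover_kbps: int = 0   # spillover threshold (kbit/s), spillover only
    load_kbps: int = 0        # egress currently carried by existing sessions


class Trunk:
    def __init__(self, algorithm, members):
        if algorithm not in ("wrr", "llf", "spillover"):
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.algorithm = algorithm
        self.members = list(members)      # order matters: members are used as listed
        # weight ratio 2:1 -> wan1, wan1, wan2 in each round of 3 new sessions
        self._wrr = cycle([m for m in self.members for _ in range(m.weight)])
        self.sessions = {}                # session id -> member it started on

    @staticmethod
    def _utilisation(m):
        # least utilised = smallest share of its egress limit in use
        return m.load_kbps / m.egress_kbps if m.egress_kbps else 0.0

    def pick(self, session_kbps):
        """Choose the member for a *new* session."""
        if self.algorithm == "wrr":
            return next(self._wrr)
        if self.algorithm == "llf":
            # min() keeps the first member on a tie, i.e. the listed order
            return min(self.members, key=self._utilisation)
        # spillover: stay on the first member until its limit is exceeded,
        # then new sessions move to the next member, and so on
        for m in self.members:
            if m.load_kbps < m.spillover_kbps:
                return m
        return self.members[-1]           # assumption: all exceeded -> last member

    def new_session(self, sid, kbps):
        m = self.pick(kbps)
        m.load_kbps += kbps
        self.sessions[sid] = m.name
        return m.name

    def end_session(self, sid, kbps):
        # an existing session keeps the member it started on until it ends
        name = self.sessions.pop(sid)
        next(m for m in self.members if m.name == name).load_kbps -= kbps
        return name


def demo():
    """Run each algorithm over the same six 600 kbit/s sessions; returns the picks."""
    results = {}
    wrr = Trunk("wrr", [Member("wan1", weight=2), Member("wan2", weight=1)])
    results["wrr"] = [wrr.new_session(i, 600) for i in range(6)]
    llf = Trunk("llf", [Member("wan1", egress_kbps=10000),
                        Member("wan2", egress_kbps=5000)])
    results["llf"] = [llf.new_session(i, 600) for i in range(6)]
    spill = Trunk("spillover", [Member("wan1", spillover_kbps=1000),
                                Member("wan2", spillover_kbps=1000)])
    results["spillover"] = [spill.new_session(i, 600) for i in range(6)]
    return results


if __name__ == "__main__":
    for algo, picks in demo().items():
        print(f"{algo:10s} {picks}")
```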

9.13 Interface Technical Reference
Here is more detailed information about interfaces on the Zyxel Device.

IP Address Assignment
Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table.
Figure 219 Example: Entry in the Routing Table Derived from Interfaces (lan1 and wan1)

Table 126 Example: Routing Table Entries for Interfaces

IP ADDRESS(ES)      DESTINATION
100.100.1.1/16      lan1
200.200.200.1/24    wan1

For example, if the Zyxel Device gets a packet with a destination address of 100.100.25.25, it routes the packet to interface lan1. If the Zyxel Device gets a packet with a destination address of 200.200.200.200, it routes the packet to interface wan1.

In most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP/L2TP interfaces, however, the subnet mask is always 255.255.255.255 because it is a point-to-point interface. For these interfaces, you can only enter the IP address.

In many interfaces, you can also let the IP address and subnet mask be assigned by an external DHCP server on the network. In this case, the interface is a DHCP client. Virtual interfaces, however, cannot be DHCP clients. You have to assign the IP address and subnet mask manually.

In general, the IP address and subnet mask of each interface should not overlap, though it is possible for this to happen with DHCP clients.

In the example above, if the Zyxel Device gets a packet with a destination address of 5.5.5.5, it might not find any entries in the routing table. In this case, the packet is dropped. However, if there is a default router to which the Zyxel Device should send this packet, you can specify it as a gateway in one of the interfaces. For example, if there is a default router at 200.200.200.100, you can create a gateway at 200.200.200.100 on ge2. In this case, the Zyxel Device creates the following entry in the routing table.

Table 127 Example: Routing Table Entry for a Gateway

IP ADDRESS(ES)      DESTINATION
0.0.0.0/0           200.200.200.100

The gateway is an optional setting for each interface. If there is more than one gateway, the Zyxel Device uses the gateway with the lowest metric, or cost. If two or more gateways have the same metric, the Zyxel Device uses the one that was set up first (the first entry in the routing table). In PPPoE/PPTP/L2TP interfaces, the other computer is the gateway for the interface by default. In this case, you should specify the metric.

If the interface gets its IP address and subnet mask from a DHCP server, the DHCP server also specifies the gateway, if any.
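The routing behaviour described above (interface entries, an optional default route per gateway, lowest metric first and the earliest entry winning a tie), as an added example that is not Zyxel code. The addresses reproduce Tables 126 and 127; the extra gateway addresses used for the metric comparison are constructed.

```python
"""Longest-prefix routing lookup with interface routes and gateway default routes.

Added example, not Zyxel code; the addresses reproduce Tables 126 and 127.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # 100.100.1.1/16 on lan1 -> 100.100.0.0/16
    destination: str                # interface name, or next-hop IP for a gateway
    metric: int                     # cost; only gateway entries carry a user-set metric
    order: int                      # position in the table (earlier = set up first)


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add_interface(self, name, ip_with_prefix):
        """Entry derived from an interface's IP address and subnet mask."""
        net = ipaddress.ip_interface(ip_with_prefix).network
        self.routes.append(Route(net, name, 0, len(self.routes)))

    def add_gateway(self, gateway_ip, metric=0):
        """Default route (0.0.0.0/0) via a gateway configured on an interface."""
        net = ipaddress.ip_network("0.0.0.0/0")
        gw = str(ipaddress.ip_address(gateway_ip))
        self.routes.append(Route(net, gw, metric, len(self.routes)))

    def lookup(self, dst):
        """Interface or gateway for dst, or None when no entry matches (packet dropped)."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        # longest prefix first; among equal prefixes (several default
        # gateways) the lowest metric, then the entry that was set up first
        best = min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric, r.order))
        return best.destination


def build_example():
    """Table 126: lan1 100.100.1.1/16 and wan1 200.200.200.1/24, no gateway yet."""
    rt = RoutingTable()
    rt.add_interface("lan1", "100.100.1.1/16")
    rt.add_interface("wan1", "200.200.200.1/24")
    return rt


if __name__ == "__main__":
    rt = build_example()
    for dst in ("100.100.25.25", "200.200.200.200", "5.5.5.5"):
        print(dst, "->", rt.lookup(dst))       # lan1, wan1, None (dropped)
    rt.add_gateway("200.200.200.100")          # Table 127
    print("5.5.5.5 ->", rt.lookup("5.5.5.5"))  # 200.200.200.100
```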
Interface Parameters
The Zyxel Device restricts the amount of traffic into and out of the Zyxel Device through each interface.
· Egress bandwidth sets the amount of traffic the Zyxel Device sends out through the interface to the network.
· Ingress bandwidth sets the amount of traffic the Zyxel Device allows in through the interface from the network. At the time of writing, the Zyxel Device does not support ingress bandwidth management.
If you set the bandwidth restrictions very high, you effectively remove the restrictions.
The Zyxel Device also restricts the size of each data packet. The maximum number of bytes in each packet is called the maximum transmission unit (MTU). If a packet is larger than the MTU, the Zyxel Device divides it into smaller fragments. Each fragment is sent separately, and the original packet is reassembled later. The smaller the MTU, the more fragments sent, and the more work required to reassemble packets correctly. On the other hand, some communication channels, such as Ethernet over ATM, might not be able to handle large data packets.
DHCP Settings
Dynamic Host Configuration Protocol (DHCP, RFC 2131, RFC 2132) provides a way to automatically set up and maintain IP addresses, subnet masks, gateways, and some network information (such as the IP addresses of DNS servers) on computers on the network. This reduces the amount of manual configuration you have to do and usually uses available IP addresses more efficiently.
In DHCP, every network has at least one DHCP server. When a computer (a DHCP client) joins the network, it submits a DHCP request. The DHCP servers get the request; assign an IP address; and provide the IP address, subnet mask, gateway, and available network information to the DHCP client. When the DHCP client leaves the network, the DHCP servers can assign its IP address to another DHCP client.
In the Zyxel Device, some interfaces can provide DHCP services to the network. In this case, the interface can be a DHCP relay or a DHCP server.
As a DHCP relay, the interface routes DHCP requests to DHCP servers on different networks. You can specify more than one DHCP server. If you do, the interface routes DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously.
As a DHCP server, the interface provides the following information to DHCP clients.

· IP address - If the DHCP client's MAC address is in the Zyxel Device's static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size.
Table 128 Example: Assigning IP Addresses from a Pool

START IP ADDRESS    POOL SIZE    RANGE OF ASSIGNED IP ADDRESSES
50.50.50.33         5            50.50.50.33 - 50.50.50.37
75.75.75.1          200          75.75.75.1 - 75.75.75.200
99.99.1.1           1023         99.99.1.1 - 99.99.4.255
120.120.120.100     100          120.120.120.100 - 120.120.120.199

The Zyxel Device cannot assign the first address (network address) or the last address (broadcast address) on the subnet defined by the interface's IP address and subnet mask. For example, in the first entry, if the subnet mask is 255.255.255.0, the Zyxel Device cannot assign 50.50.50.0 or 50.50.50.255. If the subnet mask is 255.255.0.0, the Zyxel Device cannot assign 50.50.0.0 or 50.50.255.255. Otherwise, it can assign every IP address in the range, except the interface's IP address.
If you do not specify the starting address or the pool size, the interface uses the maximum range of IP addresses allowed by the interface's IP address and subnet mask. For example, if the interface's IP address is 9.9.9.1 and subnet mask is 255.255.255.0, the starting IP address in the pool is 9.9.9.2, and the pool size is 253.
· Subnet mask - The interface provides the same subnet mask you specify for the interface. See IP Address Assignment on page 321.
· Gateway - The interface provides the same gateway you specify for the interface. See IP Address Assignment on page 321.
· DNS servers - The interface provides IP addresses for up to three DNS servers that provide DNS services for DHCP clients. You can specify each IP address manually (for example, a company's own DNS server), or you can refer to DNS servers that other interfaces received from DHCP servers (for example, a DNS server at an ISP). These other interfaces have to be DHCP clients.

It is not possible for an interface to be the DHCP server and a DHCP client simultaneously.
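The pool arithmetic described above, as an added example that is not Zyxel code: the range a start address and pool size define (Table 128), the default pool when neither is configured, and the addresses actually assignable once the network address, broadcast address and interface address are excluded. The interface addresses are constructed, and skipping pool addresses that fall outside the interface's subnet is an assumption the guide does not state.

```python
"""DHCP pool arithmetic for an interface acting as DHCP server.

Added example, not Zyxel code. Interface addresses are constructed; skipping
pool addresses outside the interface's subnet is an assumption.
"""
import ipaddress


def pool_range(start_ip, pool_size):
    """First and last address of a pool: 50.50.50.33 + size 5 -> .33 to .37."""
    start = ipaddress.IPv4Address(start_ip)
    return str(start), str(start + (pool_size - 1))


def default_pool(interface_ip_with_mask):
    """Pool used when no start address or size is given: every host address of
    the interface's subnet except the interface's own. 9.9.9.1/24 -> (9.9.9.2, 253)."""
    iface = ipaddress.ip_interface(interface_ip_with_mask)
    hosts = [h for h in iface.network.hosts() if h != iface.ip]
    return str(hosts[0]), len(hosts)


def assignable(interface_ip_with_mask, start_ip, pool_size):
    """Addresses the interface can hand out from a configured pool: the pool
    minus the network address, the broadcast address and the interface's IP."""
    iface = ipaddress.ip_interface(interface_ip_with_mask)
    net = iface.network
    excluded = {net.network_address, net.broadcast_address, iface.ip}
    start = ipaddress.IPv4Address(start_ip)
    candidates = (start + i for i in range(pool_size))
    # assumption: addresses outside the interface's subnet are skipped as well
    return [str(a) for a in candidates if a in net and a not in excluded]


if __name__ == "__main__":
    for start, size in (("50.50.50.33", 5), ("75.75.75.1", 200),
                        ("99.99.1.1", 1023), ("120.120.120.100", 100)):
        print(start, size, pool_range(start, size))
    print(default_pool("9.9.9.1/24"))                       # ('9.9.9.2', 253)
    print(assignable("50.50.50.1/24", "50.50.50.252", 5))   # .252, .253, .254
```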

WINS
WINS (Windows Internet Naming Service) is the Windows implementation of a NetBIOS Name Server (NBNS). It keeps track of NetBIOS computer names. It stores a mapping table of your network's computer names and IP addresses. The table is dynamically updated for IP addresses assigned by DHCP. This helps reduce broadcast traffic since computers can query the server instead of broadcasting a request for a computer name's IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server.

PPPoE/PPTP/L2TP Overview
Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages:
· The access and authentication method works with existing systems, including RADIUS.
· You can access one of several network services. This makes it easier for the service provider to offer the service.
· PPPoE does not usually require any special configuration of the modem.

PPTP is used to set up virtual private networks (VPN) in unsecured TCP/IP environments. It sets up two sessions.
1 The first one runs on TCP port 1723. It is used to start and manage the second one.
2 The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers.
PPTP is convenient and easy to use, but you have to make sure that firewalls support both PPTP sessions.
Layer 2 Tunneling Protocol (L2TP) was derived from Microsoft's PPTP and Cisco's L2F (Layer 2 Forwarding technology), so L2TP combines PPTP's control and runs over a faster transport protocol, UDP, although it may be a bit more complicated to set up. It supports up to 256 bit session keys using the IPSec protocol. When security is a priority, L2TP is a good option as it requires certificates unlike PPTP. It uses the following ports: UDP 500, Protocol 50, UDP 1701 and UDP 4500.
CHAPTER 10 Routing

10.1 Policy and Static Routes Overview
Use policy routes and static routes to override the Zyxel Device's default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the Zyxel Device's LAN interface. The Zyxel Device routes most traffic from A to the Internet through the Zyxel Device's default gateway (R1). You create one policy route to connect to services offered by your ISP behind router R2. You create another policy route to communicate with a separate network behind another router (R3) connected to the LAN.
Figure 220 Example of Policy Routing Topology
Note: You can generally just use policy routes. You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers.

10.1.1 What You Can Do in this Chapter
· Use the Policy Route screens (see Section 10.2 on page 327) to list and configure policy routes.
· Use the Static Route screens (see Section 10.3 on page 334) to list and configure static routes.
10.1.2 What You Need to Know

Policy Routing
Traditionally, routing is based on the destination address only and the Zyxel Device takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.

How You Can Use Policy Routing
· Source-Based Routing - Network administrators can use policy-based routing to direct traffic from different users through different connections.
· Bandwidth Shaping - You can allocate bandwidth to traffic that matches routing policies and prioritize traffic (however the application patrol's bandwidth management is more flexible and recommended for TCP and UDP traffic). You can also use policy routes to manage other types of traffic (like ICMP traffic) and send traffic through VPN tunnels.
Note: Bandwidth management in policy routes has priority over application patrol bandwidth management.
· Cost Savings - IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic.
· Load Sharing - Network administrators can use IPPR to distribute traffic among multiple paths.
· NAT - The Zyxel Device performs NAT by default for traffic going to or from the WAN interfaces. A routing policy's SNAT allows network administrators to have traffic received on a specified interface use a specified IP address as the source IP address.
Note: The Zyxel Device automatically uses SNAT for traffic it routes from internal interfaces to external interfaces, for example LAN to WAN traffic.

Static Routes
The Zyxel Device usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the Zyxel Device send data to devices not reachable through the default gateway, use static routes. Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Chapter 10 on page 336 for more on RIP and OSPF.

Policy Routes Versus Static Routes
· Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management.
· Policy routes are only used within the Zyxel Device itself. Static routes can be propagated to other routers using RIP or OSPF.
· Policy routes take priority over static routes. If you need to use a routing policy on the Zyxel Device and propagate it to other routers, you could configure a policy route and an equivalent static route.
DiffServ
QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.
DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.

DSCP Marking and Per-Hop Behavior
DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.

DS field: DSCP (6 bits) | Unused (2 bits)

DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping.
The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.

10.2 Policy Route Screen
Click Configuration > Network > Routing to open the Policy Route screen. Use this screen to see the configured policy routes and turn policy routing based bandwidth management on or off.
A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port.
The actions that can be taken include:
· Routing the packet to a different gateway, outgoing interface, VPN tunnel, or trunk.
· Limiting the amount of bandwidth available and setting a priority for traffic.
IPPR follows the existing packet filtering facility of RAS in style and in implementation.
If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure policy routes used for your IPv6 networks on this screen.
Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information.
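The matching model described in this section (rules applied in numbered order, a rule acting only when all its criteria match, DSCP code as a criterion and DSCP marking as an action) together with the DS-field layout from the DiffServ section above, as an added example that is not Zyxel code. Rule contents, interface names and addresses are constructed; the afXY to DSCP numbering (8X + 2Y) comes from RFC 2597 rather than from the guide.

```python
"""Policy route matching with DSCP criteria and DSCP marking.

Added example, not Zyxel code. Rules, interfaces and addresses are constructed;
the AF code-point arithmetic (afXY -> 8*X + 2*Y) is from RFC 2597.
"""
import ipaddress


def dscp_from_tos(tos_byte):
    """DS field: the 6-bit DSCP sits in the high bits of the old ToS octet."""
    return (tos_byte >> 2) & 0x3F


def tos_from_dscp(dscp, unused=0):
    """Rebuild the octet: DSCP in the top 6 bits, the 2 unused bits below."""
    return ((dscp & 0x3F) << 2) | (unused & 0x03)


def ip_precedence(dscp):
    """The three ToS precedence bits are the top three DSCP bits, which is why
    a ToS-only device still reads a sensible precedence from a DSCP mark."""
    return (dscp >> 3) & 0x07


# Named code points the policy route screens offer: default (0) and af11..af43.
DSCP_NAMES = {"default": 0}
DSCP_NAMES.update({f"af{c}{d}": 8 * c + 2 * d
                   for c in range(1, 5) for d in range(1, 4)})


def dscp_value(name_or_int):
    """'af41' -> 34, 'default' -> 0; an int is a user-defined code point."""
    return DSCP_NAMES[name_or_int] if isinstance(name_or_int, str) else int(name_or_int)


CRITERIA = ("user", "incoming", "source", "destination", "dscp",
            "protocol", "port", "source_port")


class PolicyRoute:
    def __init__(self, number, next_hop, dscp_marking="preserve", snat="none", **criteria):
        self.number = number              # rules are applied in numbered order
        self.next_hop = next_hop          # gateway, VPN tunnel, interface or trunk
        self.dscp_marking = dscp_marking  # preserve, default, afXY or an int
        self.snat = snat                  # none, outgoing-interface or an address
        self.criteria = {k: criteria.get(k, "any") for k in CRITERIA}  # omitted = any

    def matches(self, pkt):
        """True only when every criterion matches the packet."""
        for key, want in self.criteria.items():
            if want == "any":
                continue
            have = pkt[key]
            if key in ("source", "destination"):
                if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif key == "dscp":
                if dscp_value(want) != have:
                    return False
            elif want != have:
                return False
        return True


def route(rules, pkt):
    """First matching rule in number order; None means fall back to normal routing.
    Returns (rule number, next hop, DSCP of the outgoing packet, SNAT)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            if rule.dscp_marking == "preserve":
                out_dscp = pkt["dscp"]
            else:
                out_dscp = dscp_value(rule.dscp_marking)
            return rule.number, rule.next_hop, out_dscp, rule.snat
    return None


def packet(incoming, source, destination, protocol, port, dscp=0,
           user="unknown", source_port=0):
    """Constructed packet summary with the fields a policy route can match on."""
    return dict(incoming=incoming, source=source, destination=destination,
                protocol=protocol, port=port, dscp=dscp, user=user,
                source_port=source_port)


def example_rules():
    """Constructed rules: 1) HTTPS from the LAN subnet out via wan2, marked af41
    and SNATed; 2) anything from lan1 already marked af11 into the HQ tunnel."""
    return [
        PolicyRoute(1, "wan2", dscp_marking="af41", snat="outgoing-interface",
                    incoming="lan1", source="192.168.1.0/24", protocol="tcp", port=443),
        PolicyRoute(2, "vpn-to-hq", dscp_marking="preserve",
                    incoming="lan1", dscp="af11"),
    ]


if __name__ == "__main__":
    rules = example_rules()
    print(route(rules, packet("lan1", "192.168.1.10", "203.0.113.5", "tcp", 443)))
    print(route(rules, packet("lan1", "10.0.0.5", "10.10.0.53", "udp", 53, dscp=10)))
    print(route(rules, packet("wan1", "198.51.100.7", "192.168.1.10", "tcp", 443)))
```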

Figure 221 Configuration > Network > Routing > Policy Route

The following table describes the labels in this screen.

Table 129 Configuration > Network > Routing > Policy Route

LABEL    DESCRIPTION

Show Filter / Hide Filter
Click this button to display a greater or lesser number of configuration fields.

IPv4 Configuration / IPv6 Configuration
Use the IPv4 Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network. Both sections have similar fields as described below.

Use IPv4/IPv6 Policy Route to Override Direct Route
Select this to have the Zyxel Device forward packets that match a policy route according to the policy route instead of sending the packets directly to a connected network.

Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate
To turn on an entry, select it and click Activate.

Inactivate
To turn off an entry, select it and click Inactivate.

Move
To change a rule's position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
The ordering of your rules is important as they are applied in order of their numbering.


Table 129 Configuration > Network > Routing > Policy Route (continued)

LABEL    DESCRIPTION

#
This is the number of an individual policy route.

Status
This icon is lit when the entry is active, red when the next hop's connection is down, and dimmed when the entry is inactive.

User
This is the name of the user (group) object from which the packets are sent. any means all users.

Schedule
This is the name of the schedule object. none means the route is active at all times if enabled.

Incoming
This is the interface on which the packets are received.

Source
This is the name of the source IP address (group) object, including geographic address and FQDN (group) objects. any means all IP addresses.

Destination
This is the name of the destination IP address (group) object, including geographic and FQDN (group) address objects. any means all IP addresses.

DSCP Code
This is the DSCP value of incoming packets to which this policy route applies.
any means all DSCP values or no DSCP marker.
default means traffic with a DSCP value of 0. This is usually best effort traffic.
The "af" entries stand for Assured Forwarding. The number following the "af" identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.

Service
This is the name of the service object. any means all services.

Source Port
This is the name of a service object. The Zyxel Device applies the policy route to the packets sent from the corresponding service port. any means all service ports.

Next-Hop
This is the next hop to which packets are directed. It helps forward packets to their destinations and can be a router, VPN tunnel, outgoing interface or trunk.

DSCP Marking
This is how the Zyxel Device handles the DSCP value of the outgoing packets that match this route. If this field displays a DSCP value, the Zyxel Device applies that DSCP value to the route's outgoing packets.
preserve means the Zyxel Device does not modify the DSCP value of the route's outgoing packets.
default means the Zyxel Device sets the DSCP value of the route's outgoing packets to 0.
The "af" choices stand for Assured Forwarding. The number following the "af" identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.

SNAT
This is the source IP address that the route uses.
It displays none if the Zyxel Device does not perform NAT for this route.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.

10.2.1 Policy Route Edit Screen
Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon in the IPv4 Configuration or IPv6 Configuration section. The Add Policy Route or Policy Route Edit screen opens. Use this screen to configure or edit a policy route. Both IPv4 and IPv6 policy routes have similar settings except the Address Translation (SNAT) settings.

Figure 222 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration)
Figure 223 Configuration > Network > Routing > Policy Route > Add/Edit (IPv6 Configuration)

The following table describes the labels in this screen.

Table 130 Configuration > Network > Routing > Policy Route > Add/Edit

LABEL    DESCRIPTION

Show Advanced Settings / Hide Advanced Settings
Click this button to display a greater or lesser number of configuration fields.

Create new Object
Use this to configure any new settings objects that you need to use in this screen.

Configuration

Enable
Select this to activate the policy.

Description
Enter a descriptive name of up to 31 printable ASCII characters for the policy.

Criteria

User
Select a user name or user group from which the packets are sent.

Incoming
Select where the packets are coming from; any, an interface, a tunnel, an SSL VPN, or the Zyxel Device itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection.

Source Address
Select a source IP address object, including geographic address and FQDN (group) objects, from which the packets are sent.

Destination Address
Select a destination IP address object, including geographic address and FQDN (group) objects, to which the traffic is being sent. If the next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the Zyxel Device uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here.


Table 130 Configuration > Network > Routing > Policy Route > Add/Edit (continued)

LABEL    DESCRIPTION

DSCP Code
Select a DSCP code point value of incoming packets to which this policy route applies or select User Define to specify another DSCP code point. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment.
any means all DSCP values or no DSCP marker.
default means traffic with a DSCP value of 0. This is usually best effort traffic.
The "af" choices stand for Assured Forwarding. The number following the "af" identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.

User-Defined DSCP Code
Use this field to specify a custom DSCP code point when you select User Define in the previous field.

Schedule
Select a schedule to control when the policy route is active. none means the route is active at all times if enabled.

Service
Select a service or service group to identify the type of traffic to which this policy route applies.

Source Port
Select a service or service group to identify the source port of packets to which the policy route applies.

Next-Hop Type
Select Auto to have the Zyxel Device use the routing table to find a next-hop and forward the matched packets automatically.
Select Gateway to route the matched packets to the next-hop router or switch you specified in the Gateway field. You have to set up the next-hop router or switch as a HOST address object first.
Select VPN Tunnel to route the matched packets via the specified VPN tunnel.
Select Trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm.
Select Interface to route the matched packets through the specified outgoing interface to a gateway (which is connected to the interface).

Gateway
This field displays when you select Gateway in the Type field. Select a HOST address object. The gateway is an immediate neighbor of your Zyxel Device that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your Zyxel Device's interface(s).

VPN Tunnel
This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the Zyxel Device directly.

Auto Destination Address
This field displays when you select VPN Tunnel in the Type field. Select this to have the Zyxel Device use the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy.
Leave this cleared if you want to manually specify the destination address.

Trunk
This field displays when you select Trunk in the Type field. Select a trunk group to have the Zyxel Device send the packets via the interfaces in the group.

Interface
This field displays when you select Interface in the Type field. Select an interface to have the Zyxel Device send traffic that matches the policy route through the specified interface.


Table 130 Configuration > Network > Routing > Policy Route > Add/Edit (continued)

LA BEL DSCP Marking

DESC RIPTIO N
Set how the Zyxel Device handles the DSCP value of the outgoing packets that match this route.

Select one of the pre-defined DSCP values to apply or select Use r De fine to specify another DSCP value. The "a f" choices stand for Assured Forwarding. The number following the "a f" identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.

Select pre se rve to have the Zyxel Device keep the packets' original DSCP value.

User-Defined DSCP Marking Address Translation
Source Network Address Translation

Select de fa ult to have the Zyxel Device set the DSCP value of the packets to 0. Use this field to specify a custom DSCP value.
Use this section to configure NAT for the policy route. This section does not apply to policy routes that use a VPN tunnel as the next hop. Select no ne to not use NAT for the route.
Select o utg o ing - inte rfa c e to use the IP address of the outgoing interface as the source IP address of the packets that matches this route.

To use SNAT for a virtual interface that is in the same WAN trunk as the physical interface to which the virtual interface is bound, the virtual interface and physical interface must be in different subnets.

Otherwise, select a pre-defined address (group) to use as the source IP address(es) of the packets that match this route.

Healthy Check
Disable policy route automatically while Interface link down Enable Connectivity Check Check Method:

Use C re a te ne w O b je c t if you need to configure a new address (group) to use as the source IP address(es) of the packets that match this route. Use this part of the screen to configure a route connectivity check and disable the policy if the interface is down. Select this to disable the policy if the interface is down or disabled. This is available for Inte rfa c e and Trunk in the Type field above.
Select this to turn on the connection check. This is available for Inte rfa c e and G a te wa y in the Type field above. Select the method that the gateway allows.

Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available.

Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available.

Check Period:

Enter the number of seconds between connection check attempts (5-600 seconds).

Check Timeout:

Enter the number of seconds to wait for a response before the attempt is a failure (1-10 seconds).

Check Fail Tolerance: Enter the number of consecutive failures before the Zyxel Device stops routing using this policy (1-10).

Check Port:

This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check (1-65535).

Check this address:

Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.
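The connectivity check fields above (Check Method, Check Period, Check Timeout, Check Fail Tolerance, Check Port) together form a small state machine: a route stays usable until the configured number of consecutive probe failures is reached, and a single successful probe resets the count. The following Python is an added illustration of that logic, not Zyxel firmware code; it validates the field ranges the screen description gives, simulates a sequence of probe results (constructed here), and includes a real TCP-handshake probe for use outside the simulation. The class and function names are the example's own.

```python
"""Policy-route connectivity check modelled on the Healthy Check fields.

Added example, not Zyxel code. Field ranges follow the screen description:
period 5-600 s, timeout 1-10 s, fail tolerance 1-10, TCP port 1-65535.
"""
import socket
from dataclasses import dataclass, field
from typing import List


@dataclass
class ConnectivityCheck:
    method: str              # "icmp" or "tcp" (Check Method)
    period: int              # seconds between probes (Check Period, 5-600)
    timeout: int             # seconds to wait for a reply (Check Timeout, 1-10)
    fail_tolerance: int      # consecutive failures before the route is disabled (1-10)
    port: int = 0            # Check Port, only meaningful when method == "tcp"
    failures: int = field(default=0, init=False)
    route_active: bool = field(default=True, init=False)

    def __post_init__(self) -> None:
        # Reject values outside the ranges the screen allows.
        if self.method not in ("icmp", "tcp"):
            raise ValueError("method must be icmp or tcp")
        if not 5 <= self.period <= 600:
            raise ValueError("check period must be 5-600 seconds")
        if not 1 <= self.timeout <= 10:
            raise ValueError("check timeout must be 1-10 seconds")
        if not 1 <= self.fail_tolerance <= 10:
            raise ValueError("fail tolerance must be 1-10")
        if self.method == "tcp" and not 1 <= self.port <= 65535:
            raise ValueError("TCP check needs a port in 1-65535")

    def record(self, reachable: bool) -> bool:
        """Feed one probe result; return whether the route is still usable.

        A success clears the failure counter and re-enables the route; the
        route is disabled once failures reach the fail tolerance.
        """
        if reachable:
            self.failures = 0
            self.route_active = True
        else:
            self.failures += 1
            if self.failures >= self.fail_tolerance:
                self.route_active = False
        return self.route_active


def tcp_probe(host: str, port: int, timeout: int) -> bool:
    """A TCP-handshake probe: connect and close. Returns False on refusal,
    unreachable host, or timeout (all surface as OSError)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def simulate(check: ConnectivityCheck, results: List[bool]) -> List[bool]:
    """Replay constructed probe outcomes; return the route state after each."""
    return [check.record(r) for r in results]


if __name__ == "__main__":
    check = ConnectivityCheck("tcp", period=30, timeout=5, fail_tolerance=3, port=443)
    print(simulate(check, [True, False, False, True, False, False, False, True]))
```

With a fail tolerance of 3, two failures followed by a success leave the route active, and only the third consecutive failure disables it; the next success brings it back.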


Chapter 10 Routing
10.3 IP Static Route Screen
Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure static routes used for your IPv6 networks on this screen.

Figure 224 Configuration > Network > Routing > Static Route

The following table describes the labels in this screen.

Table 131 Configuration > Network > Routing > Static Route

LABEL

DESCRIPTION

IPv4 Configuration / IPv6 Configuration

Use the IPv4 Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network. Both sections have similar fields as described below.

Add

Click this to create a new static route.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

#

This is the number of an individual static route.

Destination

This is the destination IP address.

Subnet Mask

This is the IP subnet mask.

Prefix

This is the IPv6 prefix for the destination IP address.

Next-Hop

This is the IP address of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your Zyxel Device's interface(s). The gateway helps forward packets to their destinations.

Metric

This is the route's priority among the Zyxel Device's routes. The smaller the number, the higher priority the route has.

10.3.1 Static Route Add/Edit Screen
Select a static route index number and click Add or Edit. The screen shown next appears. Use this screen to configure the required information for a static route.


Figure 225 Configuration > Network > Routing > Static Route > Add (IPv4 Configuration)

Figure 226 Configuration > Network > Routing > Static Route > Add (IPv6 Configuration)

The following table describes the labels in this screen.

Table 132 Configuration > Network > Routing > Static Route > Add

LABEL

DESCRIPTION

Destination IP

This parameter specifies the IP network address of the final destination. Routing is always based on network number.

If you need to specify a route to a single host, enter the specific IP address here and use a subnet mask of 255.255.255.255 (for IPv4) in the Subnet Mask field or a prefix of 128 (for IPv6) in the Prefix Length field to force the network number to be identical to the host ID.

For IPv6, if you want to send all traffic to the gateway or interface specified in the Gateway IP or Interface field, enter :: in this field and 0 in the Prefix Length field.

Subnet Mask

Enter the IP subnet mask here.

Prefix Length

Enter the number of left-most digits in the destination IP address, which indicates the network prefix. Enter :: in the Destination IP field and 0 in this field if you want to send all traffic to the gateway or interface specified in the Gateway IP or Interface field.

Gateway IP

Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your Zyxel Device's interface(s). The gateway helps forward packets to their destinations.

Interface

Select the radio button and a predefined interface through which the traffic is sent.

Metric

Metric represents the "cost" of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be 0~127. In practice, 2 or 3 is usually a good number.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.
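The Static Route fields describe a table that is consulted by network number: a /32 (or /128) entry is a host route, 0.0.0.0/0 (or ::/0 with prefix length 0) is a default route, and among routes that match a destination the longest prefix wins, with the lower metric breaking ties. The Python below is an added example of that lookup, not Zyxel code; the sample route entries, next hops and interface name lan2 are constructed for illustration, and the Metric range check uses the 0~127 bound given in the table.

```python
"""Longest-prefix-match lookup over a static route table.

Added example, not Zyxel code. Entries mirror the Destination / Subnet Mask
(Prefix Length) / Gateway IP or Interface / Metric fields of the screen.
"""
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class StaticRoute:
    def __init__(self, destination: str, next_hop: str, metric: int) -> None:
        # strict=False accepts "host/mask" entries such as 10.20.30.7/255.255.255.255;
        # the mask may also be written as a prefix length (/24, /128).
        self.network: Network = ipaddress.ip_network(destination, strict=False)
        self.next_hop = next_hop      # gateway IP address or interface name
        if not 0 <= metric <= 127:    # Metric range given in the table
            raise ValueError("metric must be 0-127")
        self.metric = metric


def lookup(routes: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Best route for dst: longest matching prefix first; among equal prefix
    lengths the smallest metric, since a smaller number is a higher priority."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes
                  if r.network.version == addr.version and addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def sample_table() -> List[StaticRoute]:
    """Constructed sample entries (addresses from documentation ranges)."""
    return [
        StaticRoute("0.0.0.0/0", "203.0.113.1", 10),             # IPv4 default route
        StaticRoute("10.20.0.0/16", "192.168.1.254", 5),
        StaticRoute("10.20.30.0/24", "192.168.1.253", 5),
        StaticRoute("10.20.30.7/255.255.255.255", "lan2", 2),    # IPv4 host route
        StaticRoute("10.20.0.0/16", "192.168.1.250", 3),         # same prefix, lower metric
        StaticRoute("::/0", "2001:db8::1", 10),                  # IPv6 default route
        StaticRoute("2001:db8:1::5/128", "2001:db8:1::ff", 1),   # IPv6 host route
    ]


def next_hop_for(dst: str) -> Optional[str]:
    """Resolve a destination against the sample table."""
    route = lookup(sample_table(), dst)
    return route.next_hop if route else None


if __name__ == "__main__":
    for dst in ("10.20.30.7", "10.20.30.9", "10.20.99.1", "8.8.8.8", "2001:db8:1::5"):
        print(dst, "->", next_hop_for(dst))
```

Note that 10.20.99.1 resolves to 192.168.1.250 rather than 192.168.1.254: both /16 entries match, and the entry with metric 3 takes priority over the one with metric 5.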


10.4 Policy Routing Technical Reference
Here is more detailed information about some of the features you can configure in policy routing.

NAT and SNAT
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network. Use SNAT (Source NAT) to change the source IP address in one network to a different IP address in another network.

Assured Forwarding (AF) PHB for DiffServ

Assured Forwarding (AF) behavior is defined in RFC 2597. The AF behavior group defines four AF classes. Inside each class, packets are given a high, medium or low drop precedence. The drop precedence determines the probability that routers on the network will drop packets when congestion occurs. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.

Table 133 Assured Forwarding (AF) Behavior Group

                          CLASS 1     CLASS 2     CLASS 3     CLASS 4
Low Drop Precedence       AF11 (10)   AF21 (18)   AF31 (26)   AF41 (34)
Medium Drop Precedence    AF12 (12)   AF22 (20)   AF32 (28)   AF42 (36)
High Drop Precedence      AF13 (14)   AF23 (22)   AF33 (30)   AF43 (38)
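The twelve values in Table 133 are not arbitrary: RFC 2597 places the AF class in the upper three bits of the DSCP and the drop precedence in the next two, so AFxy has the decimal DSCP 8x + 2y, and the DSCP itself sits in the top six bits of the IP DS (TOS) byte. The Python below is an added example, not Zyxel code: it derives the table from that rule instead of hard-coding it, and decodes a raw DS byte back to its AF name the way a packet classifier would. The function names are the example's own.

```python
"""Assured Forwarding DSCP encoding and decoding (RFC 2597).

Added example, not Zyxel code. AFxy -> DSCP = 8*x + 2*y for class x in 1-4
and drop precedence y in 1-3; the DSCP is bits 7..2 of the DS/TOS byte.
"""
from typing import Dict, Optional, Tuple

DROP_NAMES = {1: "Low", 2: "Medium", 3: "High"}


def af_to_dscp(af_class: int, drop: int) -> int:
    """AFxy -> DSCP decimal value (AF11 -> 10, AF43 -> 38)."""
    if not 1 <= af_class <= 4 or not 1 <= drop <= 3:
        raise ValueError("AF class is 1-4, drop precedence is 1-3")
    return 8 * af_class + 2 * drop


def dscp_to_af(dscp: int) -> Optional[Tuple[int, int]]:
    """DSCP -> (class, drop) if it is one of the twelve AF code points, else None.

    Non-AF code points such as EF (46) or the class selectors (8, 16, ...)
    return None because either the class is outside 1-4 or the drop
    precedence is outside 1-3.
    """
    af_class, rem = divmod(dscp, 8)
    drop, odd = divmod(rem, 2)
    if odd or not 1 <= af_class <= 4 or not 1 <= drop <= 3:
        return None
    return af_class, drop


def decode_tos(tos_byte: int) -> str:
    """Parse a DS/TOS byte from an IP header: DSCP is bits 7..2, ECN bits 1..0."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("TOS byte must be 0-255")
    dscp = tos_byte >> 2
    pair = dscp_to_af(dscp)
    if pair is None:
        return f"DSCP {dscp} (not an AF code point)"
    return f"AF{pair[0]}{pair[1]} ({DROP_NAMES[pair[1]]} drop precedence)"


def af_table() -> Dict[str, int]:
    """Rebuild Table 133 as {'AF11': 10, ..., 'AF43': 38} from the formula."""
    return {f"AF{c}{d}": af_to_dscp(c, d) for c in range(1, 5) for d in range(1, 4)}


if __name__ == "__main__":
    for name, value in af_table().items():
        print(name, value)
    print(decode_tos(0x28), "|", decode_tos(0xB8))
```

A DS byte of 0x28 decodes to AF11 (the DSCP 10 shifted left two bits), whereas 0xB8 carries DSCP 46, the Expedited Forwarding code point, which is outside the AF group.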

Maximize Bandwidth Usage
The maximize bandwidth usage option allows the Zyxel Device to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a policy route is not using) among the policy routes that require more bandwidth.
When you enable maximize bandwidth usage, the Zyxel Device first makes sure that each policy route gets up to its bandwidth allotment. Next, the Zyxel Device divides up an interface's available bandwidth (bandwidth that is unbudgeted or unused by the policy routes) depending on how many policy routes require more bandwidth and on their priority levels. When only one policy route requires more bandwidth, the Zyxel Device gives the extra bandwidth to that policy route.
When multiple policy routes require more bandwidth, the Zyxel Device gives the highest priority policy routes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The Zyxel Device distributes the available bandwidth equally among policy routes with the same priority level.
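The three paragraphs above describe an allocation algorithm: first satisfy each policy route up to its own budget, then hand the interface's leftover bandwidth to routes that still want more, highest priority first, and split it equally within a priority level. The Python below is an added example of that algorithm, not Zyxel code. Two points are assumptions of the example rather than statements of the guide: a smaller priority number is treated as a higher priority, and "equally" is implemented as water-filling, so a route that needs less than its equal share takes only what it needs and the rest is re-split among its peers. Bandwidth units are kbps and the sample routes are constructed.

```python
"""Maximize Bandwidth Usage allocation, as described in the technical reference.

Added example, not Zyxel code. Assumptions: smaller priority number = higher
priority; equal split within a priority level is done by water-filling.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    priority: int   # smaller number = higher priority (assumption of this example)
    budget: int     # guaranteed bandwidth allotment, kbps
    demand: int     # bandwidth the route's traffic currently wants, kbps


def allocate(interface_bw: int, routes: List[PolicyRoute]) -> Dict[str, int]:
    # Step 1: every route gets up to its own allotment.
    alloc = {r.name: min(r.budget, r.demand) for r in routes}
    # Leftover = unbudgeted bandwidth + budget that routes are not using.
    available = interface_bw - sum(alloc.values())
    if available < 0:
        raise ValueError("allotments exceed interface bandwidth")

    # Step 2: group the routes that still want more by priority level.
    by_priority: Dict[int, List[PolicyRoute]] = {}
    for r in routes:
        if r.demand > alloc[r.name]:
            by_priority.setdefault(r.priority, []).append(r)

    # Highest priority level first; lower levels only see what is left.
    for prio in sorted(by_priority):
        if available <= 0:
            break
        pending = {r.name: r.demand - alloc[r.name] for r in by_priority[prio]}
        while pending and available > 0:
            share = available // len(pending)
            if share == 0:
                break
            satisfied = [n for n, need in pending.items() if need <= share]
            if satisfied:
                # Routes needing less than an equal share take only their need;
                # the loop re-splits what they left among the rest.
                for n in satisfied:
                    alloc[n] += pending[n]
                    available -= pending.pop(n)
            else:
                # Nobody can be fully satisfied: everyone gets an equal share.
                for n in pending:
                    alloc[n] += share
                    pending[n] -= share
                    available -= share
    return alloc


def demo() -> Dict[str, int]:
    """Constructed scenario on a 10000 kbps interface."""
    routes = [
        PolicyRoute("voip", priority=1, budget=2000, demand=5000),
        PolicyRoute("crm", priority=2, budget=3000, demand=4000),
        PolicyRoute("backup", priority=2, budget=1000, demand=6000),
        PolicyRoute("guest", priority=3, budget=1000, demand=500),
    ]
    return allocate(10000, routes)


if __name__ == "__main__":
    print(demo())
```

In the demo the guaranteed allotments use 6500 kbps (guest only needs 500 of its 1000), leaving 3500 kbps. The priority 1 route takes the 3000 it still wants, and the remaining 500 is split 250/250 between the two priority 2 routes; the priority 3 route gets nothing beyond its own demand.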

10.5 Routing Protocols Overview
Routing protocols give the Zyxel Device routing information about the network from other routers. The Zyxel Device stores this routing information in the routing table it uses to make routing decisions. In turn, the Zyxel Device can also use routing protocols to propagate routing information to other routers.

Routing protocols are usually only used in networks using multiple routers like campuses or large enterprises.
· Use the RIP screen (see Section 10.6 on page 337) to configure the Zyxel Device to use RIP to receive and/or send routing information.
· Use the OSPF screen (see Section 10.7 on page 339) to configure general OSPF settings and manage OSPF areas.
· Use the OSPF Area Add/Edit screen (see Section 10.7.2 on page 343) to create or edit an OSPF area.
· Use the BGP screen (see Section 10.8 on page 346) to configure eBGP (exterior Border Gateway Protocol).

10.5.1 What You Need to Know

The Zyxel Device supports two standards, RIP and OSPF, for routing protocols. RIP and OSPF are compared here and discussed further in the rest of the chapter.

Table 134 RIP vs. OSPF

                 RIP                             OSPF
Network Size     Small (with up to 15 routers)   Large
Metric           Hop count                       Bandwidth, hop count, throughput, round trip time and reliability.
Convergence      Slow                            Fast

10.6 The RIP Screen
RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a vector-space routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest. Unfortunately, it also broadcasts its routes asynchronously to the network and converges slowly. Therefore, RIP is more suitable for small networks (up to 15 routers).
· In the Zyxel Device, you can configure two sets of RIP settings before you can use it in an interface.
· First, the Authentication field specifies how to verify that the routing information that is received is the same routing information that is sent.
· Second, the Zyxel Device can also redistribute routing information from non-RIP networks, specifically OSPF networks and static routes, to the RIP network. Costs might be calculated differently, however, so you use the Metric field to specify the cost in RIP terms.
· RIP uses UDP port 520.

Use the RIP screen to specify the authentication method and maintain the policies for redistribution.
Click Configuration > Network > Routing > RIP to open the following screen.

Figure 227 Configuration > Network > Routing > RIP

The following table describes the labels in this screen.

Table 135 Configuration > Network > Routing Protocol > RIP

LABEL

DESCRIPTION

Authentication

The transmitting and receiving routers must have the same key.

For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces.

Authentication

Select the authentication method used in the RIP network. This authentication protects the integrity, but not the confidentiality, of routing updates.

· None uses no authentication.
· Text uses a plain text password that is sent over the network (not very secure).
· MD5 uses an MD5 password and authentication ID (most secure).

Text Authentication Key

This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.

MD5 Authentication ID

This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255.

MD5 Authentication Key

This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.

Redistribute

Active OSPF

Select this to use RIP to advertise routes that were learned through OSPF.

Metric

Type the cost for routes provided by OSPF. The metric represents the "cost" of transmission for routing purposes. RIP routing uses hop count as the measurement of cost, with 1 usually used for directly connected networks. The number does not have to be precise, but it must be between 0 and 16. In practice, 2 or 3 is usually used.

Apply

Click this button to save your changes to the Zyxel Device.

Reset

Click this button to return the screen to its last-saved settings.

10.7 The OSPF Screen
OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS). OSPF offers some advantages over vector-space routing protocols like RIP.
· OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently.
· OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network.
· OSPF responds to changes on the network, such as the loss of a router, more quickly.
· OSPF considers several factors, including bandwidth, hop count, throughput, round trip time, and reliability, when it calculates the shortest path.
· OSPF converges more quickly than RIP.

Naturally, OSPF is also more complicated than RIP, so OSPF is usually more suitable for large networks. OSPF uses IP protocol 89.
OSPF Areas
An OSPF Autonomous System (AS) is divided into one or more areas. Each area represents a group of adjacent networks and is identified by a 32-bit ID. In OSPF, this number may be expressed as an integer or as an IP address. There are several types of areas.
· The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone.
· A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS, any networks outside the OSPF AS to which it is directly connected, and any networks outside the OSPF AS that provide routing information to any area in the OSPF AS.
· A stub area has routing information about the OSPF AS. It does not have any routing information about any networks outside the OSPF AS, including networks to which it is directly connected. It relies on a default route to send information outside the OSPF AS.
· A Not So Stubby Area (NSSA, RFC 1587) has routing information about the OSPF AS and networks outside the OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS.

Each type of area is illustrated in the following figure.
Figure 228 OSPF: Types of Areas

This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y. Area 2 is a stub area. It has routing information about the OSPF AS, but it depends on a default route to send information to networks X and Y. Area 3 is a NSSA. It has routing information about the OSPF AS and network Y but not about network X.

OSPF Routers

Every router in the same area has the same routing information. They do this by exchanging Hello messages to confirm which neighbor (layer-3) devices exist, and then they exchange database descriptions (DDs) to create a synchronized link-state database. The link-state database contains records of router IDs, their associated links and path costs. The link-state database is then constantly updated through Link State Advertisements (LSA). Each router uses the link state database and the Dijkstra algorithm to compute the least cost paths to network destinations.

Like areas, each router has a unique 32-bit ID in the OSPF AS, and there are several types of routers. Each type is really just a different role, and it is possible for one router to play multiple roles at one time.

· An internal router (IR) only exchanges routing information with other routers in the same area.

· An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them.

· An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF.
Table 136 OSPF: Redistribution from Other Sources to Each Type of Area

SOURCE \ TYPE OF AREA    NORMAL    NSSA    STUB
Static routes            Yes       Yes     No
RIP                      Yes       Yes     Yes

· A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR.

Each type of router is illustrated in the following example.

Figure 229 OSPF: Types of Routers
In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR). All of the routers only exchange information with the DR and the BDR, instead of exchanging information with all of the other routers in the group. The DR and BDR are selected by priority; if two routers have the same priority, the highest router ID is used. The DR and BDR are selected in each group of routers that are directly connected to each other. If a router is directly connected to several groups, it might be a DR in one group, a BDR in another group, and neither in a third group all at the same time.
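Two details in the OSPF text above are easy to get wrong in practice: an area or router ID is a 32-bit number that can be written either as an integer or in dotted IP-address form (the OSPF screens use the dotted form), and when DR/BDR priorities tie, the "highest router ID" means the numerically highest 32-bit value, so 10.0.0.10 outranks 10.0.0.9 even though it sorts earlier as a string. The Python below is an added example, not Zyxel code, converting between the two ID notations and applying the election rule as the guide states it (priority first, then highest router ID) on one freshly started segment; it also treats priority 0 as ineligible, which is the RFC 2328 rule and an assumption the guide does not spell out. The router list is constructed.

```python
"""OSPF area/router ID notation and DR/BDR election on one segment.

Added example, not Zyxel code. Election follows the guide's rule: highest
priority wins, ties go to the numerically highest router ID. Priority 0
routers are treated as ineligible (RFC 2328; not stated in the guide).
"""
import ipaddress
from typing import List, Optional, Tuple


def area_id_to_dotted(area: int) -> str:
    """Integer area ID -> dotted form, e.g. 100 -> '0.0.0.100'."""
    if not 0 <= area <= 0xFFFFFFFF:
        raise ValueError("area ID must fit in 32 bits")
    return str(ipaddress.IPv4Address(area))


def dotted_to_area_id(dotted: str) -> int:
    """Dotted area ID -> integer, e.g. '0.0.0.100' -> 100."""
    return int(ipaddress.IPv4Address(dotted))


def router_id_value(router_id: str) -> int:
    """Router IDs compare as 32-bit integers, not as strings."""
    return int(ipaddress.IPv4Address(router_id))


def elect_dr_bdr(routers: List[Tuple[str, int]]) -> Tuple[Optional[str], Optional[str]]:
    """routers: list of (router_id, priority). Returns (DR, BDR) router IDs.

    Ranking key is (priority, numeric router ID), highest first; the top
    router becomes DR and the runner-up BDR. Priority 0 never participates.
    """
    eligible = [(rid, prio) for rid, prio in routers if prio > 0]
    ranked = sorted(eligible, key=lambda r: (r[1], router_id_value(r[0])), reverse=True)
    dr = ranked[0][0] if ranked else None
    bdr = ranked[1][0] if len(ranked) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    # Constructed segment: one router with a raised priority, two with the
    # default, and one excluded from election.
    segment = [("10.0.0.9", 1), ("10.0.0.10", 1), ("10.0.0.2", 5), ("10.0.0.200", 0)]
    print(area_id_to_dotted(100), dotted_to_area_id("0.0.0.100"))
    print(elect_dr_bdr(segment))
```

In the constructed segment 10.0.0.2 becomes DR on priority alone; between the two priority 1 routers, 10.0.0.10 becomes BDR because its ID is numerically larger than 10.0.0.9, and 10.0.0.200 is never considered despite having the largest ID.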
Virtual Links
In some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area to logically connect the area to the backbone. This is illustrated in the following example.

Figure 230 OSPF: Virtual Link
In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABR in area 10. The virtual link becomes the connection between area 100 and the backbone. You cannot create a virtual link to a router in a different area.
OSPF Configuration
Follow these steps when you configure OSPF on the Zyxel Device.

1 Enable OSPF.
2 Set up the OSPF areas.
3 Configure the appropriate interfaces. See Section 9.4.1 on page 237.
4 Set up virtual links, as needed.

10.7.1 Configuring the OSPF Screen
Use the first OSPF screen to specify the OSPF router the Zyxel Device uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them. Click Configuration > Network > Routing > OSPF to open the following screen.

Figure 231 Configuration > Network > Routing > OSPF

The following table describes the labels in this screen. See Section 10.7.2 on page 343 for more information as well.

Table 137 Configuration > Network > Routing Protocol > OSPF

LABEL

DESCRIPTION

OSPF Router ID

Select the 32-bit ID the Zyxel Device uses in the OSPF AS.

Default - the first available interface IP address is the Zyxel Device's ID.

User Defined - enter the ID (in IP address format) in the field that appears when you select User Define.

Redistribute

Active RIP

Select this to advertise routes that were learned from RIP. The Zyxel Device advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas.

Type

Select how OSPF calculates the cost associated with routing information from RIP. Choices are: Type 1 and Type 2.

Type 1 - cost = OSPF AS cost + external cost (Metric)

Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored.


Table 137 Configuration > Network > Routing Protocol > OSPF (continued)

LABEL

DESCRIPTION

Metric

Type the external cost for routes provided by RIP. The metric represents the "cost" of transmission for routing purposes. The way this is used depends on the Type field. This value is usually the average cost in the OSPF AS, and it can be between 1 and 16777214.

Area

This section displays information about OSPF areas in the Zyxel Device.

Add

Click this to create a new OSPF area.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen.

#

This field is a sequential value, and it is not associated with a specific area.

Area

This field displays the 32-bit ID for each area in IP address format.

Type

This field displays the type of area. This type is different from the Type field above.

Authentication

This field displays the default authentication method in the area.

Apply

Click this button to save your changes to the Zyxel Device.

Reset

Click this button to return the screen to its last-saved settings.

10.7.2 OSPF Area Add/Edit Screen
The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 10.7 on page 339), and click either the Add icon or an Edit icon.

Figure 232 Configuration > Network > Routing > OSPF > Add


The following table describes the labels in this screen.

Table 138 Configuration > Network > Routing > OSPF > Add

LABEL

DESCRIPTION

Area ID

Type the unique, 32-bit identifier for the area in IP address format.

Type

Select the type of OSPF area.

Normal - This area is a normal area. It has routing information about the OSPF AS and about networks outside the OSPF AS.

Stub - This area is a stub area. It has routing information about the OSPF AS but not about networks outside the OSPF AS. It depends on a default route to send information outside the OSPF AS.

NSSA - This area is a Not So Stubby Area (NSSA), per RFC 1587. It has routing information about the OSPF AS and networks that are outside the OSPF AS and are directly connected to the NSSA. It does not have information about other networks outside the OSPF AS.

Authentication

Select the default authentication method used in the area. This authentication protects the integrity, but not the confidentiality, of routing updates.

None uses no authentication.

Text uses a plain text password that is sent over the network (not very secure).

MD5 uses an MD5 password and authentication ID (most secure).

Text Authentication Key

This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.

MD5 Authentication ID

This field is available if the Authentication is MD5. Type the default ID for MD5 authentication in the area. The ID can be between 1 and 255.

MD5 Authentication Key

This field is available if the Authentication is MD5. Type the default password for MD5 authentication in the area. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.

Virtual Link

This section is displayed if the Type is Normal. Create a virtual link if you want to connect a different area (that does not have a direct connection to the backbone) to the backbone. You should set up the virtual link on the ABR that is connected to the other area and on the ABR that is connected to the backbone.

Add

Click this to create a new virtual link.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

#

This field is a sequential value, and it is not associated with a specific area.

Peer Router ID

This is the 32-bit ID (in IP address format) of the other ABR in the virtual link.


Table 138 Configuration > Network > Routing > OSPF > Add (continued)

LABEL

DESCRIPTION

Authentication

This is the authentication method the virtual link uses. This authentication protects the integrity, but not the confidentiality, of routing updates.

For OSPF, the Zyxel Device supports a default authentication type by area. If you want to use this default in an interface or virtual link, you set the associated Authentication Type field to Same as Area. As a result, you only have to update the authentication information for the area to update the authentication type used by these interfaces and virtual links. Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.

None uses no authentication.

Text uses a plain text password that is sent over the network (not very secure). Hover your cursor over this label to display the password.

MD5 uses an MD5 password and authentication ID (most secure). Hover your cursor over this label to display the authentication ID and key.

Same as Area has the virtual link also use the Authentication settings above.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.

10.7.3 Virtual Link Add/Edit Screen
The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 10.7.2 on page 343) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following.

Figure 233 Configuration > Network > Routing > OSPF > Add > Add


The following table describes the labels in this screen.

Table 139 Configuration > Network > Routing > OSPF > Add > Add

LABEL

DESCRIPTION

Peer Router ID

Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link.

Authentication

Select the authentication method the virtual link uses. This authentication protects the integrity, but not the confidentiality, of routing updates.

For OSPF, the Zyxel Device supports a default authentication type by area. If you want to use this default in an interface or virtual link, you set the associated Authentication Type field to Same as Area. As a result, you only have to update the authentication information for the area to update the authentication type used by these interfaces and virtual links. Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.

None uses no authentication.

Text uses a plain text password that is sent over the network (not very secure).

MD5 uses an MD5 password and authentication ID (most secure).

Same as Area has the virtual link also use the Authentication settings above.

Text Authentication Key

This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.

MD5 Authentication ID

This field is available if the Authentication is MD5. Type the default ID for MD5 authentication in the area. The ID can be between 1 and 255.

MD5 Authentication Key

This field is available if the Authentication is MD5. Type the default password for MD5 authentication in the area. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.

10.8 BGP (Border Gateway Protocol)
The Zyxel Device supports eBGP (exterior Border Gateway Protocol) to route IPv4 traffic between routers in different Autonomous Systems (AS). An AS number is a number from 1 to 4294967295 that identifies an autonomous system. 4200000000 to 4294967294 are private AS numbers.
See Section 10.7 on page 339 for more information on autonomous systems.

Figure 234 eBGP Concept

10.8.1 Allow BGP Packets to Enter the Zyxel Device
You must first allow BGP packets to enter the Zyxel Device from the WAN.

1 Go to Configuration > Object > Service > Service Group.
2 Select the Default_Allow_WAN_To_ZyWALL rule and click Edit.
3 Move BGP from Available to Member.
4 Click OK.

Figure 235 Allow BGP to the Zyxel Device

10.8.2 Configuring the BGP Screen
Use this screen to configure BGP information about the Zyxel Device and its peer BGP routers. Click Configuration > Network > Routing > BGP to open the following screen.
Figure 236 Configuration > Network > Routing > BGP

The following table describes the labels in this screen.

Table 140 Configuration > Network > Routing Protocol > BGP

LABEL

DESCRIPTION

AS Number

Type a number from 1 to 4294967295 in this field.

Note: The Zyxel Device can only belong to one AS at a time.

Router ID

Type the IP address of the interface on the Zyxel Device. This field is optional.

Redistribute

Select Connected to redistribute routes of directly attached devices to the Zyxel Device into the BGP Routing Information Base (RIB).

Neighbors

This section displays information about peer BGP routers in neighboring AS'.

Note: The maximum number of neighboring BGP routers supported by the Zyxel Device is 5.

Add

Click this to configure BGP criteria for a new peer BGP router.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

#

This field is a sequential value, and it is not associated with a specific area.

IP Address

This displays the IPv4 address of the peer BGP router in a neighboring AS.

AS Number

This displays the AS Number of the peer BGP router in a neighboring AS.

Network

Use this section to add routes that will be announced to all BGP neighbors.

Note: You may configure up to 16 network routes.

Add

Click this to configure network information for a new route.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.


Table 140 Configuration > Network > Routing Protocol > BGP (continued)

LABEL

DESCRIPTION

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

#

This field is a sequential value, and it is not associated with a specific area.

Network

This displays the IP address and the number of subnet mask bits for the peer BGP route.

Apply

Click this button to save your changes to the Zyxel Device.

Reset

Click this button to return the screen to its last-saved settings.

10.8.3 The BGP Neighbors Screen
Use this screen to configure BGP information about a peer BGP router. Click Configuration > Network > Routing > BGP > Add Neighbors to open the following screen.

Figure 237 Configuration > Network > Routing > BGP > Add Neighbors

The following table describes the labels in this screen.

Table 141 Configuration > Network > Routing Protocol > BGP

LABEL

DESCRIPTION

IP Address

Type the IP address of the interface on the peer BGP router.

AS Number

Type a number from 1 to 4294967295 in this field. Get the number from your service provider.

Enable EBGP Multihop

Select this to allow the Zyxel Device to attempt BGP connections to external peers on indirectly connected networks. eBGP neighbors must also perform multihop. Multihop is not established if the only route to the multihop peer is a default route. This avoids loop formation.

EBGP Maximum Hops

Enter a maximum hop count from <1-255>. The default is 255.


Table 141 Configuration > Network > Routing Protocol > BGP (continued)

LABEL

DESCRIPTION

Update Source

Use this to allow BGP sessions to use the selected interface for TCP connections.

· Choose Gateway and then enter the gateway IP address.
· Choose Interface and then select a Zyxel Device interface.
· Choose None to use the closest interface.

MD5 authentication key

Type the default password for MD5 authentication of communication between the Zyxel Device and the peer BGP router. The password can consist of alphanumeric characters and the underscore, and it can be up to 63 characters long.

Weight

Specify a weight value for all routes learned from this peer BGP router in the specified network. The route with the highest weight gets preference.

Keepalive Time

Keepalive messages are sent by the Zyxel Device to a peer BGP router to inform it that the BGP connection between the two is still active. The Keepalive Time is the interval between each Keepalive message sent by the Zyxel Device. We recommend the Keepalive Time is 1/3 of the Hold Time.

Hold Time

This is the maximum time the Zyxel Device waits to receive a Keepalive message from a peer BGP router before it declares that the peer BGP router is dead. Hold Time must be greater than the Keepalive Time.

Maximum Prefix

A prefix is a network address (IP/subnet mask) that a BGP router can reach and that it shares with its neighbors. Set the maximum number, from 1 to 4294967295, of prefixes that can be received from a neighbor. This limits the number of prefixes that the Zyxel Device is allowed to receive from a neighbor. If extra prefixes are received, the Zyxel Device ends the connection with the peer BGP router. You need to edit the peer BGP router configuration to bring the connection back.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.

10.8.4 Example Scenario
This is an example scenario for using BGP on the Zyxel Device.
10.8.4.1 Scenario: CE - PE (MPLS)
In this scenario, you want to transmit BGP packets from a CE router (Zyxel Device) to a peer BGP PE router in an MPLS network.
· CE: The Zyxel Device is the customer edge router located on the customer premises and connects to a PE router in the service provider MPLS network.
· PE: The provider edge router is located at the edge of the service provider MPLS network.
· MPLS: MultiProtocol Label Switching (MPLS) forwards data from one network node to the next based on path labels rather than network addresses.
Figure 238 Scenario 1: CE Router - to - MPLS
10.8.4.2 CE - PE Configuration Process
The process for configuring BGP in this scenario is:
1 Configure the AS number for BGP on the Zyxel Device (CE) in Configuration > Network > Routing > BGP.
Note: The Zyxel Device can only belong to one AS at a time.
2 Configure the AS number and BGP criteria of the peer BGP routers (PE) in the neighboring AS in Configuration > Network > Routing > BGP > Add Neighbors.
Note: The maximum number of neighboring BGP routers supported by the Zyxel Device is 5.
3 Configure the network for BGP routes in the neighboring AS.
Note: You may configure up to 16 network routes.
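The neighbor fields in Table 141 and the limits in the CE-PE process above can be checked before a session is brought up. The following Python model is an added example, not Zyxel's code and not a description of how the device implements BGP: it keeps the numeric limits the guide states (AS number and Maximum Prefix ranges, 1-255 hops, a 63-character MD5 key, 5 neighbors, 16 networks), enforces Hold Time greater than Keepalive Time, and simulates two behaviours the table describes: a multihop peer is not reached through a default route alone, and a neighbor that sends more prefixes than allowed has its session ended. The class names, the constructed routing-table input and the session state are assumptions.

```python
"""Added example (not Zyxel code): a model of the BGP neighbor settings in
Table 141 and of the CE-PE process limits, with the checks those settings imply.
The class names, the routing-table input and the session simulation are
constructed for illustration; only the numeric limits come from the guide."""
from dataclasses import dataclass, field
from ipaddress import ip_network

AS_MAX = 4_294_967_295      # AS Number: 1 to 4294967295
HOPS_MAX = 255              # EBGP Maximum Hops: 1 to 255, default 255
MD5_KEY_MAX = 63            # MD5 key: alphanumeric and underscore, up to 63 characters
PREFIX_MAX = 4_294_967_295  # Maximum Prefix: 1 to 4294967295
MAX_NEIGHBORS = 5           # CE-PE process note: at most 5 neighboring BGP routers
MAX_NETWORKS = 16           # CE-PE process note: up to 16 network routes


@dataclass
class BgpNeighbor:
    ip: str
    asn: int
    ebgp_multihop: bool = False
    max_hops: int = HOPS_MAX
    md5_key: str = ""
    weight: int = 0
    keepalive: int = 60
    hold_time: int = 180
    max_prefix: int = PREFIX_MAX
    established: bool = False
    received: set = field(default_factory=set)

    def validate(self) -> list:
        """Return the problems with this neighbor; an empty list means it is acceptable."""
        problems = []
        if not 1 <= self.asn <= AS_MAX:
            problems.append("AS number out of range")
        if not 1 <= self.max_hops <= HOPS_MAX:
            problems.append("EBGP maximum hops out of range")
        if self.md5_key and (len(self.md5_key) > MD5_KEY_MAX or
                             not all(c.isalnum() or c == "_" for c in self.md5_key)):
            problems.append("MD5 key must be up to 63 alphanumeric or underscore characters")
        if self.hold_time <= self.keepalive:
            problems.append("Hold Time must be greater than Keepalive Time")
        if not 1 <= self.max_prefix <= PREFIX_MAX:
            problems.append("Maximum Prefix out of range")
        return problems

    def keepalive_recommended(self) -> int:
        """The guide recommends a Keepalive Time of 1/3 of the Hold Time."""
        return self.hold_time // 3

    def can_establish(self, routes) -> bool:
        """Table 141: a multihop session is not established if the only route to the
        peer is a default route.  `routes` is a constructed list of routing-table prefixes."""
        peer = ip_network(self.ip + "/32")
        for r in routes:
            net = ip_network(r)
            if self.ebgp_multihop and net.prefixlen == 0:
                continue            # a default route alone must not reach a multihop peer
            if net.supernet_of(peer):
                return True
        return False

    def receive_prefixes(self, prefixes) -> bool:
        """Maximum Prefix rule: once more prefixes than allowed arrive, the session is
        ended and stays down until the peer configuration is edited.  Returns whether
        the session is still up afterwards."""
        if not self.established:
            return False
        for p in prefixes:
            self.received.add(ip_network(p))
            if len(self.received) > self.max_prefix:
                self.established = False
                self.received.clear()
                return False
        return True


@dataclass
class BgpConfig:
    local_as: int                           # the Zyxel Device belongs to one AS at a time
    neighbors: list = field(default_factory=list)
    networks: list = field(default_factory=list)

    def add_neighbor(self, n: BgpNeighbor) -> None:
        if len(self.neighbors) >= MAX_NEIGHBORS:
            raise ValueError(f"at most {MAX_NEIGHBORS} BGP neighbors are supported")
        problems = n.validate()
        if problems:
            raise ValueError("; ".join(problems))
        self.neighbors.append(n)

    def add_network(self, prefix: str) -> None:
        if len(self.networks) >= MAX_NETWORKS:
            raise ValueError(f"at most {MAX_NETWORKS} network routes are supported")
        self.networks.append(ip_network(prefix))
```

The `receive_prefixes` simulation also shows why Maximum Prefix is worth setting conservatively: a misconfigured or compromised peer that floods prefixes drops the session rather than filling the routing table, and the session stays down until an administrator looks at it.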

CHAPTER 11 DDNS

11.1 DDNS Overview
Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address.

11.1.1 What You Can Do in this Chapter
· Use the DDNS screen (see Section 11.2 on page 353) to view a list of the configured DDNS domain names and their details.
· Use the DDNS Add/Edit screen (see Section 11.2.1 on page 354) to add a domain name to the Zyxel Device or to edit the configuration of an existing domain name.

11.1.2 What You Need to Know

DNS maps a FQDN (Fully Qualified Domain Name) to a corresponding IP address and vice versa. Similarly, Dynamic DNS (DDNS) maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current (dynamic) IP address.

Note: You must have a public WAN IP address to use Dynamic DNS.

You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the Zyxel Device. When registration is complete, the DNS service provider gives you a password or key. At the time of writing, the Zyxel Device supports the following DNS service providers. See the listed websites for details about the DNS services offered by each.

Table 142 DDNS Service Providers

PROVIDER | SERVICE TYPES SUPPORTED | WEBSITE
DynDNS | Dynamic DNS, Static DNS, and Custom DNS | www.dyndns.com
Dynu | Basic, Premium | www.dynu.com
No-IP | No-IP | www.no-ip.com
Peanut Hull | Peanut Hull | www.oray.cn
3322 | 3322 Dynamic DNS, 3322 Static DNS | www.3322.org
Selfhost | Selfhost | selfhost.de

Note: Record your DDNS account's user name, password, and domain name to use to configure the Zyxel Device.
After you configure the Zyxel Device, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.

11.2 The DDNS Screen
The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. Click Configuration > Network > DDNS to open the following screen.
Figure 239 Configuration > Network > DDNS

The following table describes the labels in this screen.

Table 143 Configuration > Network > DDNS

LABEL | DESCRIPTION
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate | To turn on an entry, select it and click Activate.
Inactivate | To turn off an entry, select it and click Inactivate.
# | This is the number of an individual DDNS profile.
Status | This icon is lit when the entry is active and dimmed when the entry is inactive.
Profile Name | This field displays the descriptive profile name for this entry.
DDNS Type | This field displays which DDNS service you are using.
Domain Name | This field displays each domain name the Zyxel Device can route.
Primary Interface/IP | This field displays the interface to use for updating the IP address mapped to the domain name followed by how the Zyxel Device determines the IP address for the domain name.
    from interface - The IP address comes from the specified interface.
    auto detected - The DDNS server checks the source IP address of the packets from the Zyxel Device for the IP address to use for the domain name.
    custom - The IP address is static.
Backup Interface/IP | This field displays the alternate interface to use for updating the IP address mapped to the domain name followed by how the Zyxel Device determines the IP address for the domain name. The Zyxel Device uses the backup interface and IP address when the primary interface is disabled, its link is down or its connectivity check fails.
    from interface - The IP address comes from the specified interface.
    auto detected - The DDNS server checks the source IP address of the packets from the Zyxel Device for the IP address to use for the domain name.
    custom - The IP address is static.
Apply | Click this button to save your changes to the Zyxel Device.
Reset | Click this button to return the screen to its last-saved settings.

11.2.1 The Dynamic DNS Add/Edit Screen
The DDNS Add/Edit screen allows you to add a domain name to the Zyxel Device or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen.
Figure 240 Configuration > Network > DDNS > Add
Figure 241 Configuration > Network > DDNS > Add - Custom

The following table describes the labels in this screen.

Table 144 Configuration > Network > DDNS > Add

LABEL | DESCRIPTION
Show Advanced Settings / Hide Advanced Settings | Click this button to display a greater or lesser number of configuration fields.
Enable DDNS Profile | Select this check box to use this DDNS entry.
Profile Name | When you are adding a DDNS entry, type a descriptive name for this DDNS entry in the Zyxel Device. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is read-only when you are editing an entry.
DDNS Type | Select the type of DDNS service you are using. Select User custom to create your own DDNS service and configure the DYNDNS Server, URL, and Additional DDNS Options fields below.
HTTPS | Select this to encrypt traffic using SSL (port 443), including traffic with username and password, to the DDNS server. Not all DDNS providers support this option.
Username | Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information in the Dynu website.
Password | Type the password provided by the DDNS provider. You can use up to 64 alphanumeric characters and the underscore. Spaces are not allowed.
Retype to Confirm | Type the password again to confirm it.
DDNS Settings |
Domain name | Type the domain name you registered. You can use up to 255 characters.
Primary Binding Address | Use these fields to set how the Zyxel Device determines the IP address that is mapped to your domain name in the DDNS server. The Zyxel Device uses the Backup Binding Address if the interface specified by these settings is not available.
Interface | Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface.
IP Address | The options available in this field vary by DDNS provider.
    Interface - The Zyxel Device uses the IP address of the specified interface. This option appears when you select a specific interface in the Primary Binding Address Interface field.
    Auto - If the interface has a dynamic IP address, the DDNS server checks the source IP address of the packets from the Zyxel Device for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers between the Zyxel Device and the DDNS server.
    Note: The Zyxel Device may not determine the proper IP address if there is an HTTP proxy server between the Zyxel Device and the DDNS server.
    Custom - If you have a static IP address, you can select this to use it for the domain name. The Zyxel Device still sends the static IP address to the DDNS server.
Custom IP | This field is only available when the IP Address is Custom. Type the IP address to use for the domain name.
Backup Binding Address | Use these fields to set an alternate interface to map the domain name to when the interface specified by the Primary Binding Interface settings is not available.
Interface | Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address.
IP Address | The options available in this field vary by DDNS provider.
    Interface - The Zyxel Device uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field.
    Auto - The DDNS server checks the source IP address of the packets from the Zyxel Device for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers between the Zyxel Device and the DDNS server.
    Note: The Zyxel Device may not determine the proper IP address if there is an HTTP proxy server between the Zyxel Device and the DDNS server.
    Custom - If you have a static IP address, you can select this to use it for the domain name. The Zyxel Device still sends the static IP address to the DDNS server.
Custom IP | This field is only available when the IP Address is Custom. Type the IP address to use for the domain name.
Enable Wildcard | This option is only available with a DynDNS account. Enable the wildcard feature to alias subdomains to the same IP address as your (dynamic) domain name. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
Mail Exchanger | This option is only available with a DynDNS account. DynDNS can route email for your domain name to a mail server (called a mail exchanger). For example, DynDNS routes email for john-doe@yourhost.dyndns.org to the host record specified as the mail exchanger. If you are using this service, type the host record of your mail server here. Otherwise leave the field blank. See www.dyndns.org for more information about mail exchangers.
Backup Mail Exchanger | This option is only available with a DynDNS account. Select this check box if you are using DynDNS's backup service for email. With this service, DynDNS holds onto your email if your mail server is not available. Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service.
DYNDNS Server | This field displays when you select User custom from the DDNS Type field above. Type the IP address of the server that will host the DDNS service.
URL | This field displays when you select User custom from the DDNS Type field above. Type the URL that can be used to access the server that will host the DDNS service.
Additional DDNS Options | This field displays when you select User custom from the DDNS Type field above. These are the options supported at the time of writing:
    · dyndns_system to specify the DYNDNS Server type - for example, dyndns@dyndns.org
    · ip_server_name which should be the URL to get the server's public IP address - for example, http://myip.easylife.tw/
OK | Click OK to save your changes back to the Zyxel Device.
Cancel | Click Cancel to exit this screen without saving.
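As an added example (not Zyxel code and not the device's actual update client), the following Python sketch works through the binding logic of Tables 143 and 144: which binding the profile falls back to when the primary interface is unusable, what the three IP Address options (Interface, Auto, Custom) send, and, against a constructed toy provider, why the Auto option can record the wrong address when an HTTP proxy sits in the path, as the Note in Table 144 warns. The DynDNS2-style /nic/update URL with HTTP Basic authentication, the host name ddns.example.net and the result codes are assumptions, not something this page documents for any of the listed providers.

```python
"""Added example (not Zyxel code): how a DDNS profile picks the IP address it
publishes (Table 143/144: Interface, Auto, Custom; primary and backup binding)
and what the provider then records.  The update request uses a DynDNS2-style
/nic/update URL with HTTP Basic auth as an assumed wire format; the exchange the
Zyxel Device has with each provider is not shown on this page, and the provider
side here is a constructed toy."""
import base64
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class InterfaceState:
    ip: str
    enabled: bool = True
    link_up: bool = True
    conn_check_ok: bool = True

    @property
    def usable(self) -> bool:
        # The backup binding takes over when the primary interface is disabled,
        # its link is down, or its connectivity check fails (Table 143).
        return self.enabled and self.link_up and self.conn_check_ok


@dataclass
class Binding:
    interface: Optional[str]   # None stands for "Any"
    mode: str                  # "interface", "auto" or "custom"
    custom_ip: str = ""


def select_binding(primary, backup, ifaces):
    """The primary binding, or the backup when the primary interface is unusable,
    or None when neither can be used (backup=None means no backup configured)."""
    for b in (primary, backup):
        if b is not None and (b.interface is None or ifaces[b.interface].usable):
            return b
    return None


def ip_to_publish(binding, ifaces):
    """myip value for the update; None means the server auto-detects the source IP."""
    if binding.mode == "custom":
        return binding.custom_ip                  # static address, sent as-is
    if binding.mode == "interface":
        return ifaces[binding.interface].ip       # the selected interface's address
    return None                                   # auto


def build_update(domain, username, password, myip, https=True, host="ddns.example.net"):
    """Update request (assumed DynDNS2-style).  With https=False the credentials are
    sent in cleartext, which is what the HTTPS option in Table 144 prevents."""
    params = {"hostname": domain}
    if myip:
        params["myip"] = myip
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    scheme = "https" if https else "http"
    return {"url": f"{scheme}://{host}/nic/update?{urlencode(params)}",
            "headers": {"Authorization": "Basic " + token}}


def provider_apply(request, source_ip, records, credentials):
    """Toy provider side: check the credentials, then record either the explicit
    myip or, when it is absent (Auto), the source address the request came from.
    Returns (DynDNS2-style result code, IP now on record)."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return "badauth", None
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    if credentials.get(user) != pw:
        return "badauth", None
    query = parse_qs(urlparse(request["url"]).query)
    hostname = query["hostname"][0]
    if hostname not in records:
        return "nohost", None
    new_ip = query.get("myip", [source_ip])[0]   # Auto: whatever address the server saw
    if records[hostname] == new_ip:
        return "nochg", new_ip
    records[hostname] = new_ip
    return "good", new_ip


if __name__ == "__main__":
    # Constructed scenario: wan1 link is down, so the backup (wan2, Auto) is used.
    ifaces = {"wan1": InterfaceState("203.0.113.10", link_up=False),
              "wan2": InterfaceState("198.51.100.7")}
    chosen = select_binding(Binding("wan1", "interface"), Binding("wan2", "auto"), ifaces)
    req = build_update("host.example.net", "user_1", "s3cret", ip_to_publish(chosen, ifaces))
    records = {"host.example.net": "192.0.2.1"}
    # Auto through an HTTP proxy: the provider records the proxy's address, not wan2's
    print(provider_apply(req, "203.0.113.200", records, {"user_1": "s3cret"}))
```

The proxy case is the practical lesson: with Auto the provider trusts whatever source address it sees, so a proxy or a second NAT between the device and the provider silently publishes the wrong host. Binding to a specific interface (or Custom with a static address) removes that dependency, and the HTTPS option keeps the account credentials off the wire in cleartext.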


CHAPTER 12 NAT
12.1 Overview
· Use the Network > NAT screen (Section 12.2 on page 358) to enable and configure network address translation.
· Use the Network > NAT > Virtual Server Load Balancing screen (Section 12.5 on page 366) to distribute local user connections over multiple servers, in order to reduce each server's workload and to decrease overall response times.
12.2 NAT Overview
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network. Use Network Address Translation (NAT) to make computers on a private network behind the Zyxel Device available outside the private network. If the Zyxel Device has only one public IP address, you can make the computers in the private network available by using ports to forward packets to the appropriate private IP address. Suppose you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.
Figure 242 Multiple Servers Behind NAT Example
12.2.1 What You Can Do in this Chapter
Use the NAT screens (see Section 12.3 on page 360) to view and manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete existing ones.

12.2.2 What You Need to Know
NAT is also known as virtual server, port forwarding, or port translation.

Well-known Ports

Port numbers range from 0 to 65535, but only port numbers 0 to 1023 are reserved for privileged services and designated as well-known ports. The following list specifies the ports used by the server process as its contact ports. See Section 39.7 on page 774 (Configuration > Object > Service) for more information about service objects.

· Well-known ports range from 0 to 1023.
· Registered ports range from 1024 to 49151.
· Dynamic ports (also called private ports) range from 49152 to 65535.

Table 145 Well-known Ports

PORT | TCP/UDP | DESCRIPTION
1 | TCP | TCP Port Service Multiplexer (TCPMUX)
20 | TCP | FTP - Data
21 | TCP | FTP - Control
22 | TCP | SSH Remote Login Protocol
23 | TCP | Telnet
25 | TCP | Simple Mail Transfer Protocol (SMTP)
42 | UDP | Host Name Server (Nameserv)
43 | TCP | WhoIs
53 | TCP/UDP | Domain Name System (DNS)
67 | UDP | BOOTP/DHCP server
68 | UDP | BOOTP/DHCP client
69 | UDP | Trivial File Transfer Protocol (TFTP)
79 | TCP | Finger
80 | TCP | HTTP
110 | TCP | POP3
119 | TCP | Newsgroup (NNTP)
123 | UDP | Network Time Protocol (NTP)
135 | TCP/UDP | RPC Locator service
137 | TCP/UDP | NetBIOS Name Service
138 | UDP | NetBIOS Datagram Service
139 | TCP | NetBIOS Datagram Service
143 | TCP | Interim Mail Access Protocol (IMAP)
161 | UDP | SNMP
179 | TCP | Border Gateway Protocol (BGP)
389 | TCP/UDP | Lightweight Directory Access Protocol (LDAP)
443 | TCP | HTTPS
445 | TCP | Microsoft - DS
636 | TCP | LDAP over TLS/SSL (LDAPS)
953 | TCP | BIND DNS
990 | TCP | FTP over TLS/SSL (FTPS)
995 | TCP | POP3 over TLS/SSL (POP3S)

12.3 The NAT Screen
The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules. To access this screen, login to the Web Configurator and click Configuration > Network > NAT. The following screen appears, providing a summary of the existing NAT rules.
Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information.
Figure 243 Configuration > Network > NAT

The following table describes the labels in this screen.

Table 146 Configuration > Network > NAT

LABEL | DESCRIPTION
Use Static-Dynamic Route to Control 1-1 NAT Route | If you are using Site To Site VPN and 1-1 SNAT, it's recommended that you select this check box. Otherwise, you'll need to create policy route rules for VPN and Destination NAT traffic. Note that the selection of this check box will change the priority of the routing flow (Site To Site VPN, Static-Dynamic Route, and 1-1 SNAT). See Chapter 46 on page 952 for more information about the routing flow.
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate | To turn on an entry, select it and click Activate.
Inactivate | To turn off an entry, select it and click Inactivate.
Move | To change a rule's position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering.
# | This field is a sequential value, and it is not associated with a specific entry.
Status | This icon is lit when the entry is active and dimmed when the entry is inactive.
Priority | This field displays the priority for the entry. The smaller the number, the higher the priority.
Name | This field displays the name of the entry.
Mapping Type | This field displays what kind of NAT this entry performs: Virtual Server, 1:1 NAT, or Many 1:1 NAT.
Interface | This field displays the interface on which packets for the NAT entry are received.
Source IP | This field displays the source IP address (or address object) of traffic that matches this NAT entry. It displays any if there is no restriction on the source IP address.
External IP | This field displays the original destination IP address (or address object) of traffic that matches this NAT entry. It displays any if there is no restriction on the original destination IP address.
Internal IP | This field displays the new destination IP address for the packet.
Protocol | This field displays the service used by the packets for this NAT entry. It displays any if there is no restriction on the services.
External Port | This field displays the original destination port(s) of packets for the NAT entry. This field is blank if there is no restriction on the original destination port.
Internal Port | This field displays the new destination port(s) for the packet. This field is blank if there is no restriction on the original destination port.
Apply | Click this button to save your changes to the Zyxel Device.
Reset | Click this button to return the screen to its last-saved settings.

12.3.1 The NAT Add/Edit Screen
The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 12.3 on page 360.) Then, click on an Add icon or Edit icon to open the following screen.
Figure 244 Configuration > Network > NAT > Add

The following table describes the labels in this screen.

Table 147 Configuration > Network > NAT > Add

LABEL | DESCRIPTION
Create new Object | Use to configure any new settings objects that you need to use in this screen.
Enable Rule | Use this option to turn the NAT rule on or off.
Rule Name | Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Classification | Select what kind of NAT this rule is to perform.
    Virtual Server - This makes computers on a private network behind the Zyxel Device available to a public network outside the Zyxel Device (like the Internet).
    1:1 NAT - If the private network server will initiate sessions to the outside clients, select this to have the Zyxel Device translate the source IP address of the server's outgoing traffic to the same public IP address that the outside clients use to access the server.
    Many 1:1 NAT - If you have a range of private network servers that will initiate sessions to the outside clients and a range of public IP addresses, select this to have the Zyxel Device translate the source IP address of each server's outgoing traffic to the same one of the public IP addresses that the outside clients use to access the server. The private and public ranges must have the same number of IP addresses. One Many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases configuration effort since you only create one rule.
Incoming Interface | Select the interface on which packets for the NAT rule must be received. It can be an Ethernet, VLAN, bridge, or PPPoE/PPTP interface.
Source IP | Specify the source IP address of the packets received by this NAT rule's specified incoming interface.
    any - Select this to use all of the incoming interface's IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface.
    User Defined - Select this to manually enter an IP address in the User Defined field. For example, you could enter a static IP address.
    Host address - Select an address object to use the IP address it specifies.
External IP | Specify the destination IP address of the packets received by this NAT rule's specified incoming interface. The specified IP address will be translated to the Internal IP address.
    any - Select this to use all of the incoming interface's IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface.
    User Defined - Select this to manually enter an IP address in the User Defined field. For example, you could enter a static public IP assigned by the ISP without having to create a virtual interface for it.
    Host address - Select a host address object to use the IP address it specifies. The list also includes address objects based on interface IPs. So for example you could select an address object based on a WAN interface even if it has a dynamic IP address.
User Defined External IP | This field is available if External IP is User Defined. Type the destination IP address that this NAT rule supports.
External IP Subnet/Range | This field displays for Many 1:1 NAT. Select the destination IP address subnet or IP address range that this NAT rule supports. The original and mapped IP address subnets or ranges must have the same number of IP addresses.
Internal IP | Select to which translated destination IP address this NAT rule forwards packets.
    User Defined - This NAT rule supports a specific IP address, specified in the User Defined field.
    HOST address - The drop-down box lists all the HOST address objects in the Zyxel Device. If you select one of them, this NAT rule supports the IP address specified by the address object.
User Defined Internal IP | This field is available if Internal IP is User Defined. Type the translated destination IP address that this NAT rule supports.
Internal IP Subnet/Range | This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses.
Port Mapping Type | Use the drop-down list box to select how many original destination ports this NAT rule supports for the selected destination IP address (Original IP). Choices are:
    Any - This NAT rule supports all the destination ports.
    Port - This NAT rule supports one destination port.
    Ports - This NAT rule supports a range of destination ports. You might use a range of destination ports for unknown services or when one server supports more than one service.
    Service - This NAT rule supports a service such as FTP (see Object > Service > Service).
    Service-Group - This NAT rule supports a group of services such as all service objects related to DNS (see Object > Service > Service Group).
Protocol Type | This field is available if Mapping Type is Port or Ports. Select the protocol (TCP, UDP, or Any) used by the service requesting the connection.
External Port | This field is available if Mapping Type is Port. Enter the external destination port this NAT rule supports.
Internal Port | This field is available if Mapping Type is Port. Enter the translated destination port if this NAT rule forwards the packet.
External Start Port | This field is available if Mapping Type is Ports. Enter the beginning of the range of original destination ports this NAT rule supports.
External End Port | This field is available if Mapping Type is Ports. Enter the end of the range of original destination ports this NAT rule supports.
Internal Start Port | This field is available if Mapping Type is Ports. Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet.
Internal End Port | This field is available if Mapping Type is Ports. Enter the end of the range of translated destination ports if this NAT rule forwards the packet. The original port range and the mapped port range must be the same size.
Enable NAT Loopback | Enable NAT loopback to allow users connected to any interface (instead of just the specified Incoming Interface) to use the NAT rule's specified External IP address to access the Internal IP device. For users connected to the same interface as the Internal IP device, the Zyxel Device uses that interface's IP address as the source address for the traffic it sends from the users to the Internal IP device.
    For example, if you configure a NAT rule to forward traffic from the WAN to a LAN server, enabling NAT loopback allows users connected to other interfaces to also access the server. For LAN users, the Zyxel Device uses the LAN interface's IP address as the source address for the traffic it sends to the LAN server. See NAT Loopback on page 364 for more details.
    If you do not enable NAT loopback, this NAT rule only applies to packets received on the rule's specified incoming interface.
Security Policy | By default the security policy blocks incoming connections from external addresses. After you configure your NAT rule settings, click the Security Policy link to configure a security policy to allow the NAT rule's traffic to come in.
    The Zyxel Device checks NAT rules before it applies To-Zyxel Device security policies, so To-Zyxel Device security policies do not apply to traffic that is forwarded by NAT rules. The Zyxel Device still checks other security policies, according to the source IP address and mapped IP address.
OK | Click OK to save your changes back to the Zyxel Device.
Cancel | Click Cancel to return to the NAT summary screen without creating the NAT rule (if it is new) or saving any changes (if it already exists).

12.4 NATTe c hnic a l Re fe re nc e
Here is more detailed information about NAT on the Zyxel Device.
NATLo o pb a c k
Suppose an NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP email server to give WAN users access. NAT loopback allows other users to also use the rule's original IP to access the mail server.
For example, a LAN user's computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server's domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server's mapped public IP address of 1.1.1.1.

ZyWALL USG FLEX Series User's Guide
364

Chapter 12 NAT

Fig ure 245 LAN Computer Queries a Public DNS Server

DNS

xxx.LAN-SMTP.com =? 1.1.1.1

xxx.LAN-SMTP.com = 1.1.1.1

LAN
192.168.1.21

192.168.1.89

The LAN user's computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the Zyxel Device's LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP server.

Fig ure 246 LAN to LAN Traffic

NAT

Source 192.168.1.1 SMTP
LAN
192.168.1.21

Source 192.168.1.89 SMTP
192.168.1.89

The LAN SMTP server replies to the Zyxel Device's LAN IP address and the Zyxel Device changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic's source matches the original destination address (1.1.1.1). If the SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address which would cause the LAN user's computer to shut down the session.

Figure 247 LAN to LAN Return Traffic (diagram: the SMTP server at 192.168.1.21 replies to 192.168.1.1; the Zyxel Device rewrites the source to 1.1.1.1 before forwarding the reply to 192.168.1.89)

12.5 Virtual Server Load Balancing
Virtual Server Load Balancing allows you to distribute incoming connection requests to a virtual server between multiple real (physical) servers. This reduces each server's workload and decreases virtual server response times.
12.5.1 Load Balancing Example 1
You are hosting a very popular website on your network, which attracts a lot of traffic and causes problems with your HTTP web server. To resolve this, you set up three identical web servers on the DMZ behind the Zyxel Device (Figure 248 on page 366). The Zyxel Device then distributes incoming HTTP requests between the three servers. External users only see one virtual web server with IP address 1.1.1.2.
Figure 248 Virtual Server on the WAN - Example 1

12.5.2 Load Balancing Example 2
You have two internal networks, LAN 1 and LAN 2, that are restricted from accessing each other (Figure 249 on page 367). The LAN 2 network hosts two duplicate SMTP mail servers. You want clients on LAN 1 to be able to access the SMTP servers on LAN 2. You create a virtual server load balancing rule using IP address 10.0.1.100 and port 25, and add the two SMTP servers from LAN 2 to the rule. Now clients on LAN 1 can access the virtual server's SMTP service by connecting to 10.0.1.100 port 25. Clients see a single mail server.
Figure 249 Virtual Server on the LAN - Example 2
12.5.3 Virtual Server Load Balancing Process
The following is an overview of how the Virtual Server Load Balancing process works.
Figure 250 Load Balancing Process
1 A client initiates a connection to the virtual server on a specific port.
2 The Zyxel Device matches the request to a set of servers (1, 2, and 3 in Figure 250 on page 368), and then determines which server will handle the request using a user-specified load balancing algorithm.
3 The Zyxel Device forwards the request to the chosen server using NAT.
4 The server processes the request, and then replies to the Zyxel Device.
5 The Zyxel Device forwards the reply to the client using SNAT.
12.5.4 Load Balancing Rules
In order to use load balancing, you must create a load balancing rule. Each load balancing rule consists of an incoming interface, an external IP address, a service type, a load balancing algorithm, and a list of real servers.
Note: One real server can belong to multiple load-balancing rules.
Note: You can only add one interface, IP address, and port to each load balancing rule.
Note: Virtual servers and real servers only support IPv4 addresses.

Only certain Zyxel Device models support virtual server load balancing. There are also limits on the maximum number of rules and real servers per Zyxel Device.

Table 148 Virtual Service Load Balancing Limits
Maximum Number of Load Balancing Rules per Zyxel Device:
· VPN50, USG FLEX 100, USG FLEX 100W, ATP100, ATP100W: 5
· VPN100, USG FLEX 200, ATP200: 10
· VPN300, USG FLEX 500, ATP500, USG FLEX 700, ATP700, ATP800, VPN1000: 20
Maximum Number of Real Servers per Load Balancing Rule:
· All of the above models: 4

12.5.5 Virtual Server Load Balancing Algorithms

A rule's load balancing algorithm determines which real server is assigned to an incoming connection request. When creating a load balancing rule, you can assign each server a weight, which indicates the server's processing capacity compared to other servers.

Table 149 Virtual Server Load Balancing Algorithms
Round-Robin: The Zyxel Device assigns servers in the reverse order they were added to the rule (Last In First Out). All servers are considered equal, regardless of their weight and current number of connections.
For example, if you have three servers, A, B, C and nine requests, the servers are assigned in the following order: CBACBACBA.
Weighted Round-Robin: The Zyxel Device assigns servers based on a user-specified weight. Servers with a higher weight are assigned before servers with a lower weight. Each time a server is assigned a request, the server's weight decreases by one point until it finishes processing the request.
The Zyxel Device assigns servers with equal weight in the reverse order they were added to the rule (Last In First Out). Servers with zero connections are given priority over all other servers.
For example, if you have three servers A, B, C with weights 4, 3, 2 and nine requests, the servers are assigned in the following order: CBAABACBA.
C (Weights: A4, B3, C2)
CB (Weights: A4, B3, C1)
CBA (Weights: A3, B2, C1)
CBAA (Weights: A2, B2, C1)
CBAAB (Weights: A2, B1, C1)
CBAABA (Weights: A1, B1, C1)
CBAABAC (Weights: A1, B1, C0)
CBAABACB (Weights: A1, B0, C0)
CBAABACBA (Weights: A0, B0, C0)
Least-Connection: The Zyxel Device assigns the server with the least number of current connections.
Source Hashing: The Zyxel Device assigns a server by checking a static hash table, which permanently maps each client IP address to a specific real server.
Servers are mapped to new client IP addresses in the reverse order the servers were added to the rule (Last In First Out). Each server is added N times during each sequence, where N is equal to the server's weight.
For example, if you have two servers A and B, with weights 1 and 2, the servers are mapped to new client IP addresses in the hash table in the following order:
Source_IP_Hash1 = Server B
Source_IP_Hash2 = Server B
Source_IP_Hash3 = Server A
Source_IP_Hash4 = Server B
Source_IP_Hash5 = Server B
Source_IP_Hash6 = Server A
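The four algorithms in Table 149, modelled in Python as an added example (this is not Zyxel code and does not describe the device's implementation); it reproduces the CBACBACBA, CBAABACBA and B, B, A, B, B, A sequences above under the assumption that no connection closes during the run, and it assumes LIFO tie-breaking for Least-Connection, which the table leaves unspecified.

```python
"""Model of the Table 149 load-balancing selection orders.

Servers are given in the order they were added to the rule; the device walks
them Last In First Out, so every function below reverses that list first.
Assumption: no connection closes during a run (all assignments stay open).
"""
from itertools import cycle
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

Server = Tuple[str, int]  # (name, configured weight), in the order added


def _lifo(servers: Sequence[Server]) -> List[str]:
    """Names in Last In First Out order, the order used on every tie."""
    return [name for name, _ in reversed(servers)]


def round_robin(servers: Sequence[Server], requests: int) -> str:
    """Weights and connection counts are ignored; just cycle LIFO."""
    order = _lifo(servers)
    return "".join(order[i % len(order)] for i in range(requests))


def weighted_round_robin(servers: Sequence[Server], requests: int) -> str:
    """Servers with zero connections first (LIFO among them); otherwise the
    highest remaining weight wins, ties LIFO. Each assignment lowers the
    chosen server's remaining weight by one while its request is open."""
    order = _lifo(servers)
    remaining = dict(servers)
    connections = {name: 0 for name in order}
    assigned = []
    for _ in range(requests):
        idle = [s for s in order if connections[s] == 0]
        if idle:
            chosen = idle[0]
        else:
            top = max(remaining[s] for s in order)
            chosen = next(s for s in order if remaining[s] == top)
        connections[chosen] += 1
        remaining[chosen] -= 1
        assigned.append(chosen)
    return "".join(assigned)


def least_connection(servers: Sequence[Server], requests: int,
                     open_connections: Optional[Dict[str, int]] = None) -> str:
    """Pick the server with the fewest current connections. The guide does
    not say how ties break; LIFO is assumed, consistent with the others."""
    order = _lifo(servers)
    connections = {name: 0 for name in order}
    connections.update(open_connections or {})
    assigned = []
    for _ in range(requests):
        low = min(connections[s] for s in order)
        chosen = next(s for s in order if connections[s] == low)
        connections[chosen] += 1
        assigned.append(chosen)
    return "".join(assigned)


class SourceHashTable:
    """Static client IP -> server table. A first-seen client IP takes the next
    slot of a repeating sequence in which each server appears N times (N =
    its weight), LIFO; a known client IP always gets its stored server."""

    def __init__(self, servers: Sequence[Server]):
        weights = dict(servers)
        sequence = [s for s in _lifo(servers) for _ in range(weights[s])]
        self._next = cycle(sequence)
        self.table: Dict[str, str] = {}

    def assign(self, client_ip: str) -> str:
        if client_ip not in self.table:
            self.table[client_ip] = next(self._next)
        return self.table[client_ip]


def source_hashing(servers: Sequence[Server],
                   client_ips: Iterable[str]) -> List[str]:
    table = SourceHashTable(servers)
    return [table.assign(ip) for ip in client_ips]


if __name__ == "__main__":
    abc = [("A", 4), ("B", 3), ("C", 2)]
    print(round_robin(abc, 9))           # CBACBACBA, as in Table 149
    print(weighted_round_robin(abc, 9))  # CBAABACBA, as in Table 149
    # Constructed pre-existing load: A has 2 open connections, C has 1
    print(least_connection(abc, 3, {"A": 2, "B": 0, "C": 1}))  # BCB
    # Constructed client addresses; Table 149 maps them B, B, A, B, B, A
    clients = ["203.0.113.%d" % i for i in range(1, 7)]
    print(source_hashing([("A", 1), ("B", 2)], clients))
```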

12.6 The Virtual Server Load Balancer Screen
Use this screen to view the summary of your virtual server load balancer rules. Click Configuration > Network > NAT > Virtual Server Load Balancer to open the following screen.
Figure 251 Configuration > Network > NAT > Virtual Server Load Balancing

The following table describes the labels in this screen.

Table 150 Configuration > Network > NAT > Virtual Server Load Balancer
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
#: This field is a sequential value, and it is not associated with a specific entry.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Health Status: This field displays whether the real server is reachable for a particular service.
Name: This field displays the name of the entry.
External IP: This field displays the external destination IP address (or address object) of traffic that matches this entry.
Protocol: This field displays the protocol used by the packets for this entry.
External Port: This field displays the external destination port(s) of packets for the entry.
Load Balancing Algorithm: This field displays the load balancing algorithm for the entry. See Section 12.5.5 on page 369 for more information on the load balancing algorithms.
Virtual Server(s): This displays the number of real servers. Mouse over it to see each real server's IP address.
Apply: Click this button to save your changes to the Zyxel Device.
Reset: Click this button to return the screen to its last-saved settings.

12.6.1 Adding / Editing a Virtual Server Load Balancing Rule
Use this screen to configure settings for your virtual server load balancer rules. This screen's options change based on the Healthy Check Method selected. Only the PING method screen is displayed here.
Click Configuration > Network > NAT > Virtual Server Load Balancer > Add/Edit to open the following screen.
Figure 252 Configuration > Network > NAT > Virtual Server Load Balancing > Add/Edit


The following table describes the labels in this screen.

Table 151 Configuration > Network > NAT > Virtual Server Load Balancer > Add/Edit
General Settings
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Enable Rule: Use this option to turn the virtual server load balancer rule on or off.
Rule Name: Type in the name of the virtual server load balancer rule. The name is used to refer to the virtual server load balancer rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Virtual Server Rule
Incoming Interface: Select the interface on which packets from the client to the virtual server load balancer rule must be received. It can be an Ethernet, VLAN, bridge, or PPPoE/PPTP interface.
External IP: This is the IP address of the virtual server. It may be different from the incoming interface IP address. Select a Host, Interface IP or Interface Gateway object already configured in Object > Address/Geo IP > Address > IPv4 Address, or enter a User Defined IPv4 address for the virtual server.
User Defined External IP: This field is available if External IP is User Defined. Type the IPv4 address of the virtual server.
Port Mapping Type: Use the drop-down list box to select how many external destination ports this virtual server load balancer rule supports for the selected destination IP address (External IP). Choices are:
Service - this virtual server load balancer rule supports a service such as FTP (see Object > Service > Service). For this type, you need to fill in External Service.
External Service: Select a service from the drop-down list box.
Port - this virtual server load balancer rule supports one destination port. For this type, you need to fill in these fields.
· Protocol Type: TCP or UDP
· External Port: specify a port number for this rule
The type of service or port selected automatically updates Healthy Check Method as follows:
· HTTP Request: 80, 8080
· HTTPS Request: 443
· SMTP Helo: 25
· DNS Query: 53 (TCP/UDP)
· Default TCP if protocol is TCP, PING if protocol is UDP
You can still change the Healthy Check Method in the next field.
Healthy Check Method: Select this to periodically check if the real server is still online. The Zyxel Device periodically sends a request to each real server. This request ensures that the server is available, and optionally ensures that a specific service on the server is running.
Use the drop-down list box to set the type of status request to send to each real server.
For example, select HTTP and the Zyxel Device periodically sends an HTTP request to each real server, ensuring that the server is available and that its HTTP service is running.
· HTTP: Web service
· HTTPS: Secure web service
· TCP: A general network protocol that shows the server is accepting TCP connections
· SMTP: Mail service
· DNS: Dynamic Name Service
· PING: A general network protocol that shows the server is reachable
PING:
Check Period - Sets the health check time interval, in seconds. The default is 60.
Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5.
Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1.
HTTP Request:
Path - Sets the URL to request when the health check type is set to HTTP or HTTPS.
Note: If an MD5 checksum is set for a real server, the Zyxel Device uses this checksum to verify that each HTTP health check request returns the correct webpage, and not an error page.
Host - Sets the SNI to send to the real server when the health check type is set to HTTPS. A client sends a Server Name Indication (SNI) when it starts an HTTPS session with the server. It allows multiple HTTPS sessions to the same IP address and port number with different certificates for different SNIs.
Enable Hash Check - Enables or disables auto-hashing. When enabled, the Zyxel Device sends an HTTP request to each real server, and then calculates and stores the MD5 checksum of the returned webpage. The Zyxel Device uses this checksum to verify that each HTTP health check request returns the correct webpage, and not an error page.
Status Code - Sets which status code indicates a successful reply when the health check type is set to HTTP or HTTPS. The default value is the range 200-299.
Check Period - Sets the health check time interval, in seconds. The default is 60.
Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5.
Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1.
HTTPS Request:
Path - Sets the URL to request when the health check type is set to HTTP or HTTPS.
Note: If an MD5 checksum is set for a real server, the Zyxel Device uses this checksum to verify that each HTTPS health check request returns the correct webpage, and not an error page.
Host - Sets the SNI to send to the real server when the health check type is set to HTTPS. A client sends a Server Name Indication (SNI) when it starts an HTTPS session with the server. It allows multiple HTTPS sessions to the same IP address and port number with different certificates for different SNIs.
Enable Hash Check - Enables or disables auto-hashing. When enabled, the Zyxel Device sends an HTTP request to each real server, and then calculates and stores the MD5 checksum of the returned webpage. The Zyxel Device uses this checksum to verify that each HTTP health check request returns the correct webpage, and not an error page.
Status Code - Sets which status code indicates a successful reply when the health check type is set to HTTP or HTTPS. The default value is the range 200-299.
Enable SNI - Enables or disables sending a Server Name Indication (SNI) as part of the health check request when the health check type is set to HTTPS.
Check Period - Sets the health check time interval, in seconds. The default is 60.
Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5.
Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1.
SMTP Helo:
Helo Name - Sets the HELO string to send to the real server when the health check type is set to SMTP. Typically, the HELO string should contain the fully qualified domain name (FQDN) of the mail server.
Check Period - Sets the health check time interval, in seconds. The default is 60.
Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5.
Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1.
DNS Query:
Query - Sets the fully qualified domain name (FQDN) to send to the real server when the health check type is set to DNS.
Check Period - Sets the health check time interval, in seconds. The default is 60.
Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5.
Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1.
TCP Connection:
Check Period - Sets the health check time interval, in seconds. The default is 60.
Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5.
Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1.
Load Balancing Algorithm: Sets the load balancing algorithm for this rule. For information about each algorithm, see Section 12.5.5 on page 369.
Persistence Timeout: Sets how long a client/server session with no activity stays open. Timeout is measured in seconds, and the default value is 360.
Multiple requests from a client within a short time period are directed to the same real server, as part of a persistent client/server session.
If there are no incoming requests from a client within the specified timeout period, then the persistent client/server session is closed. Further requests from the client might be assigned to a different real server, determined by the load balancing algorithm.
Real Server
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#: This field is a sequential value, and it is not associated with a specific entry.
Server IP: This field displays the IPv4 address of a server on the LAN.
Port: This field displays the External Port or the port based on the External Service selected above. You may change the port here.
Weight: The weight represents the processing power of this server compared to other servers. A server with a weight of 2 is considered to be able to handle two times more requests than a server with a weight of 1. See Section 12.5.5 on page 369 for more information on weight in each load balancing algorithm.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to return to the Virtual Server Load Balancer summary screen without creating the virtual server load balancer rule (if it is new) or saving any changes (if it already exists).
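The HTTP/HTTPS health check decision described in Table 151 (Connect Timeout, Retry, Status Code range and Enable Hash Check), as an added Python model that is not Zyxel code; the network is replaced by `fetch` callables returning constructed responses, the defaults are the ones the table gives, and Check Period is carried as configuration only, since scheduling is not modelled.

```python
"""Model of the Table 151 HTTP/HTTPS health check for one real server.

A `fetch` callable stands in for the network: it returns (status, body)
or raises TimeoutError when no reply arrives within Connect Timeout.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

Fetch = Callable[[str, float], Tuple[int, bytes]]  # (path, timeout) -> (status, body)


@dataclass
class HttpHealthCheck:
    path: str = "/"
    check_period: int = 60          # seconds between checks (default 60); not exercised here
    connect_timeout: float = 5.0    # seconds before one attempt counts as failed (default 5)
    retry: int = 1                  # resends before marking the server unavailable (default 1)
    status_range: Tuple[int, int] = (200, 299)   # default success range
    expected_md5: Optional[str] = None           # set by learn_hash() (Enable Hash Check)

    def learn_hash(self, fetch: Fetch) -> str:
        """Enable Hash Check: fetch the page once and store its MD5 as the
        reference every later check must reproduce."""
        _, body = fetch(self.path, self.connect_timeout)
        self.expected_md5 = hashlib.md5(body).hexdigest()
        return self.expected_md5

    def response_ok(self, status: int, body: bytes) -> bool:
        """A reply passes when its status is in range and, if a checksum is
        stored, the body is the expected page rather than an error page."""
        low, high = self.status_range
        if not low <= status <= high:
            return False
        if self.expected_md5 is not None:
            return hashlib.md5(body).hexdigest() == self.expected_md5
        return True

    def server_available(self, fetch: Fetch) -> bool:
        """One check cycle: the initial request plus up to `retry` resends.
        The server is marked unavailable only if every attempt fails."""
        for _ in range(1 + self.retry):
            try:
                status, body = fetch(self.path, self.connect_timeout)
            except TimeoutError:
                continue
            if self.response_ok(status, body):
                return True
        return False


# Constructed responses standing in for real servers
GOOD_PAGE = b"<html><body>OK - web server 1</body></html>"
ERROR_PAGE = b"<html><body>Service unavailable</body></html>"


def healthy_server(path: str, timeout: float) -> Tuple[int, bytes]:
    return 200, GOOD_PAGE


def wrong_page_server(path: str, timeout: float) -> Tuple[int, bytes]:
    """Answers 200 but with the wrong content: only the hash check catches it."""
    return 200, ERROR_PAGE


def failing_server(path: str, timeout: float) -> Tuple[int, bytes]:
    return 503, ERROR_PAGE


def make_flaky_server(fail_first: int) -> Fetch:
    """Times out on the first `fail_first` attempts, then answers normally."""
    calls = {"n": 0}

    def fetch(path: str, timeout: float) -> Tuple[int, bytes]:
        calls["n"] += 1
        if calls["n"] <= fail_first:
            raise TimeoutError("no reply within %.0fs" % timeout)
        return 200, GOOD_PAGE
    return fetch


def demo() -> dict:
    """Run one check cycle against each constructed server with defaults."""
    check = HttpHealthCheck(path="/health")
    check.learn_hash(healthy_server)          # Enable Hash Check: learn the good page
    return {
        "healthy": check.server_available(healthy_server),
        "wrong_page": check.server_available(wrong_page_server),
        "failing": check.server_available(failing_server),
        "one_timeout": check.server_available(make_flaky_server(1)),   # saved by Retry = 1
        "two_timeouts": check.server_available(make_flaky_server(2)),  # exceeds Retry
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-12s %s" % (name, "available" if ok else "unavailable"))
```

Without a stored checksum, `response_ok(200, ERROR_PAGE)` passes, which is exactly the case the MD5 check exists to catch.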

ZyWALL USG FLEX Series User's Guide
374

CHAPTER 13 Redirect Service
13.1 Overview
Redirect Service redirects HTTP and SMTP traffic.
13.1.1 HTTP Redirect
HTTP redirect forwards the client's HTTP request (except HTTP traffic destined for the Zyxel Device) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the Internet to get the page from a server. Proxy server A then forwards the response to the client.
Figure 253 HTTP Redirect Example
13.1.2 SMTP Redirect
SMTP redirect forwards the authenticated client's SMTP message to an SMTP server that handles all outgoing email messages. In the following example, SMTP server A is connected to the lan2 interface in the LAN2 zone. When a client connected to the lan1 interface in the LAN1 zone logs into the Zyxel Device and wants to send an email, its SMTP message is redirected to SMTP server A. SMTP server A then sends it to a mail server, where the message will be delivered to the recipient. The Zyxel Device forwards SMTP traffic using TCP port 25.
Figure 254 SMTP Redirect Example
13.1.3 What You Can Do in this Chapter
Use the Redirect Service screens (see Section 13.2 on page 378) to display and edit the HTTP and SMTP redirect rules.
13.1.4 What You Need to Know
Web Proxy Server
A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a security policy or an ALG (application layer gateway) between the private network and the Internet or other networks. It also keeps hackers from knowing internal IP addresses. A client connects to a web proxy server each time it wants to access the Internet. The web proxy provides a caching service to allow quick access and reduce network usage. The proxy checks its local cache for the requested web resource first. If it is not found, the proxy gets it from the specified server and forwards the response to the client.
HTTP Redirect, Security Policy and Policy Route
With HTTP redirect, the relevant packet flow for HTTP traffic is:
1 Security Policy
2 Application Patrol
3 HTTP Redirect
4 Policy Route
Even if you set a policy route to the same incoming interface and service as an HTTP redirect rule, the Zyxel Device checks the HTTP redirect rules first and forwards HTTP traffic to a proxy server if matched. You need to make sure there is no security policy blocking the HTTP requests from the client to the proxy server.
You also need to manually configure a policy route to forward the HTTP traffic from the proxy server to the Internet. To make the example in Figure 253 on page 375 work, make sure you have the following settings.
For HTTP traffic between lan1 and dmz:
· a from LAN1 to DMZ security policy (default) to allow HTTP requests from lan1 to dmz. Responses to these requests are allowed automatically.
· an application patrol rule to allow HTTP traffic between lan1 and dmz.
· an HTTP redirect rule to forward HTTP traffic from lan1 to proxy server A.
For HTTP traffic between dmz and wan1:
· a from DMZ to WAN security policy (default) to allow HTTP requests from dmz to wan1. Responses to these requests are allowed automatically.
· an application patrol rule to allow HTTP traffic between dmz and wan1.
· a policy route to forward HTTP traffic from proxy server A to the Internet.
SMTP
Simple Mail Transfer Protocol (SMTP) is the Internet's message transport standard. It controls the sending of email messages between servers. Email clients (also called email applications) then use mail server protocols such as POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) to retrieve email. Email clients also generally use SMTP to send messages to a mail server. The older POP2 requires SMTP for sending messages while the newer POP3 can be used with or without it. This is why many email applications require you to specify both the SMTP server and the POP or IMAP server (even though they may actually be the same server).
SMTP Redirect, Firewall and Policy Route
With SMTP redirect, the relevant packet flow for SMTP traffic is:
1 Firewall
2 SMTP Redirect
3 Policy Route
Even if you set a policy route to the same incoming interface and service as an SMTP redirect rule, the Zyxel Device checks the SMTP redirect rules first and forwards SMTP traffic to an SMTP server if matched. You need to make sure there is no firewall rule blocking the SMTP traffic from the client to the SMTP server.
You also need to manually configure a policy route to forward the SMTP traffic from the SMTP server to the Internet. To make the example in Figure 254 on page 376 work, make sure you have the following settings.
For SMTP traffic between lan1 and lan2:
· a from LAN1 to LAN2 firewall rule to allow SMTP messages from lan1 to lan2. Responses to these messages are allowed automatically.
· an SMTP redirect rule to forward SMTP traffic from lan1 to SMTP server A.
For SMTP traffic between lan2 and wan1:
· a from LAN2 to WAN firewall rule (default) to allow SMTP messages from lan2 to wan1. Responses to these messages are allowed automatically.
· a policy route to forward SMTP messages from SMTP server A to the Internet.
13.2 The Redirect Service Screen
To configure redirection of an HTTP or SMTP request, click Configuration > Network > HTTP Redirect. This screen displays the summary of the redirect rules.
Note: You can configure up to one HTTP redirect rule and one SMTP redirect rule for each (incoming) interface.
Figure 255 Configuration > Network > Redirect Service

The following table describes the labels in this screen.

Table 152 Configuration > Network > Redirect Service
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Move: To change a rule's position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
The ordering of your rules is important as they are applied in order of their numbering.
#: This field is a sequential value, and it is not associated with a specific entry.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Service: This is the name of the service: HTTP or SMTP.
Name: This is the descriptive name of a rule.
User/Group: This is the user account or user group name to which this rule is applied.
Interface: This is the interface on which the request must be received.
Source Address: This is the name of the source IP address object from which the traffic should be sent. If any displays, the rule is effective for every source.
Server: This is the IP address of the HTTP proxy server or the SMTP server to which the matched traffic is forwarded.
Port: This is the service port number used by the HTTP proxy server or SMTP server.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

13.2.1 The Redirect Service Edit Screen
Click Network > Redirect Service to open the Redirect Service screen. Then click the Add or Edit icon to open the Redirect Service Edit screen where you can configure the rule.
Figure 256 Network > Redirect Service > Edit


The following table describes the labels in this screen.

Table 153 Network > Redirect Service > Edit
Enable: Use this option to turn the Redirect Service rule on or off.
Service: Select the service to be redirected: HTTP Redirect or SMTP Redirect.
Name: Enter a name to identify this rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Criteria
User: Select the user account or user group name to which this rule is applied.
Interface: Select the interface on which the request must be received for the Zyxel Device to forward it to the specified server.
Source Address: Select the name of the source IP address object from which the traffic should be sent. Select any for the rule to be effective for every source.
Redirect Settings
Server: Enter the IP address of the HTTP proxy or SMTP server.
Port: Enter the port number that the HTTP proxy or SMTP server uses.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.


CHAPTER 14 ALG
14.1 ALG Overview
Application Layer Gateway (ALG) allows the following applications to operate properly through the Zyxel Device's NAT.
· SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over the Internet.
· H.323 - A teleconferencing protocol suite that provides audio, data and video conferencing.
· FTP - File Transfer Protocol - an Internet file transfer service.
The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B and the SIP server.
Figure 257 SIP ALG Example
The ALG feature is only needed for traffic that goes through the Zyxel Device's NAT.
14.1.1 What You Need to Know
Application Layer Gateway (ALG), NAT and Security Policy
The Zyxel Device can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the Zyxel Device's NAT and security policy. The Zyxel Device dynamically creates an implicit NAT session and security policy session for the application's traffic from the WAN to the LAN. The ALG on the Zyxel Device supports all of the Zyxel Device's NAT mapping types.
FTP ALG
The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and security policies if you want to allow access to the server from the WAN. Bandwidth management can be applied to FTP ALG traffic.
H.323 ALG
· The H.323 ALG supports peer-to-peer H.323 calls.
· The H.323 ALG handles H.323 calls that go through NAT or that the Zyxel Device routes. You can also make other H.323 calls that do not go through NAT or routing. Examples would be calls between LAN IP addresses that are on the same subnet.
· The H.323 ALG allows calls to go out through NAT. For example, you could make a call from a private IP address on the LAN to a peer device on the WAN.
· The H.323 ALG operates on TCP packets with a specified port destination.
· Bandwidth management can be applied to H.323 ALG traffic.
· The Zyxel Device allows H.323 audio connections.
· The Zyxel Device can also apply bandwidth management to traffic that goes through the H.323 ALG.
The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and B.
Figure 258 H.323 ALG Example
SIP ALG
· SIP phones can be in any zone (including LAN, DMZ, WAN), and the SIP server and SIP clients can be in the same network or different networks. The SIP server cannot be on the LAN. It must be on the WAN or the DMZ.
· There should be only one SIP server (total) on the Zyxel Device's private networks. Any other SIP servers must be on the WAN. So for example you could have a Back-to-Back User Agent such as the IPPBX x6004 or an asterisk PBX on the DMZ or on the LAN but not on both.
· Using the SIP ALG allows you to use bandwidth management on SIP traffic. Bandwidth management can be applied to FTP ALG traffic. Use the option in the C o nfig ura tio n > BWM screen to configure the highest bandwidth available for SIP traffic.
· The SIP ALG handles SIP calls that go through NAT or that the Zyxel Device routes. You can also make other SIP calls that do not go through NAT or routing. Examples would be calls between LAN IP addresses that are on the same subnet.
· The SIP ALG supports peer-to-peer SIP calls. The security policy (by default) allows peer to peer calls from the LAN zone to go to the WAN zone and blocks peer to peer calls from the WAN zone to the LAN zone.
· The SIP ALG allows UDP packets with a specified port destination to pass through.
· The Zyxel Device allows SIP audio connections.
ZyWALL USG FLEX Series User's Guide
382

Chapter 14 ALG
· You do not need to use TURN (Traversal Using Relay NAT) for VoIP devices behind the Zyxel Device when you enable the SIP ALG.
· Configuring the SIP ALG to use custom port numbers for SIP traffic also configures the application patrol (see Chapter 31 on page 586) to use the same port numbers for SIP traffic. Likewise, configuring the application patrol to use custom port numbers for SIP traffic also configures SIP ALG to use the same port numbers for SIP traffic.
Peer-to-Peer Calls and the Zyxel Device
The Zyxel Device ALG can allow peer-to-peer VoIP calls for both H.323 and SIP. You must configure the security policy and NAT (port forwarding) to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN (or DMZ).
VoIP Calls from the WAN with Multiple Outgoing Calls
When you configure the security policy and NAT (port forwarding) to allow calls from the WAN to a specific IP address on the LAN, you can also use policy routing to have H.323 (or SIP) calls from other LAN or DMZ IP addresses go out through a different WAN IP address. The policy routing lets the Zyxel Device correctly forward the return traffic for the calls initiated from the LAN IP addresses. For example, you configure the security policy and NAT to allow LAN IP address A to receive calls from the Internet through WAN IP address 1. You also use a policy route to have LAN IP address A make calls out through WAN IP address 1. Configure another policy route to have H.323 (or SIP) calls from LAN IP addresses B and C go out through WAN IP address 2. Even though only LAN IP address A can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the Internet.
Figure 259 VoIP Calls from the WAN with Multiple Outgoing Calls
VoIP with Multiple WAN IP Addresses
With multiple WAN IP addresses on the Zyxel Device, you can configure different security policy and NAT (port forwarding) rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ). Use policy routing to have the H.323 (or SIP) calls from each of those LAN or DMZ IP addresses go out through the same WAN IP address that calls come in on. The policy routing lets the Zyxel Device correctly forward the return traffic for the calls initiated from the LAN IP addresses. For example, you configure security policy and NAT rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different security policy and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You configure corresponding policy routes to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2.
Figure 260 VoIP with Multiple WAN IP Addresses
14.1.2 Before You Begin
You must also configure the security policy and enable NAT in the Zyxel Device to allow sessions initiated from the WAN.
14.2 The ALG Screen
Click Configuration > Network > ALG to open the ALG screen. Use this screen to turn ALGs off or on, configure the port numbers to which they apply, and configure SIP ALG timeouts.
Note: If the Zyxel Device provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service's traffic.
Figure 261 Configuration > Network > ALG
The following table describes the labels in this screen.

Table 154 Configuration > Network > ALG

LABEL: DESCRIPTION
Enable SIP ALG: Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the Zyxel Device's NAT. Enabling the SIP ALG also allows you to use the application patrol to detect SIP traffic and manage the SIP traffic's bandwidth (see Chapter 31 on page 586).
Enable SIP Transformations: Select this to have the Zyxel Device modify IP addresses and port numbers embedded in the SIP data payload. You do not need to use this if you have a SIP device or server that will modify IP addresses and port numbers embedded in the SIP data payload.
Enable Configure SIP Inactivity Timeout: Select this option to have the Zyxel Device apply SIP media and signaling inactivity timeout limits. These timeouts take priority over the SIP session timeout "Expires" value in a SIP registration response packet.
SIP Media Inactivity Timeout: Use this field to set how many seconds (1~86400) the Zyxel Device will allow a SIP session to remain idle (without voice traffic) before dropping it. If no voice packets go through the SIP ALG before the timeout period expires, the Zyxel Device deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation.
SIP Signaling Inactivity Timeout: Most SIP clients have an "expire" mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the Zyxel Device. If the SIP client does not have this mechanism and makes no calls during the Zyxel Device SIP timeout, the Zyxel Device deletes the signaling session after the timeout period. Enter the SIP signaling session timeout value (1~86400).
Restrict Peer to Peer Signaling Connection: A signaling connection is used to set up the SIP connection. Enable this if you want signaling connections to only arrive from the IP address(es) you registered with. Signaling connections from other IP addresses will be dropped.
Restrict Peer to Peer Media Connection: A media connection is the audio transfer in a SIP connection. Enable this if you want media connections to only arrive from the IP address(es) you registered with. Media connections from other IP addresses will be dropped. You should disable this if you have registered for cloud VoIP services.
SIP Signaling Port: If you are using a custom UDP port number (not 5060) for SIP traffic, enter it here. Use the Add icon to add fields if you are also using SIP on additional UDP port numbers.
Enable H.323 ALG: Turn on the H.323 ALG to detect H.323 traffic (used for audio communications) and help build H.323 sessions through the Zyxel Device's NAT. Enabling the H.323 ALG also allows you to use the application patrol to detect H.323 traffic and manage the H.323 traffic's bandwidth (see Chapter 31 on page 586).
Enable H.323 Transformations: Select this to have the Zyxel Device modify IP addresses and port numbers embedded in the H.323 data payload. You do not need to use this if you have an H.323 device or server that will modify IP addresses and port numbers embedded in the H.323 data payload.
H.323 Signaling Port: If you are using a custom TCP port number (not 1720) for H.323 traffic, enter it here.
Additional H.323 Signaling Port for Transformations: If you are also using H.323 on an additional TCP port number, enter it here.
Enable FTP ALG: Turn on the FTP ALG to detect FTP (File Transfer Protocol) traffic and help build FTP sessions through the Zyxel Device's NAT. Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffic's bandwidth (see Chapter 31 on page 586).
Enable FTP Transformations: Select this option to have the Zyxel Device modify IP addresses and port numbers embedded in the FTP data payload to match the Zyxel Device's NAT environment. Clear this option if you have an FTP device or server that will modify IP addresses and port numbers embedded in the FTP data payload to match the Zyxel Device's NAT environment.
FTP Signaling Port: If you are using a custom TCP port number (not 21) for FTP traffic, enter it here.
Additional FTP Signaling Port for Transformations: If you are also using FTP on an additional TCP port number, enter it here.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

14.3 ALG Technical Reference
Here is more detailed information about the Application Layer Gateway.
ALG
Some applications cannot operate through NAT (are NAT unfriendly) because they embed IP addresses and port numbers in their packets' data payload. The Zyxel Device examines and uses IP address and port number information embedded in the VoIP traffic's data stream. When a device behind the Zyxel Device uses an application for which the Zyxel Device has VoIP pass through enabled, the Zyxel Device translates the device's private IP address inside the data stream to a public IP address. It also records session port numbers and allows the related sessions to go through the security policy so the application's traffic can come in from the WAN to the LAN.
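The payload rewriting described here, together with the Enable SIP Transformations and Restrict Peer to Peer Media Connection options in Table 154, as an added Python model (not Zyxel's implementation): it rewrites the private address and media port in a constructed INVITE, recomputes Content-Length, records the RTP pinhole, and then decides whether inbound media is forwarded. The public address 203.0.113.5, the port pool starting at 40000 and the sample message are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an INVITE from a phone on the LAN to a peer on the WAN.
# The addresses are documentation ranges, not real hosts.
PRIVATE_IP = "192.168.1.20"
SAMPLE_INVITE = (
    "INVITE sip:bob@198.51.100.7 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@192.168.1.20>;tag=1928301774\r\n"
    "To: <sip:bob@198.51.100.7>\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 116\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


@dataclass
class AlgState:
    """What the ALG remembers: the NAT's public address and the RTP pinholes it
    opened, keyed (protocol, public port) -> (private IP, private port)."""
    public_ip: str
    pinholes: dict = field(default_factory=dict)
    next_port: int = 40000  # assumed start of the public RTP port pool


def transform_invite(msg: str, private_ip: str, state: AlgState) -> str:
    """Model of 'Enable SIP Transformations': rewrite the private address in the
    SIP headers and SDP, move the media port to the public side, recompute
    Content-Length and record the pinhole for the return RTP stream."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name == "content-length":
            continue  # re-added below: the body shrinks or grows with the IP text
        if name in ("via", "from", "contact"):
            line = line.replace(private_ip, state.public_ip)
        headers.append(line)
    sdp = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(private_ip, state.public_ip)
        m = re.match(r"m=audio (\d+) (.*)", line)
        if m:
            private_port = int(m.group(1))
            public_port = state.next_port
            state.next_port += 2  # RTP uses an even port; RTCP takes the next one
            state.pinholes[("udp", public_port)] = (private_ip, private_port)
            line = f"m=audio {public_port} {m.group(2)}"
        sdp.append(line)
    new_body = "\r\n".join(sdp)
    headers.append(f"Content-Length: {len(new_body.encode())}")
    return "\r\n".join(headers) + "\r\n\r\n" + new_body


def content_length_ok(msg: str) -> bool:
    """True when the Content-Length header matches the body actually sent;
    a mismatch is what breaks calls when an ALG edits the SDP carelessly."""
    head, _, body = msg.partition("\r\n\r\n")
    m = re.search(r"^Content-Length:\s*(\d+)\s*$", head, re.M | re.I)
    return m is not None and int(m.group(1)) == len(body.encode())


def forward_inbound_media(state: AlgState, src_ip: str, dst_port: int,
                          restrict_peer_media: bool, registered_peers: set):
    """Decide what happens to a UDP packet arriving on the public side:
    returns the (private IP, port) it is forwarded to, or None if dropped."""
    target = state.pinholes.get(("udp", dst_port))
    if target is None:
        return None  # no session was set up through the ALG, so the policy blocks it
    if restrict_peer_media and src_ip not in registered_peers:
        return None  # 'Restrict Peer to Peer Media Connection' behaviour
    return target


if __name__ == "__main__":
    alg = AlgState(public_ip="203.0.113.5")
    print(transform_invite(SAMPLE_INVITE, PRIVATE_IP, alg))
    print(alg.pinholes)
```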
ALG and Trunks
If you send your ALG-managed traffic through an interface trunk and all of the interfaces are set to active, you can configure routing policies to specify which interface the ALG-managed traffic uses.
You could also have a trunk with one interface set to active and a second interface set to passive. The Zyxel Device does not automatically change ALG-managed connections to the second (passive) interface when the active interface's connection goes down. When the active interface's connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface. VoIP clients usually re-register automatically at set intervals or the users can manually force them to re-register.
FTP
File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files.
H.323
H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. NetMeeting uses H.323.
SIP
The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling. SIP handles telephone calls and can interface with traditional circuit-switched telephone networks.
RTP
When you make a VoIP call using H.323 or SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
CHAPTER 15 UPnP
15.1 UPnP and NAT-PMP Overview
The Zyxel Device supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use. A gateway that supports UPnP is called Internet Gateway Device (IGD). The standardized Device Control Protocol (DCP) is defined by the UPnP Forum for IGDs to configure port mapping automatically.
NAT Port Mapping Protocol (NAT-PMP), introduced by Apple and implemented in current Apple products, is used as an alternative NAT traversal solution to the UPnP IGD protocol. NAT-PMP runs over UDP port 5351. NAT-PMP is much simpler than UPnP IGD and mainly designed for small home networks. It allows a client behind a NAT router to retrieve the router's public IP address and port number and make them known to the peer device with which it wants to communicate. The client can automatically configure the NAT router to create a port mapping to allow the peer to contact it.
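The NAT-PMP message formats on UDP port 5351, as an added Python example that is not Zyxel's code: it builds and decodes the public-address and port-mapping requests and the gateway's replies as laid out in RFC 6886, and describe() turns a request into the one-line audit record a LAN monitor could log. The result-code names come from the RFC; the sample datagrams are constructed.

```python
import struct
from dataclasses import dataclass

NATPMP_PORT = 5351  # NAT-PMP runs over UDP port 5351 (RFC 6886)
OP_PUBLIC_ADDRESS, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


@dataclass
class MappingRequest:
    """Fields of a port-mapping request (12 bytes on the wire)."""
    protocol: str        # "udp" or "tcp"
    internal_port: int   # port on the LAN client that should become reachable
    external_port: int   # suggested public port; 0 lets the gateway choose
    lifetime: int        # seconds the mapping should live; 0 requests deletion


def build_public_address_request() -> bytes:
    # version 0, opcode 0: "tell me your public IP"
    return struct.pack("!BB", 0, OP_PUBLIC_ADDRESS)


def build_mapping_request(req: MappingRequest) -> bytes:
    opcode = OP_MAP_UDP if req.protocol == "udp" else OP_MAP_TCP
    # version, opcode, reserved, internal port, external port, lifetime (big-endian)
    return struct.pack("!BBHHHI", 0, opcode, 0, req.internal_port,
                       req.external_port, req.lifetime)


def parse_request(data: bytes):
    """Decode a client datagram as the gateway (or a LAN monitor) sees it."""
    if len(data) < 2 or data[0] != 0:
        raise ValueError("not a NAT-PMP version 0 request")
    opcode = data[1]
    if opcode == OP_PUBLIC_ADDRESS:
        return "public-address-request"
    if opcode in (OP_MAP_UDP, OP_MAP_TCP) and len(data) >= 12:
        _, _, _, iport, eport, lifetime = struct.unpack("!BBHHHI", data[:12])
        proto = "udp" if opcode == OP_MAP_UDP else "tcp"
        return MappingRequest(proto, iport, eport, lifetime)
    raise ValueError(f"unsupported or truncated request, opcode {opcode}")


def parse_response(data: bytes) -> dict:
    """Decode a gateway reply; its opcode is the request opcode plus 128."""
    _, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    out = {"opcode": opcode, "result": RESULT_CODES.get(result, f"code {result}"),
           "seconds_since_start": epoch}
    if opcode == 128 + OP_PUBLIC_ADDRESS:
        out["public_ip"] = ".".join(str(b) for b in data[8:12])
    elif opcode in (128 + OP_MAP_UDP, 128 + OP_MAP_TCP):
        iport, eport, lifetime = struct.unpack("!HHI", data[8:16])
        out.update(internal_port=iport, external_port=eport, lifetime=lifetime)
    return out


def describe(req) -> str:
    """One-line audit record of what a LAN client asked the gateway to do."""
    if not isinstance(req, MappingRequest):
        return "client asks for the gateway's public IP address"
    if req.lifetime == 0:
        return (f"client asks to delete the {req.protocol.upper()} mapping "
                f"for internal port {req.internal_port}")
    return (f"client asks to expose {req.protocol.upper()} port {req.internal_port} "
            f"on the WAN (suggested public port {req.external_port or 'any'}) "
            f"for {req.lifetime} s")


if __name__ == "__main__":
    # Constructed sample: the two datagrams a client typically sends on UDP 5351.
    for raw in (build_public_address_request(),
                build_mapping_request(MappingRequest("tcp", 8080, 0, 7200))):
        print(describe(parse_request(raw)))
```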
15.2 What You Need to Know
UPnP hardware is identified as an icon on the network folder (Windows 7). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device.
15.2.1 NAT Traversal
UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence on the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:
· Dynamic port mapping
· Learning public IP addresses
· Assigning lease times to mappings
Windows Messenger is an example of an application that supports NAT traversal and UPnP.
See the NAT chapter for more information on NAT.
15.2.2 Cautions with UPnP and NAT-PMP
The automated nature of NAT traversal applications in establishing their own services and opening security policy ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP or NAT-PMP device joins a network, it announces its presence with a multicast message. For security reasons, the Zyxel Device allows multicast messages on the LAN only. All UPnP-enabled or NAT-PMP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP or NAT-PMP if this is not your intention.
15.3 UPnP Screen
Use this screen to enable UPnP and NAT-PMP on your Zyxel Device. Click Configuration > Network > UPnP to display the screen shown next.
Figure 262 Configuration > Network > UPnP

The following table describes the fields in this screen.

Table 155 Configuration > Network > UPnP

LABEL: DESCRIPTION
Enable UPnP: Select this check box to activate UPnP on the Zyxel Device. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the Zyxel Device's IP address (although you must still enter the password to access the web configurator).
Enable NAT-PMP: NAT Port Mapping Protocol (NAT-PMP) automates port forwarding to allow a computer in a private network (behind the Zyxel Device) to automatically configure the Zyxel Device to allow computers outside the private network to contact it. Select this check box to activate NAT-PMP on the Zyxel Device. Be aware that anyone could use a NAT-PMP application to open the web configurator's login screen without entering the Zyxel Device's IP address (although you must still enter the password to access the web configurator).
Allow UPnP or NAT-PMP to pass through Firewall: Select this check box to allow traffic from UPnP-enabled or NAT-PMP-enabled applications to bypass the security policy. Clear this check box to have the security policy block all UPnP or NAT-PMP application packets (for example, MSN packets).
Outgoing WAN Interface: Select through which WAN interface(s) you want to send out traffic from UPnP-enabled or NAT-PMP-enabled applications. If the WAN interface you select loses its connection, the Zyxel Device attempts to use the other WAN interface. If the other WAN interface also does not work, the Zyxel Device drops outgoing packets from UPnP-enabled or NAT-PMP-enabled applications.
Support LAN List: The Available list displays the name(s) of the internal interface(s) on which the Zyxel Device supports UPnP and/or NAT-PMP. To enable UPnP and/or NAT-PMP on an interface, you can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and click the right arrow button to add to the Member list. To remove an interface, select the name(s) in the Member list and click the left arrow button.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

15.4 Technical Reference
The following sections show examples of using UPnP.
15.4.1 Turning on UPnP in Windows 7 Example
This section shows you how to use the UPnP feature in Windows 7. UPnP server is installed in Windows 7. Activate UPnP on the Zyxel Device. Make sure the computer is connected to a LAN port of the Zyxel Device. Turn on your computer and the Zyxel Device.
1 Click the start icon, Control Panel and then the Network and Sharing Center.

2 Click Change Advanced Sharing Settings.
3 Select Turn on network discovery and click Save Changes. Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer. This makes it easier to share files and printers.
15.4.1.1 Auto-discover Your UPnP-enabled Network Device
Before you follow these steps, make sure you already have UPnP activated on the Zyxel Device and in your computer. Make sure your computer is connected to a LAN port of the Zyxel Device.
1 Open the Windows Explorer and click Network.
2 Right-click the device icon and select Properties.
Figure 263 Network Connections
3 In the Internet Connection Properties window, click Settings to see port mappings.
Figure 264 Internet Connection Properties
4 You may edit or delete the port mappings or click Add to manually add port mappings.
Figure 265 Internet Connection Properties: Advanced Settings
Figure 266 Internet Connection Properties: Advanced Settings: Add
Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
5 Click OK. Check the network icon on the system tray to see your Internet connection status.
Figure 267 System Tray Icon
6 To see more details about your current Internet connection status, right-click on the network icon in the system tray and click Open Network and Sharing Center. Click Local Area Network.
Figure 268 Internet Connection Status
15.4.2 Turn on UPnP in Windows 10 Example
This section shows you how to use the UPnP feature in Windows 10. UPnP server is installed in Windows 10. Activate UPnP on the Zyxel Device by clicking Network Setting > Home Networking > UPnP. Make sure the computer is connected to the LAN port of the Zyxel Device. Turn on your computer and the Zyxel Device.
1 Click the start icon, Settings and then Network & Internet.
2 Click Network and Sharing Center.
3 Click Change advanced sharing settings.
4 Under Domain, select Turn on network discovery and click Save Changes. Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer. This makes it easier to share files and printers.
15.4.3 Auto-discover Your UPnP-enabled Network Device
Before you follow these steps, make sure you already have UPnP activated on the Zyxel Device and in your computer. Make sure your computer is connected to the LAN port of the Zyxel Device.
1 Open File Explorer and click Network.
2 Right-click the Zyxel Device icon and select Properties.
Figure 269 Network Connections
3 In the Internet Connection Properties window, click Settings to see port mappings.
Figure 270 Internet Connection Properties
4 You may edit or delete the port mappings or click Add to manually add port mappings.
Figure 271 Internet Connection Properties: Advanced Settings
Figure 272 Internet Connection Properties: Advanced Settings: Add
Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
5 Click OK. Check the network icon on the system tray to see your Internet connection status.
Figure 273 System Tray Icon
6 To see more details about your current Internet connection status, right-click the network icon in the system tray and click Open Network & Internet settings. Click Network and Sharing Center and click the Connections.
Figure 274 Internet Connection Status
15.4.4 Web Configurator Easy Access in Windows 7
With UPnP, you can access the web-based configurator on the Zyxel Device without finding out the IP address of the Zyxel Device first. This is helpful if you do not know the IP address of the Zyxel Device. Follow the steps below to access the web configurator.
1 Open Windows Explorer.
2 Click Network.
Figure 275 Network Connections
3 An icon with the description for each UPnP-enabled device displays under Network Infrastructure.
4 Right-click on the icon for your Zyxel Device and select View device web page. The web configurator login screen displays.
Figure 276 Network Connections: My Network Places
5 Right-click on the icon for your Zyxel Device and select Properties. Click the Network Device tab. A window displays with information about the Zyxel Device.
Figure 277 Network Connections: My Network Places: Properties: Example
15.4.5 Web Configurator Easy Access in Windows 10
Follow the steps below to access the Web Configurator.
1 Open File Explorer.
2 Click Network.
Figure 278 Network Connections
3 An icon with the description for each UPnP-enabled device displays under Network Infrastructure.
4 Right-click the icon for your Zyxel Device and select View device web page. The Web Configurator login screen displays.
Figure 279 Network Connections: Network Infrastructure
5 Right-click the icon for your Zyxel Device and select Properties. Click the Network Device tab. A window displays information about the Zyxel Device.
Figure 280 Network Connections: Network Infrastructure: Properties: Example
CHAPTER 16 IP/MAC Binding

16.1 IP/MAC Binding Overview

IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The Zyxel Device uses DHCP to assign IP addresses and records the MAC address it assigned to each IP address. The Zyxel Device then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the Zyxel Device.

Suppose you configure access privileges for IP address 192.168.1.27 and use static DHCP to assign it to Tim's computer's MAC address of 12:34:56:78:90:AB. IP/MAC binding drops traffic from any computer trying to use IP address 192.168.1.27 with another MAC address.

Figure 281 IP/MAC Binding Example (Tim: MAC 12:34:56:78:90:AB, IP 192.168.1.27; Jim: MAC AB:CD:EF:12:34:56, IP 192.168.1.27)

16.1.1 Wha t Yo u C a n Do in this C ha pte r
· Use the Summ a ry and Edit screens (Section 16.2 on page 404) to bind IP addresses to MAC addresses. · Use the Exe mpt List screen (Section 16.3 on page 407) to configure ranges of IP addresses to which
the Zyxel Device does not apply IP/MAC binding.
16.1.2 What You Need to Know
DHCP
IP/MAC address bindings are based on the Zyxel Device's dynamic and static DHCP entries.

Interfaces Used With IP/MAC Binding
IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN, and WLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface's configuration screen.
16.2 IP/MAC Binding Summary
Click Configuration > Network > IP/MAC Binding to open the IP/MAC Binding Summary screen. This screen lists the total number of IP to MAC address bindings for devices connected to each supported interface.
Figure 282 Configuration > Network > IP/MAC Binding > Summary

The following table describes the labels in this screen.

Table 156 Configuration > Network > IP/MAC Binding > Summary

LABEL: DESCRIPTION
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
#: This field is a sequential value, and it is not associated with a specific entry.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Interface: This is the name of an interface that supports IP/MAC binding.
Number of Binding: This field displays the interface's total number of IP/MAC bindings and IP addresses that the interface has assigned by DHCP.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

16.2.1 IP/MAC Binding Edit
Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Use this screen to configure an interface's IP to MAC address binding settings.
Figure 283 Configuration > Network > IP/MAC Binding > Edit

The following table describes the labels in this screen.

Table 157 Configuration > Network > IP/MAC Binding > Edit

LABEL: DESCRIPTION
IP/MAC Binding Settings
Interface Name: This field displays the name of the interface within the Zyxel Device and the interface's IP address and subnet mask.
Enable IP/MAC Binding: Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses.
Enable Logs for IP/MAC Binding Violation: Select this option to have the Zyxel Device generate a log if a device connected to this interface attempts to use an IP address not assigned by the Zyxel Device.
Static DHCP Bindings: This table lists the bound IP and MAC addresses. The Zyxel Device checks this table when it assigns IP addresses. If the computer's MAC address is in the table, the Zyxel Device assigns the corresponding IP address. You can also access this table from the interface's edit screen.
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#: This is the index number of the static DHCP entry.
IP Address: This is the IP address that the Zyxel Device assigns to a device with the entry's MAC address.
MAC Address: This is the MAC address of the device to which the Zyxel Device assigns the entry's IP address.
Description: This helps identify the entry.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.

16.2.2 Static DHCP Edit
Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Click the Add or Edit icon to open the following screen. Use this screen to configure an interface's IP to MAC address binding settings.
Figure 284 Configuration > Network > IP/MAC Binding > Edit > Add

The following table describes the labels in this screen.

Table 158 Configuration > Network > IP/MAC Binding > Edit > Add

LABEL: DESCRIPTION
Interface Name: This field displays the name of the interface within the Zyxel Device and the interface's IP address and subnet mask.
IP Address: Enter the IP address that the Zyxel Device is to assign to a device with the entry's MAC address.
MAC Address: Enter the MAC address of the device to which the Zyxel Device assigns the entry's IP address.
Description: Enter up to 64 printable ASCII characters to help identify the entry. For example, you may want to list the computer's owner.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.

16.3 IP/MAC Binding Exempt List
Click Configuration > Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the Zyxel Device does not apply IP/MAC binding.
Figure 285 Configuration > Network > IP/MAC Binding > Exempt List

The following table describes the labels in this screen.

Table 159 Configuration > Network > IP/MAC Binding > Exempt List

LABEL: DESCRIPTION
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#: This is the index number of the IP/MAC binding list entry.
Name: Enter a name to help identify this entry.
Start IP: Enter the first IP address in a range of IP addresses for which the Zyxel Device does not apply IP/MAC binding.
End IP: Enter the last IP address in a range of IP addresses for which the Zyxel Device does not apply IP/MAC binding.
Add icon: Click the Add icon to add a new entry.
Remove icon: Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it.
Apply: Click Apply to save your changes back to the Zyxel Device.
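The enforcement described in Section 16.1 (Tim's MAC bound to 192.168.1.27, Jim's frames with the same IP dropped) combined with the Exempt List ranges from this screen, as an added Python model that is not Zyxel's code. BindingPolicy, check_frame and the interface name lan1 are assumptions; the log lines it produces are constructed to mirror the Enable Logs for IP/MAC Binding Violation option.

```python
import ipaddress
from dataclasses import dataclass, field


def norm_mac(mac: str) -> str:
    """Canonical form, so 12-34-56-78-90-AB and 12:34:56:78:90:ab compare equal."""
    return mac.replace("-", ":").lower()


@dataclass
class BindingPolicy:
    """Assumed model of one interface's IP/MAC binding settings plus the
    Exempt List ranges that apply to it."""
    interface: str
    enabled: bool = True          # Enable IP/MAC Binding
    log_violations: bool = True   # Enable Logs for IP/MAC Binding Violation
    bindings: dict = field(default_factory=dict)        # IP -> MAC from DHCP entries
    exempt_ranges: list = field(default_factory=list)   # (Start IP, End IP) pairs

    def bind(self, ip: str, mac: str) -> None:
        """Record a static or dynamic DHCP assignment."""
        self.bindings[ip] = norm_mac(mac)

    def exempt(self, start_ip: str, end_ip: str) -> None:
        """Add an Exempt List range; bindings are not enforced inside it."""
        self.exempt_ranges.append((ipaddress.ip_address(start_ip),
                                   ipaddress.ip_address(end_ip)))


def is_exempt(policy: BindingPolicy, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(start <= addr <= end for start, end in policy.exempt_ranges)


def check_frame(policy: BindingPolicy, src_ip: str, src_mac: str, log: list) -> bool:
    """Return True if a frame from (src_ip, src_mac) is allowed on the interface,
    False if IP/MAC binding drops it. Violations are appended to `log` when
    logging is enabled on the interface."""
    if not policy.enabled or is_exempt(policy, src_ip):
        return True
    expected = policy.bindings.get(src_ip)
    if expected is None:
        reason = "IP address was not assigned by DHCP on this interface"
    elif expected != norm_mac(src_mac):
        reason = f"IP address is bound to {expected}"
    else:
        return True
    if policy.log_violations:
        log.append(f"{policy.interface}: drop {src_ip} from {norm_mac(src_mac)}: {reason}")
    return False


if __name__ == "__main__":
    # The guide's example: Tim's MAC is bound to 192.168.1.27 and Jim tries the same IP.
    lan1 = BindingPolicy("lan1")
    lan1.bind("192.168.1.27", "12:34:56:78:90:AB")
    events = []
    print(check_frame(lan1, "192.168.1.27", "12:34:56:78:90:AB", events))  # Tim: True
    print(check_frame(lan1, "192.168.1.27", "AB:CD:EF:12:34:56", events))  # Jim: False
    print(*events, sep="\n")
```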

CHAPTER 17 Layer 2 Isolation
17.1 Overview
Layer-2 isolation is used to prevent connected devices from communicating with each other in the Zyxel Device's local network(s), except for the devices in the white list, when layer-2 isolation is enabled on the Zyxel Device and the local interface(s).
Note: The security policy control must be enabled before you can use layer-2 isolation.
In the following example, layer-2 isolation is enabled on the Zyxel Device's interface Vlan1. A printer, PC and AP are in Vlan1. The IP address of the network printer (C) is added to the white list. With this setting, the connected AP cannot communicate with the PC (D), but can access the network printer (C), server (B), wireless client (A) and the Internet.
Figure 286 Layer-2 Isolation Application
17.1.1 Wha t Yo u C a n Do in this C ha pte r
· Use the G e ne ra l screen (Section 17.2 on page 408) to enable layer-2 isolation on the Zyxel Device and the internal interface(s).
· Use the White List screen (Section 17.3 on page 409) to enable and configures the white list.
17.2 La ye r- 2 Iso la tio n G e ne ra l Sc re e n
This screen allows you to enable Layer-2 isolation on the Zyxel Device and specific internal interface(s). To access this screen click C o nfig ura tio n > Ne two rk > La ye r 2 Iso la tio n.

Figure 287 Configuration > Network > Layer 2 Isolation

The following table describes the labels in this screen.

Table 160 Configuration > Network > Layer 2 Isolation

LABEL: DESCRIPTION
Enable Layer2 Isolation: Select this option to turn on the layer-2 isolation feature on the Zyxel Device. Note: You can enable this feature only when the security policy is enabled.
Member List: The Available list displays the name(s) of the internal interface(s) on which you can enable layer-2 isolation. To enable layer-2 isolation on an interface, you can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and click the right arrow button to add them to the Member list. To remove an interface, select the name(s) in the Member list and click the left arrow button.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

17.3 White List Screen

IP addresses that are not listed in the white list are blocked from communicating with other devices in the layer-2-isolation-enabled internal interface(s) except for broadcast packets.
To access this screen click Configuration > Network > Layer 2 Isolation > White List.


Figure 288 Configuration > Network > Layer 2 Isolation > White List

The following table describes the labels in this screen.

Table 161 Configuration > Network > Layer 2 Isolation > White List

LABEL: DESCRIPTION
Enable White List: Select this option to turn on the white list on the Zyxel Device. Note: You can enable this feature only when the security policy is enabled.
Add: Click this to add a new rule.
Edit: Click this to edit the selected rule.
Remove: Click this to remove the selected rule.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
#: This field is a sequential value, and it is not associated with a specific rule.
Status: This icon is lit when the rule is active and dimmed when the rule is inactive.
IP Address: This field displays the IP address of the device that can be accessed by the devices connected to an internal interface on which layer-2 isolation is enabled.
Description: This field displays the description for the IP address in this rule.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

17.3.1 Add/Edit White List Rule
This screen allows you to create a new rule in the white list or edit an existing one. To access this screen, click the Add button or select an entry from the list and click the Edit button.
Note: You can configure up to 100 white list rules on the Zyxel Device.
Note: You need to know the IP address of each connected device that you want to allow to be accessed by other devices when layer-2 isolation is enabled.


Figure 289 Configuration > Network > Layer 2 Isolation > White List > Add/Edit

The following table describes the labels in this screen.

Table 162 Configuration > Network > Layer 2 Isolation > White List > Add/Edit

LABEL: DESCRIPTION
Enable: Select this option to turn on the rule.
Host IP Address: Enter an IPv4 address associated with this rule.
Description: Specify a description for the IP address associated with this rule. Enter up to 60 characters; spaces and underscores are allowed.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving your changes.
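The isolation rules of Section 17.1 and the white list semantics of Section 17.3 (traffic between devices on an isolated interface is blocked unless the destination is white-listed, broadcasts are exempt, and the feature depends on the security policy being enabled), as an added Python model that is not Zyxel code. The interface names and host addresses are constructed; the 100-rule limit is the one stated in Section 17.3.1.

```python
"""Added model of Zyxel layer-2 isolation with a white list (not Zyxel code).

Assumptions: hosts are identified by a constructed (interface, IP) pair, and the
only broadcast address considered is 255.255.255.255.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address

BROADCAST = IPv4Address("255.255.255.255")
MAX_WHITE_LIST_RULES = 100  # limit stated in Section 17.3.1


@dataclass
class WhiteListRule:
    ip: str
    description: str = ""
    active: bool = True          # Activate / Inactivate in the White List screen


@dataclass
class Layer2Isolation:
    security_policy_enabled: bool = True   # must be on before isolation can be enabled
    enabled: bool = False
    member_interfaces: set = field(default_factory=set)
    white_list_enabled: bool = False
    rules: list = field(default_factory=list)

    def add_rule(self, rule: WhiteListRule) -> None:
        if len(self.rules) >= MAX_WHITE_LIST_RULES:
            raise ValueError("white list is full (100 rules)")
        self.rules.append(rule)

    def _in_effect(self) -> bool:
        # The guide: the feature only works while the security policy is enabled.
        return self.enabled and self.security_policy_enabled

    def _whitelisted(self, ip: IPv4Address) -> bool:
        if not self.white_list_enabled:
            return False
        return any(r.active and IPv4Address(r.ip) == ip for r in self.rules)

    def decide(self, src_iface: str, dst_iface: str, dst_ip: str) -> tuple[bool, str]:
        """Return (allowed, reason) for a frame from src_iface to dst_ip on dst_iface."""
        dst = IPv4Address(dst_ip)
        if not self._in_effect():
            return True, "layer-2 isolation not in effect"
        if src_iface not in self.member_interfaces:
            return True, f"{src_iface} is not an isolated interface"
        if dst_iface != src_iface:
            # Isolation only separates devices on the same local interface;
            # other interfaces (and the Internet) stay reachable.
            return True, "destination is outside the isolated interface"
        if dst == BROADCAST:
            return True, "broadcast packets are exempt"
        if self._whitelisted(dst):
            return True, "destination is in the white list"
        return False, "peer on isolated interface is not white-listed"


def example_from_guide() -> dict:
    """Reproduce the Vlan1 example of Section 17.1 with constructed addresses."""
    iso = Layer2Isolation(enabled=True, member_interfaces={"vlan1"}, white_list_enabled=True)
    iso.add_rule(WhiteListRule("192.168.10.20", "network printer C"))
    hosts = {  # constructed sample topology; the AP is the source on vlan1
        "printer C": ("vlan1", "192.168.10.20"),
        "PC D": ("vlan1", "192.168.10.30"),
        "server B": ("lan1", "192.168.1.50"),
        "Internet": ("wan1", "203.0.113.10"),
        "broadcast": ("vlan1", "255.255.255.255"),
    }
    return {name: iso.decide("vlan1", iface, ip)[0] for name, (iface, ip) in hosts.items()}
```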


CHAPTER 18 DNS Inbound LB

18.1 DNS Inbound Load Balancing Overview
Inbound load balancing enables the Zyxel Device to respond to a DNS query message with a different IP address for DNS name resolution. The Zyxel Device checks which member interface has the least load and responds to the DNS query message with the interface's IP address.
In the following figure, an Internet host (A) sends a DNS query message to the DNS server (D) in order to resolve a domain name of www.example.com. DNS server D redirects it to the Zyxel Device (Z)'s WAN1 with an IP address of 1.1.1.1. The Zyxel Device receives the DNS query message and responds to it with the WAN2's IP address, 2.2.2.2, because the WAN2 has the least load at that moment.
Another Internet host (B) also sends a DNS query message to ask where www.example.com is. The Zyxel Device responds to it with the WAN1's IP address, 1.1.1.1, since WAN1 has the least load this time.
Figure 290 DNS Load Balancing Example (message labels in the figure: A: Where is www.example.com? D: Ask 1.1.1.1. Z: It's 2.2.2.2. B: Where is www.example.com? D: Ask 1.1.1.1. Z: It's 1.1.1.1.)
18.1.1 What You Can Do in this Chapter

· Use the Inbound LB screen (see Section 18.2 on page 413) to view a list of the configured DNS load balancing rules.
· Use the Inbound LB Add/Edit screen (see Section 18.2.1 on page 414) to add or edit a DNS load balancing rule.

18.2 The DNS Inbound LB Screen

The Inbound LB screen provides a summary of all DNS load balancing rules and their details. You can also use this screen to add, edit, or remove the rules. Click Configuration > Network > Inbound LB to open the following screen.

Note: After you finish the inbound load balancing settings, go to the security policy and NAT screens to configure the corresponding rule and virtual server to allow the Internet users to access your internal servers.

Figure 291 Configuration > Network > DNS Inbound LB

The following table describes the labels in this screen.

Table 163 Configuration > Network > DNS Inbound LB

LABEL: DESCRIPTION
Global Setting
Enable DNS Load Balancing: Select this to enable DNS load balancing.
Configuration
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Move: To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the entry.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Priority: This field displays the order in which the Zyxel Device checks the member interfaces of this DNS load balancing rule.
Query Domain Name: This field displays the domain name for which the Zyxel Device manages load balancing between the specified interfaces.
Query From Address: This field displays the source IP address of the DNS query messages to which the Zyxel Device applies the DNS load balancing rule.
Query From Zone: The Zyxel Device applies the DNS load balancing rule to the query messages received from this zone.
Load Balancing Member: This field displays the member interfaces which the Zyxel Device manages for load balancing.
Algorithm: This field displays the load balancing method the Zyxel Device uses for this DNS load balancing rule.
  Weighted Round Robin - Each member interface is assigned a weight. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight. For example, if the weight ratio of the wan1 and wan2 interfaces is 2:1, the Zyxel Device chooses wan1 for 2 sessions' traffic and wan2 for 1 session's traffic in each round of 3 new sessions.
  Least Connection - The Zyxel Device chooses the member interface which is handling the least number of sessions.
  Least Load - Outbound - The Zyxel Device chooses the member interface which is handling the least amount of outgoing traffic.
  Least Load - Inbound - The Zyxel Device chooses the member interface which is handling the least amount of incoming traffic.
  Least Load - Total - The Zyxel Device chooses the member interface which is handling the least amount of outgoing and incoming traffic.
Apply: Click this button to save your changes to the Zyxel Device.
Reset: Click this button to return the screen to its last-saved settings.

18.2.1 The DNS Inbound LB Add/Edit Screen

The Add DNS Load Balancing screen allows you to add a domain name for which the Zyxel Device manages load balancing between the specified interfaces. You can configure the Zyxel Device to apply DNS load balancing to some specific hosts only by configuring the Query From settings. Click Configuration > Network > Inbound LB and then the Add or Edit icon to open this screen.


Figure 292 Configuration > Network > DNS Inbound LB > Add

The following table describes the labels in this screen.

Table 164 Configuration > Network > DNS Inbound LB > Add/Edit

LABEL: DESCRIPTION
Create New Object: Use this to configure any new setting objects that you need to use in this screen.
General Settings
Enable: Select this to enable this DNS load balancing rule.
DNS Settings
Query Domain Name: Type up to 255 characters for a domain name for which you want the Zyxel Device to manage DNS load balancing. You can use a wildcard (*) to let multiple domains match the name. For example, *.example.com matches any domain name that ends with "example.com".
Time to Live: Enter the number of seconds the Zyxel Device recommends DNS request hosts to keep the DNS entry in their caches before removing it. Enter 0 to have the Zyxel Device not recommend this, so the DNS request hosts will follow their DNS server's TTL setting.
Query From Setting
IP Address: Select the name of an IP address object, including a geographic address object, of a computer or a DNS server which makes the DNS queries upon which to apply this rule.
  DNS servers process client queries using recursion or iteration:
  · In recursion, DNS servers make recursive queries on behalf of clients. So you have to configure this field to the DNS server's IP address when recursion is used.
  · In iteration, a client asks the DNS server and expects the best and immediate answer without the DNS server contacting other DNS servers. If the primary DNS server cannot provide the best answer, the client makes iteration queries to other configured DNS servers to resolve the name. You have to configure this field to the client's IP address when iteration is used.
Zone: Select the zone of DNS query messages upon which to apply this rule.
Load Balancing Member
Load Balancing Algorithm: Select a load balancing method to use from the drop-down list box.
  Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight. For example, if the weight ratio of the wan1 and wan2 interfaces is 2:1, the Zyxel Device chooses wan1 for 2 sessions' traffic and wan2 for 1 session's traffic in each round of 3 new sessions.
  Select Least Connection to have the Zyxel Device choose the member interface which is handling the least number of sessions.
  Select Least Load - Outbound to have the Zyxel Device choose the member interface which is handling the least amount of outgoing traffic.
  Select Least Load - Inbound to have the Zyxel Device choose the member interface which is handling the least amount of incoming traffic.
  Select Least Load - Total to have the Zyxel Device choose the member interface which is handling the least amount of outgoing and incoming traffic.
Failover IP Address: Enter an alternate IP address with which the Zyxel Device will respond to a DNS query message when the load balancing algorithm cannot find any available interface.
Add: Click this to create a new member interface for this rule.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#: This field displays the order in which the Zyxel Device checks this rule's member interfaces.
IP Address: This field displays the IP address of the member interface.
Monitor Interface: This field displays the name of the member interface. The Zyxel Device manages load balancing between the member interfaces.
Weight: This field is available if you selected Weighted Round Robin as the load balancing algorithm. It displays the weight of the member interface. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.

18.2.2 The DNS Inbound LB Add/Edit Member Screen

The Add Load Balancing Member screen allows you to add a member interface for the DNS load balancing rule. Click Configuration > Network > DNS Inbound LB > Add or Edit and then an Add or Edit icon to open this screen.


Figure 293 Configuration > Network > DNS Inbound LB > Add/Edit > Add

The following table describes the labels in this screen.

Table 165 Configuration > Network > DNS Inbound LB > Add/Edit > Add/Edit

LABEL: DESCRIPTION
Member: The Zyxel Device checks each member interface's loading in the order displayed here.
Monitor Interface: Select an interface to associate it with the DNS load balancing rule. This field also displays whether the IP address is a static IP address (Static), dynamically assigned (Dynamic) or obtained from a DHCP server (DHCP Client), as well as the IP address and subnet mask.
Weight: This field is available if you selected Weighted Round Robin for the load balancing algorithm. Specify the weight of the member interface. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight.
IP Address
Same as Monitor Interface: Select this to send the IP address displayed in the Monitor Interface field to the DNS query senders.
Custom: Select this and enter another IP address to send to the DNS query senders.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.
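How a rule chooses the address it returns under each algorithm of Tables 163 and 164, together with the wildcard domain match, TTL, failover IP and per-member IP settings of Tables 164 and 165, as an added Python model that is not Zyxel code. The session and byte counters are constructed sample loads; the 2:1 wan1/wan2 weights and the 1.1.1.1/2.2.2.2 addresses reproduce the guide's own example.

```python
"""Added model of a Zyxel DNS inbound load balancing rule (not Zyxel code).

Algorithm names, wildcard matching, failover IP and TTL follow Tables 163 to 165;
the per-member session and byte counters are constructed inputs.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase
from typing import Optional


class Algorithm(Enum):
    WEIGHTED_ROUND_ROBIN = "weighted-round-robin"
    LEAST_CONNECTION = "least-connection"
    LEAST_LOAD_OUTBOUND = "least-load-outbound"
    LEAST_LOAD_INBOUND = "least-load-inbound"
    LEAST_LOAD_TOTAL = "least-load-total"


@dataclass
class Member:
    monitor_interface: str      # e.g. "wan1"
    ip: str                     # "Same as Monitor Interface" or a Custom address
    weight: int = 1             # only used by Weighted Round Robin
    sessions: int = 0           # constructed load counters for the least-* algorithms
    out_bytes: int = 0
    in_bytes: int = 0
    available: bool = True


class DnsInboundLBRule:
    def __init__(self, query_domain, members, algorithm, failover_ip=None, ttl=0):
        self.query_domain = query_domain.lower()
        self.members = list(members)        # priority order, as in the # column
        self.algorithm = algorithm
        self.failover_ip = failover_ip
        self.ttl = ttl                       # 0 = do not recommend a TTL to the requester
        # One WRR round: each interface repeated weight times, e.g. 2:1 -> wan1, wan1, wan2
        self._round = [m for m in self.members for _ in range(m.weight)]
        self._pos = 0

    def matches(self, qname: str) -> bool:
        """Exact match, or wildcard match such as *.example.com."""
        return fnmatchcase(qname.lower().rstrip("."), self.query_domain)

    def select(self) -> Optional[Member]:
        up = [m for m in self.members if m.available]
        if not up:
            return None
        if self.algorithm is Algorithm.WEIGHTED_ROUND_ROBIN:
            for _ in range(len(self._round)):
                m = self._round[self._pos]
                self._pos = (self._pos + 1) % len(self._round)
                if m.available:
                    return m
            return None
        key = {
            Algorithm.LEAST_CONNECTION: lambda m: m.sessions,
            Algorithm.LEAST_LOAD_OUTBOUND: lambda m: m.out_bytes,
            Algorithm.LEAST_LOAD_INBOUND: lambda m: m.in_bytes,
            Algorithm.LEAST_LOAD_TOTAL: lambda m: m.in_bytes + m.out_bytes,
        }[self.algorithm]
        return min(up, key=key)   # ties go to the earlier (higher-priority) member

    def answer(self, qname: str) -> Optional[tuple[str, int]]:
        """Return (ip, ttl) for the DNS reply, or None if the rule does not apply."""
        if not self.matches(qname):
            return None
        member = self.select()
        if member is None:
            # No available interface: fall back to the Failover IP Address, if any.
            return None if self.failover_ip is None else (self.failover_ip, self.ttl)
        return member.ip, self.ttl


def guide_example(algorithm: Algorithm, queries: int = 3) -> list:
    """wan1 = 1.1.1.1 (weight 2) and wan2 = 2.2.2.2 (weight 1), as in Figure 290."""
    wan1 = Member("wan1", "1.1.1.1", weight=2, sessions=5, out_bytes=900, in_bytes=100)
    wan2 = Member("wan2", "2.2.2.2", weight=1, sessions=3, out_bytes=200, in_bytes=400)
    rule = DnsInboundLBRule("www.example.com", [wan1, wan2], algorithm, failover_ip="192.0.2.1")
    return [rule.answer("www.example.com")[0] for _ in range(queries)]
```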


CHAPTER 19 IPSec VPN

19.1 Virtual Private Networks (VPN) Overview

A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.

IPSec VPN

Internet Protocol Security (IPSec) VPN connects IPSec routers or remote users using IPSec client software. This standards-based VPN offers flexible solutions for secure data communications across a public network. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer. The Zyxel Device can also combine multiple IPSec VPN connections into one secure network. Here local Zyxel Device X uses an IPSec VPN tunnel to remote (peer) Zyxel Device Y to connect the local (A) and remote (B) networks.

Figure 294 IPSec VPN Example

Internet Key Exchange (IKE): IKEv1 and IKEv2

The Zyxel Device supports IKEv1 and IKEv2 for IPv4 and IPv6 traffic. IKE (Internet Key Exchange) is a protocol used in setting up security associations that allows two parties to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie-Hellman key exchange to set up a shared session secret from which encryption keys are derived. A security policy for each peer must be manually created. IPSec VPN consists of two phases: Phase 1 and Phase 2. Phase 1's purpose is to establish a secure authenticated communication channel by using the Diffie-Hellman key exchange algorithm to generate a shared secret key to encrypt IKE communications. This negotiation results in one single bidirectional ISAKMP Security Association (SA). The authentication can be performed using either pre-shared key (shared secret), signatures, or public key encryption. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers, but Aggressive Mode does not.
During Phase 2, the remote IPSec routers use the secure channel established in Phase 1 to negotiate Security Associations for IPSec. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound). Phase 2 uses Quick Mode (only). Quick mode occurs after IKE has established the secure tunnel in Phase 1. It negotiates a shared IPSec policy, derives shared secret keys used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires.
In the Zyxel Device, use the VPN Connection tab to set up Phase 2 and the VPN Gateway tab to set up Phase 1.
Some differences between IKEv1 and IKEv2 include:
· IKEv2 uses less bandwidth than IKEv1. IKEv2 uses one exchange procedure with 4 messages. IKEv1 uses two phases with Main Mode (9 messages) or Aggressive Mode (6 messages) in phase 1.
· IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise authentication systems.
· IKEv2 always uses NAT traversal and Dead Peer Detection (DPD), but they can be disabled in IKEv1 using Zyxel Device firmware (the default is on).
· Configuration payload (includes the IP address pool in the VPN setup data) is supported in IKEv2 (off by default), but not in IKEv1.
· Narrowed is supported in IKEv2, but not in IKEv1. Narrowed has the SA apply only to IP addresses in common between the Zyxel Device and the remote IPSec router.
· The IKEv2 protocol supports connectivity checks, which are used to detect whether the tunnel is still up or not. If the check fails (the tunnel is down), IKEv2 can re-establish the connection automatically. The Zyxel Device uses firmware to perform connectivity checks when using IKEv1.
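The Narrowed behaviour from the list above, worked as an added Python helper that is not Zyxel code: it computes the IPv4 addresses common to the local policy and the remote IPSec router's range, which is what an IKEv2 SA is limited to when Narrowed is selected. The two ranges in its checks are the SA-1 and SA-2 rows of the Narrowed examples in Table 168 later in this chapter; the disjoint case is a constructed addition.

```python
"""Added helper for the IKEv2 "Narrowed" option (not Zyxel code).

Ranges are written the way the guide's examples are: a CIDR block such as
"192.168.20.0/24" or "start ~ end" such as "192.168.30.50 ~ 192.168.30.70".
IPv4 only.
"""
from __future__ import annotations

from ipaddress import IPv4Address, ip_network
from typing import Optional


def parse_range(text: str) -> tuple[IPv4Address, IPv4Address]:
    """Return the first and last address of a CIDR block or a 'start ~ end' range."""
    if "~" in text:
        start, end = (IPv4Address(p.strip()) for p in text.split("~", 1))
        if end < start:
            raise ValueError(f"range end precedes start: {text}")
        return start, end
    net = ip_network(text.strip(), strict=False)   # strict=False accepts 192.168.20.5/24
    return net[0], net[-1]


def narrow(local_policy: str, remote_range: str) -> Optional[str]:
    """Addresses common to both sides as 'start ~ end', or None if they do not overlap.

    With Narrowed selected the IKEv2 SA applies only to this intersection. With no
    overlap there is nothing the SA could carry, so a caller should treat None as a
    policy mismatch to fix on one side rather than an SA with an empty selector.
    """
    lo_a, hi_a = parse_range(local_policy)
    lo_b, hi_b = parse_range(remote_range)
    lo, hi = max(lo_a, lo_b), min(hi_a, hi_b)
    if lo > hi:
        return None
    return f"{lo} ~ {hi}"
```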

SSL VPN

SSL VPN uses remote users' web browsers to provide the easiest-to-use of the Zyxel Device's VPN solutions. A user just browses to the Zyxel Device's web address and enters his user name and password to securely connect to the Zyxel Device's network. Remote users do not need to configure security settings. Here a user uses his browser to securely connect to network resources in the same way as if he were part of the internal network. See Chapter 20 on page 454 for more on SSL VPN.

Figure 295 SSL VPN (figure labels: LAN (192.168.1.X); https://; Web Mail, File Share, Non-Web; Web-based Application, Application Server)


L2TP VPN

L2TP VPN uses the L2TP and IPSec client software included in remote users' Android, iOS, or Windows operating systems for secure connections to the network behind the Zyxel Device. The remote users do not need their own IPSec gateways or third-party VPN client software. For example, configure sales representatives' laptops, tablets, or smartphones to securely connect to the Zyxel Device's network. See Chapter 21 on page 460 for more on L2TP over IPSec.

Figure 296 L2TP VPN

19.1.1 What You Can Do in this Chapter

· Use the VPN Connection screens (see Section 19.2 on page 423) to specify which IPSec VPN gateway an IPSec VPN connection policy uses, which devices behind the IPSec routers can use the VPN tunnel, and the IPSec SA settings (phase 2 settings). You can also activate or deactivate and connect or disconnect each VPN connection (each IPSec SA).
· Use the VPN Gateway screens (see Section 19.2.1 on page 425) to manage the Zyxel Device's VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway.
· Use the VPN Concentrator screens (see Section 19.4 on page 440) to combine several IPSec VPN connections into a single secure network.
· Use the Configuration Provisioning screen (see Section 19.5 on page 442) to set who can retrieve VPN rule settings from the Zyxel Device using the Zyxel Device IPSec VPN Client.

19.1.2 What You Need to Know

An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the Zyxel Device and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the Zyxel Device and the remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which the Zyxel Device and the remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.

Figure 297 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.

Application Scenarios

The Zyxel Device's application scenarios make it easier to configure your VPN connection settings.

Table 166 IPSec VPN Application Scenarios

SITE-TO-SITE
Choose this if the remote IPSec router has a static IP address or a domain name.
This Zyxel Device can initiate the VPN tunnel.
The remote IPSec router can also initiate the VPN tunnel if this Zyxel Device has a static IP address or a domain name.

SITE-TO-SITE WITH DYNAMIC PEER
Choose this if the remote IPSec router has a dynamic IP address.
You don't specify the remote IPSec router's address, but you specify the remote policy (the addresses of the devices behind the remote IPSec router).
This Zyxel Device must have a static IP address or a domain name.
Only the remote IPSec router can initiate the VPN tunnel.

REMOTE ACCESS (SERVER ROLE)
Choose this to allow incoming connections from IPSec VPN clients.
The clients have dynamic IP addresses and are also known as dial-in users.
You don't specify the addresses of the client IPSec routers or the remote policy.
This creates a dynamic IPSec VPN rule that can let multiple clients connect.
Only the clients can initiate the VPN tunnel.

REMOTE ACCESS (CLIENT ROLE)
Choose this to connect to an IPSec server.
This Zyxel Device is the client (dial-in user).
Client role Zyxel Devices initiate IPSec VPN connections to a server role Zyxel Device.
This Zyxel Device can have a dynamic IP address.
The IPSec server doesn't configure this Zyxel Device's IP address or the addresses of the devices behind it.

VPN TUNNEL INTERFACE
Choose this to set up a VPN tunnel interface to bind with a VPN connection. The Zyxel Device can use the interface to do load balancing using a specific Trunk. The remote IPSec router should have a static IP address or a domain name.
Only this Zyxel Device can initiate the VPN tunnel.

Finding Out More

· See Section 19.6 on page 444 for IPSec VPN background information.
· See the help in the IPSec VPN quick setup wizard screens.

19.1.3 Before You Begin

This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel.

· In any VPN connection, you have to select address objects to specify the local policy and remote policy. You should set up the address objects first.
· In a VPN gateway, you can select an Ethernet interface, virtual Ethernet interface, VLAN interface, or virtual VLAN interface to specify what address the Zyxel Device uses as its IP address when it establishes the IKE SA. You should set up the interface first.
· In a VPN gateway, you can enable extended authentication. If the Zyxel Device is in server mode, you should set up the authentication method (AAA server) first. The authentication method specifies how the Zyxel Device authenticates the remote IPSec router.
· In a VPN gateway, the Zyxel Device and remote IPSec router can use certificates to authenticate each other. Make sure the Zyxel Device and the remote IPSec router will trust each other's certificates.

19.2 The VPN Connection Screen

Click Configuration > VPN > IPSec VPN to open the VPN Connection screen. The VPN Connection screen lists the VPN connection policies and their associated VPN gateway(s), and various settings. In addition, it also lets you activate or deactivate and connect or disconnect each VPN connection (each IPSec SA). Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting and other information.

Figure 298 Configuration > VPN > IPSec VPN > VPN Connection

Each field is discussed in the following table.

Table 167 Configuration > VPN > IPSec VPN > VPN Connection

LABEL: DESCRIPTION
Global Setting: The following two fields are for all IPSec VPN policies. Click on the VPN icon to go to the Zyxel VPN Client product page at the Zyxel website.
Use Policy Route to control dynamic IPSec rules: Select this to be able to use policy routes to manually specify the destination addresses of dynamic IPSec rules. You must manually create these policy routes. The Zyxel Device automatically obtains source and destination addresses for dynamic IPSec rules that do not match any of the policy routes. Clear this to have the Zyxel Device automatically obtain source and destination addresses for all dynamic IPSec rules.
Ignore "Don't Fragment" setting in packet header: Select this to fragment packets larger than the MTU (Maximum Transmission Unit) that have the "Don't Fragment" bit in the IP header turned on. When you clear this, the Zyxel Device drops packets larger than the MTU that have the "Don't Fragment" bit in the header turned on.
IPv4 / IPv6 Configuration
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Connect: To connect an IPSec SA, select it and click Connect.
Disconnect: To disconnect an IPSec SA, select it and click Disconnect.
References: Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.
#: This field is a sequential value, and it is not associated with a specific connection.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The connect icon is lit when the interface is connected and dimmed when it is disconnected.
Name: This field displays the name of the IPSec SA.
VPN Gateway: This field displays the VPN gateway in use for this VPN connection.
Gateway IP Version: This field displays what IP version the associated VPN gateway(s) is using. An IPv4 gateway may use an IKEv1 or IKEv2 SA. An IPv6 gateway may use IKEv2 only.
Policy: This field displays the local policy and the remote policy, respectively.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

19.2.1 The VPN Connection Add/Edit Screen

The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an existing one. To access this screen, go to the Configuration > VPN Connection screen (see Section 19.2 on page 423), and click either the Add icon or an Edit icon.

Figure 299 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit

Each field is described in the following table.

Table 168 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit

Show Advanced Settings / Hide Advanced Settings
Click this button to display a greater or lesser number of configuration fields.

Create new Object
Use to configure any new settings objects that you need to use in this screen.

General Settings

Enable
Select this check box to activate this VPN connection.

Connection Name
Type the name used to identify this IPSec SA. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Nailed-Up
Select this if you want the Zyxel Device to automatically renegotiate the IPSec SA when the SA life time expires.

Enable Replay Detection
Select this check box to detect and reject old or duplicate packets to protect against Denial-of-Service attacks.

Enable NetBIOS Broadcast over IPSec
Select this check box if you want the Zyxel Device to send NetBIOS (Network Basic Input/Output System) packets through the IPSec SA. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa.

MSS Adjustment
Select Custom Size to set a specific number of bytes for the Maximum Segment Size (MSS), meaning the largest amount of data in a single TCP segment or IP datagram for this VPN connection. Some VPN clients may not be able to use a custom MSS size if it is set too small. In that case those VPN clients will ignore the size set here and use the minimum size that they can use. Select Auto to have the Zyxel Device automatically set the MSS for this VPN connection.

Narrowed
This is visible when you select any option in the VPN Gateway section except for VPN Tunnel Interface. If the IP range on the Zyxel Device (local policy) and the local IP range on the remote IPSec router overlap in an IKEv2 SA, then you may select Narrowed to have the SA only apply to the IP addresses in common. Here are some examples.

VPN Gateway    Zyxel Device (local policy)      Remote IPSec router              Narrowed
IKEv2 SA-1     192.168.20.0/24                  192.168.20.1 ~ 192.168.20.20     192.168.20.1 ~ 192.168.20.20
IKEv2 SA-2     192.168.30.50 ~ 192.168.30.70    192.168.30.60 ~ 192.168.30.80    192.168.30.60 ~ 192.168.30.70
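As an added illustration of the Narrowed rule above (example code written for readers of this guide, not Zyxel's own), the following computes the range an IKEv2 SA is narrowed to from the Zyxel Device's local policy and the peer's local range; the two rows of the example table are used as constructed input, and a pair with no overlap is shown to yield no common range at all.

```python
import ipaddress

# Added example, not Zyxel code: derive the "Narrowed" traffic selector of an
# IKEv2 SA when the local policy on the Zyxel Device and the local range on the
# remote IPSec router only partly overlap. Ranges are written the way the guide
# shows them: CIDR ("192.168.20.0/24") or "first ~ last".

def parse_selector(text):
    """Return (first, last) IPv4Address objects for a CIDR or 'a ~ b' string."""
    text = text.strip()
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return net[0], net[-1]
    lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("~"))
    if hi < lo:
        raise ValueError(f"range end is before range start: {text}")
    return lo, hi

def narrow(local_policy, remote_local_range):
    """Intersect the two selectors. Returns 'first ~ last', or None when the
    ranges share no address (nothing for the SA to be narrowed to)."""
    l_lo, l_hi = parse_selector(local_policy)
    r_lo, r_hi = parse_selector(remote_local_range)
    lo, hi = max(l_lo, r_lo), min(l_hi, r_hi)
    if hi < lo:
        return None
    return f"{lo} ~ {hi}"

if __name__ == "__main__":
    # Constructed input: the two rows of the guide's example table, plus a
    # disjoint pair to show the failure case.
    print(narrow("192.168.20.0/24", "192.168.20.1 ~ 192.168.20.20"))
    print(narrow("192.168.30.50 ~ 192.168.30.70", "192.168.30.60 ~ 192.168.30.80"))
    print(narrow("10.0.0.0/24", "10.0.1.0/24"))
```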


Table 168 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)

Application Scenario
Select the scenario that best describes your intended VPN connection.

Site-to-site - Choose this if the remote IPSec router has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel.

Site-to-site with Dynamic Peer - Choose this if the remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.

Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.

Remote Access (Client Role) - Choose this to connect to an IPSec server. This Zyxel Device is the client (dial-in user) and can initiate the VPN tunnel.

VPN Tunnel Interface - Choose this to set up a VPN tunnel interface to bind with a VPN connection. The Zyxel Device can use the interface to do load balancing using a specific Trunk. The remote IPSec router should have a static IP address or a domain name. See Configuration > Network > Interface > VTI.

VPN Gateway
Select the VPN gateway this VPN connection is to use or select Create Object to add another VPN gateway for this VPN connection to use.

Policy

Local Policy
Select the address corresponding to the local network. Use Create new Object if you need to configure a new one.

Remote Policy
Select the address corresponding to the remote network. Use Create new Object if you need to configure a new one.

Enable GRE over IPSec
Select this to allow traffic using the Generic Routing Encapsulation (GRE) tunneling protocol through an IPSec tunnel.

Policy Enforcement
Clear this to allow traffic with source and destination IP addresses that do not match the local and remote policy to use the VPN tunnel. Leave this cleared for free access between the local and remote networks. Selecting this restricts who can use the VPN tunnel. The Zyxel Device drops traffic with source and destination IP addresses that do not match the local and remote policy.

Mode Config
This is visible when you select Remote Access (Server Role) and a VPN Gateway.

Enable Mode Config
Select this to have the IPSec VPN client receive an IP address, DNS and WINS information from the Zyxel Device.

IP Address Pool
Select an address object from the drop-down list box.

First DNS Server (Optional)
The Domain Name System (DNS) maps a domain name to an IP address and vice versa. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN. Enter a DNS server's IP address.

Second DNS Server (Optional)
Enter a secondary DNS server's IP address that is checked if the first one is unavailable.

First WINS Server (Optional)
Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.

Second WINS Server (Optional)
Enter a secondary WINS server's IP address that is checked if the first one is unavailable.

Configuration Payload
This is only available when you have created an IKEv2 Gateway and are using Remote Access (Server Role).

Enable Configuration Payload
Select this to have at least the IP address pool included in the VPN setup data.

IP Address Pool
Select an address object from the drop-down list box.


Table 168 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)

First DNS Server (Optional)
The Domain Name System (DNS) maps a domain name to an IP address and vice versa. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN. Enter a DNS server's IP address.

Second DNS Server (Optional)
Enter a secondary DNS server's IP address that is checked if the first one is unavailable.

First WINS Server (Optional)
Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.

Second WINS Server (Optional)
Enter a secondary WINS server's IP address that is checked if the first one is unavailable.

Phase 2 Settings

SA Life Time
Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The Zyxel Device automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources.

Active Protocol
Select which protocol you want to use in the IPSec SA. Choices are:

AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Authentication algorithm.

ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an Encryption algorithm and Authentication algorithm.

Both AH and ESP increase processing requirements and latency (delay).

The Zyxel Device and remote IPSec router must use the same active protocol.

Encapsulation
Select which type of encapsulation the IPSec SA uses. Choices are:

Tunnel - this mode encrypts the IP header information and the data.

Transport - this mode only encrypts the data.

The Zyxel Device and remote IPSec router must use the same encapsulation.

Proposal
Use this section to manage the encryption algorithm and authentication algorithm pairs the Zyxel Device accepts from the remote IPSec router for negotiating the IPSec SA.

Add
Click this to create a new entry.

Edit
Select an entry and click this to be able to modify it.

Remove
Select an entry and click this to delete it.

#
This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.


Table 168 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)

Encryption
This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are:

NULL - no encryption key or algorithm

DES - a 56-bit key with the DES encryption algorithm

3DES - a 168-bit key with the DES encryption algorithm

AES128 - a 128-bit key with the AES encryption algorithm

AES192 - a 192-bit key with the AES encryption algorithm

AES256 - a 256-bit key with the AES encryption algorithm

The Zyxel Device and the remote IPSec router must both have at least one proposal that uses the same encryption and the same key.

Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput.

Authentication
Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower.

The Zyxel Device and the remote IPSec router must both have a proposal that uses the same authentication algorithm.

Perfect Forward Secrecy (PFS)
Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:

none - disable PFS

DH1 - enable PFS and use a 768-bit random number

DH2 - enable PFS and use a 1024-bit random number

DH5 - enable PFS and use a 1536-bit random number

DH14 - enable PFS and use a 2048-bit random number

PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.

PFS is ignored in initial IKEv2 authentication but is used when re-authenticating.

Related Settings

Zone
Select the security zone into which to add this VPN connection policy. Any security rules or settings configured for the selected zone apply to this VPN connection policy.

Connectivity Check
The Zyxel Device can regularly check the VPN connection to the gateway you specified to make sure it is still available.

Enable Connectivity Check
Select this to turn on the VPN connection check.

Check Method
Select how the Zyxel Device checks the connection. The peer must be configured to respond to the method you select.

Select icmp to have the Zyxel Device regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings.

Select tcp to have the Zyxel Device regularly perform a TCP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP connection.


Table 168 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)

Check Port
This field displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.

Check Period

Enter the number of seconds between connection check attempts.

Check Timeout

Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail Tolerance

Enter the number of consecutive failures allowed before the Zyxel Device disconnects the VPN tunnel. The Zyxel Device resumes using the first peer gateway address when the VPN connection passes the connectivity check.

Check this Address
Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Check the First and Last IP Address in the Remote Policy
Select this to have the Zyxel Device check the connection to the first and last IP addresses in the connection's remote policy. Make sure one of these is the peer gateway's LAN IP address.

Log
Select this to have the Zyxel Device generate a log every time it checks this VPN connection.

Inbound/Outbound traffic NAT

Outbound Traffic

Source NAT

This translation hides the source address of computers in the local network. It may also be necessary if you want the Zyxel Device to route packets from computers outside the local network through the IPSec SA.

Source

Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the computer or network outside the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

Destination

Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the remote network.

SNAT

Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

Inbound Traffic

Source NAT

This translation hides the source address of computers in the remote network.

Source

Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the remote network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

Destination

Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the local network.

SNAT

Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address that hides the original source address. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

Destination NAT

This translation forwards packets (for example, mail) from the remote network to a specific computer (for example, the mail server) in the local network.

Add

Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit

Select an entry and click this to be able to modify it.

Remove

Select an entry and click this to delete it.


Table 168 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)

Move
To change an entry's position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.

#
This field is a sequential value, and it is not associated with a specific NAT record. However, the order of records is the sequence in which conditions are checked and executed.

Original IP

Select the address object that represents the original destination address. This is the address object for the remote network.

Mapped IP

Select the address object that represents the desired destination address. For example, this is the address object for the mail server.

Protocol
Select the protocol required to use this translation. Choices are: TCP, UDP, or All.

Original Port Start / Original Port End
These fields are available if the protocol is TCP or UDP. Enter the original destination port or range of original destination ports. The size of the original port range must be the same size as the size of the mapped port range.

Mapped Port Start / Mapped Port End
These fields are available if the protocol is TCP or UDP. Enter the translated destination port or range of translated destination ports. The size of the original port range must be the same size as the size of the mapped port range.

OK

Click OK to save the changes.

Cancel

Click Cancel to discard all changes and return to the main VPN screen.
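The range-size rule stated for the Source NAT and Destination NAT fields above, as an added example (not Zyxel code): it reports why an entry would be rejected and applies the one-to-one translation to a single address or port. That an address or port keeps its offset within the range is an assumption made here, since the guide does not describe how the mapping is applied; all address and port values are constructed.

```python
import ipaddress

# Added example, not Zyxel code. A Source NAT entry maps the "Source" address
# range onto the "SNAT" range one to one, and a Destination NAT entry maps the
# original port range onto the mapped port range one to one, so each pair must
# be the same size. Assumption: an address or port keeps its offset in the range.

def addr_range(first, last):
    """Parse a (first, last) pair of address strings into IPv4Address objects."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError(f"range end {last} is before start {first}")
    return lo, hi

def snat_problems(source, snat):
    """source and snat are (first, last) string pairs. Return the reasons the
    entry would be rejected; an empty list means the entry is valid."""
    try:
        s_lo, s_hi = addr_range(*source)
        t_lo, t_hi = addr_range(*snat)
    except ValueError as e:
        return [str(e)]
    if int(s_hi) - int(s_lo) != int(t_hi) - int(t_lo):
        return ["Source range and SNAT range must be the same size"]
    return []

def translate_source(source, snat, addr):
    """Map one address in the Source range to its SNAT counterpart, or None if
    the address is not covered by this entry (no translation applies)."""
    if snat_problems(source, snat):
        raise ValueError("invalid Source NAT entry")
    s_lo, s_hi = addr_range(*source)
    t_lo, _ = addr_range(*snat)
    a = ipaddress.ip_address(addr)
    if not s_lo <= a <= s_hi:
        return None
    return str(t_lo + (int(a) - int(s_lo)))

def dnat_port_problems(protocol, orig_start, orig_end, mapped_start, mapped_end):
    """Port fields exist only for TCP or UDP; both ranges must be valid and equal in size."""
    if protocol not in ("TCP", "UDP"):
        return ["port ranges are only available when the protocol is TCP or UDP"]
    problems = []
    if any(not 1 <= p <= 65535 for p in (orig_start, orig_end, mapped_start, mapped_end)):
        problems.append("ports must be between 1 and 65535")
    if orig_end < orig_start or mapped_end < mapped_start:
        problems.append("a port range end is before its start")
    elif orig_end - orig_start != mapped_end - mapped_start:
        problems.append("original and mapped port ranges must be the same size")
    return problems

def translate_port(orig_start, orig_end, mapped_start, port):
    """Map one original destination port to its mapped port, or None if not covered."""
    if not orig_start <= port <= orig_end:
        return None
    return mapped_start + (port - orig_start)

if __name__ == "__main__":
    # Constructed values: ten local hosts hidden behind ten translated addresses,
    # and a block of ten ports forwarded to a mail server's port range.
    src, snat = ("192.168.1.10", "192.168.1.19"), ("10.0.0.10", "10.0.0.19")
    print(snat_problems(src, snat), translate_source(src, snat, "192.168.1.12"))
    print(dnat_port_problems("TCP", 8000, 8009, 80, 89), translate_port(8000, 8009, 80, 8003))
    print(dnat_port_problems("TCP", 8000, 8009, 80, 90))
```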

19.3 The VPN Gateway Screen
The VPN Gateway summary screen displays the IPSec VPN gateway policies in the Zyxel Device, as well as the Zyxel Device's address, remote IPSec router's address, and associated VPN connections for each one. In addition, it also lets you activate and deactivate each VPN gateway. To access this screen, click Configuration > VPN > Network > IPSec VPN > VPN Gateway. The following screen appears.
Figure 300 Configuration > VPN > IPSec VPN > VPN Gateway


Each field is discussed in the following table. See Section 19.3.1 on page 433 for more information.

Table 169 Configuration > VPN > IPSec VPN > VPN Gateway


Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate

To turn on an entry, select it and click Activate.

Inactivate

To turn off an entry, select it and click Inactivate.

References

Select an entry and click References to open a screen that shows which settings use the entry. See Section 9.4.4 on page 255 for an example.

#

This field is a sequential value, and it is not associated with a specific VPN gateway.

Status

The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

Name

This field displays the name of the VPN gateway.

My address

This field displays the interface or a domain name the Zyxel Device uses for the VPN gateway.

Secure Gateway

This field displays the IP address(es) of the remote IPSec routers.

VPN Connection

This field displays VPN connections that use this VPN gateway.

IKE Version

This field displays whether the gateway is using IKEv1 or IKEv2. IKEv1 applies to IPv4 traffic only. IKEv2 applies to both IPv4 and IPv6 traffic. IKE (Internet Key Exchange) is a protocol used in setting up security associations that allows two parties to send data securely. See Section 19.1 on page 418 for more information on IKEv1 and IKEv2.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

19.3.1 The VPN Gateway Add/Edit Screen
The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 19.3 on page 432), and click either the Add icon or an Edit icon.

Figure 301 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit

Each field is described in the following table.

Table 170 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit

Show Advanced Settings / Hide Advanced Settings
Click this button to display a greater or lesser number of configuration fields.

Create New Object
Use to configure any new settings objects that you need to use in this screen.

General Settings

Enable
Select this to activate the VPN Gateway policy.

VPN Gateway Name
Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

IKE Version

IKEv1 / IKEv2
Select IKEv1 or IKEv2. IKEv1 applies to IPv4 traffic only. IKEv2 applies to both IPv4 and IPv6 traffic. IKE (Internet Key Exchange) is a protocol used in setting up security associations that allows two parties to send data securely. See Section 19.1 on page 418 for more information on IKEv1 and IKEv2.

Gateway Settings

My Address
Select how the IP address of the Zyxel Device in the IKE SA is defined.

If you select Interface, select the Ethernet interface, VLAN interface, virtual Ethernet interface, virtual VLAN interface or PPPoE/PPTP interface. The IP address of the Zyxel Device in the IKE SA is the IP address of the interface.

If you select Domain Name / IP, enter the domain name or the IP address of the Zyxel Device. The IP address of the Zyxel Device in the IKE SA is the specified IP address or the IP address corresponding to the domain name. 0.0.0.0 is not generally recommended as it has the Zyxel Device accept IPSec requests destined for any interface address on the Zyxel Device.

Peer Gateway Address
Select how the IP address of the remote IPSec router in the IKE SA is defined.

Select Static Address to enter the domain name or the IP address of the remote IPSec router. You can provide a second IP address or domain name for the Zyxel Device to try if it cannot establish an IKE SA with the first one.

Fall back to Primary Peer Gateway when possible: When you select this, if the connection to the primary address goes down and the Zyxel Device changes to using the secondary connection, the Zyxel Device will reconnect to the primary address when it becomes available again and stop using the secondary connection. Users will lose their VPN connection briefly while the Zyxel Device changes back to the primary connection. To use this, the peer device at the secondary address cannot be set to use a nailed-up VPN connection. In the Fallback Check Interval field, set how often to check if the primary address is available.

Select Dynamic Address if the remote IPSec router has a dynamic IP address (and does not use DDNS).

Authentication
Note: The Zyxel Device and remote IPSec router must use the same authentication method to establish the IKE SA.


Table 170 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)

Pre-Shared Key
Select this to have the Zyxel Device and remote IPSec router use a pre-shared key (password) of up to 128 characters to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right. The pre-shared key can be:

· alphanumeric characters or ,;.|`~!@#$%^&*()_+\{}':./<>=-"
· pairs of hexadecimal (0-9, A-F) characters, preceded by "0x".

Type "0x" at the beginning of a hexadecimal key. For example, "0x0123456789ABCDEF" is in hexadecimal format; "0123456789ABCDEF" is in ASCII format. If you use hexadecimal, you must enter twice as many characters since you need to enter pairs.

The Zyxel Device and remote IPSec router must use the same pre-shared key.

Select unmasked to see the pre-shared key in readable plain text.

Certificate
Select this to have the Zyxel Device and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the Zyxel Device uses to identify itself to the remote IPSec router.

This certificate is one of the certificates in My Certificates. If this certificate is self-signed, import it into the remote IPsec router. If this certificate is signed by a CA, the remote IPsec router must trust that CA.

Note: The IPSec routers must trust each other's certificates.

The Zyxel Device uses one of its Trusted Certificates to authenticate the remote IPSec router's certificate. The trusted certificate can be a self-signed certificate or that of a trusted CA that signed the remote IPSec router's certificate.

User-based PSK
User-based PSK (IKEv1 only) generates and manages separate pre-shared keys for every user. This enables multiple users, each with a unique key, to access the same VPN gateway policy with one-to-one authentication and strong encryption. Access can be denied on a per-user basis thus allowing VPN SA user-based policies. Click User-Based PSK then select a user or group object who is allowed VPN SA access using this VPN gateway policy. This is for IKEv1 only.

Local ID Type
This field is read-only if the Zyxel Device and remote IPSec router use certificates to identify each other. Select which type of identification is used to identify the Zyxel Device during authentication. Choices are:

IPv4 or IPv6 - the Zyxel Device is identified by an IP address

DNS - the Zyxel Device is identified by a domain name

E-mail - the Zyxel Device is identified by the string specified in this field

Content
This field is read-only if the Zyxel Device and remote IPSec router use certificates to identify each other. Type the identity of the Zyxel Device during authentication. The identity depends on the Local ID Type.

IP - type an IP address; if you type 0.0.0.0, the Zyxel Device uses the IP address specified in the My Address field. This is not recommended in the following situations:

· There is a NAT router between the Zyxel Device and remote IPSec router.
· You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses.

In these situations, use a different IP address, or use a different Local ID Type.

DNS - type the fully qualified domain name (FQDN). This value is only used for identification and can be any string that matches the peer ID string.

E-mail - the Zyxel Device is identified by the string you specify here; you can use up to 63 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
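To show how the two pre-shared key formats described under Pre-Shared Key above differ in the key bytes they produce, and which strings the field accepts, here is an added example (not Zyxel code) that interprets a configured key string under the rules the table gives. Treating every key that starts with "0x" as hexadecimal and rejecting a malformed one, and accepting lowercase hex digits, are assumptions made here; the guide only lists 0-9 and A-F and does not say how other input is handled.

```python
import re
import string

# Added example, not Zyxel code: interpret a pre-shared key string the way the
# guide describes it so the same key bytes can be configured on the peer.
# "0x" followed by hex pairs is a binary key; anything else is literal ASCII.
# The 128-character limit and the ASCII character set are those the guide lists.

MAX_LEN = 128
ALLOWED = set(string.ascii_letters + string.digits + ",;.|`~!@#$%^&*()_+\\{}':./<>=-\"")
# Assumption: lowercase hex digits are accepted as well; the guide lists 0-9, A-F.
HEX_RE = re.compile(r"^0x(?:[0-9A-Fa-f]{2})+$")

def parse_psk(text):
    """Return ('hex' | 'ascii', key_bytes). Raises ValueError for a key the
    screen would reject. Assumption: any key starting with "0x" is hexadecimal
    and must consist of complete pairs."""
    if not 1 <= len(text) <= MAX_LEN:
        raise ValueError(f"pre-shared key must be 1-{MAX_LEN} characters, got {len(text)}")
    if text.startswith("0x"):
        if not HEX_RE.match(text):
            raise ValueError("hex key must be '0x' followed by complete pairs of hex digits")
        return "hex", bytes.fromhex(text[2:])
    bad = sorted(set(text) - ALLOWED)
    if bad:
        raise ValueError(f"characters not allowed in an ASCII pre-shared key: {bad}")
    return "ascii", text.encode("ascii")

def is_valid_psk(text):
    """True when parse_psk() accepts the string."""
    try:
        parse_psk(text)
        return True
    except ValueError:
        return False

def same_key(a, b):
    """True when two configured strings (on the two IPSec routers) yield the same key bytes."""
    return parse_psk(a)[1] == parse_psk(b)[1]

if __name__ == "__main__":
    # The guide's own pair: 16 hex digits give 8 key bytes, the same 16
    # characters typed without "0x" give 16 bytes of ASCII. Not the same key.
    for s in ("0x0123456789ABCDEF", "0123456789ABCDEF"):
        form, key = parse_psk(s)
        print(f"{s!r}: {form}, {len(key)} bytes")
    print(same_key("0x0123456789ABCDEF", "0123456789ABCDEF"))
```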


Table 170 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)

Peer ID Type
Select which type of identification is used to identify the remote IPSec router during authentication. Choices are:

IP - the remote IPSec router is identified by an IP address

DNS - the remote IPSec router is identified by a domain name

E-mail - the remote IPSec router is identified by the string specified in this field

Any - the Zyxel Device does not check the identity of the remote IPSec router

If the Zyxel Device and remote IPSec router use certificates, there is one more choice.

Subject Name - the remote IPSec router is identified by the subject name in the certificate

Content
This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type.

If the Zyxel Device and remote IPSec router do not use certificates,

IP - type an IP address; see the note at the end of this description.

DNS - type the fully qualified domain name (FQDN). This value is only used for identification and can be any string that matches the peer ID string.

E-mail - the remote IPSec router is identified by the string you specify here; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.

If the Zyxel Device and remote IPSec router use certificates, type the following fields from the certificate used by the remote IPSec router.

IP - subject alternative name field; see the note at the end of this description.

DNS - subject alternative name field

E-mail - subject alternative name field

Subject Name - subject name (maximum 255 ASCII characters, including spaces)

Note: If Peer ID Type is IP, please read the rest of this section.

If you type 0.0.0.0, the Zyxel Device uses the IP address specified in the Secure Gateway Address field. This is not recommended in the following situations:

· There is a NAT router between the Zyxel Device and remote IPSec router.
· You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses.

In these situations, use a different IP address, or use a different Peer ID Type.

Phase 1 Settings

SA Life Time (Seconds)
Type the maximum number of seconds the IKE SA can last. When this time has passed, the Zyxel Device and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however.

Negotiation Mode
Select the negotiation mode to use to negotiate the IKE SA. Choices are:

Main - this encrypts the Zyxel Device's and remote IPSec router's identities but takes more time to establish the IKE SA

Aggressive - this is faster but does not encrypt the identities

The Zyxel Device and the remote IPSec router must use the same negotiation mode.

Proposal
Use this section to manage the encryption algorithm and authentication algorithm pairs the Zyxel Device accepts from the remote IPSec router for negotiating the IKE SA.

Add
Click this to create a new entry.


Table 170 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)

Edit
Select an entry and click this to be able to modify it.

Remove
Select an entry and click this to delete it.

#
This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.

Encryption
Select which key size and encryption algorithm to use in the IKE SA. Choices are:

DES - a 56-bit key with the DES encryption algorithm

3DES - a 168-bit key with the DES encryption algorithm

AES128 - a 128-bit key with the AES encryption algorithm

AES192 - a 192-bit key with the AES encryption algorithm

AES256 - a 256-bit key with the AES encryption algorithm

The Zyxel Device and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication
Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower.

The remote IPSec router must use the same authentication algorithm.

Key Group
Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:

DH1 - use a 768-bit random number

DH2 - use a 1024-bit random number

DH5 - use a 1536-bit random number

DH14 - use a 2048-bit random number

The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.

NAT Traversal
Select this if any of these conditions are satisfied.

· This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol.
· There are one or more NAT routers between the Zyxel Device and remote IPSec router, and these routers do not support IPSec pass-thru or a similar feature.

The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward packets with UDP port 500 and UDP 4500 headers unchanged.

This field applies for IKEv1 only. NAT Traversal is always performed when you use IKEv2.

Dead Peer Detection (DPD)
Select this check box if you want the Zyxel Device to make sure the remote IPSec router is there before it transmits data through the IKE SA. The remote IPSec router must support DPD. If there has been no traffic for at least 15 seconds, the Zyxel Device sends a message to the remote IPSec router. If the remote IPSec router responds, the Zyxel Device transmits the data. If the remote IPSec router does not respond, the Zyxel Device shuts down the IKE SA.

If the remote IPSec router does not support DPD, see if you can use the VPN connection connectivity check (see Section 19.2.1 on page 425).

This field applies for IKEv1 only. Dead Peer Detection (DPD) is always performed when you use IKEv2.

X Auth / Extended Authentication Protocol
This part of the screen displays X-Auth when using IKEv1 and Extended Authentication Protocol when using IKEv2.


Table 170 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)

X-Auth
This displays when using IKEv1. When different users use the same VPN tunnel to connect to the Zyxel Device (telecommuters sharing a tunnel for example), use X-auth to enforce a user name and password check. This way even though telecommuters all know the VPN tunnel's security settings, each still has to provide a unique user name and password.

Enable Extended Authentication
Select this if one of the routers (the Zyxel Device or the remote IPSec router) verifies a user name and password from the other router using the local user database and/or an external server.

Server Mode

Select this if the Zyxel Device authenticates the user name and password from the remote IPSec router. You also have to select the authentication method, which specifies how the Zyxel Device authenticates this information.

AAA Method

Select the authentication method, which specifies how the Zyxel Device authenticates this information.

Allowed User

Extended authentication now supports an allowed user. Select what users should be authenticated.

Client Mode

Select this radio button if the Zyxel Device provides a user name and password to the remote IPSec router for authentication. You also have to provide the User Name and the Password.

User Name

This field is required if the Zyxel Device is in Client Mode for extended authentication. Type the user name the Zyxel Device sends to the remote IPSec router. The user name can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed.

Password

This field is required if the Zyxel Device is in Client Mode for extended authentication. Type the password the Zyxel Device sends to the remote IPSec router. The password can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed.

Retype to Confirm

Type the exact same password again here to make sure an error was not made when typing it originally.

Extended Authentication Protocol

This displays when using IKEv2. EAP uses a certificate for authentication.

Enable Extended Authentication Protocol

Select this if one of the routers (the Zyxel Device or the remote IPSec router) verifies a user name and password from the other router using the local user database and/or an external server or a certificate.

Allowed Auth Method

This field displays the authentication method that is used to authenticate the users.

Server Mode

Select this if the Zyxel Device authenticates the user name and password from the remote IPSec router. You also have to select an AAA method, which specifies how the Zyxel Device authenticates this information and who may be authenticated (Allowed User).

Client Mode

Select this radio button if the Zyxel Device provides a user name and password to the remote IPSec router for authentication. You also have to provide the User Name and the Password.

User Name

This field is required if the Zyxel Device is in Client Mode for extended authentication. Type the user name the Zyxel Device sends to the remote IPSec router. The user name can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed.

Password

This field is required if the Zyxel Device is in Client Mode for extended authentication. Type the password the Zyxel Device sends to the remote IPSec router. The password can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed.

Retype to Confirm

Type the exact same password again here to make sure an error was not made when typing it originally.

OK

Click OK to save your settings and exit this screen.

Cancel

Click Cancel to exit this screen without saving.


19.4 VPN Concentrator

A VPN concentrator combines several IPSec VPN connections into one secure network.

Figure 302 VPN Topologies (Fully Meshed and Hub and Spoke): 1 = fully meshed, 2 = hub and spoke
In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers. In a hub-and-spoke VPN topology (2 in the figure), there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A), which uses the VPN concentrator. The VPN concentrator routes VPN traffic between the spoke routers and itself.
A VPN concentrator reduces the number of VPN connections that you have to set up and maintain on the network. You might also be able to consolidate the policy routes in each spoke router, depending on the IP addresses and subnets of each spoke.
However, a VPN concentrator is not for every situation. The hub router is a single point of failure, so a VPN concentrator is less appropriate if the connection between spoke routers cannot be down occasionally (for maintenance, for example). There is also more burden on the hub router. It receives VPN traffic from one spoke, decrypts it, inspects it to find out to which spoke to route it, encrypts it again, and sends it to the appropriate spoke. Therefore, a VPN concentrator is more suitable when there is only a small amount of traffic between spoke routers.
19.4.1 VPN Concentrator Requirements and Suggestions
Consider the following when using the VPN concentrator.
· The local IP addresses configured in the VPN rules should not overlap.
· The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule for each spoke.
· To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
· Your security policies can still block VPN packets.
19.4.2 VPN Concentrator Screen
The VPN Concentrator summary screen displays the VPN concentrators in the Zyxel Device. To access this screen, click Configuration > VPN > IPSec VPN > Concentrator.
Figure 303 Configuration > VPN > IPSec VPN > Concentrator

Each field is discussed in the following table. See Section 19.4.3 on page 441 for more information.

Table 171 Configuration > VPN > IPSec VPN > Concentrator

LABEL

DESCRIPTION

IPv4/IPv6 Configuration

Choose to configure for IPv4 or IPv6 traffic.

Add

Click this to create a new entry.

Edit

Select an entry and click this to be able to modify it.

Remove

Select an entry and click this to delete it.

#

This field is a sequential value, and it is not associated with a specific concentrator.

Name

This field displays the name of the VPN concentrator.

Group Members

These are the VPN connection policies that are part of the VPN concentrator.

19.4.3 The VPN Concentrator Add/Edit Screen
Use the VPN Concentrator Add/Edit screen to create or edit a VPN concentrator. To access this screen, go to the VPN Concentrator summary screen (see Section 19.4 on page 440), and click either the Add icon or an Edit icon.

Figure 304 Configuration > VPN > IPSec VPN > Concentrator > Add/Edit

Each field is described in the following table.

Table 172 VPN > IPSec VPN > Concentrator > Add/Edit

LABEL

DESCRIPTION

Name

Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Member

Select the concentrator's IPSec VPN connection policies.
IPSec VPN connection policies that do not belong to a VPN concentrator appear under Available. Select any VPN connection policies that you want to add to the VPN concentrator and click the right arrow button to add them.
The VPN concentrator's member VPN connections appear under Member. Select any VPN connections that you want to remove from the VPN concentrator, and click the left arrow button to remove them.

Note: You must disable policy enforcement in each member. See Section 19.2.1 on page 425.

OK

Click OK to save your changes in the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.

19.5 Zyxel Device IPSec VPN Client Configuration Provisioning
Use the Configuration > VPN > IPSec VPN > Configuration Provisioning screen to configure who can retrieve VPN rule settings from the Zyxel Device using the Zyxel Device IPSec VPN Client. In the Zyxel Device IPSec VPN Client, you just need to enter the IP address of the Zyxel Device to get all the VPN rule settings automatically. You do not need to manually configure all rule settings in the Zyxel Device IPSec VPN client.
VPN rules for the Zyxel Device IPSec VPN Client have certain restrictions. They must not contain the following settings:
· AH active protocol
· NULL encryption
· SHA512 authentication
· A subnet or range remote policy
The following VPN Gateway rules configured on the Zyxel Device cannot be provisioned to the IPSec VPN Client:
· IPv4 rules with IKEv2 version
· IPv4 rules with User-based PSK authentication
Note: You must enable IPv6 in System > IPv6 to activate IPv6 VPN tunneling rules.
In the Zyxel Device Quick Setup wizard, you can use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that will not violate these restrictions.
Figure 305 Configuration > VPN > IPSec VPN > Configuration Provisioning

Each field is discussed in the following table.

Table 173 Configuration > VPN > IPSec VPN > Configuration Provisioning

LABEL

DESCRIPTION

Enable Configuration Provisioning

Select this for users to be able to retrieve VPN rule settings using the Zyxel Device IPSec VPN client.

Client Authentication Method

Choose how users should be authenticated. They can be authenticated using the local database on the Zyxel Device or an external authentication database such as LDAP, Active Directory or RADIUS. default is a method you configured in Object > Auth Method. You may configure multiple methods there. If you choose the local database on the Zyxel Device, then configure users using the Object > User/Group screen. If you choose LDAP, Active Directory or RADIUS authentication servers, then configure users on the respective server.

Configuration

When you add or edit a configuration provisioning entry, you are allowed to set the VPN Connection and Allowed User fields.

Duplicate entries are not allowed. You cannot select the same VPN Connection and Allowed User pair in a new entry if the same pair exists in a previous entry.

You can bind different rules to the same user, but the Zyxel Device will only allow VPN rule setting retrieval for the first match found.


Table 173 Configuration > VPN > IPSec VPN > Configuration Provisioning (continued)

LABEL

DESCRIPTION

Add

Click Add to bind a configured VPN rule to a user or group. Only that user or group may then retrieve the specified VPN rule settings.
If you click Add without selecting an entry in advance then the new entry appears as the first entry. Entry order is important as the Zyxel Device searches entries in the order listed here to find a match. After a match is found, the Zyxel Device stops searching. If you want to add an entry as number three for example, then first select entry 2 and click Add. To reorder an entry, use Move.

Edit

Select an existing entry and click Edit to change its settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate

To turn on an entry, select it and click Activate. Make sure that Enable Configuration Provisioning is also selected.

Inactivate

To turn off an entry, select it and click Inactivate.

Move

Use Move to reorder a selected entry. Select an entry, click Move, type the number where the entry should be moved, press <ENTER>, then click Apply.

Status

This icon shows if the entry is active (yellow) or not (gray). VPN rule settings can only be retrieved when the entry is activated (and Enable Configuration Provisioning is also selected).

Priority

Priority shows the order of the entry in the list. Entry order is important as the Zyxel Device searches entries in the order listed here to find a match. After a match is found the Zyxel Device stops searching.

VPN Connection

This field shows all configured VPN rules that match the rule criteria for the Zyxel Device IPSec VPN client. Select a rule to bind to the associated user or group.

Allowed User

Select which user or group of users is allowed to retrieve the associated VPN rule settings using the Zyxel Device IPSec VPN client. A user may belong to a number of groups. If entries are configured for different groups, the Zyxel Device will allow VPN rule setting retrieval based on the first match found.
Users of type admin or limited-admin are not allowed.

Type

This field shows how traffic is tunneled from the Zyxel Device to the Zyxel VPN client:
· 6in4 (tunnel IPv6 traffic from the Zyxel Device to the Zyxel VPN client in an IPv4 network);
· 4in6 (tunnel IPv4 traffic from the Zyxel Device to the Zyxel VPN client in an IPv6 network);
· 4in4 (tunnel IPv4 traffic from the Zyxel Device to the Zyxel VPN client in an IPv4 network).

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.
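The lookup rules of this screen (first match in priority order, one result per user even if the user is in several groups, administrator accounts refused, inactive entries skipped, Add inserting at the top or after the selected row, duplicates rejected) are easy to get wrong when the list is long. The following is an added example that models them; it is not Zyxel code, and User and ProvisioningEntry are stand-ins for the Object > User/Group records and the rows of this table, with constructed sample data.

```python
"""Model of the first-match lookup that Configuration Provisioning performs.
Added example, not Zyxel code; User and ProvisioningEntry are stand-ins for
the Object > User/Group records and the rows of this screen."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    user_type: str                      # "user", "admin" or "limited-admin"
    groups: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class ProvisioningEntry:
    vpn_connection: str                 # VPN Connection column
    allowed_user: str                   # Allowed User column: a user or group name
    active: bool = True                 # Status column


def entry_matches(entry: ProvisioningEntry, user: User) -> bool:
    return entry.allowed_user == user.name or entry.allowed_user in user.groups


def lookup_vpn_rule(entries, user: User, provisioning_enabled: bool = True):
    """Return the VPN connection this user may retrieve, or None.
    Entries are scanned in priority order and the first active match wins,
    so a user in several groups gets whichever group's entry is listed first."""
    if not provisioning_enabled:
        return None
    if user.user_type in ("admin", "limited-admin"):
        return None                     # administrator accounts are not allowed
    for entry in entries:               # index 0 is priority 1
        if entry.active and entry_matches(entry, user):
            return entry.vpn_connection
    return None


def add_entry(entries, new_entry, selected_index=None):
    """Mimic the Add button: with nothing selected the new entry becomes the
    first entry; otherwise it is inserted directly after the selected one.
    The same VPN Connection / Allowed User pair may not appear twice."""
    for e in entries:
        if (e.vpn_connection, e.allowed_user) == (new_entry.vpn_connection, new_entry.allowed_user):
            raise ValueError("duplicate VPN Connection / Allowed User pair")
    pos = 0 if selected_index is None else selected_index + 1
    return entries[:pos] + [new_entry] + entries[pos:]


# Constructed sample data (not taken from a real device).
ALICE = User("alice", "user", frozenset({"sales", "staff"}))
ROOT = User("root", "admin")
ENTRIES = [
    ProvisioningEntry("VPN_sales_split", "sales"),   # priority 1
    ProvisioningEntry("VPN_staff_full", "staff"),    # priority 2
]

if __name__ == "__main__":
    print(lookup_vpn_rule(ENTRIES, ALICE))          # VPN_sales_split: first match wins
    print(lookup_vpn_rule(ENTRIES[::-1], ALICE))    # VPN_staff_full once reordered with Move
    print(lookup_vpn_rule(ENTRIES, ROOT))           # None: admin accounts are refused
```

Run it once with the entries in each order to see that alice, who is in both groups, silently receives a different rule depending purely on list position; that is the reason the table stresses priority.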

19.6 IPSec VPN Background Information
Here is some more detailed IPSec VPN background information.
IKE SA Overview
The IKE SA provides a secure connection between the Zyxel Device and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
Note: Both routers must use the same negotiation mode.
These modes are discussed in more detail in Negotiation Mode. Main mode is used in various examples in the rest of this section.
The Zyxel Device supports IKEv1 and IKEv2. See Section 19.1 on page 418 for more information.
IP Addresses of the Zyxel Device and Remote IPSec Router
To set up an IKE SA, you have to specify the IP addresses of the Zyxel Device and remote IPSec router. You can usually enter a static IP address or a domain name for either or both IP addresses. Sometimes, your Zyxel Device might offer another alternative, such as using the IP address of a port or interface, as well.
You can also specify the IP address of the remote IPSec router as 0.0.0.0. This means that the remote IPSec router can have any IP address. In this case, only the remote IPSec router can initiate an IKE SA because the Zyxel Device does not know the IP address of the remote IPSec router. This is often used for telecommuters.
IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the Zyxel Device and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated next.
Figure 306 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal (step 1: X sends one or more proposals, each consisting of an encryption algorithm, an authentication algorithm and a Diffie-Hellman key group; step 2: Y returns the accepted proposal)
The Zyxel Device sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the Zyxel Device wants to use in the IKE SA. The remote IPSec router selects an acceptable proposal and sends the accepted proposal back to the Zyxel Device. If the remote IPSec router rejects all of the proposals, the Zyxel Device and remote IPSec router cannot establish an IKE SA.

Note: Both routers must use the same encryption algorithm, authentication algorithm, and DH key group.

In most Zyxel Devices, you can select one of the following encryption algorithms for each proposal. The algorithms are listed in order from weakest to strongest.

· Data Encryption Standard (DES) is a widely used method of data encryption. It applies a 56-bit key to each 64-bit block of data. A 56-bit key can be found by brute force, so DES should not be used for new tunnels.
· Triple DES (3DES) is a variant of DES. It applies DES three times with three separate 56-bit keys. Because of the meet-in-the-middle attack this gives an effective strength of about 112 bits, not three times that of DES, and it is slow.
· Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES.
Some Zyxel Devices also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks of data.
In most Zyxel Devices, you can select one of the following authentication algorithms for each proposal. The algorithms are listed in order from weakest to strongest.
· MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
· SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
· SHA256 (Secure Hash Algorithm) produces a 256-bit digest to authenticate packet data.
· SHA512 (Secure Hash Algorithm) produces a 512-bit digest to authenticate packet data.
MD5 and SHA1 are deprecated; choose SHA256 or SHA512 unless the remote IPSec router cannot support them.
See Diffie-Hellman (DH) Key Exchange on page 446 for more information about DH key groups.
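The proposal exchange above has a practical consequence: the responder accepts whichever common proposal it is offered, so a responder that still lists DES, MD5 or DH1 in its own configuration can be negotiated down to them by a peer that offers the weak proposal first. The following is an added example, not Zyxel code, that models the selection and adds a minimum-strength check; the rank tables follow the weakest-to-strongest order the guide gives, and the baseline (AES128, SHA256, 2048-bit DH) is this example's assumption, not a device default.

```python
"""IKE SA proposal selection with a minimum-strength check.
Added example, not Zyxel code. The rank tables follow the weakest-to-strongest
order the guide gives; the baseline (AES128 / SHA256 / 2048-bit DH) is this
example's assumption, not a device default."""
from dataclasses import dataclass

ENCRYPTION_RANK = {"DES": 0, "3DES": 1, "AES128": 2, "AES192": 3, "AES256": 4}
AUTH_RANK = {"MD5": 0, "SHA1": 1, "SHA256": 2, "SHA512": 3}
DH_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536, "DH14": 2048}

MIN_ENCRYPTION, MIN_AUTH, MIN_DH_BITS = "AES128", "SHA256", 2048


@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str
    dh_group: str


def weaknesses(p: Proposal) -> list:
    """Explain why a proposal falls below the baseline (empty list = acceptable)."""
    issues = []
    if ENCRYPTION_RANK[p.encryption] < ENCRYPTION_RANK[MIN_ENCRYPTION]:
        issues.append(f"encryption {p.encryption} is weaker than {MIN_ENCRYPTION}")
    if AUTH_RANK[p.authentication] < AUTH_RANK[MIN_AUTH]:
        issues.append(f"authentication {p.authentication} is weaker than {MIN_AUTH}")
    if DH_BITS[p.dh_group] < MIN_DH_BITS:
        issues.append(f"{p.dh_group} ({DH_BITS[p.dh_group]}-bit) is below {MIN_DH_BITS} bits")
    return issues


def select_proposal(initiator_proposals, responder_accepts):
    """Responder-side choice: the first proposal, in the initiator's order, that the
    responder is also configured with. All three components must match exactly.
    None means no common proposal, so no IKE SA."""
    acceptable = set(responder_accepts)
    for p in initiator_proposals:
        if p in acceptable:
            return p
    return None


def negotiate(initiator_proposals, responder_accepts, enforce_baseline=True):
    """Return (chosen proposal or None, list of reasons for refusal).
    With enforce_baseline the responder refuses a matching-but-weak proposal
    instead of silently accepting a downgrade."""
    chosen = select_proposal(initiator_proposals, responder_accepts)
    if chosen is None:
        return None, ["no proposal acceptable to both routers"]
    issues = weaknesses(chosen) if enforce_baseline else []
    return (None, issues) if issues else (chosen, [])


# Constructed sample lists (not from a real device).
WEAK = Proposal("DES", "MD5", "DH1")
STRONG = Proposal("AES256", "SHA256", "DH14")
INITIATOR = [WEAK, STRONG]                 # a peer that lists its weak proposal first
RESPONDER_PERMISSIVE = [WEAK, STRONG]      # responder still configured with legacy settings
RESPONDER_STRICT = [STRONG]                # responder with the weak proposal removed
```

The real defence is the strict responder list: removing weak proposals from the configuration means there is nothing for a peer to negotiate down to, and the enforce_baseline check is only a safety net for the case where legacy entries were left in place.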
Diffie-Hellman (DH) Key Exchange
The Zyxel Device and the remote IPSec router use DH public-key cryptography to establish a shared secret. The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrated next.
Figure 307 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange (X and Y exchange their Diffie-Hellman public values in steps 3 and 4)
DH public-key cryptography is based on DH key groups. Each key group uses a modulus of a fixed number of bits. The larger the modulus, the harder the shared secret is to recover, but the longer the exchange takes to compute. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 exchanges take longer to compute. Both DH1 and DH2 are now considered too small; use DH14 (2048 bits) or larger where both routers support it.

Authentication
Before the Zyxel Device and remote IPSec router establish an IKE SA, they have to verify each other's identity. This process is based on pre-shared keys and router identities.
In main mode, the Zyxel Device and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the Zyxel Device and remote IPSec router selected in previous steps.

Figure 308 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (step 5: X sends its identity, consisting of ID type and content, authenticated with the pre-shared key; step 6: Y sends its identity, consisting of ID type and content, authenticated with the pre-shared key)

You have to create (and distribute) a pre-shared key. The Zyxel Device and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged.

Note: The Zyxel Device and the remote IPSec router must use the same pre-shared key.

Router identity consists of ID type and content. The ID type can be domain name, IP address, or email address, and the content is a (properly-formatted) domain name, IP address, or email address. The content is only used for identification. Any domain name or email address that you enter does not have to actually exist. Similarly, any domain name or IP address that you enter does not have to correspond to the Zyxel Device's or remote IPSec router's properties.

The Zyxel Device and the remote IPSec router have their own identities, so both of them must store two sets of information, one for themselves and one for the other router. Local ID type and content refers to the ID type and content that applies to the router itself, and peer ID type and content refers to the ID type and content that applies to the other router.

Note: The Zyxel Device's local and peer ID type and content must match the remote IPSec router's peer and local ID type and content, respectively.

For example, in the next table, the Zyxel Device and the remote IPSec router authenticate each other successfully. In contrast, in the following table, the Zyxel Device and the remote IPSec router cannot authenticate each other and, therefore, cannot establish an IKE SA.

Table 174 VPN Example: Matching ID Type and Content

ZYXEL DEVICE                             REMOTE IPSEC ROUTER
Local ID type: E-mail                    Local ID type: IP
Local ID content: tom@yourcompany.com    Local ID content: 1.1.1.2
Peer ID type: IP                         Peer ID type: E-mail
Peer ID content: 1.1.1.2                 Peer ID content: tom@yourcompany.com


Table 175 VPN Example: Mismatching ID Type and Content

ZYXEL DEVICE                             REMOTE IPSEC ROUTER
Local ID type: E-mail                    Local ID type: IP
Local ID content: tom@yourcompany.com    Local ID content: 1.1.1.2
Peer ID type: IP                         Peer ID type: E-mail
Peer ID content: 1.1.1.20                Peer ID content: tom@yourcompany.com

It is also possible to configure the Zyxel Device to ignore the identity of the remote IPSec router. In this case, you usually set the peer ID type to Any. This is less secure, so you should only use this if your Zyxel Device provides another way to check the identity of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel.

Additional Topics for IKE SA
This section provides more information about IKE SA.

Negotiation Mode
There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
Main mode takes six steps to establish an IKE SA.
Steps 1 - 2: The Zyxel Device sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the Zyxel Device.
Steps 3 - 4: The Zyxel Device and the remote IPSec router participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a shared secret. The pre-shared key itself is never exchanged; it is only mixed into the keys and authentication values computed from this shared secret.
Steps 5 - 6: Finally, the Zyxel Device and the remote IPSec router generate an encryption key (from the shared secret), encrypt their identities, and exchange their encrypted identity information for authentication.
In contrast, aggressive mode only takes three steps to establish an IKE SA. Aggressive mode does not provide as much security because the identity of the Zyxel Device and the identity of the remote IPSec router are not encrypted. It is usually used in remote-access situations, where the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication. For example, the remote IPSec router may be a telecommuter who does not have a static IP address.
Because the identities and the pre-shared-key authentication hash travel unencrypted in aggressive mode, anyone who captures the exchange can run an offline dictionary attack against the pre-shared key. If you must use aggressive mode, use a long random pre-shared key, or use certificates instead.

VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router Y.
Figure 309 VPN/NAT Example (router A sits between router X and router Y)
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel.
Most routers like router A now have an IPSec pass-thru feature. This feature helps router A recognize VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Active Protocol on page 450 for more information about active protocols.)
If router A does not have IPSec pass-thru, you can solve this problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra UDP header to the IKE SA and IPSec SA packets. If you configure router A to forward these packets unchanged, router X and router Y can establish a VPN tunnel. NAT traversal only works with ESP: AH authenticates the outer IP header, so any address translation breaks its integrity check, and no encapsulation can repair that.
You have to do the following things to set up NAT traversal.
· Enable NAT traversal on the Zyxel Device and remote IPSec router.
· Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.)
The extra header uses UDP port 500 or UDP port 4500, depending on the standard(s) the Zyxel Device and remote IPSec router support. With the standard method (RFC 3947 and RFC 3948), IKE starts on UDP port 500 and, once a NAT is detected, both the IKE messages and the ESP packets move to UDP port 4500.
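Three different things share UDP port 4500 once NAT traversal is active, and a firewall or a packet capture has to tell them apart. The following is an added example, not Zyxel code, that classifies a UDP/4500 payload the way RFC 3948 lays it out: a UDP-encapsulated ESP packet starts directly with its SPI, an IKE message is prefixed with a four-byte zero "non-ESP marker" (SPI 0 is reserved, so the two cannot collide), and a NAT keepalive is the single byte 0xFF. The IKE header field order is from RFC 7296, the exchange-type table is this example's own, and the sample packets are constructed.

```python
"""Classify what arrives on UDP port 4500 when NAT traversal is in use.
Added example, not Zyxel code. Layout per RFC 3948: a UDP-encapsulated ESP
packet starts with its SPI; an IKE message is prefixed with a four-byte
zero "non-ESP marker" (SPI 0 is reserved, so the two cannot collide);
a NAT keepalive is the single byte 0xFF. The sample packets are constructed."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_HEADER = struct.Struct("!8s8sBBBBII")     # iSPI, rSPI, next, version, exch, flags, msgid, len
EXCHANGE_TYPES = {2: "IKEv1 main mode", 4: "IKEv1 aggressive mode",
                  34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
                  36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL"}


def classify_udp4500_payload(payload: bytes):
    """Return (kind, details) for the payload of one UDP/4500 datagram."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", {}
    if payload[:4] == NON_ESP_MARKER:
        if len(payload) < 4 + IKE_HEADER.size:
            return "invalid", {"reason": "truncated IKE header"}
        ispi, rspi, _next, version, exch, flags, msg_id, length = \
            IKE_HEADER.unpack(payload[4:4 + IKE_HEADER.size])
        return "ike", {"version": f"{version >> 4}.{version & 0x0F}",
                       "exchange": EXCHANGE_TYPES.get(exch, f"type {exch}"),
                       "initiator_spi": ispi.hex(), "length": length}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        if spi != 0:                          # a real ESP SPI is never zero
            return "esp", {"spi": spi, "sequence": seq}
    return "invalid", {"reason": "neither ESP, IKE nor keepalive"}


def encapsulate_ike(ike_message: bytes) -> bytes:
    """What a router sends on port 4500 after NAT was detected on port 500."""
    return NON_ESP_MARKER + ike_message


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """UDP-encapsulated ESP carries the ESP packet unchanged after the UDP header."""
    return esp_packet


# Constructed samples: an IKEv2 IKE_SA_INIT header and a bare ESP header.
SAMPLE_IKE = IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, IKE_HEADER.size)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16   # SPI, seq, (encrypted) payload
```

Feed the function the UDP payload from a capture of the NAT router's WAN side: if the IKE messages are classified but no "esp" payloads ever appear after IKE_AUTH, the NAT router is forwarding port 500 but not port 4500, which is the symptom of the "forward packets with the extra header unchanged" requirement above not being met.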

X-Auth / Extended Authentication
X-Auth / Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters.
In extended authentication, one of the routers (the Zyxel Device or the remote IPSec router) provides a user name and password to the other router, which uses a local user database and/or an external server to verify the user name and password. If the user name or password is wrong, the routers do not establish an IKE SA.
You can set up the Zyxel Device to provide a user name and password to the remote IPSec router, or you can set up the Zyxel Device to check a user name and password that is provided by the remote IPSec router.
If you use extended authentication, it takes four more steps to establish an IKE SA. These steps occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in aggressive mode).


Certificates
It is possible for the Zyxel Device and remote IPSec router to authenticate each other with certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote identity because the certificates provide this information instead.
· Instead of using the pre-shared key, the Zyxel Device and remote IPSec router check the signatures on each other's certificates. Unlike pre-shared keys, the signatures do not have to match.
· The local and peer ID type and content come from the certificates.
Note: You must set up the certificates for the Zyxel Device and remote IPSec router first.

IPSec SA Overview
Once the Zyxel Device and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.
Note: With IKEv1, the IPSec SA stays connected even if the underlying IKE SA is not available anymore. With IKEv2, deleting the IKE SA also deletes the IPSec SAs that were negotiated through it.
This section introduces the key components of an IPSec SA.

Local Network and Remote Network
In an IPSec SA, the local network, the one(s) connected to the Zyxel Device, may be called the local policy. Similarly, the remote network, the one(s) connected to the remote IPSec router, may be called the remote policy.

Active Protocol
The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402, updated by RFC 4302) and ESP (Encapsulating Security Payload, RFC 2406, updated by RFC 4303).
Note: The Zyxel Device and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT because AH also authenticates the outer IP header, which NAT rewrites.

Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the Zyxel Device and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
Note: The Zyxel Device and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
Figure 310 VPN: Transport and Tunnel Mode Encapsulation

Original Packet:        IP Header | TCP Header | Data
Transport Mode Packet:  IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet:     IP Header | AH/ESP Header | IP Header | TCP Header | Data

In tunnel mode, the Zyxel Device uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers:
· Outside header: The outside IP header contains the IP address of the Zyxel Device or remote IPSec router, whichever is the destination.
· Inside header: The inside IP header contains the IP address of the computer behind the Zyxel Device or remote IPSec router. The header for the active protocol (AH or ESP) appears between the IP headers.
In transport mode, the encapsulation depends on the active protocol. With AH, the Zyxel Device includes part of the original IP header when it encapsulates the packet. With ESP, however, the Zyxel Device does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address.
IPSec SA Proposal and Perfect Forward Secrecy
An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal), except that you also have the choice whether or not the Zyxel Device and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).
If you enable PFS, the Zyxel Device and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.
If you do not enable PFS, the Zyxel Device and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys.
The DH key exchange is time-consuming and may be unnecessary for data that does not require such security.
With IKEv2, PFS is not applied to the first IPSec SA, which is created during the IKE_AUTH exchange and keyed from the IKE SA's own DH exchange; it is applied when that IPSec SA is rekeyed, or a further IPSec SA is created, with a CREATE_CHILD_SA exchange.
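The following is an added example, not Zyxel code, that serves both the Diffie-Hellman key exchange section above and this PFS section: two parties compute the same root secret from each other's public values, and an IPSec SA key is then derived either from the IKE root secret (no PFS) or from a fresh exchange (PFS), so that an attacker who later obtains the IKE root secret can rebuild only the former. The group is the RFC 2409 1024-bit group (DH2), copied here only because the guide mentions it; it is too small for new tunnels. The HMAC-SHA256 key derivation is a simplified stand-in for IKE's PRF chain, not its exact construction.

```python
"""Diffie-Hellman shared secret and the effect of Perfect Forward Secrecy.
Added example, not Zyxel code: it serves the DH key exchange section above
as well as the PFS section. The group is the RFC 2409 1024-bit group (DH2),
copied here only because the guide mentions it; it is too small for new tunnels.
The key derivation is a simplified HMAC stand-in for IKE's PRF chain."""
import hashlib
import hmac
import secrets

DH2_PRIME = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GENERATOR = 2


class DHParty:
    """One router's side of a DH exchange (steps 3 - 4 in main mode)."""

    def __init__(self, p: int = DH2_PRIME, g: int = GENERATOR):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 3) + 2          # x in [2, p-2], never sent
        self.public = pow(g, self.private, p)                # g^x mod p, sent in clear

    def shared_secret(self, peer_public: int) -> bytes:
        # Refuse degenerate values (0, 1, p-1) that would force a trivial secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        s = pow(peer_public, self.private, self.p)           # (g^y)^x = (g^x)^y mod p
        return s.to_bytes((self.p.bit_length() + 7) // 8, "big")


def dh_exchange() -> bytes:
    """Both routers compute the same root secret from each other's public value."""
    x, y = DHParty(), DHParty()
    sx, sy = x.shared_secret(y.public), y.shared_secret(x.public)
    assert sx == sy
    return sx


def derive_key(root_secret: bytes, label: bytes, nonce: bytes) -> bytes:
    """Simplified key derivation (assumption: HMAC-SHA256, not IKE's exact PRF use)."""
    return hmac.new(root_secret, label + nonce, hashlib.sha256).digest()


def ipsec_sa_key(ike_root: bytes, nonce: bytes, pfs: bool) -> bytes:
    """Without PFS every IPSec SA key comes from the IKE SA's root secret.
    With PFS a fresh DH exchange supplies a new root for this IPSec SA."""
    root = dh_exchange() if pfs else ike_root
    return derive_key(root, b"ipsec", nonce)


def key_recoverable_from_ike_root(ike_root: bytes, nonce: bytes, sa_key: bytes) -> bool:
    """What an attacker holding the IKE root secret and the (public) nonce can do:
    rebuild the IPSec SA key only if it was derived without PFS."""
    return hmac.compare_digest(derive_key(ike_root, b"ipsec", nonce), sa_key)
```

The degenerate-value check in shared_secret is the part most often missing from toy implementations: a peer that sends 1 or p-1 as its public value forces the shared secret to a known constant, regardless of how large the group is.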
Additional Topics for IPSec SA
This section provides more information about IPSec SA in your Zyxel Device.
Authentication and the Security Parameter Index (SPI)
An IPSec SA is not identified by pre-shared keys or by ID type and content; it is identified by the SPI, a 32-bit number carried in every AH or ESP header. The receiver uses the SPI (together with the destination address and the active protocol) to look up which SA, and therefore which keys and algorithms, applies to the packet. When IKE negotiates the IPSec SA, each router chooses the SPI for the traffic it will receive and tells the other router.
Note: The Zyxel Device and remote IPSec router must use the same SPI for each direction of the IPSec SA; a packet that arrives with an unknown SPI is dropped.
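The following is an added example, not Zyxel code, that ties the Encapsulation and SPI topics together on the wire: it parses the AH (RFC 4302) or ESP (RFC 4303) header of an inbound packet, recovers the SPI that selects the SA, and for AH uses the next-header field to tell tunnel mode (an inner IP packet follows) from transport mode (TCP follows directly). For ESP the next-header byte sits in the encrypted trailer, so the mode is only known after decryption with the SA's key. The packets and the SA table are constructed.

```python
"""Parse the AH/ESP header of an inbound packet, recover the SPI that selects
the SA, and tell tunnel mode from transport mode.
Added example, not Zyxel code. Header layouts follow RFC 4302 (AH) and
RFC 4303 (ESP); the packets and the SA table below are constructed."""
import ipaddress
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51
IPPROTO_IPV4, IPPROTO_IPV6, IPPROTO_TCP = 4, 41, 6


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ah(next_header: int, spi: int, seq: int, icv: bytes = b"\x00" * 12) -> bytes:
    """AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP: SPI, sequence, then the encrypted payload and trailer (opaque here)."""
    return struct.pack("!II", spi, seq) + ciphertext


def encapsulation_mode(next_header: int) -> str:
    """Tunnel mode wraps a whole IP packet; anything else is transport mode."""
    return "tunnel" if next_header in (IPPROTO_IPV4, IPPROTO_IPV6) else "transport"


def parse_ipsec_packet(packet: bytes) -> dict:
    """Return the outer addresses, protocol, SPI, sequence and, for AH, the mode."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])), "proto": proto}
    body = packet[ihl:]
    if proto == IPPROTO_AH:
        next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", body[:12])
        info.update(spi=spi, seq=seq, next_header=next_hdr,
                    mode=encapsulation_mode(next_hdr), ah_len=(payload_len + 2) * 4)
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # ESP's next-header byte is inside the encrypted trailer, so the mode
        # is only known after decryption with the SA's key.
        info.update(spi=spi, seq=seq, mode="unknown until decrypted")
    else:
        raise ValueError("not an AH or ESP packet")
    return info


def lookup_sa(sad: dict, packet: bytes):
    """Inbound SA selection: (destination, protocol, SPI) must be known, else drop."""
    info = parse_ipsec_packet(packet)
    return sad.get((info["dst"], info["proto"], info["spi"]))


# Constructed SA table: one AH SA and one ESP SA terminating on this router.
SAD = {("203.0.113.1", IPPROTO_AH, 0x1001): "AH tunnel to site B",
       ("203.0.113.1", IPPROTO_ESP, 0x2002): "ESP tunnel to site C"}
AH_TUNNEL = build_ipv4("198.51.100.2", "203.0.113.1", IPPROTO_AH,
                       build_ah(IPPROTO_IPV4, 0x1001, 1) + b"\x45" + b"\x00" * 19)
AH_TRANSPORT = build_ipv4("198.51.100.2", "203.0.113.1", IPPROTO_AH,
                          build_ah(IPPROTO_TCP, 0x1001, 2) + b"\x00" * 20)
ESP_PKT = build_ipv4("198.51.100.3", "203.0.113.1", IPPROTO_ESP,
                     build_esp(0x2002, 9, b"\xaa" * 32))
UNKNOWN_SPI = build_ipv4("198.51.100.3", "203.0.113.1", IPPROTO_ESP,
                         build_esp(0x9999, 1, b"\xaa" * 32))
```

A capture on the WAN interface where lookup_sa returns None for every ESP packet from a peer is the classic symptom of the two routers having been left with mismatched SPIs (or of an SA that one side has already deleted), which is what the note above is warning about.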

NAT for Inbound and Outbound Traffic
The Zyxel Device can translate the following types of network addresses in IPSec SA.
· Source address in outbound packets - this translation is necessary if you want the Zyxel Device to route packets from computers outside the local network through the IPSec SA.
· Source address in inbound packets - this translation hides the source address of computers in the remote network.
· Destination address in inbound packets - this translation is used if you want to forward packets (for example, mail) from the remote network to a specific computer (like the mail server) in the local network.
Each kind of translation is explained below. The following example is used to help explain each one.
Figure 311 VPN Example: NAT for Inbound and Outbound Traffic
Source Address in Outbound Packets (Outbound Traffic, Source NAT)
This translation lets the Zyxel Device route packets from computers that are not part of the specified local network (local policy) through the IPSec SA. For example, in Figure 311 on page 452, you have to configure this kind of translation if you want computer M to establish a connection with any computer in the remote network (B). If you do not configure it, the remote IPSec router may not route messages for computer M through the IPSec SA because computer M's IP address is not part of its local policy. To set up this NAT, you have to specify the following information:
· Source - the original source address; most likely, computer M's network.
· Destination - the original destination address; the remote network (B).
· SNAT - the translated source address; the local network (A).
So urc e Addre ss in Inb o und Pa c ke ts (Inb o und Tra ffic , So urc e NAT)
You can set up this translation if you want to change the source address of computers in the remote network. To set up this NAT, you have to specify the following information:
ZyWALL USG FLEX Series User's Guide
452

Chapter 19 IPSec VPN
· Source - the original source address; the remote network (B).
· Destination - the original destination address; the local network (A).
· SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address.

Destination Address in Inbound Packets (Inbound Traffic, Destination NAT)
You can set up this translation if you want the Zyxel Device to forward some packets from the remote network to a specific computer in the local network. For example, in Figure 311 on page 452, you can configure this kind of translation if you want to forward mail from the remote network to the mail server in the local network (A).
You have to specify one or more rules when you set up this kind of NAT. The Zyxel Device checks these rules similar to the way it checks rules for a security policy. The first part of these rules defines the conditions in which the rule applies.
· Original IP - the original destination address; the remote network (B).
· Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection.
· Original Port - the original destination port or range of destination ports; in Figure 311 on page 452, it might be port 25 for SMTP.
The second part of these rules controls the translation when the condition is satisfied.
· Mapped IP - the translated destination address; in Figure 311 on page 452, the IP address of the mail server in the local network (A).
· Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size.
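The destination NAT rule check described above, modelled as an added Python example (this is not Zyxel code; the rule fields follow the guide, while the remote network 10.20.0.0/24, the mail server address 192.168.1.25, the second host 192.168.1.80 and the 8000-8009 port range are constructed sample values). The model generalizes the single SMTP case to port ranges and to first-match evaluation over several rules, and it rejects a rule whose original and mapped port ranges differ in size, which is the constraint the guide places on Mapped Port.

```python
"""Model of the inbound destination NAT rules described above.

Added example, not Zyxel code. The condition part of a rule is (Original IP,
Protocol, Original Port); the translation part is (Mapped IP, Mapped Port).
The guide's requirement that the original and mapped port ranges be the same
size is enforced on construction, which is what makes a per-port mapping
(same offset into the mapped range) well defined.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROTOCOLS = ("tcp", "udp", "both")   # "both" means TCP and UDP, as in the guide


@dataclass(frozen=True)
class DnatRule:
    original_net: str                 # Original IP: network the packet's destination must be in
    protocol: str                     # "tcp", "udp" or "both"
    original_ports: Tuple[int, int]   # Original Port: inclusive destination port range
    mapped_ip: str                    # Mapped IP: translated destination address
    mapped_ports: Tuple[int, int]     # Mapped Port: inclusive translated port range

    def __post_init__(self) -> None:
        ip_network(self.original_net)             # raises ValueError on a malformed network
        ip_address(self.mapped_ip)
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unknown protocol {self.protocol!r}")
        for lo, hi in (self.original_ports, self.mapped_ports):
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range {lo}-{hi}")
        o_lo, o_hi = self.original_ports
        m_lo, m_hi = self.mapped_ports
        if o_hi - o_lo != m_hi - m_lo:
            raise ValueError("original and mapped port ranges must be the same size")

    def matches(self, dst_ip: str, proto: str, dst_port: int) -> bool:
        """Condition part: destination address, protocol and destination port all match."""
        proto_ok = self.protocol == "both" or self.protocol == proto
        lo, hi = self.original_ports
        return (proto_ok
                and ip_address(dst_ip) in ip_network(self.original_net)
                and lo <= dst_port <= hi)

    def translate(self, dst_port: int) -> Tuple[str, int]:
        """Translation part: keep the port's offset within the range."""
        return self.mapped_ip, self.mapped_ports[0] + (dst_port - self.original_ports[0])


def apply_dnat(rules: List[DnatRule], dst_ip: str, proto: str,
               dst_port: int) -> Optional[Tuple[str, int]]:
    """First matching rule wins, as with security policy rules; None means no translation."""
    for rule in rules:
        if rule.matches(dst_ip, proto, dst_port):
            return rule.translate(dst_port)
    return None


# Constructed sample rules: remote network B = 10.20.0.0/24, mail server in
# local network A = 192.168.1.25 (assumed addresses, not from the guide).
SAMPLE_RULES = [
    # the guide's SMTP case: one port to one port
    DnatRule("10.20.0.0/24", "tcp", (25, 25), "192.168.1.25", (25, 25)),
    # a range case: ports 8000-8009 on either protocol land on 80-89 of a second host
    DnatRule("10.20.0.0/24", "both", (8000, 8009), "192.168.1.80", (80, 89)),
]

if __name__ == "__main__":
    for pkt in (("10.20.0.7", "tcp", 25), ("10.20.0.7", "udp", 25),
                ("10.20.0.7", "udp", 8003), ("10.30.0.7", "tcp", 25)):
        print(pkt, "->", apply_dnat(SAMPLE_RULES, *pkt))
```

A UDP packet to port 25 is left alone because the first rule is TCP only, and a packet from outside the configured remote network never matches, which mirrors how the device only translates traffic that satisfies every part of the condition.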
IPSec VPN Example Scenario
Here is an example site-to-site IPSec VPN scenario.
Figure 312 Site-to-site IPSec VPN Example
CHAPTER 20 SSL VPN

20.1 Overview
Use SSL VPN to allow users to use a web browser for secure remote user login. The remote users do not need a VPN router or VPN client software.

20.1.1 What You Can Do in this Chapter
· Use the VPN > SSLVPN > Access Privilege screens (see Section 20.2 on page 455) to configure SSL access policies.
· Use the VPN > SSLVPN > Global Setting screen (see Section 20.3 on page 458) to set the IP address of the Zyxel Device (or a gateway device) on your network for full tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote user screen.

20.1.2 What You Need to Know

Full Tunnel Mode

In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network.

Figure 313 Network Access Mode: Full Tunnel Mode (LAN 192.168.1.X; https://192.168.1.100; Web Mail, File Share, Non-Web; Web-based Application, Application Server)

SSL Access Policy
An SSL access policy allows the Zyxel Device to perform the following tasks:
· limit user access to specific applications or file sharing server on the network.
· allow user access to specific networks.
· assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks.


SSL Access Policy Objects

The SSL access policies reference the following objects. If you update this information, in response to changes, the Zyxel Device automatically propagates the changes through the SSL policies that use the object(s). When you delete an SSL policy, the objects are not removed.

Table 176 Objects

OBJECT TYPE       OBJECT SCREEN             DESCRIPTION
User Accounts     User Account/User Group   Configure a user account or user group to which you want to apply this SSL access policy.
Application       SSL Application           Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access.
IP Pool           Address                   Configure an address object that defines a range of private IP addresses to assign to user computers so they can access the internal network through a VPN connection.
Server Addresses  Address                   Configure address objects for the IP addresses of the DNS and WINS servers that the Zyxel Device sends to the VPN connection users.
VPN Network       Address                   Configure an address object to specify which network segment users are allowed to access through a VPN connection.

You cannot delete an object that is referenced by an SSL access policy. To delete the object, you must first unassociate the object from the SSL access policy.

20.2 The SSL Access Privilege Screen
Click VPN > SSLVPN to open the Access Privilege screen. This screen lists the configured SSL access policies.
Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting and other information.
Figure 314 VPN > SSL VPN > Access Privilege


The following table describes the labels in this screen.

Table 177 VPN > SSL VPN > Access Privilege

Access Policy Summary: This screen shows a summary of SSL VPN policies created.
    Click on the VPN icon to go to the Zyxel VPN Client product page at the Zyxel website.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Move: To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the entry.
References: Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen.
#: This field displays the index number of the entry.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Name: This field displays the descriptive name of the SSL access policy for identification purposes.
User/Group: This field displays the user account or user group name(s) associated to an SSL access policy. This field displays up to three names.
Access Policy Summary: This field displays details about the SSL application object this policy uses including its name, type, and address.
Apply: Click Apply to save the settings.
Reset: Click Reset to discard all changes.

20.2.1 The SSL Access Privilege Policy Add/Edit Screen
To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen.

Figure 315 VPN > SSL VPN > Add/Edit

The following table describes the labels in this screen.

Table 178 VPN > SSL VPN > Access Privilege > Add/Edit

Create new Object: Use to configure any new settings objects that you need to use in this screen.
Configuration
Enable Policy: Select this option to activate this SSL access policy.
Name: Enter a descriptive name to identify this policy. You can enter up to 31 characters ("a-z", "A-Z", "0-9") with no spaces allowed.
Zone: Select the zone to which to add this SSL access policy. You use zones to apply security settings such as security policy and remote management.
Description: Enter additional information about this SSL access policy. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_").


Table 178 VPN > SSL VPN > Access Privilege > Add/Edit (continued)

User/Group: The Selectable User/Group Objects list displays the name(s) of the user account and/or user group(s) to which you have not applied an SSL access policy yet.
    To associate a user or user group to this SSL access policy, select a user account or user group and click the right arrow button to add to the Selected User/Group Objects list. You can select more than one name.
    To remove a user or user group, select the name(s) in the Selected User/Group Objects list and click the left arrow button.
    Note: Although you can select admin and limited-admin accounts in this screen, they are reserved for device configuration only. You cannot use them to access the SSL VPN portal.
Network Extension (Optional)
Enable Network Extension: Select this option to create a VPN tunnel between the authenticated users and the internal network. This allows the users to access the resources on the network as if they were on the same local network. This includes access to resources not supported by SSL application objects. For example this lets users Telnet to the internal network even though the Zyxel Device does not have SSL application objects for Telnet.
    Clear this option to disable this feature. Users can only access the applications as defined by the VPN tunnel's selected SSL application settings and the remote user computers are not made to be a part of the local network.
Force all client traffic to SSL VPN tunnel: Select this to send all traffic from the SSL VPN clients through the SSL VPN tunnel. This replaces the default gateway of the SSL VPN clients with the SSL VPN gateway.
NetBIOS broadcast over SSL VPN Tunnel: Select this to search for a remote computer and access its applications as if it was in a Local Area Network. The user can find a computer not only by its IP address but also by computer name.
Assign IP Pool: Define a separate pool of IP addresses to assign to the SSL users. Select it here.
    The SSL VPN IP pool should not overlap with IP addresses on the Zyxel Device's local networks (LAN and DMZ for example), the SSL user's network, or the networks you specify in the SSL VPN Network List.
DNS/WINS Server 1..2: Select the name of the DNS or WINS server whose information the Zyxel Device sends to the remote users. This allows them to access devices on the local network using domain names instead of IP addresses.
Network List: To allow user access to local network(s), select a network name in the Selectable Address Objects list and click the right arrow button to add to the Selected Address Objects list. You can select more than one network.
    To block access to a network, select the network name in the Selected Address Objects list and click the left arrow button.
OK: Click OK to save the changes and return to the main Access Privilege screen.
Cancel: Click Cancel to discard all changes and return to the main Access Privilege screen.

20.3 The SSL Global Setting Screen
Click VPN > SSLVPN and click the Global Setting tab to display the following screen. Use this screen to set the IP address of the Zyxel Device (or a gateway device) on your network for full tunnel mode access.

Figure 316 VPN > SSL VPN > Global Setting

The following table describes the labels in this screen.

Table 179 VPN > SSL VPN > Global Setting

Global Setting
Network Extension Local IP: Specify the IP address of the Zyxel Device (or a gateway device) for full tunnel mode SSL VPN access.
    Leave this field to the default settings unless it conflicts with another interface.
Apply: Click Apply to save the changes and/or start the logo file upload process.
Reset: Click Reset to return the screen to its last-saved settings.

CHAPTER 21 L2TP VPN
21.1 Overview
L2TP VPN uses the L2TP and IPSec client software included in remote users' Android, iOS, Windows or Mac OS X operating systems for secure connections to the network behind the Zyxel Device. The remote users do not need their own IPSec gateways or third-party VPN client software.
Figure 317 L2TP VPN Overview
21.1.1 What You Can Do in this Chapter
· Use the L2TP VPN screen (see Section 21.2 on page 461) to configure the Zyxel Device's L2TP VPN settings.
· Use the VPN Setup Wizard screen in Quick Setup (Chapter 4 on page 79) to configure the Zyxel Device's L2TP VPN settings.
21.1.2 What You Need to Know
The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel is established first and then an L2TP tunnel is built inside it. See Chapter 19 on page 418 for information on IPSec VPN.
IPSec Configuration Required for L2TP VPN
You must configure an IPSec VPN connection prior to proper L2TP VPN usage (see Chapter 21 on page 460 for details). The IPSec VPN connection must:
· Be enabled.
· Use transport mode.
· Use Pre-Shared Key authentication.
· Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address.
Using the Quick Setup VPN Setup Wizard
The VPN Setup Wizard is an easy and convenient way to configure the L2TP VPN settings. Click Configuration > Quick Setup > VPN Setup > VPN Settings for L2TP VPN Settings to get started.
Policy Route
The Policy Route for return traffic (from LAN to L2TP clients) is automatically created when the Zyxel Device adds a new L2TP connection, allowing users to access the resources on a network without additional configuration. However, if some of the traffic from the L2TP clients needs to go to the Internet, you will need to create a policy route to send that traffic from the L2TP tunnels out through a WAN trunk. This task can be easily performed by clicking the Allow L2TP traffic through WAN checkbox at Quick Setup > VPN Setup > Allow L2TP traffic through WAN.
Figure 318 Policy Route for L2TP VPN
21.2 L2TP VPN Screen
Click Configuration > VPN > L2TP VPN to open the following screen. Use this screen to configure the Zyxel Device's L2TP VPN settings.
Note: Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and re-establish the sessions using the new settings.
Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information.
Figure 319 Configuration > VPN > L2TP VPN

The following table describes the fields in this screen.

Table 180 Configuration > VPN > L2TP VPN

Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Create new Object: Use to configure any new settings objects that you need to use in this screen.
Enable L2TP Over IPSec: Use this field to turn the Zyxel Device's L2TP VPN function on or off.
VPN Connection: Select the IPSec VPN connection the Zyxel Device uses for L2TP VPN. All of the configured VPN connections display here, but the one you use must meet the requirements listed in IPSec Configuration Required for L2TP VPN.
    Note: Modifying this VPN connection (or the VPN gateway that it uses) disconnects any existing L2TP VPN sessions.
IP Address Pool: Select the pool of IP addresses that the Zyxel Device uses to assign to the L2TP VPN clients. Use Create new Object if you need to configure a new pool of IP addresses.
    This should not conflict with any WAN, LAN, DMZ or WLAN subnet even if they are not in use.
Authentication Method: Select how the Zyxel Device authenticates a remote user before allowing access to the L2TP VPN tunnel.
    The authentication method has the Zyxel Device check a user's user name and password against the Zyxel Device's local database, a remote LDAP, RADIUS, or Active Directory server, or more than one of these.
Authentication Server Certificate: Select the certificate to use to identify the Zyxel Device for L2TP VPN connections. You must have certificates already configured in the My Certificates screen. The certificate is used with the EAP, PEAP, and MSCHAPv2 authentication protocols.


Table 180 Configuration > VPN > L2TP VPN (continued)

Allowed User: The remote user must log into the Zyxel Device to use the L2TP VPN tunnel.
    Select a user or user group that can use the L2TP VPN tunnel. Use Create new Object if you need to configure a new user account. Otherwise, select any to allow any user with a valid account and password on the Zyxel Device to log in.
Keep Alive Timer: The Zyxel Device sends a Hello message after waiting this long without receiving any traffic from the remote user. The Zyxel Device disconnects the VPN tunnel if the remote user does not respond.
First DNS Server, Second DNS Server: Specify the IP addresses of DNS servers to assign to the remote users. You can specify these IP addresses two ways.
    Custom Defined - enter a static IP address.
    From ISP - use the IP address of a DNS server that another interface received from its DHCP server.
First WINS Server, Second WINS Server: The WINS (Windows Internet Naming Service) server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
    Type the IP addresses of up to two WINS servers to assign to the remote users. You can specify these IP addresses two ways.
Apply: Click Apply to save your changes in the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

21.2.1 Example: L2TP and Zyxel Device Behind a NAT Router
If the Zyxel Device (Z) is behind a NAT router (N), then do the following for remote clients (C) to access the network behind the Zyxel Device (Z) using L2TP over IPv4.
Figure 320 L2TP and Zyxel Device Behind a NAT Router

1 Create an address object in Configuration > Object > Address/GEO IP > Address for the WAN IP address of the NAT router.

2 Go to Configuration > VPN > IPSec VPN > VPN Connection and click Add for IPv4 Configuration to create a new VPN connection.
3 Select Remote Access (Server Role) as the VPN scenario for the remote client.
4 Select the NAT router WAN IP address object as the Local Policy.
5 Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured.
CHAPTER 22 BWM (Bandwidth Management)
22.1 Overview
Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
22.1.1 What You Can Do in this Chapter
Use the BWM screens (see Section 22.2 on page 469) to control bandwidth for services passing through the Zyxel Device, and to identify the conditions that define the bandwidth control.
22.1.2 What You Need to Know
When you allow a service, you can restrict the bandwidth it uses. It controls TCP and UDP traffic. Use policy routes to manage other types of traffic (like ICMP).
Note: Bandwidth management in policy routes has priority over TCP and UDP traffic policies.
If you want to use a service, make sure the security policy allows the service's packets to go through the Zyxel Device.
Note: The Zyxel Device checks security policies before it checks bandwidth management rules for traffic going through the Zyxel Device.
Bandwidth management examines every TCP and UDP connection passing through the Zyxel Device. Then, you can specify, by port, whether or not the Zyxel Device continues to route the connection.
BWM Type
The Zyxel Device supports three types of bandwidth management: Shared, Per user and Per-Source-IP.
The Shared BWM type is selected by default in a bandwidth management rule. All matched traffic shares the bandwidth configured in the rule. If the BWM type is set to Per user in a rule, each user that matches the rule can use up to the configured bandwidth on his/her own. Select the Per-Source-IP type when you want to set the maximum bandwidth for traffic from an individual source IP address.
In the following example, you configure a Per user bandwidth management rule for radius-users to limit outgoing traffic to 300 kbps. Then each of the radius-users (A, B and C) can send 300 kbps of traffic.
Figure 321 Bandwidth Management Per User Type
DiffServ and DSCP Marking
QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types. DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.
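To make the DSCP marking concrete, here is an added Python example (not Zyxel code) that pulls the 6-bit DSCP out of an IPv4 header's TOS byte, names the standard code points (CS0 to CS7, EF, and the AFxy Assured Forwarding points, where x is the class and y the drop precedence), and rewrites the field the way a DSCP-marking device would while leaving the two ECN bits untouched. The header bytes, including the 192.168.1.10 and 192.168.1.25 addresses inside them, are constructed sample data.

```python
"""DSCP decode / re-mark helper. Added example, not Zyxel code.

The DS field is the upper six bits of the IPv4 TOS byte (byte 1 of the header);
the low two bits are ECN and must survive re-marking. Standard code points:
CS0..CS7 = 8*n, EF = 46, AFxy = 8*x + 2*y for class x in 1..4 and drop
precedence y in 1..3 (so AF11 = 10 and AF43 = 38).
"""
import struct


def dscp_from_tos(tos: int) -> int:
    """Upper six bits of the TOS / Traffic Class byte."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte out of range")
    return tos >> 2


def mark_tos(tos: int, dscp: int) -> int:
    """Return the TOS byte re-marked with `dscp`, preserving the ECN bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range")
    return (dscp << 2) | (tos & 0b11)


def dscp_name(dscp: int) -> str:
    """Standard name for a code point; unnamed values come back as DSCPnn."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range")
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"          # CS0 is the guide's "default" (best effort)
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if dscp % 2 == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    return f"DSCP{dscp}"


def dscp_from_ipv4_header(hdr: bytes) -> int:
    """Read the DSCP from a raw IPv4 header (version nibble must be 4)."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return dscp_from_tos(hdr[1])


def remark_ipv4_header(hdr: bytes, dscp: int) -> bytes:
    """Return a copy of the header carrying a new DSCP (header checksum left to the caller)."""
    dscp_from_ipv4_header(hdr)         # validates the header first
    return hdr[:1] + bytes([mark_tos(hdr[1], dscp)]) + hdr[2:]


def build_sample_ipv4_header(tos: int) -> bytes:
    """Constructed 20-byte IPv4 header: 192.168.1.10 -> 192.168.1.25, TCP, no options."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0x4000, 64, 6, 0,
                       bytes([192, 168, 1, 10]), bytes([192, 168, 1, 25]))


# constructed samples: TOS 0xB8 carries EF (46), TOS 0x28 carries AF11 (10)
SAMPLE_EF_HEADER = build_sample_ipv4_header(0xB8)
SAMPLE_AF11_HEADER = build_sample_ipv4_header(0x28)

if __name__ == "__main__":
    for hdr in (SAMPLE_EF_HEADER, SAMPLE_AF11_HEADER):
        d = dscp_from_ipv4_header(hdr)
        print(f"dscp={d:2d} ({dscp_name(d)})")
```

The same decoder tells you what the "af" entries in the BWM DSCP Code column stand for: the first digit after "af" is the class (1 to 4) and the second is the drop precedence (1 to 3).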
Connection and Packet Directions
Bandwidth management looks at the connection direction, that is, from which interface the connection was initiated and to which interface the connection is going. A connection has outbound and inbound packet flows. The Zyxel Device controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel.
· The outbound traffic flows from the connection initiator to the connection responder.
· The inbound traffic flows from the connection responder to the connection initiator.
For example, a LAN1 to WAN connection is initiated from LAN1 and goes to the WAN.
· Outbound traffic goes from a LAN1 device to a WAN device. Bandwidth management is applied before sending the packets out a WAN interface on the Zyxel Device.
· Inbound traffic comes back from the WAN device to the LAN1 device. Bandwidth management is applied before sending the traffic out a LAN1 interface.
Figure 322 LAN1 to WAN Connection and Packet Directions

Outbound and Inbound Bandwidth Limits
You can limit an application's outbound or inbound bandwidth. This limit keeps the traffic from using up too much of the out-going interface's bandwidth. This way you can make sure there is bandwidth for other applications. When you apply a bandwidth limit to outbound or inbound traffic, each member of the out-going zone can send up to the limit. Take a LAN1 to WAN policy for example.
· Outbound traffic is limited to 200 kbps. The connection initiator is on the LAN1 so outbound means the traffic traveling from the LAN1 to the WAN. Each of the WAN zone's two interfaces can send the limit of 200 kbps of traffic.
· Inbound traffic is limited to 500 kbps. The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1.
Figure 323 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps

Bandwidth Management Priority
· The Zyxel Device gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate.
· Then lower-priority traffic gets bandwidth.
· The Zyxel Device uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority.
· The Zyxel Device automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority).

Maximize Bandwidth Usage
Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to "borrow" any unused bandwidth on the out-going interface.
After each application gets its configured bandwidth rate, the Zyxel Device uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled.
Unused bandwidth is divided equally. Higher priority traffic does not get a larger portion of the unused bandwidth.
Bandwidth Management Behavior
The following sections show how bandwidth management behaves with various settings. For example, you configure DMZ to WAN policies for FTP servers A and B. Each server tries to send 1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A for server A's traffic and policy B for server B's traffic.
Figure 324 Bandwidth Management Behavior

Configured Rate Effect

In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate.

Table 181 Configured Rate Effect

POLICY  CONFIGURED RATE  MAX. B. U.  PRIORITY  ACTUAL RATE
A       300 kbps         No          1         300 kbps
B       200 kbps         No          1         200 kbps


Priority Effect

Here the configured rates total more than the available bandwidth. Because server A has higher priority, it gets up to its configured rate (800 kbps), leaving only 200 kbps for server B.

Table 182 Priority Effect

POLICY  CONFIGURED RATE  MAX. B. U.  PRIORITY  ACTUAL RATE
A       800 kbps         Yes         1         800 kbps
B       1000 kbps        Yes         2         200 kbps

Maximize Bandwidth Usage Effect

With maximize bandwidth usage enabled, after each server gets its configured rate, the rest of the available bandwidth is divided equally between the two. So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps. Then the Zyxel Device divides the remaining bandwidth (1000 - 500 = 500) equally between the two (500 / 2 = 250 kbps for each). The priority has no effect on how much of the unused bandwidth each server gets.

So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550 kbps. Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps.

Table 183 Maximize Bandwidth Usage Effect

POLICY  CONFIGURED RATE  MAX. B. U.  PRIORITY  ACTUAL RATE
A       300 kbps         Yes         1         550 kbps
B       200 kbps         Yes         2         450 kbps

Priority and Over Allotment of Bandwidth Effect

Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error. Even though the Zyxel Device still attempts to let all traffic get through and not be lost, regardless of its priority, server B gets almost no bandwidth with this configuration.

Table 184 Priority and Over Allotment of Bandwidth Effect

POLICY  CONFIGURED RATE  MAX. B. U.  PRIORITY  ACTUAL RATE
A       1000 kbps        Yes         1         999 kbps
B       1000 kbps        Yes         2         1 kbps
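The allocation rules behind the four tables above, as an added Python model (not Zyxel code). The scenario values come from the guide (a 1000 kbps WAN, servers A and B each trying to send 1000 kbps) and the Policy fields mirror the table columns. The model reproduces Tables 181 to 183 exactly. For the over-allotment case of Table 184, strict priority leaves server B with nothing (1000/0), whereas the guide reports the device still passes a trickle (999/1); that floor is device behaviour the model does not attempt to reproduce, which is why the guide calls the configuration an error.

```python
"""Model of the bandwidth allocation behaviour shown in Tables 181 to 184.

Added example, not Zyxel code. Step 1 serves policies in priority order
(1 = highest), each up to its configured rate and never more than it offers.
Step 2 splits whatever capacity is left equally among policies that have
maximize bandwidth usage enabled and still want more; priority plays no part
in step 2, as the guide states.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Policy:
    name: str
    configured_kbps: int     # Configured Rate
    priority: int            # 1 (highest) .. 7 (lowest)
    maximize: bool           # Maximize Bandwidth Usage
    offered_kbps: int        # what the matched source is trying to send


def allocate(policies: List[Policy], link_kbps: int) -> Dict[str, int]:
    """Return the actual rate (kbps) each policy ends up with."""
    remaining = link_kbps
    got = {p.name: 0 for p in policies}

    # Step 1: strict priority, capped at the configured rate. The sort is
    # stable, so equal priorities keep table order (the device round-robins them).
    for p in sorted(policies, key=lambda p: p.priority):
        share = min(p.configured_kbps, p.offered_kbps, remaining)
        got[p.name] = share
        remaining -= share

    # Step 2: equal split of unused bandwidth among maximize-enabled policies
    # with unserved demand. A policy that saturates leaves the pool and the
    # next round re-splits what it did not take.
    wanting = [p for p in policies if p.maximize and p.offered_kbps > got[p.name]]
    while remaining > 0 and wanting:
        share = remaining // len(wanting)
        if share == 0:
            break                      # less than 1 kbps per policy left to hand out
        for p in list(wanting):
            extra = min(share, p.offered_kbps - got[p.name])
            got[p.name] += extra
            remaining -= extra
            if got[p.name] >= p.offered_kbps:
                wanting.remove(p)
    return got


# The guide's scenario: a 1000 kbps WAN, servers A and B each offering 1000 kbps.
LINK_KBPS = 1000
TABLE_181 = [Policy("A", 300, 1, False, 1000), Policy("B", 200, 1, False, 1000)]
TABLE_182 = [Policy("A", 800, 1, True, 1000), Policy("B", 1000, 2, True, 1000)]
TABLE_183 = [Policy("A", 300, 1, True, 1000), Policy("B", 200, 2, True, 1000)]
TABLE_184 = [Policy("A", 1000, 1, True, 1000), Policy("B", 1000, 2, True, 1000)]

if __name__ == "__main__":
    for label, table in (("181", TABLE_181), ("182", TABLE_182),
                         ("183", TABLE_183), ("184", TABLE_184)):
        print(f"Table {label}: {allocate(table, LINK_KBPS)}")
```

Changing the offered rate of one server below its configured rate shows the other half of the rule: a policy never borrows more than it can use, so the leftover from an idle high-priority policy flows to lower-priority ones even without maximize bandwidth usage being involved in step 1.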

22.2 The Bandwidth Management Configuration
The Bandwidth management screens control the bandwidth allocation for TCP and UDP traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions, similar to the sequence of rules used by firewalls, to specify how the Zyxel Device handles the DSCP value and allocates bandwidth for the matching packets.
Click Configuration > BWM to open the following screen. This screen allows you to enable/disable bandwidth management and add, edit, and remove user-defined bandwidth management policies.
The default bandwidth management policy is the one with the priority of "default". It is the last policy the Zyxel Device checks if traffic does not match any other bandwidth management policies you have configured. You cannot remove, activate, deactivate or move the default bandwidth management policy.
Figure 325 Configuration > Bandwidth Management

The following table describes the labels in this screen. See Section 22.2.1 on page 472 for more information as well.

Table 185 Configuration > Bandwidth Management

Enable BWM: Select this check box to activate bandwidth management.
Enable Highest Bandwidth Priority for SIP Traffic: Select this to maximize the throughput of SIP traffic to improve SIP-based VoIP call sound quality. This has the Zyxel Device immediately send SIP traffic upon identifying it. When this option is enabled the Zyxel Device ignores any other application patrol rules for SIP traffic (so there is no bandwidth control for SIP traffic) and does not record SIP traffic bandwidth usage statistics.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Move: To change an entry's position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The status icon is not available for the default bandwidth management policy.
Priority: This field displays a sequential value for each bandwidth management policy and it is not associated with a specific setting.
    This field displays default for the default bandwidth management policy.
Description: This field displays additional information about this policy.
BWM Type: This field displays the below types of BWM:
    · Shared, when the policy is set for all matched traffic
    · Per User, when the policy is set for an individual user or a user group
    · Per-Source-IP, when the policy is set for a source IP


Table 185 Configuration > Bandwidth Management (continued)

User: This is the type of user account to which the policy applies. If any displays, the policy applies to all user accounts.
Schedule: This is the schedule that defines when the policy applies. none means the policy always applies.
Incoming Interface: This is the source interface of the traffic to which this policy applies.
Outgoing Interface: This is the destination interface of the traffic to which this policy applies.
Source: This is the source address or address group, including geographic address and FQDN (group) objects, to which this policy applies. If any displays, the policy is effective for every source.
Destination: This is the destination address or address group, including geographic address and FQDN (group) objects, to which this policy applies. If any displays, the policy is effective for every destination.
DSCP Code: These are the DSCP code point values of incoming and outgoing packets to which this policy applies. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment.
    any means all DSCP values or no DSCP marker.
    default means traffic with a DSCP value of 0. This is usually best effort traffic.
    The "af" options stand for Assured Forwarding. The number following the "af" identifies one of four classes and one of three drop preferences.
Service: App and the service name display if you selected Application Object for the service type. An Application Object is a pre-defined service.
    Obj and the service name display if you selected Service Object for the service type. A Service Object is a customized pre-defined service or another service. Mouse over the service object name to view the corresponding IP protocol number.
BWM In/Pri/Out/Pri: This field shows the amount of bandwidth the traffic can use.
    In - This is how much inbound bandwidth, in kilobits per second, this policy allows the matching traffic to use. Inbound refers to the traffic the Zyxel Device sends to a connection's initiator. If no displays here, this policy does not apply bandwidth management for the inbound traffic.
    Out - This is how much outgoing bandwidth, in kilobits per second, this policy allows the matching traffic to use. Outbound refers to the traffic the Zyxel Device sends out from a connection's initiator. If no displays here, this policy does not apply bandwidth management for the outbound traffic.
    Pri - This is the priority for the incoming (the first Pri value) or outgoing (the second Pri value) traffic that matches this policy. The smaller the number, the higher the priority. Traffic with a higher priority is given bandwidth before traffic with a lower priority. The Zyxel Device ignores this number if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field's configuration.

ZyWALL USG FLEX Series User's Guide
471

Chapter 22 BWM (Bandwidth Management)

Table 185 Configuration > Bandwidth Management

LA BEL DSCP Marking

DESC RIPTIO N
This is how the Zyxel Device handles the DSCP value of the incoming and outgoing packets that match this policy.

In - Inbound, the traffic the Zyxel Device sends to a connection's initiator.

O ut - Outbound, the traffic the Zyxel Device sends out from a connection's initiator.

If this field displays a DSCP value, the Zyxel Device applies that DSCP value to the route's outgoing packets.

pre se rve means the Zyxel Device does not modify the DSCP value of the route's outgoing packets.

de fa ult means the Zyxel Device sets the DSCP value of the route's outgoing packets to 0.

Apply Reset

The "a f" choices stand for Assured Forwarding. The number following the "a f" identifies one of four classes and one of three drop preferences.
Click Apply to save your changes back to the Zyxel Device.
Click Re se t to return the screen to its last-saved settings.

22.2.1 The Bandwidth Management Add/Edit Screen
The Configuration > Bandwidth Management Add/Edit screen allows you to create a new condition or edit an existing one.

802.1P Marking

Use 802.1P to prioritize outgoing traffic from a VLAN interface. The Priority Code is a 3-bit field within an 802.1Q VLAN tag that is used to prioritize associated outgoing VLAN traffic. "0" is the lowest priority level and "7" is the highest.

Table 186 Single Tagged 802.1Q Frame Format

DA | SA | TPID | Priority | VID | Len/Etype | Data | FCS
IEEE 802.1Q customer tagged frame

Table 187 802.1Q Frame

DA          Destination Address
SA          Source Address
TPID        Tag Protocol IDentifier
Priority    802.1p Priority
VID         VLAN ID
Len/Etype   Length and type of Ethernet frame
Data        Frame data
FCS         Frame Check Sequence

The following table is a guide to types of traffic for the priority code.

Table 188 Priority Code and Types of Traffic

PRIORITY      TRAFFIC TYPES
0 (lowest)    Background
1             Best Effort
2             Excellent Effort
3             Critical Applications
4             Video, less than 100 ms latency and jitter
5             Voice, less than 10 ms latency and jitter
6             Internetwork Control
7 (highest)   Network Control

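As an added example that is not part of the Zyxel guide, the following Python decodes the two priority fields a BWM policy can match or mark: the 802.1p Priority Code in the 802.1Q tag laid out in Tables 186 and 187 (mapped to the traffic types of Table 188), and the DSCP code point with its "af" class and drop preference as used in the DSCP Code and DSCP Marking settings. The frame, MAC/IP addresses and VLAN ID are constructed sample values.

```python
"""Decode the priority fields a BWM policy can match or mark: the
802.1p Priority Code in an 802.1Q VLAN tag and the DSCP code point
of the IPv4 packet it carries. Added example; the frame is constructed."""
import struct

# Table 188: 802.1p priority code to traffic type.
PRIORITY_TRAFFIC = {
    0: "Background",
    1: "Best Effort",
    2: "Excellent Effort",
    3: "Critical Applications",
    4: "Video, less than 100 ms latency and jitter",
    5: "Voice, less than 10 ms latency and jitter",
    6: "Internetwork Control",
    7: "Network Control",
}

TPID_8021Q = 0x8100      # Tag Protocol IDentifier of a customer tag
ETHERTYPE_IPV4 = 0x0800


def dscp_name(dscp):
    """Name a 6-bit DSCP value the way the BWM screens do: "default"
    for 0 (best effort), "afXY" for Assured Forwarding class X (1-4)
    with drop preference Y (1-3), where dscp = 8*X + 2*Y; any other
    code point is returned as its decimal value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 0:
        return "default"
    af_class, rem = divmod(dscp, 8)
    if 1 <= af_class <= 4 and rem in (2, 4, 6):
        return "af%d%d" % (af_class, rem // 2)
    return str(dscp)


def parse_tagged_frame(frame):
    """Parse a single-tagged frame (Table 186: DA, SA, TPID,
    Priority/VID, Len/Etype, Data) and return the fields a BWM
    policy looks at. A trailing FCS, if present, is left in the data."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    da, sa, tpid, tci, etype = struct.unpack("!6s6sHHH", frame[:18])
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1Q tagged frame (TPID 0x%04x)" % tpid)
    pcp = tci >> 13            # 3-bit Priority Code Point
    vid = tci & 0x0FFF         # 12-bit VLAN ID
    result = {
        "dst": da.hex(":"), "src": sa.hex(":"),
        "priority": pcp, "traffic_type": PRIORITY_TRAFFIC[pcp],
        "vid": vid, "ethertype": etype,
    }
    payload = frame[18:]
    if etype == ETHERTYPE_IPV4 and len(payload) >= 20:
        dscp = payload[1] >> 2      # top six bits of the TOS byte
        result["dscp"] = dscp
        result["dscp_name"] = dscp_name(dscp)
    return result


def set_priority(frame, priority):
    """Overwrite the Priority Code as the 802.1P Marking setting does;
    the VLAN ID and the DEI bit are kept."""
    if not 0 <= priority <= 7:
        raise ValueError("priority code is a 3-bit field")
    parse_tagged_frame(frame)      # validates the tag first
    tci = struct.unpack("!H", frame[14:16])[0]
    tci = (priority << 13) | (tci & 0x1FFF)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def build_sample_frame(priority=5, vid=100, dscp=34):
    """Constructed tagged frame with a minimal 20-byte IPv4 header
    (sample MAC and IP addresses, not a real capture)."""
    da = bytes.fromhex("001122334455")
    sa = bytes.fromhex("66778899aabb")
    tci = (priority << 13) | vid
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0,
                       64, 17, 0, bytes([192, 168, 1, 10]),
                       bytes([10, 0, 0, 1]))
    return da + sa + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + ipv4


if __name__ == "__main__":
    frame = build_sample_frame()
    print(parse_tagged_frame(frame))          # priority 5, af41
    print(parse_tagged_frame(set_priority(frame, 7))["priority"])
```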
To access this screen, go to the Configuration > Bandwidth Management screen (see Section 22.2 on page 469), and click either the Add icon or an Edit icon.

Figure 326 Configuration > Bandwidth Management > Edit (For the Default Policy)

Figure 327 Configuration > Bandwidth Management > Add/Edit

The following table describes the labels in this screen.

Table 189 Configuration > Bandwidth Management > Add/Edit

Create new Object
Use to configure any new settings objects that you need to use in this screen.

Configuration

Enable
Select this check box to turn on this policy.

Description
Enter a description of this policy. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

Criteria
Use this section to configure the conditions of traffic to which this policy applies.

BWM Type
This field displays one of the following BWM rule types:

· Shared, when the policy is set for all users
· Per User, when the policy is set for an individual user or a user group
· Per Source IP, when the policy is set for a source IP

User
Select a user name or user group to which to apply the policy. Use Create new Object if you need to configure a new user account. Select any to apply the policy to every user.

Schedule
Select a schedule that defines when the policy applies or select Create Object to configure a new one. Otherwise, select none to make the policy always effective.

Incoming Interface
Select the source interface of the traffic to which this policy applies.

Outgoing Interface
Select the destination interface of the traffic to which this policy applies.

Source
Select a source address or address group, including geographic address and FQDN (group) objects, to which this policy applies. Use Create new Object if you need to configure a new one. Select any if the policy is effective for every source.

Destination
Select a destination address or address group, including geographic address and FQDN (group) objects, to which this policy applies. Use Create new Object if you need to configure a new one. Select any if the policy is effective for every destination.

DSCP Code
Select a DSCP code point value of incoming packets to which this policy applies or select User Defined to specify another DSCP code point. The lower the number the higher the priority, with the exception of 0, which is usually given only best-effort treatment.

any means all DSCP values or no DSCP marker.

default means traffic with a DSCP value of 0. This is usually best-effort traffic.

The "af" choices stand for Assured Forwarding. The number following the "af" identifies one of four classes and one of three drop preferences.

User-Defined DSCP Code
Use this field to specify a custom DSCP code point.

Service Type
Select Service Object or Application Object if you want a specific service (defined in a service object) or application patrol service to which the policy applies.

Service Object
This field is available if you selected Service Object as the service type. Select a service or service group to identify the type of traffic to which this policy applies. any means all services.

Application Object
This field is available if you selected Application Object as the service type. Select an application patrol service to identify the specific traffic to which this policy applies.

DSCP Marking
Set how the Zyxel Device handles the DSCP value of the incoming and outgoing packets that match this policy. Inbound refers to the traffic the Zyxel Device sends to a connection's initiator. Outbound refers to the traffic the Zyxel Device sends out from a connection's initiator.

Select one of the pre-defined DSCP values to apply or select User Defined to specify another DSCP value. The "af" choices stand for Assured Forwarding. The number following the "af" identifies one of four classes and one of three drop preferences.

Select preserve to have the Zyxel Device keep the packets' original DSCP value.

Select default to have the Zyxel Device set the DSCP value of the packets to 0.

Bandwidth Shaping
Configure these fields to set the amount of bandwidth the matching traffic can use.

Inbound kbps
Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the Zyxel Device sends to a connection's initiator.

If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the Zyxel Device sends to the initiator. Traffic with bandwidth management disabled (inbound and outbound are both set to 0) is automatically treated as the lowest priority (7).

If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.

Outbound kbps
Type how much outbound bandwidth, in kilobits per second, this policy allows the traffic to use. Outbound refers to the traffic the Zyxel Device sends out from a connection's initiator.

If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the Zyxel Device sends out from the initiator. Traffic with bandwidth management disabled (inbound and outbound are both set to 0) is automatically treated as the lowest priority (7).

If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.

Priority
This field displays when the inbound or outbound bandwidth management is not set to 0. Enter a number between 1 and 7 to set the priority for traffic that matches this policy. The smaller the number, the higher the priority.

Traffic with a higher priority is given bandwidth before traffic with a lower priority.

The Zyxel Device uses a fairness-based (round-robin) scheduler to divide bandwidth between traffic flows with the same priority.

The number in this field is ignored if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field's configuration.

Maximize Bandwidth Usage
This field displays when the inbound or outbound bandwidth management is not set to 0 and the BWM Type is set to Shared. Enable maximize bandwidth usage to let the traffic matching this policy "borrow" all unused bandwidth on the outgoing interface.

After each application or type of traffic gets its configured bandwidth rate, the Zyxel Device uses the fairness-based scheduler to divide any unused bandwidth on the outgoing interface among applications and traffic types that need more bandwidth and have maximize bandwidth usage enabled.

Maximum
If you did not enable Maximize Bandwidth Usage, then type the maximum unused bandwidth that traffic matching this policy is allowed to "borrow" on the outgoing interface (in Kbps) here.

802.1P Marking
Use 802.1P to prioritize outgoing traffic from a VLAN interface.

Priority Code
This is a 3-bit field within an 802.1Q VLAN tag that is used to prioritize associated outgoing VLAN traffic. "0" is the lowest priority level and "7" is the highest. See Table 188 on page 472. The setting configured here overwrites existing priority settings.

Interface
Choose a VLAN interface to which to apply the priority level for matching frames.

Related Setting

Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when any traffic matches this policy.

OK
Click OK to save your changes back to the Zyxel Device.

Cancel
Click Cancel to exit this screen without saving your changes.

22.2.1.1 Adding Objects for the BWM Policy
Objects are the parameters on which the policy rules are built. There are three kinds of objects you can add or edit for the BWM policy: User, Schedule and Address objects. Click Configuration > BWM > Add > Create New Object > Add User to see the following screen.
Figure 328 Configuration > BWM > Create New Object > Add User

The following table describes the fields in the above screen.

Table 190 Configuration > BWM > Create New Object > Add User

User Name
Type a user or user group object name of the rule.

User Type
Select a user type from the drop down menu. The user types are Admin, Limited admin, User, Guest, Ext-user, Ext-group-user.

Password
Type a password for the user object. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ` \ () ), and it can be up to eight characters long.

Retype
Retype the password to confirm.

Description
Enter a description for this user object. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

Authentication Timeout Settings
Choose Use Default Settings, which shows the default Lease Time of 1,440 minutes and Reauthentication Time of 1,440 minutes, or choose Use Manual Settings to enter them manually.

Lease Time
This shows the Lease Time setting for the user; by default it is 1,440 minutes.

Reauthentication Time
This shows the Reauthentication Time for the user; by default it is 1,440 minutes.

OK
Click OK to save the setting.

Cancel
Click Cancel to abandon this screen.

Figure 329 Configuration > BWM > Create New Object > Add Schedule

The following table describes the fields in the above screen.

Table 191 Configuration > BWM > Create New Object > Add Schedule

LA BEL

DESC RIPTIO N

Name

Enter a name for the schedule object of the rule.

Type

Select an option from the drop down menu for the schedule object. It will show One Time or Recurring.

Start Date

Click the icon menu on the right to choose a Start Date for the schedule object.

Start Time

Click the icon menu on the right to choose a Start Time for the schedule object.

Stop Date

Click the icon menu on the right to choose a Stop Date for the schedule object.

Stop Time

Click the icon menu on the right to choose a Stop Time for the schedule object.

Figure 330 Configuration > BWM > Create New Object > Add Address

The following table describes the fields in the above screen.

Table 192 Configuration > BWM > Create New Object > Add Address

LA BEL

DESC RIPTIO N

Name

Enter a name for the Address object of the rule.

Address Type

Select an Address Type from the drop down menu on the right. The Address Types are Host, Range, Subnet, Interface IP, Interface Subnet, and Interface Gateway.

IP Address

Enter an IP address for the Address object.

OK

Click OK to save the setting.

Cancel

Click Cancel to abandon the setting.

CHAPTER 23 Web Authentication
23.1 Web Auth Overview
Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions. Once authentication is successful, they can then connect to the rest of the network or Internet. As soon as a user attempts to open a web page, the Zyxel Device reroutes his/her browser to a web portal page that prompts him/her to log in.
Figure 331 Web Authentication Example
The web authentication page only appears once per authentication session. Unless a user session times out or he/she closes the connection, he or she generally will not see it again during the same session.
23.1.1 What You Can Do in this Chapter
· Use the Configuration > Web Authentication screens (Section 23.2 on page 482) to create and manage web authentication policies.
· Use the Configuration > Web Authentication > SSO screen (Section 23.3 on page 502) to configure how the Zyxel Device communicates with a Single Sign-On agent.
23.1.2 What You Need to Know
Single Sign-On
An SSO (Single Sign-On) agent integrates Domain Controller and Zyxel Device authentication mechanisms, so that users only need to log in once (single) to get access to permitted resources.
Forced User Authentication
Instead of making users for which user-aware policies have been configured go to the Zyxel Device Login screen manually, you can configure the Zyxel Device to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet.
Note: This works with HTTP traffic only. The Zyxel Device does not display the Login screen when users attempt to send other kinds of traffic. The Zyxel Device does not automatically route the request that prompted the login, however, so users have to make this request again.
23.2 Web Authentication General Screen
The Web Authentication General screen displays the general web portal settings and web authentication policies you have configured on the Zyxel Device. Use this screen to enable web authentication on the Zyxel Device.
Figure 332 Configuration > Web Authentication > General

The following table gives an overview of the objects you can configure.

Table 193 Configuration > Web Authentication > General

Global Setting

Enable Web Authentication
Select the check box to turn on the web authentication feature. Otherwise, clear the check box to turn it off.

Once enabled, all network traffic is blocked until a client authenticates with the Zyxel Device through the specifically designated web portal or user agreement page.

Web Portal General Setting

Enable Session Page
Select this to display a page showing information on the user session after s/he logs in. It displays the remaining time with an option to renew or log out immediately.

Logout IP
Specify an IP address that users can use to terminate their sessions manually by entering the IP address in the address bar of the web browser.

User Agreement General Setting

Enforce data collection
Select this to require users to fill in their registration information (name, telephone number, address and email address) on the User Agreement (PC or mobile) page.

Exceptional Services
Use this table to list services that users can access without logging in.

Click Add to change the list's membership. A screen appears. Available services appear on the left. Select any services you want users to be able to access without logging in and click the right arrow button to add them. The member services are on the right. Select any service that you want to remove from the member list, and click the left arrow button to remove them.

Keeping DNS as a member allows users' computers to resolve domain names into IP addresses.

Figure 333 Configuration > Web Authentication > Add Exceptional Service

Web Authentication Policy Summary
Use this table to manage the Zyxel Device's list of web authentication policies.

Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. You can also select several entries in the table and click Remove to delete them together.

Activate
To turn on an entry, select it and click Activate.

Inactivate
To turn off an entry, select it and click Inactivate.

Move
To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the entry.

#
This field is a sequential value showing the number of the profile. The profile order is not important.

Status
This icon is lit when the entry is active and dimmed when the entry is inactive.

Priority
This is the position of the authentication policy in the list. The priority is important as the policies are applied in order of priority. Default displays for the default authentication policy that the Zyxel Device uses on traffic that does not match any exceptional service or other authentication policy. You can edit the default rule but not delete it.

Incoming Interface
This field displays the interface on which packets for this policy are received.

Source
This displays the source address object, including geographic address and FQDN (group) objects, to which this policy applies.

Destination
This displays the destination address object, including geographic address and FQDN (group) objects, to which this policy applies.

Schedule
This field displays the schedule object that dictates when the policy applies. none means the policy is active at all times if enabled.

Authentication
This field displays the authentication requirement for users when their traffic matches this policy.

unnecessary - Users do not need to be authenticated.

required - Users need to be authenticated. They must manually go to the login screen or user agreement page. The Zyxel Device will not redirect them to the login screen.

force - Users need to be authenticated. The Zyxel Device automatically displays the login screen or user agreement page whenever it routes HTTP traffic for users who have not logged in yet.

Authentication Type
This field displays the name of the authentication type profile used in this policy to define how users authenticate their sessions. It shows n/a if Authentication is set to unnecessary.

Description
If the entry has a description configured, it displays here. This is n/a for the default policy.

Apply
Click this button to save your changes to the Zyxel Device.

Reset
Click this button to return the screen to its last-saved settings.

Creating Exceptional Services
This screen lists services that users can access without logging in. Click Add under Exceptional Services in the previous screen to display this screen. You can change the list's membership here. Available services appear on the left. Select any services you want users to be able to access without logging in and click the right arrow button -> to add them. The member services are on the right. Select any service that you want to remove from the member list, and click the left arrow button <- to remove them. Then click OK to apply the changes and return to the main Web Authentication screen. Alternatively, click Cancel to discard the changes and return to the main Web Authentication screen.
Figure 334 Configuration > Web Authentication > General > Add Exceptional Service

Creating / Editing an Authentication Policy
Open the Configuration > Web Authentication > General screen, then click the Add icon or select an entry and click the Edit icon in the Web Authentication Policy Summary section to open the Auth. Policy Add/Edit screen. Use this screen to configure an authentication policy.
Figure 335 Configuration > Web Authentication > General > Add Authentication Policy

The following table gives an overview of the objects you can configure.

Table 194 Configuration > Web Authentication > General > Add Authentication Policy

Create new Object
Use to configure any new settings objects that you need to use in this screen. Select Address or Schedule.

Enable Policy
Select this check box to activate the authentication policy. This field is available for user-configured policies.

Description
Enter a descriptive name of up to 60 printable ASCII characters for the policy. Spaces are allowed. This field is available for user-configured policies.

User Authentication Policy
Use this section of the screen to determine which traffic requires (or does not require) the senders to be authenticated in order to be routed.

Incoming Interface
Select the interface on which packets for this policy are received.

Source Address
Select a source address or address group, including geographic address and FQDN (group) objects, to which this policy applies. Select any if the policy is effective for every source. This is any and not configurable for the default policy.

Destination Address
Select a destination address or address group, including geographic address and FQDN (group) objects, to which this policy applies. Select any if the policy is effective for every destination. This is any and not configurable for the default policy.

Schedule
Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy.

Authentication
Select the authentication requirement for users when their traffic matches this policy.

unnecessary - Users do not need to be authenticated.

required - Users need to be authenticated. If Force User Authentication is selected, all HTTP traffic from unauthenticated users is redirected to a default or user-defined login page. Otherwise, they must manually go to the login screen. The Zyxel Device will not redirect them to the login screen.

Single Sign-on
This field is available for user-configured policies that require Single Sign-On (SSO). Select this to have the Zyxel Device enable the SSO feature. You can set up this feature in the SSO screen.

Force User Authentication
This field is available for user-configured policies that require authentication. Select this to have the Zyxel Device automatically display the login screen when users who have not logged in yet try to send HTTP traffic.

Authentication Type
Select an authentication method.

default-web-portal: the default login page built into the Zyxel Device.

default-user-agreement: the default user agreement page built into the Zyxel Device.

OK
Click OK to save your changes back to the Zyxel Device.

Cancel
Click Cancel to exit this screen without saving.

23.2.1 User-aware Access Control Example
You can configure many policies and security settings for specific users or groups of users. Users can be authenticated locally by the Zyxel Device or by an external (RADIUS) authentication server.
In this example the users are authenticated by an external RADIUS server at 172.16.1.200. First, set up the user accounts and user groups in the Zyxel Device. Then, set up user authentication using the RADIUS server. Finally, set up the policies in the table above.
23.2.1.1 Set Up User Accounts
Set up user accounts in the RADIUS server. This example uses the Web Configurator. If you can export user names from the RADIUS server to a text file, then you might configure a script to create the user accounts instead.
1 Click Configuration > Object > User/Group > User. Click the Add icon.
2 Enter the same user name that is used in the RADIUS server, and set the User Type to ext-user because this user account is authenticated by an external server. Click OK.

Figure 336 Configuration > Object > User/Group > User > Add
3 Repeat this process to set up the remaining user accounts.
23.2.1.2 Set Up User Groups
Set up the user groups and assign the users to the user groups.
1 Click Configuration > Object > User/Group > Group. Click the Add icon.
2 Enter the name of the group. In this example, it is "Finance". Then, select Object/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.
Figure 337 Configuration > Object > User/Group > Group > Add
3 Repeat this process to set up the remaining user groups.
23.2.1.3 Set Up User Authentication Using the RADIUS Server
This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the Zyxel Device to use the authentication method. Finally, force users to log into the Zyxel Device before it routes traffic for them.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server's address, authentication port (1812 if you were not told otherwise), and key. Click OK.
Figure 338 Configuration > Object > AAA Server > RADIUS > Add
2 Click Configuration > Object > Auth. Method. Double-click the default entry. Click the Add icon. Select group radius because the Zyxel Device should use the specified RADIUS server for authentication. Click OK.
Figure 339 Configuration > Object > Auth. method > Edit
3 Click Configuration > Web Authentication. In the Web Authentication > General screen, select Enable Web Authentication to turn on the web authentication feature and click Apply.
489

Chapter 23 Web Authentication Fig ure 340 Configuration > Web Authentication
4 In the We b Authe ntic a tio n Po lic y Sum m a ry section, click the Add icon to set up a default policy that has priority over other policies and forces every user to log into the Zyxel Device before the Zyxel Device routes traffic for them.
5 Select Ena b le Po lic y. Enter a descriptive name, "default_policy" for example. Set the Authe ntic a tio n field to re q uire d, and make sure Fo rc e Use r Authe ntic a tio n is selected. Select an authentication type profile ("default-web-portal" in this example). Keep the rest of the default settings, and click O K. Note: The users must log in at the Web Configurator login screen before they can use HTTP or MSN.
ZyWALL USG FLEX Series User's Guide
490

Chapter 23 Web Authentication Fig ure 341 Configuration > Web Authentication: General: Add
When the users try to browse the web (or use any HTTP application), the login screen appears. They have to log in using the user name and password in the RADIUS server.
23.2.1.4 User Group Authentication Using the RADIUS Server
The previous example showed how to have a RADIUS server authenticate individual user accounts. If the RADIUS server has different user groups distinguished by the value of a specific attribute, you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server's address, authentication port, and key, set the Group Membership Attribute field to the attribute that the Zyxel Device is to check to determine to which group a user belongs. This example uses Class. This attribute's value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss.
Figure 342 Configuration > Object > AAA Server > RADIUS > Add
2 Now you add ext-group-user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon. Enter a user name and set the User Type to ext-group-user. In the Group Identifier field, enter Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius.
Figure 343 Configuration > Object > User/Group > User > Add

3 Repeat this process to set up the remaining groups of user accounts.
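As an added illustration of the mechanism behind these steps (not Zyxel's code and not the device's actual implementation), the following Python script parses a RADIUS Access-Accept, reads the Class attribute the Zyxel Device was told to check, and maps its value onto the ext-group-user objects created above. The packets, user names and object names are constructed, and exact string matching of the group identifier is an assumption.

```python
import struct

# RADIUS packet codes and attribute types from RFC 2865; Class (25) is the
# attribute this example configured as the Group Membership Attribute.
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_CLASS = 25

# Constructed ext-group-user objects, mirroring step 2 above: one object per
# group identifier value the RADIUS server returns in the Class attribute.
EXT_GROUP_USERS = {
    "Finance": "finance_users",
    "Engineer": "engineer_users",
    "Sales": "sales_users",
    "Boss": "boss_users",
}


def parse_attributes(packet):
    """Return (code, [(type, value), ...]) from a RADIUS packet.

    Layout: code (1), identifier (1), length (2), authenticator (16), then
    attribute TLVs whose length byte includes the 2-byte header. Packets whose
    length field disagrees with the bytes received are rejected outright.
    """
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def group_for_response(packet, group_attr=ATTR_CLASS):
    """Map a RADIUS response to an ext-group-user object name, or None.

    An Access-Reject never yields a group. An Access-Accept whose group
    identifier matches no configured ext-group-user object also yields None:
    the user authenticated, but no group object exists to place them in.
    """
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    for a_type, value in attrs:
        if a_type == group_attr:
            identifier = value.decode("utf-8", errors="replace")
            return EXT_GROUP_USERS.get(identifier)   # assumed: exact match
    return None


def build_response(code, ident, attrs):
    """Constructed helper: assemble a RADIUS response with a zeroed authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16
    return header + body


# Constructed sample responses for the three cases worth distinguishing.
ACCEPT_SALES = build_response(ACCESS_ACCEPT, 7,
                              [(ATTR_USER_NAME, b"alice"), (ATTR_CLASS, b"Sales")])
ACCEPT_UNKNOWN = build_response(ACCESS_ACCEPT, 8,
                                [(ATTR_USER_NAME, b"bob"), (ATTR_CLASS, b"Contractor")])
REJECT = build_response(ACCESS_REJECT, 9, [])

if __name__ == "__main__":
    for user, pkt in (("alice", ACCEPT_SALES), ("bob", ACCEPT_UNKNOWN), ("carol", REJECT)):
        print(user, "->", group_for_response(pkt))
```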
23.2.2 Authentication Type Screen
Use this screen to view, create and manage the authentication type profiles on the Zyxel Device. An authentication type profile decides which type of web authentication page is used for user authentication. Go to Configuration > Web Authentication and then select the Authentication Type tab to display the screen.
Figure 344 Configuration > Web Authentication > Authentication Type

The following table describes the labels in this screen.

Table 195 Configuration > Web Authentication > Authentication Type

Add
  Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit
  Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove
  To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

#
  This field is a sequential value, and it is not associated with a specific entry.

Name
  This field displays the name of the profile.
  default-web-portal: the default login page built into the Zyxel Device.
  Note: You can also customize the default login page built into the Zyxel Device in the System > WWW > Login Page screen.
  default-user-agreement: the default user agreement page built into the Zyxel Device.

Type
  This field displays the type of the web authentication page used by this profile.

Web Page
  This field displays whether this profile uses the default web authentication page built into the Zyxel Device (System Default Page) or custom web authentication pages from an external web server (External Page).

Reset
  Click Reset to return the screen to its last-saved settings.

Add/Edit an Authentication Type Profile
Click the Add icon or select an entry in the Web Authentication > Authentication Type screen and click the Edit icon to display the screen. The screen differs depending on what you select in the Type field.
Figure 345 Configuration > Web Authentication > Authentication Type: Add/Edit (Web Portal)

Figure 346 Configuration > Web Authentication > Authentication Type: Add/Edit (User Agreement)

The following table describes the labels in this screen.

Table 196 Configuration > Web Authentication > Authentication Type: Add/Edit

Type
  Select the type of the web authentication page through which users authenticate their connections.
  If you select User Agreement, by agreeing to the policy of user agreement, users can access the Internet without a guest account.

Profile Name
  Enter a name for the profile.
  You can use up to 31 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). Spaces are not allowed. The first character must be a letter.

The following fields are available if you set Type to Web Portal.

Internal Web Portal
  Select this to use the web portal pages uploaded to the Zyxel Device.
  The login page appears whenever the web portal intercepts network traffic, preventing unauthorized users from gaining access to the network.

Preview
  Select to display the page you uploaded to the Zyxel Device in a new frame.
  Note: You must select a custom file uploaded to the Zyxel Device before you can preview the pages.

Customize file
  Select the file name of the web portal file in the Zyxel Device.
  Note: You can upload zipped custom web portal files to the Zyxel Device using the Configuration > Web Authentication > Web Portal Customize File screen.

External Web Portal
  Select this to use a custom login page from an external web portal instead of the one uploaded to the Zyxel Device. You can configure the look and feel of the web portal page.

Login URL
  Specify the login page's URL; for example, http://IIS server IP Address/login.html.
  The Internet Information Server (IIS) is the web server on which the web portal files are installed.

Logout URL
  Specify the logout page's URL; for example, http://IIS server IP Address/logout.html.
  The Internet Information Server (IIS) is the web server on which the web portal files are installed.

Welcome URL
  Specify the welcome page's URL; for example, http://IIS server IP Address/welcome.html.
  Users will be redirected to the welcome page after authentication. This field is optional.
  The Internet Information Server (IIS) is the web server on which the web portal files are installed.

Session URL
  Specify the session page's URL; for example, http://IIS server IP Address/session.html.
  The Internet Information Server (IIS) is the web server on which the web portal files are installed.

Error URL
  Specify the error page's URL; for example, http://IIS server IP Address/error.html.
  The Internet Information Server (IIS) is the web server on which the web portal files are installed.

Download
  Click this to download an example external web portal file for your reference.

The following fields are available if you set Type to User Agreement.

Enable Idle Detection
  This is applicable for access users.
  Select this check box if you want the Zyxel Device to monitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The Zyxel Device automatically logs out the access user once the Idle timeout has been reached.

Idle timeout
  This is applicable for access users.
  This field is effective when Enable Idle Detection is checked. Type the number of minutes each access user can be logged in and idle before the Zyxel Device automatically logs out the access user.

Reauthentication Time
  Enter the number of minutes the user can be logged into the Zyxel Device in one session before having to log in again.

Internal User Agreement
  Select this to use the user agreement pages in the Zyxel Device. The user agreement page appears whenever the Zyxel Device intercepts network traffic, preventing unauthorized users from gaining access to the network.

Preview
  Select to display the page you uploaded to the Zyxel Device in a new frame.
  Note: You must select a custom file uploaded to the Zyxel Device before you can preview the pages.

Customize file
  Select the file name of the user agreement file in the Zyxel Device.
  Note: You can upload zipped custom user agreement files to the Zyxel Device using the Configuration > Web Authentication > User Agreement Customize File screen.

External User Agreement
  Select this to use custom user agreement pages from an external web server instead of the default one built into the Zyxel Device. You can configure the look and feel of the user agreement page.

Agreement URL
  Specify the user agreement page's URL; for example, http://IIS server IP Address/logout.html.
  The Internet Information Server (IIS) is the web server on which the user agreement files are installed.

Welcome URL
  Specify the welcome page's URL; for example, http://IIS server IP Address/welcome.html.
  The Internet Information Server (IIS) is the web server on which the user agreement files are installed.
  If you leave this field blank, the Zyxel Device will use the welcome page of the internal user agreement file.

Download
  Click this to download an example external user agreement file for your reference.

OK
  Click OK to save your changes back to the Zyxel Device.

Cancel
  Click Cancel to exit this screen without saving.

23.2.3 Custom Web Portal / User Agreement File Screen
Use this screen to upload the zipped custom web portal or user agreement files to the Zyxel Device. You can also download the custom files to your computer.
Click Configuration > Web Authentication and then select the Custom Web Portal File or Custom User Agreement File tab to display the screen.
Figure 347 Configuration > Web Authentication > Custom Web Portal File

Figure 348 Configuration > Web Authentication > Custom User Agreement File

The following table describes the labels in this screen.

Table 197 Configuration > Web Authentication > Custom Web Portal / User Agreement File

Remove
  Click a file's row to select it and click Remove to delete it from the Zyxel Device.

Download
  Click a file's row to select it and click Download to save the zipped file to your computer.

#
  This column displays the index number for each file entry. This field is a sequential value, and it is not associated with a specific entry.

File Name
  This column displays the label that identifies a web portal or user agreement file.

Size
  This column displays the size (in KB) of a file.

Last Modified
  This column displays the date and time that the individual files were last changed or saved.

Browse / Upload
  Click Browse... to find the zipped file you want to upload, then click the Upload button to put it on the Zyxel Device.

Download
  Click this to download an example external web portal or user agreement file for your reference.

23.2.4 Facebook Wi-Fi Screen
The Zyxel Device supports Facebook Wi-Fi to let users check in to a business on Facebook for free Internet access after connecting to the Zyxel Device's wireless or LAN network. Users then have the option to like the Facebook fan page. This helps promote the Facebook page and then promote the business.
Use this screen to turn on Facebook Wi-Fi on the Zyxel Device and select a Facebook Page. You should already have:
· connected the Zyxel Device to the Internet and registered the Zyxel Device with myZyxel.
· set up a Facebook fan page associated with the business location.
· created an authentication policy in the Configuration > Web Authentication: General screen to redirect the matched users to the Facebook page before they can have free Internet access.

Note: If you disable Facebook Wi-Fi or reset the Facebook page settings later, the Zyxel Device automatically logs out existing users who have authenticated their connections via Facebook Wi-Fi.
Click Configuration > Web Authentication and then select the Facebook Wi-Fi tab to display the following screen. If your Zyxel Device is not registered at myZyxel, the screen displays the message 'Please register your device on portal.myZyxel.com to activate configure Facebook Wi-Fi. Click here to check register status.'
Figure 349 Configuration > Web Authentication: Facebook Wi-Fi

The following table describes the labels in this screen.

Table 198 Configuration > Web Authentication: Facebook Wi-Fi

Enable Facebook Wi-Fi
  Select the check box and click Apply to turn on Facebook Wi-Fi on the Zyxel Device.

Configure
  Click this button to open the Facebook Wi-Fi configuration screen in a new window, where you can select the Facebook Page associated with your location and configure bypass mode and session length.
  Note: You should have registered your Zyxel Device with myZyxel before you can click Configure to set up Facebook Wi-Fi on the Zyxel Device.

Reset FB Page
  Click this button to remove your Facebook Page setting.

Enable user idle detection
  Select this check box if you want the Zyxel Device to monitor how long each user (authenticated via Facebook Wi-Fi) is idle (in other words, there is no traffic for this user).

User idle timeout
  Specify the User idle timeout between 1 and 60 minutes. The Zyxel Device automatically disconnects a user (authenticated via Facebook Wi-Fi) from the network after a period of inactivity.

Apply
  Click Apply to save your changes back to the Zyxel Device.

Reset
  Click Reset to return the screen to its last-saved settings.

23.2.4.1 How to Configure Facebook for Facebook Wi-Fi
This section shows you what to do if you have not yet set up a Facebook fan page and see the following message: 'This device is not paired with facebook. Please configure this device'.
1 Click Configure.
2 Log into Facebook and click Create Page.
3 Select the Facebook page type and fill in the information prompts to create a Facebook page. Then click Get Started.
4 In the following screen, select the page just created and click Save Settings. Your Facebook page is now paired with Facebook Wi-Fi.
23.2.4.2 How to Use the Zyxel Device's Facebook Wi-Fi
This section shows how users use Facebook Wi-Fi to access the Internet for free after you enable and set up Facebook Wi-Fi on the Zyxel Device.
1 Connect to the Zyxel Device's wireless or LAN network.
2 Open a web browser from the connected computer or mobile device.
3 The Facebook Page you specified displays. By default, users can log in and check in to the location associated with the Facebook Page, or click a link to skip check-in. If you set Bypass Mode to Require Wi-Fi code in the Facebook Wi-Fi configuration screen, users need to enter the Wi-Fi password you provided.
4 Users then can click Continue Browsing to surf the Internet through the Zyxel Device.
23.3 SSO Overview
The SSO (Single Sign-On) function integrates Domain Controller and Zyxel Device authentication mechanisms, so that users just need to log in once (single login) to get access to permitted resources. In the following figure, user U logs into a Domain Controller (DC), which passes the user's login credentials to the SSO agent. The SSO agent checks that these credentials are correct with the AD server, and if the AD server confirms so, the SSO agent then notifies the Zyxel Device to allow access for the user to the permitted resource (Internet access, for example).
Note: The Zyxel Device, the DC, the SSO agent and the AD server must all be in the same domain and be able to communicate with each other.
SSO does not support IPv6, LDAP or RADIUS; you must use it in an IPv4 network environment with a Windows AD (Active Directory) authentication database. You must enable Web Authentication in the Configuration > Web Authentication screen.
Figure 350 SSO Overview

U: User
DC: Domain Controller
SSO: Single Sign-On agent
AD: Active Directory

Install the SSO Agent on one of the following platforms:
· Windows 7 Professional (32-bit and 64-bit)
· Windows Server 2008 Enterprise (32-bit and 64-bit)
· Windows 2008 R2 (64-bit)
· Windows Server 2012 (64-bit)

23.4 SSO - Zyxel Device Configuration

This section shows what you have to do on the Zyxel Device in order to use SSO.

Table 199 Zyxel Device - SSO Agent Field Mapping

ZYXEL DEVICE SCREEN | ZYXEL DEVICE FIELD | SSO SCREEN | SSO FIELD
Web Authentication > SSO | Listen Port | Agent Configuration Page > Gateway Setting | Gateway Port
Web Authentication > SSO | Primary Agent Port | Agent Configuration Page | Agent Listening Port
Object > User/Group > User > Add | Group Identifier | Agent Configuration Page > Configure LDAP/AD Server | Group Membership
Object > AAA Server > Active Directory > Add | Base DN | Agent Configuration Page > Configure LDAP/AD Server | Base DN
Object > AAA Server > Active Directory > Add | Bind DN | Agent Configuration Page > Configure LDAP/AD Server | Bind DN
Object > User/Group > User > Add | User Name | Agent Configuration Page > Configure LDAP/AD Server | Login Name Attribute
Object > AAA Server > Active Directory > Add | Server Address | Agent Configuration Page > Configure LDAP/AD Server | Server Address
Network > Interface > Ethernet > wan (IPv4) | IP address | Agent Configuration Page > Gateway Setting | Gateway IP

23.4.1 Configuration Overview
These are the screens you need to configure:
· Configure the Zyxel Device to Communicate with SSO on page 504
· Enable Web Authentication on page 505
· Create a Security Policy on page 506
· Configure User Information on page 507
· Configure an Authentication Method on page 508
· Configure Active Directory on page 509
23.4.2 Configure the Zyxel Device to Communicate with SSO
Use Configuration > Web Authentication > SSO to configure how the Zyxel Device communicates with the Single Sign-On (SSO) agent.
Figure 351 Configuration > Web Authentication > SSO

The following table gives an overview of the objects you can configure.

Table 200 Configuration > Web Authentication > SSO

Listen Port
  The default agent listening port is 2158. If you change it on the Zyxel Device, then change it to the same number in the Gateway Port field on the SSO agent too. Type a number ranging from 1025 to 65535.

Agent PreShareKey
  Type 8-32 printable ASCII characters or exactly 32 hex characters (0-9; a-f). The Agent PreShareKey is used to encrypt communications between the Zyxel Device and the SSO agent.

Primary Agent
  Type the IPv4 address of the SSO agent. The Zyxel Device and the SSO agent must be in the same domain and be able to communicate with each other.

Primary Agent Port
  Type the same port number here as in the Agent Listening Port field on the SSO agent. Type a number ranging from 1025 to 65535.

Secondary Agent Address (Optional)
  Type the IPv4 address of the backup SSO agent if there is one. The Zyxel Device and the backup SSO agent must be in the same domain and be able to communicate with each other.

Secondary Agent Port (Optional)
  Type the same port number here as in the Agent Listening Port field on the backup SSO agent if there is one. Type a number ranging from 1025 to 65535.

Apply
  Click this button to save your changes to the Zyxel Device.

Reset
  Click this button to return the screen to its last-saved settings.

23.4.3 Enable Web Authentication
Enable Web Authentication and add a web authentication policy.

Make sure you select Enable Policy, Single Sign-On and choose required in Authentication. Do NOT select any as the source address unless you want all incoming connections to be authenticated!
See Table 193 on page 483 and Table 194 on page 486 for more information on configuring these screens.
23.4.4 Create a Security Policy
Configure a Security Policy for the SSO traffic source and destination direction in order to prevent the security policy from blocking this traffic. Go to Configuration > Security Policy > Policy Control and add a new policy if a default one does not cover the SSO web authentication traffic direction.
Configure the fields as shown in the following screen. Configure the source and destination addresses according to the SSO web authentication traffic in your network.
23.4.5 Configure User Information
Configure a User account of the ext-group-user type.
Configure Group Identifier to be the same as Group Membership on the SSO agent.
23.4.6 Configure an Authentication Method
Configure Active Directory (AD) for authentication with SSO. Choose group ad as the authentication server for SSO.
23.4.7 Configure Active Directory
You must configure an Active Directory (AD) server in AAA Setup to be the same as the AD configured on the SSO agent.
The default AD server port is 389. If you change this, make sure you make the same change on the SSO agent. Configure the Base DN exactly the same as on the Domain Controller and the SSO agent. Bind DN is a user name and password that allows the Zyxel Device to join the domain with administrative privileges. It is a required field.
23.5 SSO Agent Configuration
This section shows what you have to do on the SSO agent in order to work with the Zyxel Device. After you install the SSO agent, you will see an icon in the system tray (bottom right of the screen).
Right-click the SSO icon and select Configure Zyxel SSO Agent.
Configure the Agent Listening Port and AD server exactly as you have done on the Zyxel Device. Add the Zyxel Device IP address as the Gateway. Make sure the Zyxel Device and SSO agent are able to communicate with each other.
Configure the Server Address, Port, Base DN, Bind DN, Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the Zyxel Device. Group Membership is called Group Identifier on the Zyxel Device.
LDAP/AD Server Configuration
Configure the Gateway IP address, Gateway Port and PreShareKey exactly as you have done in the Zyxel Device Configuration > Web Authentication > SSO screen. If you want to use Generate Key to have the SSO agent create a random password, select Check to show PreShareKey as clear Text so as to see the password, then copy and paste it to the Zyxel Device.
After all SSO agent configurations are done, right-click the SSO icon in the system tray and select Enable Zyxel SSO Agent.
CHAPTER 24 Hotspot
24.1 Overview
See Section 1.1.1 on page 27 to see which models support Hotspot management.
24.2 Billing Overview
You can use the built-in billing function to set up billing profiles. A billing profile describes how to charge users. This chapter also shows you how to select an accounting method, configure a discount price plan or use an online payment service by credit card.
· Use the General screen (see Section 24.3 on page 514) to configure the general billing settings, such as the accounting method, currency unit and the SSID profiles to which the settings are applied.
· Use the Billing Profile screen (see Section 24.4 on page 516) to configure the billing profiles for the web-based account generator and each button on the connected statement printer.
· Use the Discount screen (see Section 24.5 on page 523) to enable and configure discount price plans.
· Use the Payment Service screen (see Section 24.6 on page 525) to enable online payment service and configure the service pages.
24.2.1 What You Need to Know
Accumulation Accounting Method
The accumulation accounting method allows multiple re-logins until the allocated time is used up or the user account expires. The Zyxel Device accounts the time that the user is logged in for Internet access.
Time-to-finish Accounting Method
The time-to-finish accounting method is good for one-time logins. Once a user logs in, the Zyxel Device stores the IP address of the user's computer for the duration of the time allocated. Thus the user does not have to enter the user name and password again for re-login within the allocated time. Once activated, the user account is valid until the allocated time is reached even if the user disconnects Internet access for a certain period within the allocated time. For example, Joe purchases a one-hour time-to-finish account. He starts using the Internet for the first 20 minutes and then disconnects his Internet access to go to a 20-minute meeting. After the meeting, he only has 20 minutes left on his account.
24.3 The Billing > General Screen
Use this screen to configure the general billing settings, such as the accounting method, currency unit and the SSID profiles to which the settings are applied. Click Configuration > Hotspot > Billing > General to open the following screen.
Figure 352 Configuration > Hotspot > Billing > General

The following table describes the labels in this screen.

Table 201 Configuration > Hotspot > Billing > General

General Settings

Unused account will be deleted after the time:
  Enter the number and select a time unit from the drop-down list box to specify how long to wait before the Zyxel Device deletes an account that has not been used.

Accounting Method
  Select Time to Finish to allow each user a one-time login. Once the user logs in, the system starts counting down the pre-defined usage even if the user stops the Internet access before the time period is finished. If a user disconnects and reconnects before the allocated time expires, the user does not have to enter the user name and password to access the Internet again.
  Select Accumulation to allow each user multiple re-logins until the time allocated is used up. The Zyxel Device accounts the time that the user is logged in for Internet access.

User idle timeout
  The Zyxel Device automatically disconnects a computer from the network after a period of inactivity. The user may need to enter the username and password again before access to the network is allowed.
  If you select Accumulation, specify the idle timeout between 1 and 60 minutes.

Accumulation account will be deleted after the time:
  Enter the number and select a time unit from the drop-down list box to specify how long to wait before the Zyxel Device deletes the account.
  This is for use with accumulation accounting.

Billing User Logon Settings

Maximum number per billing account
  Enter the maximum number of the users that are allowed to log in with the same account.

Reach maximum number per billing account
  Select Block to stop new users from logging in when the Maximum number per billing account is reached.
  Select Remove previous user and login to disassociate the first user that logged in and allow a new user to log in when the Maximum number per billing account is reached.

Username & Password length
  Select to specify how many characters the username and password of a newly-created dynamic guest account will have after you click Apply.

Keep user logged in
  Select to let the users automatically log in without entering their user name and password if the Zyxel Device restarts.
  Note: This works only for free guest accounts or when the accounting method is Time to Finish.

Currency
  Select the appropriate currency symbol or currency unit.
  If you set Currency code to User-Define, enter a three-letter alphabetic code manually.

Number of decimals places
  This shows the number of decimal places to be used for billing.

Decimal symbol
  Select whether you would like to use a dot (.) or a comma (,) for the decimal point.

Tax
  Select this option to charge sales tax for the account. Enter the tax rate (a 6% sales tax is entered as 6).

SSID Profile Settings
  The Selectable SSID Profiles list displays the name(s) of the SSID profile(s) to which you can apply the general billing settings.
  To apply settings to an SSID profile, you can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and click the right arrow button to add to the Selected SSID Profiles list. To remove an SSID profile, select the name(s) in the Selected SSID Profiles list and click the left arrow button.

Hotspot Service Status

Service Status
  This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn't a license to be activated for this service.
  If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license.
  Then, click Activate to connect with the myZyxel server to activate the new license.

Service Type
  This shows whether you have a trial or standard license or none (Trial, Standard, None).

Expiration Date
  This shows when your hotspot license will expire.

Apply
  Click this button to save your changes to the Zyxel Device.

Reset
  Click this button to return the screen to its last-saved settings.

24.4 The Billing > Billing Profile Screen
Use this screen to configure the billing profiles that define the maximum Internet access time and charge per time unit. Click Configuration > Hotspot > Billing > Billing Profile to open the following screen.
Figure 353 Configuration > Hotspot > Billing > Billing Profile

The following table describes the labels in this screen.

Table 202 Configuration > Hotspot > Billing > Billing Profile

Account Generator Settings

Button A ~ C
  Select a billing profile for each button of the web-based account generator. The buttons correspond to the buttons on a connected statement printer.

Preview
  Click this button to open the Account Generator screen, where you can generate a dynamic guest account and print the account information using a statement printer connected to the Zyxel Device (see Section 24.4.1 on page 517 for more information).

Billing Profile

Add
  Click this to create a new entry.

Edit
  Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove
  To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate
  To turn on an entry, select it and click Activate.

Inactivate
  To turn off an entry, select it and click Inactivate.

#
  This field is a sequential value, and it is not associated with a specific entry.

Status
  This icon is lit when the entry is active and dimmed when the entry is inactive.

Name
  This field displays the descriptive profile name for this entry.

Time Period
  This field displays the duration of the billing period. This field is NOT available when you set Accounting Method to Time to Finish in the Billing > General screen.

Quota (T/U/D)
  This field displays how much data in both directions (Total) or upstream data (Upload) and downstream data (Download) can be transmitted through the WAN interface before the account expires.

Bandwidth (U/D)
  This field displays the maximum upstream (Upload) and downstream (Download) bandwidth allowed for the user account in kilobits per second.

Price
  This field displays each profile's price per time unit.

Apply
  Click this button to save your changes to the Zyxel Device.

Reset
  Click this button to return the screen to its last-saved settings.

24.4.1 The Account Generator Screen
The Account Generator screen allows you to automatically create dynamic guest accounts (see Dynamic-Guest Accounts for more information on dynamic guest accounts).
Click Configuration > Hotspot > Billing > Billing Profile and then the Preview button to open this screen. You can also open this screen by logging into the Web Configurator with the guest-manager account.

Figure 354 Account Generator

The following table describes the labels in this screen.

Table 203 Account Generator

LABEL: DESCRIPTION
Account Generator Settings: Select a button and specify how many units of the billing period to charge for the new account in the Button x Unit field.
Discount plan for Button x: This section displays only when you enable the discount price plan in the Billing > Discount screen.
#: This is the number of each discount level. The default (first) level cannot be edited or deleted. It is created automatically according to the billing profile of the button you select.
Name: This field displays the conditions of each discount level.
Unit: This field displays the duration of the billing period that should be reached before the Zyxel Device charges users at this level.
Price: This field displays the price per time unit for each level.
Customer Information
Real Name: Enter the user's name.
Email: Enter the user's email address.
Phone Number: Enter the user's phone number.
Default Thermal Printer: Select a statement printer that is attached to the Zyxel Device. It displays n/a if there is no printer attached.
Summary
Total: This shows the total price for the account before sales tax is added.
Tax: This shows the tax rate.
Grand Total: This shows the total price including tax.
Quantity: Specify the number of accounts to be created.
Generate: Click Generate to generate an account based on the billing settings you configure for the selected button in the Billing Profile screen. A window displays showing the SMS message and/or a printout preview of the account generated.
Cancel: Click Cancel to exit this screen without saving.
Logout: Click Logout to log out of the web configurator. This button is available only when you open this screen by logging in with the guest-manager account.

The following figure shows an example SMS message with account information. The SMS screen displays only when you enable SMS in the Configuration > System > Notification > SMS screen. You can enter the user's mobile phone number and click Send SMS to send the account information in an SMS text message to the user's mobile phone. Click Cancel to close this window when you are finished viewing it.

The Printer screen shows a printout preview example. Click Printer to print this subscriber statement. Click Cancel to close this window when you are finished viewing it.
24.4.2 The Account Redeem Screen
The Account Redeem screen allows you to send SMS messages for certain accounts. Click the Account Redeem tab in the Account Generator screen to open this screen.
Figure 355 Account Redeem

The following table describes the labels in this screen.

Table 204 Account Redeem

LABEL: DESCRIPTION
Query Account Information
Phone Number: Enter the country code and mobile phone number and click Query to display only the account(s) that have the specified phone number.
SMS: Click this button to send text messages for the accounts in the list below. You can use this button only when SMS is enabled and there is at least one account in the list.
#: This is the index number of the dynamic guest account in the list.
Status: This field displays whether an account expires or not.
Username: This field displays the user name of the account.
Create Time: This field displays when the account was created.
Remaining Time: This field displays the amount of Internet access time remaining for each account.
Time Period: This field displays the total amount of time the account can use to access the Internet through the Zyxel Device.
Expiration Time: This field displays the date and time the account becomes invalid.
Note: Once the time allocated to a dynamic account is used up or a dynamic account remains unused after the expiration time, the account is deleted from the account list.
Charge: This field displays the total cost of the account.
Payment Info: This field displays the method of payment for each account.
Phone Num: This field displays the mobile phone number for the account.
Cancel: Click Cancel to exit this screen without saving.
Logout: Click Logout to log out of the web configurator. This button is available only when you open this screen by logging in with the guest-manager account.

24.4.3 The Billing Profile Add/Edit Screen
The Billing Profile Add/Edit screen allows you to create a new billing profile or edit an existing one. Click Configuration > Hotspot > Billing > Billing Profile and then an Add or Edit icon to open this screen.
Figure 356 Configuration > Hotspot > Billing > Billing Profile > Add/Edit

The following table describes the labels in this screen.

Table 205 Configuration > Hotspot > Billing > Billing Profile > Add/Edit

LABEL: DESCRIPTION
Enable billing profile: Select this option to activate the profile.
Name: Enter a name for the billing profile. You can use up to 31 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). Spaces are not allowed. The first character must be a letter.
Price: Define each profile's price, up to 999999.99, per time unit.
Time Period: Set the duration of the billing period (minute, hour, or day). When this period expires, the user's access will be stopped. The allowed time period ranges are 10 to 60 minutes, 0 to 24 hours, or 0 to 365 days.
Quota Type: The quota settings section is NOT available when you set Accounting Method to Time to Finish in the Billing > General screen. Set a limit for the user accounts. This only applies to the user's traffic that is received or transmitted through the WAN interface. Select Total to set a limit on the total traffic in both directions. Select Upload/Download to set a limit on the upstream traffic and downstream traffic respectively.
Note: When the limit is exceeded, the user is not allowed to access the Internet through the Zyxel Device.
Total Quota: If you select Total, specify how much downstream and/or upstream data (in MB (Megabytes) or GB (Gigabytes)) can be transmitted through the WAN interface before the account expires. 0 means there is no data limit for the user account.
Upload Quota: If you select Upload/Download, specify how much upstream data (in MB (Megabytes) or GB (Gigabytes)) can be transmitted through the WAN interface before the account expires. 0 means there is no data limit for the user account.
Download Quota: If you select Upload/Download, specify how much downstream data (in MB (Megabytes) or GB (Gigabytes)) can be transmitted through the WAN interface before the account expires. 0 means there is no data limit for the user account.
Enable Bandwidth: Select this option to turn on bandwidth management for the user accounts.
Upload: Specify the maximum outgoing bandwidth allowed for the user account in kilobits per second. Upload refers to the traffic the Zyxel Device sends out from a user.
Download: Specify the maximum incoming bandwidth allowed for the user account in kilobits per second. Download refers to the traffic the Zyxel Device sends to a user.
Priority: Enter a number between 1 and 7 to set the priority for the user's traffic. The smaller the number, the higher the priority. Traffic with a higher priority is given bandwidth before traffic with a lower priority.
Note: The priority setting here has priority over the priority setting in a bandwidth management rule.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.
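The quota and time-period rules in the table above are easy to get wrong in practice (0 means "no limit", Total sums both directions while Upload/Download checks each one separately, and each time unit has its own allowed range). The following is an added example, written for this guide and not Zyxel code, that models those rules as plain functions so they can be tested. The byte conversion (1 MB = 1024 × 1024 bytes), the dataclass layout, the function names and the choice to treat a quota as used up once it is reached are assumptions; the semantics of Total, Upload/Download, 0 = no limit, the 1 to 7 priority range and the time-period ranges are taken from the table.

```python
"""Quota, time-period and priority checks modelled on the Billing Profile Add/Edit screen.

Added example, not Zyxel code. Total/Upload/Download semantics, 0 = no limit,
priority 1-7 and the Time Period ranges come from the table above; everything
else (names, 1024-based units, "reached" = used up) is an assumption.
"""
from dataclasses import dataclass

MB = 1024 * 1024          # assumption: binary megabytes
GB = 1024 * MB

# Allowed Time Period ranges stated in the table, inclusive: (min, max, seconds per unit).
TIME_PERIOD_RANGES = {
    "minute": (10, 60, 60),
    "hour": (0, 24, 3600),
    "day": (0, 365, 86400),
}

PRIORITY_MIN, PRIORITY_MAX = 1, 7   # 1 is the highest priority, 7 the lowest


def time_period_seconds(value: int, unit: str) -> int:
    """Validate a Time Period against the allowed ranges and return it in seconds."""
    if unit not in TIME_PERIOD_RANGES:
        raise ValueError(f"unknown time unit {unit!r}")
    low, high, per_unit = TIME_PERIOD_RANGES[unit]
    if not low <= value <= high:
        raise ValueError(f"{value} {unit}(s) is outside the allowed range {low}-{high}")
    return value * per_unit


def is_valid_time_period(value: int, unit: str) -> bool:
    """True when the value/unit pair falls inside the ranges the screen accepts."""
    try:
        time_period_seconds(value, unit)
    except ValueError:
        return False
    return True


def quota_bytes(amount: float, unit: str) -> int:
    """Convert a quota entered in MB or GB to bytes; 0 stays 0 and means 'no limit'."""
    if unit == "MB":
        return int(amount * MB)
    if unit == "GB":
        return int(amount * GB)
    raise ValueError(f"unknown quota unit {unit!r}")


@dataclass(frozen=True)
class BillingProfile:
    name: str
    quota_type: str            # "Total" or "Upload/Download", as on the screen
    total_quota: int = 0       # bytes, both directions summed; 0 = no limit
    upload_quota: int = 0      # bytes, upstream only; 0 = no limit
    download_quota: int = 0    # bytes, downstream only; 0 = no limit
    priority: int = 7

    def __post_init__(self) -> None:
        if not PRIORITY_MIN <= self.priority <= PRIORITY_MAX:
            raise ValueError(f"priority must be between {PRIORITY_MIN} and {PRIORITY_MAX}")
        if self.quota_type not in ("Total", "Upload/Download"):
            raise ValueError(f"unknown quota type {self.quota_type!r}")


def quota_exceeded(profile: BillingProfile, uploaded: int, downloaded: int) -> bool:
    """Return True once the account's WAN traffic has used up its quota.

    Total compares the sum of both directions against one limit. Upload/Download
    compares each direction against its own limit and expires the account when
    either is reached. A limit of 0 never expires the account.
    """
    def reached(limit: int, used: int) -> bool:
        return limit > 0 and used >= limit        # assumption: reaching the quota counts

    if profile.quota_type == "Total":
        return reached(profile.total_quota, uploaded + downloaded)
    return reached(profile.upload_quota, uploaded) or reached(profile.download_quota, downloaded)


# Constructed sample profiles (not from the guide).
HOURLY_1GB = BillingProfile("Hourly_1GB", "Total", total_quota=quota_bytes(1, "GB"), priority=3)
UPLOAD_CAPPED = BillingProfile("Upload_200MB", "Upload/Download", upload_quota=quota_bytes(200, "MB"))
UNLIMITED = BillingProfile("Unlimited", "Total")   # total_quota stays 0: never expires on data
```

The UPLOAD_CAPPED profile shows the case the table describes only in passing: with Upload/Download selected and Download Quota left at 0, a user can download without limit while still being cut off after 200 MB of uploads, so a 0 in one direction is not a typo to be "corrected" to the other direction's value.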

24.5 The Billing > Discount Screen
Use this screen to configure a custom discount pricing plan. This is useful for providing reduced rates for purchases of longer periods of time. You can charge higher rates per unit at lower levels (fewer units purchased) and lower rates per unit at higher levels (more units purchased). Click Configuration > Hotspot > Billing > Discount to open the following screen.
Note: The discount price plan does not apply to users who purchase access time online with a credit card.

Figure 357 Configuration > Hotspot > Billing > Discount

The following table describes the labels in this screen.

Table 206 Configuration > Hotspot > Billing > Discount

LABEL: DESCRIPTION
Discount Settings
Enable Discount: Select the check box to activate the discount price plan.
Button: Select a button from the drop-down list box to assign the base charge.
Select Charge by levels: Select this to charge the rate at each successive level from the first level (most expensive per unit) to the highest level (least expensive per unit) that the total purchase reaches. Otherwise, clear this to charge all of the user's time units only at the highest level (least expensive) that their total purchase reaches.
Discount Price Plan
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#: This is the number of each discount level. The default (first) level cannot be edited or deleted. It is created automatically according to the billing profile of the button you select.
Name: This field displays the conditions of each discount level.
Unit: This field displays the duration of the billing period that should be reached before the Zyxel Device charges users at this level.
Price: This field displays the price per time unit for each level.
Apply: Click this button to save your changes to the Zyxel Device.
Reset: Click this button to return the screen to its last-saved settings.

24.5.1 The Discount Add/Edit Screen
The Discount Add/Edit screen allows you to create a new discount level or edit an existing one. Click Configuration > Hotspot > Billing > Discount and then an Add or Edit icon to open this screen.
Figure 358 Configuration > Hotspot > Billing > Discount > Add/Edit

The following table describes the labels in this screen.

Table 207 Configuration > Hotspot > Billing > Discount > Add/Edit

LABEL: DESCRIPTION
Name: This field displays the conditions of each discount level.
Unit: Set the duration of the billing period that should be reached before the Zyxel Device charges users at this level.
Price: Define this level's charge per time unit.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.
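The difference between Charge by levels selected and cleared (Table 206), and the Total / Tax / Grand Total summary of the Account Generator screen (Table 203), are easiest to see with numbers. The following added example, written for this guide and not Zyxel code, works a discount plan both ways. The level representation, the function names, the sample levels (10.00 per unit from the button's billing profile, 8.00 from 5 units, 6.00 from 10 units), the 5% tax rate and the use of Decimal for money are constructed assumptions; the two charging modes and the rule that the first level is created from the selected button's billing profile come from the tables above.

```python
"""Discount price plan arithmetic modelled on the Billing > Discount screen.

Added example, not Zyxel code. The two charging modes and the default first
level come from the guide; the level representation, function names, sample
plan and tax rate are constructed assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Iterable, List


@dataclass(frozen=True)
class DiscountLevel:
    unit: int         # number of billing units a purchase must reach to be charged at this level
    price: Decimal    # price per billing unit at this level


# Constructed sample plan: level 1 is the button's own billing profile (1 unit at 10.00),
# later levels get cheaper per unit as the purchase grows.
SAMPLE_LEVELS = (
    DiscountLevel(1, Decimal("10.00")),
    DiscountLevel(5, Decimal("8.00")),
    DiscountLevel(10, Decimal("6.00")),
)


def _sorted_levels(levels: Iterable[DiscountLevel]) -> List[DiscountLevel]:
    """Order levels by threshold and reject plans the screen would not allow."""
    tiers = sorted(levels, key=lambda lvl: lvl.unit)
    if not tiers or tiers[0].unit != 1:
        raise ValueError("the default (first) level must start at unit 1")
    if len({t.unit for t in tiers}) != len(tiers):
        raise ValueError("two levels share the same unit threshold")
    return tiers


def charge(levels: Iterable[DiscountLevel], units: int, charge_by_levels: bool) -> Decimal:
    """Price of a purchase of `units` billing units under the discount plan.

    charge_by_levels=True:  units from level N's threshold up to the unit before
                            level N+1's threshold are charged at level N's price,
                            so a purchase pays every band it passes through.
    charge_by_levels=False: every unit is charged at the single highest (cheapest)
                            level the purchase reaches.
    """
    if units < 1:
        raise ValueError("a purchase must contain at least one unit")
    tiers = _sorted_levels(levels)

    if not charge_by_levels:
        top = max((t for t in tiers if t.unit <= units), key=lambda t: t.unit)
        return top.price * units

    total = Decimal("0")
    for i, tier in enumerate(tiers):
        if tier.unit > units:
            break                                   # purchase never reaches this level
        band_end = tiers[i + 1].unit - 1 if i + 1 < len(tiers) else units
        band_end = min(band_end, units)             # last band stops at the purchase size
        total += tier.price * (band_end - tier.unit + 1)
    return total


def grand_total(total: Decimal, tax_rate_percent: Decimal) -> Decimal:
    """Grand Total as on the Account Generator summary: Total plus tax, rounded to cents."""
    taxed = total * (Decimal("1") + tax_rate_percent / Decimal("100"))
    return taxed.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
```

For a 12-unit purchase on the sample plan, Charge by levels gives 4 × 10.00 + 5 × 8.00 + 3 × 6.00 = 98.00, while the cleared setting gives 12 × 6.00 = 72.00; a 3-unit purchase never leaves level 1 and costs 30.00 either way. Keeping prices as Decimal rather than float matters once the 999999.99 maximum from Table 205 is multiplied by a unit count and a tax rate.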

24.6 The Billing > Payment Service Screen
Use this screen to set up a credit card service to authorize, process, and manage credit card transactions directly through the Internet. You must register with the supported credit card service before you can configure the Zyxel Device to handle credit card transactions. Click Configuration > Hotspot > Billing > Payment Service to open the following screen.

Figure 359 Configuration > Hotspot > Billing > Payment Service > General

The following table describes the labels in this screen.

Table 208 Configuration > Hotspot > Billing > Payment Service > General

LABEL: DESCRIPTION
General Setting
Enable Payment Service: Select the check box to use PayPal to authorize credit card payments.
Note: After you set up web authentication policies and enable the online payment service on the Zyxel Device, a link displays in the login screen when users try to access the Internet. The link redirects users to a screen where they can make online payments by credit card to purchase access time and get dynamic guest account information.
Payment Provider Selection: You should already have a PayPal account to receive credit card payments.
Account: Enter your PayPal account name.
Currency: Select the currency in which payments are made. The available options depend on the currencies that PayPal supports.
Identity Token: Enter the ID token provided to you by PayPal after successfully applying for your PayPal account.
Payment Gateway: Enter the address of the PayPal gateway provided to you by PayPal after applying for your PayPal account.
Account Delivery Method
Delivery Method: Specify how the Zyxel Device provides dynamic guest account information after the user's online payment is done. Select On-Screen to display the user account information in the web screen. Select SMS to use Short Message Service (SMS) to send account information in a text message to the user's mobile device. Select On-Screen and SMS to provide the account information both in the web screen and via SMS text messages.
Note: You should have enabled SMS in the Configuration > System > Notification > SMS screen to send text messages to the user's mobile device.
Apply: Click this button to save your changes to the Zyxel Device.
Reset: Click this button to return the screen to its last-saved settings.

24.6.1 The Payment Service > Desktop / Mobile View Screen
Use this screen to customize the online payment service pages that display after an unauthorized user clicks the link in the Web Configurator login screen to purchase access time. You can configure both the desktop and mobile versions of the service pages. Users click a link in the pages to switch between the two versions.
Click Configuration > Hotspot > Billing > Payment Service > Desktop View or Mobile View to open the following screen.

Figure 360 Configuration > Hotspot > Billing > Payment Service > Desktop View
Figure 361 Configuration > Hotspot > Billing > Payment Service > Mobile View

The following table describes the labels in this screen.

Table 209 Configuration > Hotspot > Billing > Payment Service > Desktop View or Mobile View

LABEL: DESCRIPTION
Select Type
Use Default Page: Select this to use the default online payment service page built into the device. If you later create a custom online payment service page, you can still return to the Zyxel Device's default page as it is saved indefinitely.
Use Customized Page: Select this to use a custom online payment service page instead of the default one built into the Zyxel Device. Once this option is selected, the custom page controls below become active.
Customized Profile Selection Page
Selection Message: Enter a note to display in the first welcome page that allows users to choose a billing period they want. Use up to 256 printable ASCII characters. Spaces are allowed.
Customized Successfully Page
Successfully Message: Enter a note to display in the second page after the user's online payment is made successfully. Use up to 256 printable ASCII characters. Spaces are allowed.
Notification Message: Enter the important information you want to display. Use up to 256 printable ASCII characters. Spaces are allowed.
Notification Color: Specify the font color of the important information. You can use the color palette chooser, or enter a color value of your own.
Account Message: Enter a note to display above the user account information. Use up to 256 printable ASCII characters. Spaces are allowed.
Day Time: Select the format in which you want to display the date and how long an account is allowed to stay unused before it expires.
Customized Fail Page
Failed Message: Enter a note to display when the user's online payment failed. Use up to 256 printable ASCII characters. Spaces are allowed.
Customized SMS Page
Information Message: Enter a note to display when you set the Zyxel Device to send account information via SMS text messages. Use up to 256 printable ASCII characters. Spaces are allowed.
Apply: Click this button to save your changes to the Zyxel Device.
Reset: Click this button to return the screen to its last-saved settings.

CHAPTER 25 Printer Manager
25.1 Printer Manager Overview
You can create dynamic guest accounts and print guest account information by pressing the button on an external statement printer, such as the SP350E. Make sure that the printer is connected to the appropriate power source and to the Zyxel Device, and that there is printing paper in the printer. Refer to the printer's documentation for details.
25.1.1 What You Can Do in this Chapter
· Use the Printer Manager > General screen (see Section 24.3 on page 514) to configure the printer list and enable printer management.
· Use the Printer Manager > Printout Configuration screen (see Section 25.3 on page 538) to customize the account printout.
25.2 The Printer Manager > General Screen
Use this screen to configure a printer list and allow the Zyxel Device to monitor the printer status. Click Configuration > Hotspot > Printer Manager > General to open the following screen.
Figure 362 Configuration > Hotspot > Printer Manager > General

The following table describes the labels in this screen.

Table 210 Configuration > Hotspot > Printer Manager > General

LABEL: DESCRIPTION
General Setting
Enable Printer Manager: Select the check box to allow the Zyxel Device to manage and monitor the printer status.
Printer Settings
Encryption: Select the check box to turn on data encryption. Data transmitted between the Zyxel Device and the printer will be encrypted with a secret key.
Secret Key: Enter four alphanumeric characters (A-Z, a-z, 0-9) to specify a key for data encryption.
Printer List: Use this section to add the printer(s) that can be managed by the Zyxel Device.
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Discover Printer: Click this to discover the printer(s) that are connected to the Zyxel Device and display the printer information in a pop-up window. IPnP is enabled while discovering the printer and disabled when the discovering process has finished. Use Printer Manager > General > Add to manually configure a printer's IP address and add it to the managed printer list when the printer is not detected or connected to the Zyxel Device.
Note: You need a Hotspot license to use this feature.
Refresh: Click this to update the printer list table.
#: This field is a sequential value, and it is not associated with any entry.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive. Click the Connection icon for the Zyxel Device to connect to the printer.
IPv4 Address: This field displays the IP address of the printer.
Update Time: This field displays the date and time the Zyxel Device last synchronized with the printer. This shows n/a when the printer is not in the managed printer list or the printer status is sync fail or sync progressing.
Status: This field is hidden by default. It displays whether the Zyxel Device can connect to the printer and update the printer information. This shows n/a when the printer is not in the managed printer list.
Nickname: This shows the optional friendly name for the printer that you configured.
Firmware Version: This field displays the model number and firmware version of the printer. This shows n/a when the printer is not in the managed printer list or the printer status is sync fail.
MAC: This shows the hardware MAC address of the printer.
Description: This field displays the descriptive name for the printer that you configured.
Printer Firmware Information
Current Version: This is the version of the printer firmware currently uploaded to the Zyxel Device. The Zyxel Device automatically installs it in the connected printers to make sure the printers are upgraded to the same version.
Hotspot Service Status: The hotspot license must be registered in order to be activated.
Service Status: This field displays whether a service license is enabled at myZyxel (Activated), not enabled (Not Activated), or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there is no license to be activated for this service. If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license. Then, click Activate to connect with the myZyxel server to activate the new license.
Service Type: This shows whether you have a trial or standard license or none (Trial, Standard, None).
Expiration Date: This shows when your hotspot license will expire.
Apply: Click this button to save your changes to the Zyxel Device.
Reset: Click this button to return the screen to its last-saved settings.

25.2.1 Add Printer Rule
Click the Add icon to open the following screen. Use this screen to add a new printer.
Figure 363 Configuration > Hotspot > Printer Manager > General: Add

The following table describes the labels in this screen.

Table 211 Configuration > Hotspot > Printer Manager > General: Add

LABEL: DESCRIPTION
Enable Printer Manager: Select this option to turn on this entry in order to allow the Zyxel Device to manage this printer.
IPv4 Address: Enter an IPv4 address for the printer.
Description: Enter a description of this printer. You can use alphanumeric and ()+,/:=?!*#@$_%-" characters, and it can be up to 60 characters long.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.

25.2.2 Edit Printer Rule
Select an entry in the Printer Manager > General screen and click the Edit icon to open the following screen. Use this screen to modify the printer's settings. You can't click the Edit icon when the printer status is sync fail or sync progressing.
Figure 364 Configuration > Hotspot > Printer Manager > General: Edit

The following table describes the labels in this screen.

Table 212 Configuration > Hotspot > Printer Manager > General: Edit

LABEL: DESCRIPTION
Enable Printer Manager: Select this option to turn on this entry in order to allow the Zyxel Device to manage this printer.
Nickname: Type an optional friendly name for the printer. A nickname must begin with a letter and cannot exceed 15 characters. Valid characters are [a-zA-Z0-9_-].
Description: Enter a description of this printer. You can use alphanumeric and ()+,/:=?!*#@$_%-" characters, and it can be up to 60 characters long.
IP Address Assignment
Get Automatically: Select this to make the printer a DHCP client and automatically get the IP address, subnet mask, and gateway address from a DHCP server.
Use Fixed IP Address: Select this if you want to specify the IP address, subnet mask, and gateway manually.
IP Address: Enter the IP address for the printer. This field is enabled if you select Use Fixed IP Address.
Subnet Mask: Enter the subnet mask of the printer in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers on the network. This field is enabled if you select Use Fixed IP Address.
Gateway: Enter the IP address of the gateway. The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the printer. This field is enabled if you select Use Fixed IP Address.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.

25.2.3 Discover Printer
Click the Discover Printer icon in the Printer Manager > General screen to open the following screen. Use this screen to find connected printers or edit a connected printer's settings. Use Printer Manager > General > Add to manually configure a printer's IP address and add it to the managed printer list when the printer is not detected or connected to the Zyxel Device.

Figure 365 Configuration > Hotspot > Printer Manager > General: Discover Printer

The following table describes the labels in this screen.

Table 213 Configuration > Hotspot > Printer Manager > General > Discover Printer

LABEL: DESCRIPTION
Un-Mgnt Printer List / Mgnt Printer List: The table displayed depends on whether the printer is in the unmanaged printer list (Un-Mgnt Printer List) or the managed printer list (Mgnt Printer List).
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Note: You cannot edit an entry's settings when the printer status is sync fail or sync progressing.
Add to Mgnt Printer List: Click this to add the selected printer to the managed printer list.
#: This is the index number of the printer in the list.
Registration: This field displays whether the printer is added to the managed printer list (Mgnt Printer) or not (Un-Mgnt Printer).
IPv4 Address: This field displays the IP address of the printer.
Update Time: This field displays the date and time the Zyxel Device last synchronized with the printer. This shows n/a when the printer is not in the managed printer list or the printer status is sync fail or sync progressing.
Status: This field displays whether the Zyxel Device can connect to the printer and update the printer information. This shows n/a when the printer is not in the managed printer list.
Nickname: This field displays the optional friendly name of the printer that you configured.
Firmware Version: This field displays the model number and firmware version of the printer. This shows n/a when the printer is not in the managed printer list or the printer status is sync fail.
MAC: This field displays the MAC address of the printer.

25.2.4 Edit Printer Manager (Discover Printer)
Select an entry in the Printer Manager > General > Discover Printer screen and click the Edit icon to open the following screen. Use this screen to modify the printer's nickname and IP address.
Figure 366 Configuration > Hotspot > Printer Manager > General > Discover Printer: Edit

The following table describes the labels in this screen.

Table 214 Configuration > Hotspot > Printer Manager > General > Discover Printer: Edit

LABEL: DESCRIPTION
General Settings
Nickname: Type an optional friendly name for the printer. A nickname must begin with a letter and cannot exceed 15 characters. Valid characters are [a-zA-Z0-9_-].
IP Address Assignment
Get Automatically: Select this to make the printer a DHCP client and automatically get the IP address, subnet mask, and gateway address from a DHCP server.
Use Fixed IP Address: Select this if you want to specify the IP address, subnet mask, and gateway manually.
IP Address: Enter the IP address for the printer. This field is enabled if you select Use Fixed IP Address.
Subnet Mask: Enter the subnet mask of the printer in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers on the network. This field is enabled if you select Use Fixed IP Address.
Gateway: Enter the IP address of the gateway. The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the printer. This field is enabled if you select Use Fixed IP Address.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.
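Several screens in this chapter and the previous one state an exact character set and length for a free-text field: the billing profile Name (Table 205), the printer Description (Tables 211 and 212), the printer Nickname (Tables 212 and 214), the printer Secret Key (Table 210) and the customized payment-page messages (Table 209). The following added example, written for this guide and not Zyxel code, turns those stated rules into allow-list patterns so that a value can be checked before it is submitted or when it is consumed. The field keys, the function names and the decision to accept an empty Description are assumptions; the character sets and limits are the guide's own.

```python
"""Allow-list validation for the free-text fields whose rules the guide states.

Added example, not Zyxel code. Character sets and length limits are quoted from
Tables 205, 209, 210, 211, 212 and 214; field keys and function names are
assumptions, as is accepting an empty Description.
"""
import re
from typing import Tuple

# One full-match pattern per field: anything outside the stated allow-list is rejected.
FIELD_RULES = {
    # Table 205: up to 31 alphanumerics and underscores, first character a letter, no spaces
    "billing_profile_name": re.compile(r"[A-Za-z][A-Za-z0-9_]{0,30}"),
    # Tables 212/214: begins with a letter, at most 15 characters from [a-zA-Z0-9_-]
    "printer_nickname": re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,14}"),
    # Tables 211/212: alphanumerics plus ()+,/:=?!*#@$_%-" , at most 60 characters
    # (assumption: an empty description is acceptable)
    "printer_description": re.compile(r'[A-Za-z0-9()+,/:=?!*#@$_%\-"]{0,60}'),
    # Table 210: exactly four alphanumeric characters
    "printer_secret_key": re.compile(r"[A-Za-z0-9]{4}"),
    # Table 209: up to 256 printable ASCII characters, spaces allowed
    "payment_page_message": re.compile(r"[\x20-\x7e]{0,256}"),
}


def validate_field(field: str, value: str) -> Tuple[bool, str]:
    """Return (ok, reason). Unknown fields are rejected rather than passed through."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        return False, f"no validation rule for field {field!r}"
    if rule.fullmatch(value) is None:
        return False, f"{field}: {value!r} does not match the allowed pattern {rule.pattern}"
    return True, "ok"


def is_valid(field: str, value: str) -> bool:
    """Convenience wrapper for callers that only need the verdict."""
    return validate_field(field, value)[0]


def first_invalid(field: str, values) -> str:
    """Return the first value in `values` that fails the rule, or '' if all pass."""
    for value in values:
        if not is_valid(field, value):
            return value
    return ""
```

The patterns are allow-lists rather than deny-lists of "dangerous" characters, which is why a printer description containing a space or angle brackets is refused even though neither appears in any blocked-character list: the guide enumerates what is permitted, and anything else is out of scope. A check like this belongs wherever the value is actually consumed, not only in the browser form, because form-side limits are not enforced on the receiving side by themselves.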

25.3 The Printout Configuration Screen
Use this screen to customize the account printout. Click Configuration > Hotspot > Printer Manager > Printout Configuration to open the following screen.
Figure 367 Configuration > Hotspot > Printer Manager > Printout Configuration

The following table describes the labels in this screen.

Table 215 Configuration > Hotspot > Printer Manager > Printout Configuration

LABEL: DESCRIPTION
Use Default Printout Configuration: Select this to use the default account printout format built into the device. If you later create a custom account printout format, you can still return to the Zyxel Device's default format as it is saved indefinitely.
Use Customized Printout Configuration: Select this to use a custom account printout format instead of the default one built into the Zyxel Device. Once this option is selected, the custom format controls below become active.
Preview: Click the button to display a preview of the account printout format you uploaded to the Zyxel Device.
File Name: This shows the file name of the account printout format file in the Zyxel Device. Click Download to download the account printout format file from the Zyxel Device to your computer.
File Path / Browse / Upload: Browse for the account printout format file or enter the file path in the available input box, then click the Upload button to put it on the Zyxel Device.
Restore Customized File to Default: Click Restore to set the Zyxel Device back to use the default built-in account printout format.
Download: Click this to download an example account printout format file from the Zyxel Device for your reference.
Printout
Number of Copies: Select how many copies of subscriber statements you want to print (1 is the default).
Apply: Click this button to save your changes to the Zyxel Device.
Reset: Click this button to return the screen to its last-saved settings.


25.4 Printer Reports Overview
The SP350E allows you to print status reports about the guest accounts and general Zyxel Device system information. Simply press a key combination on the SP350E to print a report instantly without accessing the web configurator.
The following lists the reports that you can print using the SP350E.
· Daily account summary
· Monthly account summary
· Last month account summary
· System status

25.4.1 Key Combinations

The following table lists the key combination to print each report.

Note: You must press the key combination on the SP350E within five seconds to print.

Table 216 Report Printing Key Combinations

REPORT TYPE

KEY COMBINATION

Daily Account Summary

A B C A A

Monthly Account Summary

A B C B A

Last Month Account Summary

A B C B B

System Status

A B C C A

The following sections describe each report printout in detail.

25.4.2 Daily Account Summary
The daily account report lists the accounts printed during the current day, the current day's total number of accounts and the total charge. It covers the accounts that have been printed during the current day starting from midnight (not the past 24 hours). For example, if you press the daily account key combination on 2013/05/10 at 20:00:00, the daily account report includes the accounts created on 2013/05/10 between 00:00:01 and 19:59:59.
Key combination: A B C A A
The following figure shows an example.

Figure 368 Daily Account Example
Daily Account
----------------------------
2013/05/10
Username Price
----------------------------
p2m6pf52 1.00
s4pcms28 2.00
----------------------------
TOTAL ACCOUNTS: 2
TOTAL PRICE: $ 3.00
----------------------------
2013/05/10 20:00:00
---End---
25.4.3 Monthly Account Summary
The monthly account report lists the accounts printed during the current month, the current month's total number of accounts and the total charge. It covers the accounts that have been printed during the current month starting from midnight of the first day of the current month (not the past one month period). For example, if you press the monthly account key combination on 2013/05/17 at 20:00:00, the monthly account report includes the accounts created from 2013/05/01 at 00:00:01 to 2013/05/17 at 19:59:59.
Key combination: A B C B A
The following figure shows an example.
Figure 369 Monthly Account Example
Monthly Account
----------------------------
2013/05
Username Price
----------------------------
p2m6pf52 1.00
s4pcms28 2.00
7ufm7z22 2.00
qm5fxn95 6.00
----------------------------
TOTAL ACCOUNTS: 4
TOTAL PRICE: $ 11.00
----------------------------
2013/05/17 20:00:11
---End---
25.4.4 Account Report Notes
The daily, monthly or last month account report holds up to 2000 entries. If there are more than 2000 accounts created in the same month or same day, the account report's calculations only include the latest 2000.
For example, if 2030 accounts (each priced at $1) have been created from 2013/05/01 00:00:00 to 2013/05/31 19:59:59, the monthly account report includes the latest 2000 accounts, so the total would be $2,000 instead of $2,030. Use the Monitor > System Status > Dynamic Guest screen to see the accounts generated on another day or month (up to 2000 entries total).
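As an added illustration (not Zyxel's code), the following Python reproduces the account report rules from Sections 25.4.2 to 25.4.4: a report window starts at midnight of the current day or the first of the month rather than covering the past 24 hours or past month, and only the latest 2000 entries count toward the totals. The account records are constructed to match Figures 368 and 369 and the 2030-account example above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed re-implementation of the report rules in Sections 25.4.2 to 25.4.4;
# this is not Zyxel code.
MAX_REPORT_ENTRIES = 2000   # the daily/monthly/last-month reports hold at most 2000 entries


@dataclass(frozen=True)
class Account:
    username: str
    price: Decimal
    created: datetime


def report_window(report_time, period):
    """Start and end of the window a report covers. The window begins at midnight
    (daily) or at midnight of the first day of the month (monthly), not 24 hours
    or one month before the report time."""
    midnight = report_time.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "daily":
        return midnight, report_time
    if period == "monthly":
        return midnight.replace(day=1), report_time
    if period == "last_month":
        first_of_this = midnight.replace(day=1)
        first_of_last = (first_of_this - timedelta(days=1)).replace(day=1)
        return first_of_last, first_of_this - timedelta(seconds=1)
    raise ValueError(f"unknown report period: {period}")


def account_summary(accounts, report_time, period):
    """Return (entries, count, total). Only accounts created inside the window
    count, and when more than 2000 qualify only the latest 2000 are totalled."""
    start, end = report_window(report_time, period)
    inside = sorted((a for a in accounts if start <= a.created <= end),
                    key=lambda a: a.created)
    latest = inside[-MAX_REPORT_ENTRIES:]
    total = sum((a.price for a in latest), Decimal("0"))
    return latest, len(latest), total


def render_report(title, entries, count, total, report_time, period_label):
    """Plain-text layout modelled on Figures 368 and 369."""
    rule = "-" * 28
    lines = [title, rule, period_label, "Username Price", rule]
    lines += [f"{a.username:<20}{a.price:>8.2f}" for a in entries]
    lines += [rule, f"TOTAL ACCOUNTS: {count}", f"TOTAL PRICE: $ {total:.2f}",
              rule, report_time.strftime("%Y/%m/%d %H:%M:%S"), "---End---"]
    return "\n".join(lines)


# Constructed sample data reproducing the guide's figures (plus one April account).
SAMPLE_ACCOUNTS = [
    Account("p2m6pf52", Decimal("1.00"), datetime(2013, 5, 10, 9, 0, 0)),
    Account("s4pcms28", Decimal("2.00"), datetime(2013, 5, 10, 15, 30, 0)),
    Account("7ufm7z22", Decimal("2.00"), datetime(2013, 5, 12, 8, 0, 0)),
    Account("qm5fxn95", Decimal("6.00"), datetime(2013, 5, 16, 23, 59, 0)),
    Account("oldone01", Decimal("9.00"), datetime(2013, 4, 30, 23, 0, 0)),
]


def guide_examples():
    """The daily, monthly and last-month reports over SAMPLE_ACCOUNTS."""
    daily = account_summary(SAMPLE_ACCOUNTS, datetime(2013, 5, 10, 20, 0, 0), "daily")
    monthly = account_summary(SAMPLE_ACCOUNTS, datetime(2013, 5, 17, 20, 0, 11), "monthly")
    last = account_summary(SAMPLE_ACCOUNTS, datetime(2013, 5, 17, 20, 0, 11), "last_month")
    return {name: ([a.username for a in r[0]], r[1], str(r[2]))
            for name, r in (("daily", daily), ("monthly", monthly), ("last_month", last))}


def overflow_example():
    """2030 accounts at $1 created during May 2013: the report totals $2000, not $2030."""
    base = datetime(2013, 5, 1, 0, 0, 0)
    many = [Account(f"u{i:04d}", Decimal("1.00"), base + timedelta(minutes=i))
            for i in range(2030)]
    _, count, total = account_summary(many, datetime(2013, 5, 31, 19, 59, 59), "monthly")
    return count, str(total)


if __name__ == "__main__":
    entries, count, total = account_summary(SAMPLE_ACCOUNTS, datetime(2013, 5, 10, 20, 0, 0), "daily")
    print(render_report("Daily Account", entries, count, total,
                        datetime(2013, 5, 10, 20, 0, 0), "2013/05/10"))
```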
25.4.5 System Status
This report shows the current system information such as the host name and WAN IP address.
Key combination: A B C C A
The following figure shows an example.
Figure 370 System Status Example

System Status
--------------------------------------
Item Description
--------------------------------------
SYST 02:02:35
WAST Link up
WLST Activate
FWVR 2.50(AACG.0)
BTVR 1.22
WAMA 00-90-0E-00-4A-29
LAMA 00-90-0E-00-4A-30
WAIP 10.21.2.267
LAIP 172.16.0.1
WLIP 10.59.1.1
DHSP 10.59.1.33
DHEP 10.59.1.254
--------------------------------------
CPUS 5%
MEMS 40%
DKST 5%
--------------------------------------
2012/04/12 17:10:22
---End---

The following table describes the labels in this report.

Table 217 System Status

LABEL

DESCRIPTION

SYST

This field displays the time since the system was last restarted.

WAST

This field displays the WAN connection status.

WLST

This field displays the status of the Zyxel Device's wireless LAN.

FWVR

This field displays the version of the firmware on the Zyxel Device.

BTVR

This field displays the version of the bootrom.

WAMA

This field displays the MAC address of the Zyxel Device on the WAN.

LAMA

This field displays the MAC address of the Zyxel Device on the LAN.

WAIP

This field displays the IP address of the WAN port on the Zyxel Device.

LAIP

This field displays the IP address of the LAN port on the Zyxel Device.

WLIP

This field displays the IP address of the wireless LAN interface on the Zyxel Device.

DHSP

This field displays the first of the continuous addresses in the IP address pool.

DHEP

This field displays the end of the continuous addresses in the IP address pool.

CPUS

This field displays the Zyxel Device's recent CPU usage.

MEMS

This field displays the Zyxel Device's recent memory usage.

DKST

This field displays what percentage of the Zyxel Device's on-board flash memory is currently being used.


CHAPTER 26 Free Time
26.1 Free Time Overview
With Free Time, the Zyxel Device can create dynamic guest accounts that allow users to browse the Internet free of charge for a specified period of time.
26.1.1 What You Can Do in this Chapter
Use the Free Time screen (see Section 26.2 on page 543) to turn on this feature to allow users to get a free account for Internet surfing during the specified time period.
26.2 The Free Time Screen
Use this screen to enable and configure the free time settings. Click Configuration > Hotspot > Free Time to open the following screen.
Figure 371 Configuration > Hotspot > Free Time

The following table describes the labels in this screen.

Table 218 Configuration > Hotspot > Free Time

LABEL

DESCRIPTION

Enable Free Time

Select the check box to turn on the free time feature.
Note: After you set up web authentication policies and enable the free time feature on the Zyxel Device, a link displays in the login screen when users try to access the Internet. The link redirects users to a screen where they can get a free account.

Free Time Period

Select the duration of the time period for which the free time account is allowed to access the Internet.

Reset Time

Select Daily to have the Zyxel Device allow free account access every day at the specified time.
Select Weekly to have the Zyxel Device allow free account access once a week on the day you select.
Select Monthly to have the Zyxel Device allow free account access once a month on a set date.
When your free period ends, you will see a message telling you when you can use free time again. This depends on the Reset Time period chosen.

Time / Day

If you select Daily, select the time in 24-hour format at which the new free time account is allowed to access the Internet.
If you select Weekly, select the day on which the new free time account is allowed to access the Internet.
If you select Monthly, enter the date on which the new free time account is allowed to access the Internet. If the date you selected is not available in a month, such as the 30th or 31st, the Zyxel Device allows the free account access on the last day of the month.

Maximum Registration Number Before Reset Time

Enter the maximum number of users that are allowed to log in for Internet access with a free guest account before the time specified in the Reset Time field. This also sets how many free guest accounts a user can get.
For example, if you set the Maximum Registration Number Before Reset Time to 1, the Reset Time to Daily and the Time to 13:00, then even if the first free guest account has expired at 11:30, the user cannot get a second account and/or access the Internet until 13:00.

Delivery Method

Specify how the Zyxel Device provides dynamic guest account information.
Select On-Screen to display the user account information in the web screen.
Select SMS to use Short Message Service (SMS) to send account information in a text message to the user's mobile device.
Select On-Screen and SMS to provide the account information both in the web screen and via SMS text messages.
Note: You should have enabled SMS in the Configuration > System > Notification > SMS screen to send text messages to the user's mobile device.

Auto Login

Select this to allow users to log into their free account directly without having to enter their user name and password.
Clearing this requires users to enter their user name and password, and click login to access their free account.

Hotspot Service Status

Service Status

This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn't a license to be activated for this service.
If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license.
Then, click Activate to connect with the myZyxel server to activate the new license.

Service Type

This shows whether you have a trial or standard license or none (Trial, Standard, None).

Expiration Date

This shows when your hotspot license will expire.

Apply

Click this button to save your changes to the Zyxel Device.

Reset

Click this button to return the screen to its last-saved settings.

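An added Python model (not Zyxel's code) of the Reset Time, Time/Day and Maximum Registration Number Before Reset Time rules from the table above, including the rule that a reset date of the 30th or 31st falls on the last day of shorter months. It assumes that Weekly and Monthly resets occur at midnight of the chosen day, since the screen only asks for a time of day when the reset is Daily; the sample dates are constructed.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed model of the Free Time reset rules in Table 218; not Zyxel code.
# Assumption: Weekly and Monthly resets happen at midnight of the chosen day.


@dataclass(frozen=True)
class FreeTimeConfig:
    reset_period: str               # "daily", "weekly" or "monthly"
    reset_time: time = time(0, 0)   # Time field (Daily only)
    reset_weekday: int = 0          # Day field (Weekly), 0 = Monday
    reset_day: int = 1              # date field (Monthly), 1..31
    max_registrations: int = 1      # Maximum Registration Number Before Reset Time


def _clamped_day(year, month, wanted):
    """A reset on the 30th/31st falls on the last day of a shorter month."""
    return datetime(year, month, min(wanted, monthrange(year, month)[1]))


def _month_shift(year, month, delta):
    idx = year * 12 + (month - 1) + delta
    return idx // 12, idx % 12 + 1


def last_reset(cfg, now):
    """Most recent reset instant at or before `now`."""
    if cfg.reset_period == "daily":
        c = datetime.combine(now.date(), cfg.reset_time)
        return c if c <= now else c - timedelta(days=1)
    if cfg.reset_period == "weekly":
        back = (now.weekday() - cfg.reset_weekday) % 7
        return datetime.combine(now.date() - timedelta(days=back), time(0, 0))
    if cfg.reset_period == "monthly":
        c = _clamped_day(now.year, now.month, cfg.reset_day)
        if c <= now:
            return c
        return _clamped_day(*_month_shift(now.year, now.month, -1), cfg.reset_day)
    raise ValueError(f"unknown reset period: {cfg.reset_period}")


def next_reset(cfg, now):
    """First reset instant strictly after `now`; this is what the message shown
    when a free period ends tells the user."""
    if cfg.reset_period == "daily":
        c = datetime.combine(now.date(), cfg.reset_time)
        return c if c > now else c + timedelta(days=1)
    if cfg.reset_period == "weekly":
        ahead = (cfg.reset_weekday - now.weekday()) % 7
        c = datetime.combine(now.date() + timedelta(days=ahead), time(0, 0))
        return c if c > now else c + timedelta(days=7)
    if cfg.reset_period == "monthly":
        c = _clamped_day(now.year, now.month, cfg.reset_day)
        if c > now:
            return c
        return _clamped_day(*_month_shift(now.year, now.month, 1), cfg.reset_day)
    raise ValueError(f"unknown reset period: {cfg.reset_period}")


def can_register(cfg, now, user_registrations):
    """True if the user may receive another free account: the number of accounts
    issued since the last reset is below the maximum, whether or not those
    accounts have already expired."""
    since = last_reset(cfg, now)
    used = sum(1 for t in user_registrations if since <= t <= now)
    return used < cfg.max_registrations


def guide_example():
    """Table 218 example: maximum 1, Daily reset at 13:00, first account issued
    at 10:00 and expired at 11:30 (constructed dates)."""
    cfg = FreeTimeConfig("daily", reset_time=time(13, 0), max_registrations=1)
    issued = [datetime(2013, 5, 10, 10, 0)]
    at_1145 = datetime(2013, 5, 10, 11, 45)
    at_1300 = datetime(2013, 5, 10, 13, 0)
    return (can_register(cfg, at_1145, issued),
            next_reset(cfg, at_1145).strftime("%H:%M"),
            can_register(cfg, at_1300, issued))


def month_end_example():
    """Monthly reset on the 31st, checked on 2013/04/15: April has only 30 days."""
    cfg = FreeTimeConfig("monthly", reset_day=31)
    now = datetime(2013, 4, 15, 9, 0)
    return (last_reset(cfg, now).strftime("%Y/%m/%d"),
            next_reset(cfg, now).strftime("%Y/%m/%d"))
```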
The following figure shows an example login screen with a link to create a free guest account.

If you enable both online payment service and free time feature on the Zyxel Device, the link description in the login screen will be mainly for online payment service. You can still click the link to get a free account.
If SMS is enabled on the Zyxel Device, you have to enter your mobile phone number before clicking O K to get a free guest account.
The guest account information then displays on the screen and/or is sent to the configured mobile phone number.
CHAPTER 27 IPnP
27.1 IPnP Overview
IP Plug and Play (IPnP) allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, even when the IP addresses of the computer and the Zyxel Device are not in the same subnet.
When you disable the IPnP feature, only computers with dynamic IP addresses or static IP addresses in the same subnet as the Zyxel Device's LAN IP address can connect to the Zyxel Device or access the Internet through the Zyxel Device.
The IPnP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the Zyxel Device's IP address.
Note: You must enable NAT to use the IPnP feature.
The following figure depicts a scenario where a computer is set to use a static private IP address in the corporate environment. In a residential house where a Zyxel Device is installed, you can still use the computer to access the Internet without changing the network settings, even when the IP addresses of the computer and the Zyxel Device are not in the same subnet.
Figure 372 IPnP Application
27.1.1 What You Can Do in this Chapter
Use the IPnP screen (Section 27.1.2 on page 549) to enable IPnP on the Zyxel Device and the internal interface(s).
27.1.2 IPnP Screen
This screen allows you to enable IPnP on the Zyxel Device and specific internal interface(s). To access this screen click Configuration > Hotspot > IPnP.
Figure 373 Configuration > Hotspot > IPnP

The following table describes the labels in this screen.

Table 219 Configuration > Hotspot > IPnP

LABEL

DESCRIPTION

Enable IPnP

Select this option to turn on the IPnP feature on the Zyxel Device.
Note: You can enable this feature only when the security policy is enabled.

Member List

The Available list displays the name(s) of the internal interface(s) on which you can enable IPnP.
To enable IPnP on an interface, you can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and click the right arrow button to add to the Member list. To remove an interface, select the name(s) in the Member list and click the left arrow button.

Hotspot Service Status

Service Status

This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn't a license to be activated for this service.
If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license.
Then, click Activate to connect with the myZyxel server to activate the new license.

Service Type

This shows whether you have a trial or standard license or none (Trial, Standard, None).

Expiration Date

This shows when your hotspot license will expire.

Register Now

Click the link to go to myZyxel where you can register your Zyxel Device and activate the service.
This link is available only when the service is not activated yet.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

CHAPTER 28 Walled Garden
28.1 Walled Garden Overview
A user must log in before the Zyxel Device allows the user's access to the Internet. However, with a walled garden, you can define one or more web site addresses that all users can access without logging in. These can be used for advertisements for example.
28.2 Walled Garden > General Screen
Use this screen to turn on the walled garden feature.
Note: You must enable web authentication before you can access the Walled Garden screens.
Note: You can configure up to 50 walled garden web site links.
Click Configuration > Hotspot > Walled Garden to display the screen.
Figure 374 Configuration > Hotspot > Walled Garden: General

The following table describes the labels in this screen.

Table 220 Configuration > Hotspot > Walled Garden: General

LABEL

DESCRIPTION

Enable Walled Garden

Select this to turn on the walled garden feature.
Note: This feature works only with the web portal authentication type.

Hotspot Service Status

Service Status

This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn't a license to be activated for this service.
If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license.
Then, click Activate to connect with the myZyxel server to activate the new license.

Service Type

This shows whether you have a trial or standard license or none (Trial, Standard, None).

Expiration Date

This shows when your hotspot license will expire.

Register Now

Click the link to go to myZyxel where you can register your Zyxel Device and activate the service.
This link is available only when the service is not activated yet.

Apply

Click this button to save your changes to the Zyxel Device.

Reset

Click this button to return the screen to its last-saved settings.

28.3 Walled Garden > URL Base Screen
Use this screen to configure the walled garden web addresses (URLs that use the HTTP or HTTPS protocol) for web sites that all users are allowed to access without logging in. The web site link(s) displays in the user login screen by default.
Click Configuration > Hotspot > Walled Garden and then select the URL Base tab to display the screen.
Figure 375 Configuration > Hotspot > Walled Garden: URL Base

The following table describes the labels in this screen.

Table 221 Configuration > Hotspot > Walled Garden: URL Based

LABEL

DESCRIPTION

Walled Garden URL List

Use this table to manage the list of walled garden web site links.

Add

Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.


Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate

To turn on an entry, select it and click Activate.

Inactivate

To turn off an entry, select it and click Inactivate.

Move

To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the entry.

#

This field is a sequential value, and it is not associated with any entry.

Status

This icon is lit when the entry is active and dimmed when the entry is inactive.

Display

This icon is lit when the web site link is set to display in the user login screen.

Name

This field displays the descriptive name of the web site.

URL

This field displays the URL of the web site.

Apply

Click this button to save your changes to the Zyxel Device.

Reset

Click this button to return the screen to its last-saved settings.

28.3.1 Adding/Editing a Walled Garden URL
Go to the Configuration > Web Authentication > Walled Garden > URL Base screen. Click Add or select an entry and click Edit to open the Add/Edit Walled Garden URL screen. Use this screen to configure a walled garden web site URL entry.
Figure 376 Configuration > Hotspot > Walled Garden: URL Base: Add/Edit

The following table describes the labels in this screen.

Table 222 Configuration > Hotspot > Walled Garden: URL Base: Add/Edit

LABEL

DESCRIPTION

Enable

Select this to activate the entry.

Hide in login page

Select this to not display the web site link in the user login screen.
This is helpful if a user's access to a specific web site is required to stay connected but he or she doesn't need to visit that web site.

Name

Enter a descriptive name for the walled garden link to be displayed in the login screen.
You can use up to 31 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). Spaces are also allowed. The first character must be a letter.

URL

Enter the URL of the web site.
Use "http://" or "https://" followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://www.example.com or http://172.16.1.35.

Preview

Click this button to open the specified web site in a new frame.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.

28.4 Walled Garden > Domain/IP Base Screen
Use this screen to configure walled garden web site links, which use a (wildcard) domain name or an IP address. These links will not display in the login page.
Click Configuration > Hotspot > Walled Garden and then select the Domain/IP Base tab to display the screen.
Figure 377 Configuration > Hotspot > Walled Garden: Domain/IP Base

The following table describes the labels in this screen.

Table 223 Configuration > Hotspot > Walled Garden: Domain/IP Based

LABEL

DESCRIPTION

Walled Garden Domain/IP List

Use this table to manage the list of walled garden web site links.

Add

Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate

To turn on an entry, select it and click Activate.

Inactivate

To turn off an entry, select it and click Inactivate.

#

This field is a sequential value, and it is not associated with any entry.

Status

This icon is lit when the entry is active and dimmed when the entry is inactive.

Name

This field displays the descriptive name of the web site.

Domain Name/IP Address

This field displays the domain name or IP address and subnet mask of the web site.

Apply

Click this button to save your changes to the Zyxel Device.

Reset

Click this button to return the screen to its last-saved settings.

28.4.1 Adding/Editing a Walled Garden Domain or IP
Go to the Configuration > Hotspot > Walled Garden > Domain/IP Base screen. Click Add or select an entry and click Edit to open the Add/Edit Walled Garden Domain/IP screen. Use this screen to configure the domain name or IP address entry for a walled garden web site.
Figure 378 Configuration > Hotspot > Walled Garden: Domain/IP Base: Add/Edit

The following table describes the labels in this screen.

Table 224 Configuration > Hotspot > Walled Garden: Domain/IP Base: Add/Edit

LABEL

DESCRIPTION

Enable

Select this to activate the entry.

Name

Enter a descriptive name for the walled garden link.
You can use up to 31 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). Spaces are also allowed. The first character must be a letter.

Type

Select whether you want to create the link by entering a domain name or an IP address.

Domain Name / IP Address

If you select Domain, type a Fully-Qualified Domain Name (FQDN) of a web site. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host, "zyxel" is the third-level domain, "com" is the second-level domain, and "tw" is the top level domain. Underscores are not allowed. Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
If you select IP, enter the IP address and subnet mask of the web site.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.

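The following Python validator and matcher is an added example, not Zyxel's code. It applies the Name, URL and Domain Name/IP Address rules from Tables 222 and 224 to constructed entries and then decides whether a destination may be reached without logging in. Two points are assumptions rather than documented behaviour: a wildcard entry such as *.example.com covers hosts below example.com but not example.com itself, and a URL entry is matched on its host name only.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed validator/matcher following the field rules in Tables 222 and 224;
# not Zyxel code. Assumed: "*.example.com" covers hosts below the apex only, and
# URL entries are compared by host name, not by full URL.

NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_ ]{0,30}")                 # 31 chars, leading letter
URL_RE = re.compile(r"https?://[0-9a-zA-Z;/?:@&=+$\\.\-_!~*'()%]{1,262}")
FQDN_RE = re.compile(r"(\*\.)?(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}")


@dataclass(frozen=True)
class WalledGardenEntry:
    name: str
    kind: str     # "url" (Table 222), "domain" or "ip" (Table 224)
    value: str    # URL, FQDN / wildcard FQDN, or "address/mask"


def validate_entry(entry):
    """Return None when the entry satisfies the screen's rules, else the reason."""
    if not NAME_RE.fullmatch(entry.name):
        return "name: up to 31 letters, digits, underscores or spaces, starting with a letter"
    if entry.kind == "url":
        if URL_RE.fullmatch(entry.value):
            return None
        return "url: must begin with http:// or https:// and use only the permitted characters"
    if entry.kind == "domain":
        if "_" in entry.value:
            return "domain: underscores are not allowed"
        return None if FQDN_RE.fullmatch(entry.value) else "domain: not a fully qualified domain name"
    if entry.kind == "ip":
        try:
            ipaddress.ip_network(entry.value, strict=False)   # accepts "a.b.c.d/255.255.255.0"
            return None
        except ValueError:
            return "ip: expected address/subnet mask"
    return f"unknown entry type {entry.kind!r}"


def _host_matches(dest_host, pattern):
    dest_host, pattern = dest_host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return dest_host.endswith(pattern[1:])    # ".example.com" suffix; apex excluded
    return dest_host == pattern


def bypasses_login(dest_host, dest_ip, entries):
    """True when an unauthenticated user may reach the destination through a
    well-formed walled garden entry."""
    for e in entries:
        if validate_entry(e) is not None:
            continue                              # a malformed entry never opens access
        if e.kind == "url":
            if _host_matches(dest_host, urlsplit(e.value).hostname or ""):
                return True
        elif e.kind == "domain" and _host_matches(dest_host, e.value):
            return True
        elif e.kind == "ip":
            net = ipaddress.ip_network(e.value, strict=False)
            if ipaddress.ip_address(dest_ip) in net:
                return True
    return False


# Constructed sample configuration; every entry is taken to be enabled.
SAMPLE_ENTRIES = [
    WalledGardenEntry("WalledGardenLink1", "url", "http://www.example.com"),
    WalledGardenEntry("Ads", "domain", "*.example.com"),
    WalledGardenEntry("Intranet", "ip", "172.16.1.35/255.255.255.0"),
]
```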
28.4.2 Walled Garden Login Example
The following figure shows the user login screen with two walled garden links. The links are named WalledGardenLink1 through 2 for demonstration purposes.

Figure 379 Walled Garden Login Example

CHAPTER 29 Advertisement Screen
29.1 Advertisement Overview
Use this screen to set the Zyxel Device to display an advertisement web page as the first web page whenever the user connects to the Internet. Click Configuration > Hotspot > Advertisement to display the screen.
Figure 380 Configuration > Hotspot > Advertisement

The following table gives an overview of the objects you can configure.

Table 225 Configuration > Hotspot > Advertisement

LABEL

DESCRIPTION

Enable Advertisement

Select this to turn on the advertisement feature.
Note: This feature works only when you enable web authentication.

Advertisement Summary

Use this table to manage the list of advertisement web pages.

Add

Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

#

This field is a sequential value, and it is not associated with any entry.

Name

This field displays the descriptive name of the web site.

URL

This field displays the address of the web site.

Hotspot Service Status

Service Status

This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn't a license to be activated for this service.
If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license.
Then, click Activate to connect with the myZyxel server to activate the new license.

Service Type

This shows whether you have a trial or standard license or none (Trial, Standard, None).

Expiration Date

This shows when your hotspot license will expire.

Register Now

Click the link to go to myZyxel where you can register your Zyxel Device and activate the service.
This link is available only when the service is not activated yet.

Apply

Click this button to save your changes to the Zyxel Device.

Reset

Click this button to return the screen to its last-saved settings.

29.1.1 Adding/Editing an Advertisement URL
Click Configuration > Hotspot > Advertisement and then the Add (or Edit) icon in the Advertisement Summary section to open the Add/Edit Advertisement URL screen. Use this screen to configure an advertisement address entry.
Note: You can create up to 20 advertisement URL entries. The Zyxel Device randomly picks one and opens the specified web site in a new frame when an authenticated user attempts to access the Internet.
Figure 381 Configuration > Hotspot > Advertisement > Add/Edit


The following table gives an overview of the objects you can configure.

Table 226 Configuration > Hotspot > Advertisement > Add/Edit

LABEL

DESCRIPTION

Name

Enter a descriptive name for the advertisement web site.
You can use up to 31 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). Spaces are not allowed. The first character must be a letter.

URL

Enter the URL or IP address of the web site.
Use "http://" followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://www.example.com or http://172.16.1.35.

Preview

Click this button to open the specified web site in a new frame.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.

CHAPTER 30 Security Policy
30.1 Overview
A security policy is a template of security settings that can be applied to specific traffic at specific times. The policy can be applied:
· to a specific direction of travel of packets (from / to)
· to specific source and destination address objects
· to a specific type of traffic (services)
· to a specific user or group of users
· at a specific schedule
The policy can be configured:
· to allow or deny traffic that matches the criteria above
· to send a log or alert for traffic that matches the criteria above
· to apply the actions configured in the profiles (application patrol, content filter, IDP, anti-malware, email security) to traffic that matches the criteria above
Note: Security policies can be applied to both IPv4 and IPv6 traffic.
The security policies can also limit the number of user sessions.
The following example shows the Zyxel Device's default security policy behavior for a specific direction of packet travel (WAN to LAN traffic) and how stateful inspection works. A LAN user can initiate a Telnet session from within the LAN zone and the Zyxel Device allows the response. However, the Zyxel Device blocks incoming Telnet traffic initiated from the WAN zone and destined for the LAN zone.
Figure 382 Default Directional Security Policy Example

30.2 OneSecurity

OneSecurity is a website with guidance on configuration walkthroughs, troubleshooting, and other information. This is an example of a port forwarding configuration walkthrough.

Figure 383 Example of a Port Forwarding Configuration Walkthrough

This is an example of L2TP over IPSec VPN troubleshooting.

Figure 384 Example of L2TP over IPSec Troubleshooting - 1
Figure 385 Example of L2TP over IPSec Troubleshooting - 2

In the Zyxel Device, you will see icons that link to OneSecurity walkthroughs, troubleshooting and so on in certain screens.

For example, at the time of writing, these are the OneSecurity icons you can see.

Table 227 OneSecurity Icons

ONESECURITY ICON

SCREEN

Click this icon to go to a series of screens that guide you through configuring the feature. Note that the walkthroughs do not perform the actual configuration, but just show you how to do it.

· Device HA > General
· Licensing > Registration
· Network > NAT
· Network > Routing > Policy Route
· Security Service > App Patrol
· Security Service > Content Filter
· Security Service > IDP
· Security Service > Anti-Malware
· Security Service > Email Security
· VPN > IPSec VPN
· VPN > SSL VPN
· VPN > L2TP VPN
Click this icon to go to a series of screens that guide you through fixing problems with the feature.

· Device HA > General
· Network > NAT
· Network > Routing > Policy Route
· Security Service > App Patrol
· Security Service > Content Filter
· Security Service > IDP
· Security Service > Anti-Malware
· Security Service > Email Security
· VPN > IPSec VPN
· VPN > SSL VPN
· VPN > L2TP VPN

Table 227 OneSecurity Icons (continued)

ONESECURITY ICON / SCREEN

Click this icon for more information on Application Patrol, which identifies traffic that passes through the Zyxel Device, so you can decide what to do with specific types of traffic. Traffic not recognized by application patrol is ignored.
· Security Service > Application Patrol

Click this icon for more information on Content Filter, which controls access to specific web sites or web content.
· Security Service > Content Filter

Click this icon for more information on IPSec and SSL VPN. Internet Protocol Security (IPSec) VPN connects IPSec routers or remote users using IPSec client software. SSL VPN allows users to use a web browser for secure remote user login without need of a VPN router or VPN client software.
· VPN > IPSec VPN
· VPN > SSL VPN

Click this icon to download VPN client software.
· VPN > IPSec VPN
· VPN > SSL VPN

Click this icon for more information on the Wireless AP Controller which sets how the Zyxel Device allows APs to connect to the wireless network.
· Wireless > AP Management > Mgnt. AP List

30.3 What You Can Do in this Chapter
· Use the Security Policy Control screens (Section 30.4 on page 566) to enable or disable policies, asymmetrical routes, and manage and configure policies.
· Use the Anomaly Detection and Prevention (ADP) screens (Section 30.5 on page 572) to detect traffic with protocol anomalies and take appropriate action.
· Use the Session Control screens (see Section 30.6 on page 581) to limit the number of concurrent NAT/security policy traffic sessions a client can use.
30.3.1 What You Need to Know
Stateful Inspection
The Zyxel Device uses stateful inspection in its security policies. The Zyxel Device restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
Zones
A zone is a group of interfaces. Group the Zyxel Device's interfaces into different zones based on your needs. You can configure security policies for data passing between zones or even between interfaces.

Default Directional Security Policy Behavior

Security Policies can be grouped based on the direction of travel of packets to which they apply. The Zyxel Device has default Security Policy behavior for traffic going through the Zyxel Device in various directions.

Table 228 Directional Security Policy Behavior

FROM ZONE TO ZONE / BEHAVIOR

From any to Device: DHCP traffic from any interface to the Zyxel Device is allowed.

From LAN1 to any (other than the Zyxel Device): Traffic from the LAN1 to any of the networks connected to the Zyxel Device is allowed.

From LAN2 to any (other than the Zyxel Device): Traffic from the LAN2 to any of the networks connected to the Zyxel Device is allowed.

From LAN1 to Device: Traffic from the LAN1 to the Zyxel Device itself is allowed.

From LAN2 to Device: Traffic from the LAN2 to the Zyxel Device itself is allowed.

From WAN to Device: The default services listed in To-Device Policies are allowed from the WAN to the Zyxel Device itself. All other WAN to Zyxel Device traffic is dropped.

From any to any: Traffic that does not match any Security policy is dropped. This includes traffic from the WAN to any of the networks behind the Zyxel Device. This also includes traffic to or from interfaces that are not assigned to a zone (extra-zone traffic).

To-Device Policies
Policies with Device as the To Zone apply to traffic going to the Zyxel Device itself. By default:
· The Security Policy allows only LAN, or WAN computers to access or manage the Zyxel Device.
· The Zyxel Device allows DHCP traffic from any interface to the Zyxel Device.
· The Zyxel Device drops most packets from the WAN zone to the Zyxel Device itself and generates a log except for AH, ESP, GRE, HTTPS, IKE, NATT.
When you configure a Security Policy rule for packets destined for the Zyxel Device itself, make sure it does not conflict with your service control rule. The Zyxel Device checks the security policy before the service control rules for traffic destined for the Zyxel Device.
A From Any To Device direction policy applies to traffic from an interface which is not in a zone.
Global Security Policies
Security Policies with from any and/or to any as the packet direction are called global Security Policies. The global Security Policies are the only Security Policies that apply to an interface that is not included in a zone. The from any policies apply to traffic coming from the interface and the to any policies apply to traffic going to the interface.
Security Policy Rule Criteria
The Zyxel Device checks the schedule, user name (user's login name on the Zyxel Device), source IP address and object, destination IP address and object, IP protocol type of network traffic (service) and Security Service profile criteria against the Security Policies (in the order you list them). When the traffic matches a policy, the Zyxel Device takes the action specified in the policy.

User Specific Security Policies
You can specify users or user groups in Security Policies. For example, to allow a specific user from any computer to access a zone by logging in to the Zyxel Device, you can set up a policy based on the user name only. If you also apply a schedule to the Security Policy, the user can only access the network at the scheduled time. A user-aware Security Policy is activated whenever the user logs in to the Zyxel Device and will be disabled after the user logs out of the Zyxel Device.
Session Limits
Accessing the Zyxel Device or network resources through the Zyxel Device requires a NAT session and corresponding Security Policy session. Peer to peer applications, such as file sharing applications, may use a large number of NAT sessions. A single client could use all of the available NAT sessions and prevent others from connecting to or through the Zyxel Device. The Zyxel Device lets you limit the number of concurrent NAT/Security Policy sessions a client can use.
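The following Python script is an added example, not part of this User's Guide or the Zyxel Device firmware. It models the behavior described in this section in code: stateful inspection (replies to an admitted session pass), the default directional behavior of Table 228, the rule criteria checked in list order with the first match winning, the per-client session limit, and the point made later in this chapter that Destination NAT is applied before the Security Policies, so a policy must name the translated LAN address. The zone names, policy names and IP addresses are constructed for the example.

```python
"""Zone-based, first-match security policy evaluation (added illustration, not Zyxel's code).
DNAT is applied before the policy lookup, policies are tried in listed order, replies to admitted
sessions pass (stateful inspection), unmatched traffic gets the default directional behaviour,
and a per-client session limit applies. All addresses and names below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
# Services the default To-Device policy still admits from the WAN (listed in the text above).
DEFAULT_WAN_TO_DEVICE = {"AH", "ESP", "GRE", "HTTPS", "IKE", "NATT"}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    service: str      # service object name, e.g. "Telnet", "HTTP", "DHCP"
    user: str = ANY   # login name bound to src_ip if that user is logged in

@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    action: str                   # "allow", "deny" (silent drop) or "reject" (drop + RST/ICMP unreachable)
    source: str = ANY             # CIDR or "any"
    destination: str = ANY        # CIDR or "any"; must name the post-NAT address
    service: str = ANY
    user: str = ANY
    schedule_active: bool = True  # a "none" schedule means always active

def _addr_match(pattern, ip):
    return pattern == ANY or ip_address(ip) in ip_network(pattern, strict=False)

def policy_matches(p, pkt, from_zone, to_zone):
    """Every criterion must hold: schedule, direction, user, service, source and destination."""
    return (p.schedule_active
            and p.from_zone in (ANY, from_zone) and p.to_zone in (ANY, to_zone)
            and p.user in (ANY, pkt.user) and p.service in (ANY, pkt.service)
            and _addr_match(p.source, pkt.src_ip) and _addr_match(p.destination, pkt.dst_ip))

class Firewall:
    def __init__(self, zones, policies, dnat=None, session_limit=0):
        self.zones = zones            # ordered {CIDR: zone}, most specific first; "Device" = own IPs
        self.policies = policies      # first match wins, so order is significant
        self.dnat = dnat or {}        # (public ip, service) -> private ip
        self.session_limit = session_limit
        self.sessions = set()         # (src_ip, dst_ip, service) of sessions already admitted

    def zone_of(self, ip):
        for net, zone in self.zones.items():
            if ip_address(ip) in ip_network(net, strict=False):
                return zone
        return ANY                    # interface not in any zone: only global policies apply

    def _open(self, pkt, reason):
        self.sessions.add((pkt.src_ip, pkt.dst_ip, pkt.service))
        return "allow", reason

    def evaluate(self, pkt):
        """Return (action, reason) for a packet arriving at the device."""
        # Stateful inspection: the reply to a session already admitted is allowed.
        if (pkt.dst_ip, pkt.src_ip, pkt.service) in self.sessions:
            return "allow", "stateful:reply"
        # Destination NAT runs before the policy lookup, so match on the translated address.
        pkt = Packet(pkt.src_ip, self.dnat.get((pkt.dst_ip, pkt.service), pkt.dst_ip), pkt.service, pkt.user)
        from_zone, to_zone = self.zone_of(pkt.src_ip), self.zone_of(pkt.dst_ip)
        # Session limit: a client at its limit gets no further NAT/security policy sessions.
        if self.session_limit and sum(s[0] == pkt.src_ip for s in self.sessions) >= self.session_limit:
            return "deny", "session-limit"
        for p in self.policies:       # configured policies, in the listed order
            if policy_matches(p, pkt, from_zone, to_zone):
                return self._open(pkt, p.name) if p.action == "allow" else (p.action, p.name)
        # Default directional behaviour for traffic that matched no policy.
        if pkt.service == "DHCP" and to_zone == "Device":
            return self._open(pkt, "default:any-to-Device DHCP")
        if from_zone.startswith("LAN"):
            return self._open(pkt, f"default:{from_zone}-to-any")
        if from_zone == "WAN" and to_zone == "Device" and pkt.service in DEFAULT_WAN_TO_DEVICE:
            return self._open(pkt, "default:WAN-to-Device service")
        return "deny", "default:drop"

def demo():
    """Replay the Telnet example from the text, then DNAT, a reject rule and the session limit."""
    fw = Firewall(
        zones={"192.168.1.1/32": "Device", "203.0.113.1/32": "Device",   # device's own LAN and WAN IPs
               "192.168.1.0/24": "LAN1", "0.0.0.0/0": "WAN"},
        policies=[Policy("WebServer-In", "WAN", "LAN1", "allow", destination="192.168.1.10/32", service="HTTP"),
                  Policy("Guest-No-Telnet", "LAN1", "WAN", "reject", service="Telnet", user="guest")],
        dnat={("203.0.113.1", "HTTP"): "192.168.1.10"}, session_limit=2)
    pc, wan = "192.168.1.50", "198.51.100.7"
    return {"lan_telnet_out": fw.evaluate(Packet(pc, wan, "Telnet")),              # default LAN1-to-any
            "telnet_reply": fw.evaluate(Packet(wan, pc, "Telnet")),                # reply to admitted session
            "wan_telnet_new": fw.evaluate(Packet(wan, "192.168.1.51", "Telnet")),  # no policy: dropped
            "wan_ssh_device": fw.evaluate(Packet(wan, "203.0.113.1", "SSH")),      # not a default To-Device service
            "wan_https_device": fw.evaluate(Packet(wan, "203.0.113.1", "HTTPS")),
            "wan_http_dnat": fw.evaluate(Packet(wan, "203.0.113.1", "HTTP")),      # matched on the LAN IP after DNAT
            "guest_telnet": fw.evaluate(Packet("192.168.1.60", wan, "Telnet", user="guest")),
            "second_session": fw.evaluate(Packet(pc, wan, "HTTP")),
            "third_session": fw.evaluate(Packet(pc, wan, "SSH"))}                  # over the 2-session limit
```

Note how the WAN-to-LAN web policy names the private address 192.168.1.10 rather than the public 203.0.113.1: because the lookup runs after DNAT, a policy written against the public address would never match.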
30.4 The Security Policy Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device's LAN IP address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or "triangle" route. This causes the Zyxel Device to reset the connection, as the connection has not been acknowledged. You can have the Zyxel Device permit the use of asymmetrical route topology on the network (not reset the connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup gateway on separate subnets. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information. By putting LAN 1 and the alternate gateway (A in the figure) in different subnets, all returning network traffic must pass through the Zyxel Device to the LAN. The following steps and figure describe such a scenario.
1 A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The Zyxel Device reroutes the packet to gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the Zyxel Device.
4 The Zyxel Device then sends it to the computer on the LAN1 in Subnet 1.
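The asymmetrical route scenario above, as an added example that is not from this User's Guide or the Zyxel Device firmware: a small TCP handshake tracker shows why a stateful device resets a connection whose SYN-ACK never passed through it, what the Allow Asymmetrical Route setting changes, and why placing gateway A in a separate subnet makes the reply (step 3) return through the device. The addresses and the hypothetical SessionTracker class are constructed for the example.

```python
"""TCP handshake tracking under a triangle route (added illustration, not Zyxel's code).
A stateful device only accepts a client's follow-up segments for a connection whose SYN and
SYN-ACK it has both seen. When the alternate gateway sits in the LAN's own subnet the server's
SYN-ACK reaches the client without crossing the device, so the device resets the connection
unless asymmetrical routes are allowed. Addresses are constructed for the example."""
from ipaddress import ip_address, ip_network

class SessionTracker:
    """Minimal per-connection TCP state as seen from the device."""
    def __init__(self, allow_asymmetrical_route=False):
        self.allow_asym = allow_asymmetrical_route
        self.state = {}  # (client, server) -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"

    def inspect(self, src, dst, flags):
        """Return 'forward' or 'reset' for one segment passing through the device."""
        if flags == "SYN":
            self.state[(src, dst)] = "SYN_SENT"
            return "forward"
        if flags == "SYN-ACK":
            if self.state.get((dst, src)) == "SYN_SENT":
                self.state[(dst, src)] = "SYN_RECEIVED"
                return "forward"
            return "reset"                   # SYN-ACK for a connection never opened through us
        key = (src, dst) if (src, dst) in self.state else (dst, src)
        current = self.state.get(key)
        if current in ("SYN_RECEIVED", "ESTABLISHED"):
            self.state[key] = "ESTABLISHED"
            return "forward"
        if current == "SYN_SENT" and self.allow_asym:
            # Allow Asymmetrical Route: tolerate a handshake whose reply bypassed the device.
            self.state[key] = "ESTABLISHED"
            return "forward"
        return "reset"                       # the connection has not been acknowledged

def triangle_route(lan_pc, gateway_a, lan_subnet, allow_asym=False):
    """Replay steps 1-4 above and report what the device does with the PC's next segment.
    If gateway A is inside the PC's subnet, the reply from the WAN goes A -> PC directly and the
    device never sees the SYN-ACK; with A on its own (virtual-interface) subnet, step 3 brings
    the reply back through the device."""
    server = "198.51.100.7"                  # constructed WAN server address
    device = SessionTracker(allow_asym)
    device.inspect(lan_pc, server, "SYN")    # steps 1 and 2: SYN goes out via the device to A
    reply_bypasses_device = ip_address(gateway_a) in ip_network(lan_subnet)
    if not reply_bypasses_device:
        device.inspect(server, lan_pc, "SYN-ACK")     # steps 3 and 4: reply returns through the device
    verdict = device.inspect(lan_pc, server, "ACK")   # the PC's ACK always goes to its default gateway
    return {"syn_ack_seen_by_device": not reply_bypasses_device, "verdict": verdict}
```

With gateway A at 192.168.1.254 (same subnet as the PC) the device never sees the SYN-ACK and resets the PC's ACK; with A moved to 192.168.2.254 the same handshake completes through the device.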
Figure 386 Using Virtual Interfaces to Avoid Asymmetrical Routes
30.4.1 Configuring the Security Policy Control Screen
Click Configuration > Security Policy > Policy Control to open the Security Policy screen. Use this screen to enable or disable the Security Policy and asymmetrical routes, set a maximum number of sessions per host, and display the configured Security Policies. Specify from which zone packets come and to which zone packets travel to display only the policies specific to the selected direction. Note the following.
· Besides configuring the Security Policy, you also need to configure NAT rules to allow computers on the WAN to access LAN devices.
· The Zyxel Device applies NAT (Destination NAT) settings before applying the Security Policies. So for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding Security Policy to allow the traffic, you need to set the LAN IP address as the destination.
· The ordering of your policies is very important as policies are applied in sequence.
The following screen shows the Security Policy summary screen.
Figure 387 Configuration > Security Policy > Policy Control

The following table describes the labels in this screen.

Table 229 Configuration > Security Policy > Policy Control

LABEL / DESCRIPTION

Show Filter/Hide Filter: Click Show Filter to display IPv4 and IPv6 (if enabled) security policy search filters.

General Settings: Enable or disable the Security Policy feature on the Zyxel Device.

Enable Policy Control: Select this to activate Security Policy on the Zyxel Device to perform access control.

IPv4 / IPv6 Configuration: Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on direction, application, user, source, destination and/or schedule.

From / To: Select a zone to view all security policies from a particular zone and/or to a particular zone. any means all zones.

IPv4 / IPv6 Source: Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 source address object used.
· An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7.
· A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

IPv4 / IPv6 Destination: Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 destination address object used.
· An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7.
· A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

Service: View all security policies based on the service object used.

User: View all security policies based on the user or user group object used.

Schedule: View all security policies based on the schedule object used.

IPv4/IPv6 Policy Management: Use the following items to manage IPv4 and IPv6 policies.

Allow Asymmetrical Route: If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device's LAN IP address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or "triangle" route. This causes the Zyxel Device to reset the connection, as the connection has not been acknowledged.
Select this check box to have the Zyxel Device permit the use of asymmetrical route topology on the network (not reset the connection).
Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup gateway on separate subnets.

Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate: To turn on an entry, select it and click Activate.

Inactivate: To turn off an entry, select it and click Inactivate.

Table 229 Configuration > Security Policy > Policy Control (continued)

LABEL / DESCRIPTION

Move: To change a policy's position in the numbered list, select the policy and click Move to display a field to type a number for where you want to put that policy and press [ENTER] to move the policy to the number that you typed.
The ordering of your policies is important as they are applied in order of their numbering.

Clone: Use Clone to create a new entry by modifying an existing one.
· Select an existing entry.
· Click Clone, type a number where the new entry should go and then press [ENTER].
· A configuration copy of the selected entry pops up. You must at least change the name as duplicate entry names are not allowed.

The following read-only fields summarize the policies you have created that apply to traffic traveling in the selected packet direction.

Priority: This is the position of your Security Policy in the global policy list (including all through-Zyxel Device and to-Zyxel Device policies). The ordering of your policies is important as policies are applied in sequence. Default displays for the default Security Policy behavior that the Zyxel Device performs on traffic that does not match any other Security Policy.

Status: This icon is lit when the entry is active and dimmed when the entry is inactive.

Name: This is the name of the Security policy.

From / To: This is the direction of travel of packets. Select from which zone the packets come and to which zone they go.
Security Policies are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN.
From any displays all the Security Policies for traffic going to the selected To Zone.
To any displays all the Security Policies for traffic coming from the selected From Zone.
From any to any displays all of the Security Policies.
To ZyWALL policies are for traffic that is destined for the Zyxel Device and control which computers can manage the Zyxel Device.

IPv4 / IPv6 Source: This displays the IPv4 / IPv6 source address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.

IPv4 / IPv6 Destination: This displays the IPv4 / IPv6 destination address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.

Service: This displays the service object to which this Security Policy applies.

User: This is the user name or user group name to which this Security Policy applies.

Schedule: This field tells you the schedule object that the policy uses. none means the policy is active at all times if enabled.

Action: This field displays whether the Security Policy silently discards packets without notification (deny), permits the passage of packets (allow) or drops packets with notification (reject).

Log: Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above.

Profile: This field shows you which Security Service profiles (application patrol, content filter, IDP, anti-malware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly.

Apply: Click Apply to save your changes back to the Zyxel Device.

Reset: Click Reset to return the screen to its last-saved settings.

30.4.2 The Security Policy Control Add/Edit Screen
In the Security Policy Control screen, click the Edit or Add icon to display the Security Policy Edit or Add screen.

Figure 388 Configuration > Security Policy > Policy Control > Add

The following table describes the labels in this screen.

Table 230 Configuration > Security Policy > Policy Control > Add

LABEL / DESCRIPTION

Create new Object: Use to configure any new settings objects that you need to use in this screen.

Enable: Select this check box to activate the Security policy.

Name: Type a name to identify the policy.

Description: Enter a descriptive name of up to 60 printable ASCII characters for the Policy. Spaces are allowed.

From / To: For through-Zyxel Device policies, select the direction of travel of packets to which the policy applies. any means all interfaces.
Device means packets destined for the Zyxel Device itself.

Source: Select an IPv4 / IPv6 address or address group object, including geographic address and FQDN (group) objects, to apply the policy to traffic coming from it. Select any to apply the policy to all traffic coming from IPv4 / IPv6 addresses.

Destination: Select an IPv4 / IPv6 address or address group, including geographic address and FQDN (group) objects, to apply the policy to traffic going to it. Select any to apply the policy to all traffic going to IPv4 / IPv6 addresses.

Service: Select a service or service group from the drop-down list box.

Table 230 Configuration > Security Policy > Policy Control > Add (continued)

LABEL / DESCRIPTION

User: This field is not available when you are configuring a to-Zyxel Device policy.
Select a user name or user group to which to apply the policy. The Security Policy is activated only when the specified user logs into the system and the policy will be disabled when the user logs out.
Otherwise, select any and there is no need for user logging.
Note: If you specified a source IP address (group) instead of any in the Source field, the user's IP address should be within the IP address range.

Schedule: Select a schedule that defines when the policy applies. Otherwise, select none and the policy is always effective.

Action: Use the drop-down list box to select what the Security Policy is to do with packets that match this policy.
Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
Select reject to discard the packets and send a TCP reset packet or an ICMP destination-unreachable message to the sender.
Select allow to permit the passage of the packets.

Log matched traffic: Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above.

Profile: Use this section to apply anti-x profiles (created in the Configuration > Security Service screens) to traffic that matches the criteria above. You must have created a profile first; otherwise none displays.
Use Log to generate a log (log), log and alert (log alert) or not (no) for all traffic that matches criteria in the profile.

Application Patrol: Select an Application Patrol profile from the list box; none displays if no profiles have been created in the Configuration > Security Service > App Patrol screen.

Content Filter: Select a Content Filter profile from the list box; none displays if no profiles have been created in the Configuration > Security Service > Content Filter screen.

SSL Inspection: Select an SSL Inspection profile from the list box; none displays if no profiles have been created in the Configuration > Security Service > SSL Inspection screen.

OK: Click OK to save your customized settings and exit this screen.

Cancel: Click Cancel to exit this screen without saving.

30.5 Anomaly Detection and Prevention Overview
Anomaly Detection and Prevention (ADP) protects against anomalies based on violations of protocol standards (RFCs, Requests for Comments) and abnormal flows such as port scans. This section introduces ADP, anomaly profiles and applying an ADP profile to a traffic direction.
Traffic Anomalies
Traffic anomaly policies look for abnormal behavior or events such as port scanning, sweeping or network flooding. They operate at OSI layer-2 and layer-3. Traffic anomaly policies may be updated when you upload new firmware.
Protocol Anomalies
Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes:
· TCP Decoder
· UDP Decoder
· ICMP Decoder
Protocol anomaly policies may be updated when you upload new firmware.
Note: First, create an ADP profile in the Configuration > Security Policy > ADP > Profile screen. Then, apply the profile to traffic originating from a specific zone in the Configuration > Security Policy > ADP > General screen.
30.5.1 The Anomaly Detection and Prevention General Screen
Click Configuration > Security Policy > ADP > General to display the next screen.

Figure 389 Configuration > Security Policy > ADP > General

The following table describes the labels in this screen.

Table 231 Configuration > Security Policy > ADP > General

LABEL / DESCRIPTION

General Settings

Enable Anomaly Detection and Prevention: Select this to enable traffic anomaly and protocol anomaly detection and prevention.

Add: Select an entry and click Add to append a new row beneath the one selected. ADP policies are applied in order (Priority) shown in this screen.

Edit: Select an entry and click this to be able to modify it.

Remove: Select an entry and click this to delete it.

Activate: To turn on an entry, select it and click Activate.

Inactivate: To turn off an entry, select it and click Inactivate.

Move: To change an entry's position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.

#: This is the entry's index number in the list.

Table 231 Configuration > Security Policy > ADP > General (continued)

LABEL / DESCRIPTION

Priority: This is the rank in the list of anomaly profile policies. The list is applied in order of priority.

Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

From: This is the direction of travel of packets to which an anomaly profile is bound. Traffic direction is defined by the zone the traffic is coming from.
Use the From field to specify the zone from which the traffic is coming. Select ZyWALL to specify traffic coming from the Zyxel Device itself.
From LAN means packets traveling from a computer on one LAN subnet to a computer on another subnet via the Zyxel Device's LAN1 zone interfaces. The Zyxel Device does not check packets traveling from a LAN computer to another LAN computer on the same subnet.
From WAN means packets that come in from the WAN zone and the Zyxel Device routes back out through the WAN zone.
Note: Depending on your network topology and traffic load, applying every packet direction to an anomaly profile may affect the Zyxel Device's performance.

Anomaly Profile: An anomaly profile is a set of anomaly policies with configured activation, log and action settings. This field shows which anomaly profile is bound to which traffic direction. Select an ADP profile to apply to the entry's traffic direction. Configure the ADP profiles in the ADP profile screens.

30.5.2 Creating New ADP Profiles
Create new ADP profiles in the Configuration > Security Policy > ADP > Profile screens.
When creating ADP profiles, you may find that certain policies are triggering too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the Zyxel Device. As each network is different, false positives and false negatives are common on initial ADP deployment.
To counter this, you could create a 'monitor profile' that creates logs, but all actions are disabled. Observe the logs over time and try to eliminate the causes of the false alarms. When you're satisfied that they have been reduced to an acceptable level, you could then create an 'in-line profile' whereby you configure appropriate actions to be taken when a packet matches a policy.
ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To create a new profile, select a base profile and then click OK to go to the profile details screen. Type a new profile name, enable or disable individual policies and then edit the default log options and actions.
Click Configuration > Security Policy > ADP > Profile to view the following screen.

Figure 390 Configuration > Security Policy > ADP > Profile

The following table describes the labels in this screen.

Table 232 Configuration > Security Policy > ADP > Profile

LABEL / DESCRIPTION

Profile Management: Create ADP profiles here and then apply them in the Configuration > Security Policy > ADP > Profile screen.

Add: Click Add and first choose a none or all Base Profile.
· none base profile sets all ADP entries to have Log set to no and Action set to none by default.
· all base profile sets all ADP entries to have Log set to log and Action set to block by default.

Edit: Select an entry and click this to be able to modify it.

Remove: Select an entry and click this to delete it.

References: Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen.

Clone: Use Clone to create a new entry by modifying an existing one.
· Select an existing entry.
· Click Clone.
· A configuration copy of the selected entry pops up. You must at least change the name as duplicate entry names are not allowed.

#: This is the entry's index number in the list.

Name: This is the name of the profile you created.

Description: This is the description of the profile you created.

Base Profile: This is the name of the base profile used to create this profile.

Reference: This is the number of object references used to create this profile.

30.5.3 Traffic Anomaly Profiles
Traffic anomaly detection looks for abnormal behavior such as scan or flooding attempts. In the Configuration > Security Policy > ADP > Profile screen, click the Edit or Add icon and choose a base profile. Traffic Anomaly is the first tab in the profile.

Figure 391 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly

The following table describes the labels in this screen.

Table 233 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly

LABEL / DESCRIPTION

Name: A name is automatically generated that you can edit. The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
· MyProfile
· mYProfile
· Mymy12_3-4
These are invalid profile names:
· 1mYProfile
· My Profile
· MyProfile?
· Whatalongprofilename123456789012

Description: In addition to the name, type additional information to help you identify this ADP profile.

Table 233 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly (continued)

LABEL / DESCRIPTION

Scan/Flood Detection: Scan detection, such as port scanning, tries to find attacks where an attacker scans device(s) to determine what types of network protocols or services a device supports.
Flood detection tries to find attacks that saturate a network with useless data, use up all available bandwidth, and so aim to make communications on the network impossible.

Sensitivity: (Scan detection only.) Select a sensitivity level so as to reduce false positives in your network. If you choose low sensitivity, then scan thresholds and sample times are set low, so you will have fewer logs and false positives; however some traffic anomaly attacks may not be detected.
If you choose high sensitivity, then sc<br>an thresholds and sample times are set high, so most traffic anomaly attacks will be detected; however you will have more logs and false positives.

Block Period: Specify for how many seconds the Zyxel Device blocks all packets from being sent to the victim (destination) of a detected anomaly attack. Flood Detection applies blocking to the destination IP address and Scan Detection applies blocking to the source IP address.

Edit (Flood Detection only): Select an entry and click this to be able to modify it.

Activate: To turn on an entry, select it and click Activate.

Inactivate: To turn off an entry, select it and click Inactivate.

Log: To edit an item's log option, select it and use the Log icon. Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly policy.

Action: To edit what action the Zyxel Device takes when a packet matches a policy, select the policy and use the Action icon.
none: The Zyxel Device takes no action when a packet matches the policy.
block: The Zyxel Device silently drops packets that match the policy. Neither sender nor receiver is notified.

#: This is the entry's index number in the list.

Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

Name: This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name.

Log: These are the log options. To edit this, select an item and use the Log icon.

Action: This is the action the Zyxel Device should take when a packet matches a policy. To edit this, select an item and use the Action icon.

Threshold (pkt/sec): (Flood detection only.) Select a suitable threshold level (the number of packets per second that match the flood detection criteria) for your network. If you choose a low threshold, most traffic anomaly attacks will be detected, but you may have more logs and false positives.
If you choose a high threshold, some traffic anomaly attacks may not be detected, but you will have fewer logs and false positives.

OK: Click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page.

Cancel: Click Cancel to return to the profile summary page without saving any changes.

Save: Click Save to save the configuration to the Zyxel Device but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
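The scan and flood policies of Table 233, as an added example that is not the Zyxel Device's detection engine and not part of this User's Guide: a detector run over a constructed packet trace, with a sensitivity preset for scans (distinct ports probed within a sample window), a packets-per-second threshold for floods, a block period applied to the scan source or to the flood destination, and a log-only mode corresponding to the 'monitor profile' described in Section 30.5.2. The sensitivity presets, thresholds, addresses and the trace itself are assumed values constructed for the example, not the device's own.

```python
"""Traffic anomaly detection over a constructed packet trace (added illustration, not the Zyxel
Device's engine). It follows the semantics in Table 233: scan detection counts distinct ports
probed by one source inside a sample window set by the sensitivity level; flood detection counts
packets per second to one destination against a threshold; a scan blocks the source and a flood
blocks the victim destination for the block period; a "monitor profile" (action none) only logs.
The sensitivity presets, thresholds and trace are constructed, not the device's real values."""
from collections import defaultdict

# Hypothetical sensitivity presets: (distinct destination ports, sample window in seconds).
SCAN_SENSITIVITY = {"low": (30, 2.0), "medium": (20, 10.0), "high": (10, 20.0)}

class AnomalyDetector:
    def __init__(self, sensitivity="medium", flood_threshold=100, block_period=30, action="block"):
        self.scan_ports, self.scan_window = SCAN_SENSITIVITY[sensitivity]
        self.flood_threshold = flood_threshold   # packets per second to one destination
        self.block_period = block_period         # seconds
        self.action = action                     # "block" (in-line profile) or "none" (monitor profile)
        self.ports_seen = defaultdict(list)      # src -> [(time, dst_port)] inside the window
        self.pkts_to = defaultdict(list)         # dst -> [time] inside the last second
        self.blocked = {}                        # ip -> time the block expires
        self.logs = []                           # (time, anomaly, ip) for every detection

    def _is_blocked(self, ip, now):
        return ip in self.blocked and now < self.blocked[ip]

    def _detected(self, kind, ip, now):
        self.logs.append((now, kind, ip))        # logged in both in-line and monitor profiles
        if self.action == "block":
            self.blocked[ip] = now + self.block_period
            return "drop"
        return "forward"

    def handle(self, t, src, dst, dst_port):
        """Return "drop" or "forward" for one packet seen at time t (seconds)."""
        if self._is_blocked(src, t) or self._is_blocked(dst, t):
            return "drop"
        # Scan detection: distinct destination ports probed by one source within the window.
        window = [(ts, p) for ts, p in self.ports_seen[src] if t - ts <= self.scan_window] + [(t, dst_port)]
        self.ports_seen[src] = window
        if len({p for _, p in window}) >= self.scan_ports:
            self.ports_seen[src] = []
            return self._detected("port-scan", src, t)
        # Flood detection: packets to one destination in the last second.
        recent = [ts for ts in self.pkts_to[dst] if t - ts <= 1.0] + [t]
        self.pkts_to[dst] = recent
        if len(recent) >= self.flood_threshold:
            self.pkts_to[dst] = []
            return self._detected("flood", dst, t)
        return "forward"

def run_trace(action="block"):
    """Feed a constructed trace: a 25-port probe from one host, then a 60-packet burst at a web
    server, then a legitimate client during and after the flood block."""
    det = AnomalyDetector("medium", flood_threshold=50, block_period=30, action=action)
    server = "192.168.1.10"
    scan = [det.handle(0.1 * i, "10.0.0.9", server, 1 + i) for i in range(25)]
    flood = [det.handle(20 + i / 120, "203.0.113.%d" % (i % 7), server, 80) for i in range(60)]
    client = (det.handle(21, "192.168.1.50", server, 80), det.handle(60, "192.168.1.50", server, 80))
    return {"logs": [(kind, ip) for _, kind, ip in det.logs], "scan": scan, "flood": flood, "client": client}
```

Running `run_trace("none")` produces the same two log entries as `run_trace("block")` but drops nothing, which is exactly the trade-off of a monitor profile: the false positives become visible in the logs before any action can disrupt traffic. Note also that the flood block lands on the victim server's address, so the legitimate client at 192.168.1.50 is refused for the block period as well.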

30.5.4 Protocol Anomaly Profiles
Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes:
· TCP Decoder
· UDP Decoder
· ICMP Decoder
· IP Decoder
Teardrop
When an IP packet is larger than the Maximum Transmission Unit (MTU) configured in the Zyxel Device, it is fragmented using the TCP or ICMP protocol. A Teardrop attack falsifies the offset which defines the size of the fragment and the original packet. A series of IP fragments with overlapping offset fields can cause some systems to crash, hang, or reboot when fragment reassembling is attempted at the destination.
IP Spoofing
IP Spoofing is used to gain unauthorized access to network devices by modifying packet headers so that it appears that the packets originate from a host within a trusted network.
· In an IP Spoof from the WAN, the source address appears to be in the same subnet as a Zyxel Device LAN interface.
· In an IP Spoof from a LAN interface, the source address appears to be in a different subnet from that Zyxel Device LAN interface.
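The Teardrop and IP Spoofing checks described above, written as stand-alone detection logic over constructed IPv4 headers. This is an added example, not code from the Zyxel guide or the Zyxel Device; the LAN subnet, addresses and fragment sizes are constructed for the example.

```python
"""Added example (not from the Zyxel guide): detection logic for two of the
protocol anomalies described above, run over constructed IPv4 headers.

  teardrop_overlap(): flags a fragment series whose offsets overlap
  spoofed_source():   flags a source address on the wrong side of a LAN
                      interface (IP Spoof from the WAN / from a LAN interface)
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
MF_FLAG = 0x2000                          # "more fragments" bit
OFFSET_MASK = 0x1FFF                      # 13-bit fragment offset, in 8-byte units


def parse_ipv4(raw: bytes) -> dict:
    """Pull out the fields a fragment reassembler needs."""
    (ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum,
     src, dst) = IPV4_HDR.unpack_from(raw)
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "proto": proto,
        "more": bool(flags_off & MF_FLAG),
        "offset": (flags_off & OFFSET_MASK) * 8,   # bytes into the original datagram
        "payload_len": total_len - ihl,
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
    }


def build_ipv4(src: str, dst: str, ident: int, offset_units: int,
               more: bool, payload_len: int, proto: int = 17) -> bytes:
    """Header builder used only to construct the sample input below."""
    flags_off = (MF_FLAG if more else 0) | (offset_units & OFFSET_MASK)
    return IPV4_HDR.pack(0x45, 0, 20 + payload_len, ident, flags_off, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)


def teardrop_overlap(fragments: List[bytes]) -> Optional[Tuple[int, int]]:
    """Return (id, offset) of the first fragment whose byte range overlaps data
    already claimed by an earlier fragment of the same datagram, else None.
    Fragments are grouped by (src, dst, id, proto), as a reassembler groups them."""
    claimed: Dict[tuple, List[Tuple[int, int]]] = {}
    for raw in fragments:
        h = parse_ipv4(raw)
        key = (h["src"], h["dst"], h["id"], h["proto"])
        start, end = h["offset"], h["offset"] + h["payload_len"]
        for s, e in claimed.get(key, []):
            if start < e and s < end:          # half-open ranges intersect
                return h["id"], h["offset"]
        claimed.setdefault(key, []).append((start, end))
    return None


def spoofed_source(raw: bytes, lan_subnet: str, arrived_on_wan: bool) -> bool:
    """The IP Spoofing rule above: a packet arriving from the WAN whose source is
    inside the LAN subnet, or one arriving on the LAN interface whose source is
    outside it, is spoofed."""
    src = parse_ipv4(raw)["src"]
    inside = src in ipaddress.IPv4Network(lan_subnet)
    return inside if arrived_on_wan else not inside


# Constructed sample input (addresses and sizes chosen for the example).
LAN_SUBNET = "192.168.1.0/24"
GOOD_SERIES = [  # 1480 bytes, then the rest starting exactly at byte 1480
    build_ipv4("10.0.0.5", "192.168.1.20", 0x1234, 0, True, 1480),
    build_ipv4("10.0.0.5", "192.168.1.20", 0x1234, 1480 // 8, False, 500),
]
TEARDROP_SERIES = [  # second fragment claims byte 24 onward, inside the first
    build_ipv4("10.0.0.5", "192.168.1.20", 0x4242, 0, True, 1480),
    build_ipv4("10.0.0.5", "192.168.1.20", 0x4242, 3, False, 200),
]
WAN_SPOOF = build_ipv4("192.168.1.77", "203.0.113.9", 1, 0, False, 40)

if __name__ == "__main__":
    print("good series overlap:", teardrop_overlap(GOOD_SERIES))
    print("teardrop overlap (id, offset):", teardrop_overlap(TEARDROP_SERIES))
    print("WAN packet with LAN source spoofed:", spoofed_source(WAN_SPOOF, LAN_SUBNET, True))
```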
Figure 392 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly
The following table describes the labels in this screen.

Table 234 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly

LABEL / DESCRIPTION

Name: A name is automatically generated that you can edit. The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
· MyProfile
· mYProfile
· Mymy12_3-4
These are invalid profile names:
· 1mYProfile
· My Profile
· MyProfile?
· Whatalongprofilename123456789012

Description: In addition to the name, type additional information to help you identify this ADP profile.

TCP Decoder/UDP Decoder/ICMP Decoder/IP Decoder: Perform the following actions for each type of decoder.

Activate: To turn on an entry, select it and click Activate.

Inactivate: To turn off an entry, select it and click Inactivate.

Log: To edit an item's log option, select it and use the Log icon. Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly policy.

Action: To edit what action the Zyxel Device takes when a packet matches a policy, select the policy and use the Action icon.
original setting: Select this action to return each rule in a service group to its previously saved configuration.
none: Select this action to have the Zyxel Device take no action when a packet matches a policy.
drop: Select this action to have the Zyxel Device silently drop a packet that matches a policy. Neither sender nor receiver are notified.
reject-sender: Select this action to have the Zyxel Device send a reset to the sender when a packet matches the policy. If it is a TCP attack packet, the Zyxel Device will send a packet with a 'RST' flag. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet.
reject-receiver: Select this action to have the Zyxel Device send a reset to the receiver when a packet matches the policy. If it is a TCP attack packet, the Zyxel Device will send a packet with a 'RST' flag. If it is an ICMP or UDP attack packet, the Zyxel Device will do nothing.
reject-both: Select this action to have the Zyxel Device send a reset to both the sender and receiver when a packet matches the policy. If it is a TCP attack packet, the Zyxel Device will send a packet with a 'RST' flag to the receiver and sender. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet.

#: This is the entry's index number in the list.

Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

Name: This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name.

Table 234 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly (continued)

LABEL / DESCRIPTION

Log: These are the log options. To edit this, select an item and use the Log icon.

Action: This is the action the Zyxel Device should take when a packet matches a policy. To edit this, select an item and use the Action icon.

OK: Click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page.

Cancel: Click Cancel to return to the profile summary page without saving any changes.

Save: Click Save to save the configuration to the Zyxel Device but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.

30.6 The Session Control Screen
Click Configuration > Security Policy > Session Control to display the Security Policy Session Control screen. Use this screen to limit the number of concurrent NAT/Security Policy sessions a client can use. You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both.
Figure 393 Configuration > Security Policy > Session Control

The following table describes the labels in this screen.

Table 235 Configuration > Security Policy > Session Control

LABEL / DESCRIPTION

General Settings

UDP Session Time Out: Set how many seconds the Zyxel Device will allow a UDP session to remain idle (without UDP traffic) before closing it.

Session Limit Settings

Enable Session limit: Select this check box to control the number of concurrent sessions hosts can have.

IPv4 / IPv6 Configuration: This table lists the rules for limiting the number of concurrent sessions hosts can have.

Default Session per Host: This field is configurable only when you enable session limit. Use this field to set a common limit to the number of concurrent NAT/Security Policy sessions each client computer can have.
If only a few clients use peer to peer applications, you can raise this number to improve their performance. With heavy peer to peer application use, lower this number to ensure no single client uses too many of the available NAT sessions.
Create rules below to apply other limits for specific users or addresses.

Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate: To turn on an entry, select it and click Activate.

Inactivate: To turn off an entry, select it and click Inactivate.

Move: To change a rule's position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
The ordering of your rules is important as they are applied in order of their numbering.

#: This field is a sequential value showing the number of the profile. The profile order is not important.

Status: This icon is lit when the entry is active and dimmed when the entry is inactive.

#: This is the index number of a session limit rule. It is not associated with a specific rule.

User: This is the user name or user group name to which this session limit rule applies.

IPv4 / IPv6 Address: This is the IPv4 / IPv6 address object, including geographic address (group) objects, to which this session limit rule applies.

Description: This is the information configured to help you identify the rule.

Limit: This is how many concurrent sessions this user or address is allowed to have.

Apply: Click Apply to save your changes back to the Zyxel Device.

Reset: Click Reset to return the screen to its last-saved settings.

30.6.1 The Session Control Add/Edit Screen
Click Configuration > Security Policy > Session Control and the Add or Edit icon to display the Add or Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses.
Figure 394 Configuration > Security Policy > Session Control > Edit

The following table describes the labels in this screen.

Table 236 Configuration > Security Policy > Session Control > Add / Edit

LABEL / DESCRIPTION

Create new Object: Use to configure new settings for User or Address objects that you need to use in this screen. Click on the down arrow to see the menu.

Enable Rule: Select this check box to turn on this session limit rule.

Description: Enter information to help you identify this rule. Use up to 60 printable ASCII characters. Spaces are allowed.

User: Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out.
Otherwise, select any and there is no need for user logging.
Note: If you specified an IP address (or address group) instead of any in the field below, the user's IP address should be within the IP address range.

Address: Select the IPv4 source address or address group, including geographic address (group) object, to which this rule applies. Select any to apply the rule to all IPv4 source addresses.

IPv6 Address: Select the IPv6 source address or address group, including geographic address (group) object, to which this rule applies. Select any to apply the rule to all IPv6 source addresses.

Session Limit per Host: Use this field to set a limit to the number of concurrent NAT/Security Policy sessions this rule's users or addresses can have.
For this rule's users and addresses, this setting overrides the Default Session per Host setting in the general Security Policy Session Control screen.

OK: Click OK to save your customized settings and exit this screen.

Cancel: Click Cancel to exit this screen without saving.
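A model of the session limit lookup that the two Session Control screens describe: the Default Session per Host applies unless an enabled rule matches, rules are checked in list order, and a rule that names both a user and an address matches only while that user is logged in from an IP inside the address (the Note above). This is an added example, not the Zyxel Device's own code; the user name, subnets and limits are constructed.

```python
"""Added example (not from the Zyxel guide): per-host session limiting with a
default limit and ordered user/address override rules, as described in
Sections 30.6 and 30.6.1.  All rule values below are constructed."""
from dataclasses import dataclass, field
import ipaddress
from typing import Dict, List, Optional


@dataclass
class SessionLimitRule:
    """One row of the IPv4 / IPv6 Configuration table."""
    enabled: bool
    user: str        # user or user group name, or "any"
    address: str     # address object as CIDR, or "any"
    limit: int       # Session Limit per Host for this rule
    description: str = ""

    def matches(self, host_ip: str, logged_in_user: Optional[str]) -> bool:
        if not self.enabled:                      # inactive rows are skipped
            return False
        # A user rule is active only while that user is logged in.
        if self.user != "any" and logged_in_user != self.user:
            return False
        # Note from the Add/Edit screen: with an address specified, the user's
        # IP must also be inside that range for the rule to apply.
        if self.address != "any":
            if ipaddress.ip_address(host_ip) not in ipaddress.ip_network(self.address):
                return False
        return True


@dataclass
class SessionControl:
    """Default Session per Host plus the ordered rule list and live counters."""
    default_per_host: int
    rules: List[SessionLimitRule] = field(default_factory=list)
    active: Dict[str, int] = field(default_factory=dict)  # host_ip -> open sessions

    def limit_for(self, host_ip: str, logged_in_user: Optional[str] = None) -> int:
        """The individual limit takes priority over the default; first match wins."""
        for rule in self.rules:
            if rule.matches(host_ip, logged_in_user):
                return rule.limit
        return self.default_per_host

    def open_session(self, host_ip: str, logged_in_user: Optional[str] = None) -> bool:
        """Admit a new NAT/Security Policy session if the host is under its limit."""
        if self.active.get(host_ip, 0) >= self.limit_for(host_ip, logged_in_user):
            return False
        self.active[host_ip] = self.active.get(host_ip, 0) + 1
        return True

    def close_session(self, host_ip: str) -> None:
        """Release one session for the host (e.g. on UDP idle time out)."""
        if self.active.get(host_ip, 0) > 0:
            self.active[host_ip] -= 1


def build_example() -> SessionControl:
    """Constructed configuration: a modest default, a higher limit for the
    'ceo' user on the LAN1 subnet, and a tight cap for a guest subnet.  The
    disabled row sits before the guest row to show that it is ignored."""
    return SessionControl(
        default_per_host=100,
        rules=[
            SessionLimitRule(True, "ceo", "192.168.1.0/24", 1000, "CEO on LAN1"),
            SessionLimitRule(False, "any", "192.168.2.0/24", 5000, "disabled row"),
            SessionLimitRule(True, "any", "192.168.2.0/24", 20, "guest subnet"),
        ],
    )


def exhaust(ctl: SessionControl, host_ip: str, user: Optional[str] = None) -> int:
    """Open sessions until the host is refused; return how many were admitted."""
    admitted = 0
    while ctl.open_session(host_ip, user):
        admitted += 1
    return admitted


if __name__ == "__main__":
    ctl = build_example()
    print("ceo on LAN1:", ctl.limit_for("192.168.1.7", "ceo"))
    print("ceo elsewhere:", ctl.limit_for("10.9.9.9", "ceo"))
    print("guest host admitted:", exhaust(ctl, "192.168.2.3"))
```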

30.7 Security Policy Example Applications
Suppose you decide to block LAN users from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN Security Policy that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need the Security Policy to always be in effect. The following figure shows the results of this policy.

Figure 395 Blocking All LAN to WAN IRC Traffic Example

Your Security Policy would have the following settings.

Table 237 Blocking All LAN to WAN IRC Traffic Example

#  USER  SOURCE  DESTINATION  SCHEDULE  SERVICE  ACTION
1  Any   Any     Any          Any       IRC      Deny
2  Any   Any     Any          Any       Any      Allow

· The first row blocks LAN access to the IRC service on the WAN.
· The second row is the Security Policy's default policy that allows all LAN1 to WAN traffic.
The Zyxel Device applies the security policies in order. So for this example, when the Zyxel Device receives traffic from the LAN, it checks it against the first policy. If the traffic matches (if it is IRC traffic) the security policy takes the action in the policy (drop) and stops checking the subsequent security policies. Any traffic that does not match the first security policy will match the second security policy and the Zyxel Device forwards it.
Now suppose you need to let the CEO use IRC. You configure a LAN1 to WAN security policy that allows IRC traffic from the IP address of the CEO's computer. You can also configure a LAN to WAN policy that allows IRC traffic from any computer through which the CEO logs into the Zyxel Device with his/her user name. In order to make sure that the CEO's computer always uses the same IP address, make sure it either:
· has a static IP address, or
· has a static DHCP entry configured for it so the Zyxel Device always assigns it the same IP address.
Now you configure a LAN1 to WAN security policy that allows IRC traffic from the IP address of the CEO's computer (172.16.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the security policy to always be in effect. The following figure shows the results of your two custom policies.

Figure 396 Limited LAN to WAN IRC Traffic Example

Your security policy would have the following configuration.

Table 238 Limited LAN1 to WAN IRC Traffic Example 1

#  USER  SOURCE      DESTINATION  SCHEDULE  SERVICE  ACTION
1  Any   172.16.1.7  Any          Any       IRC      Allow
2  Any   Any         Any          Any       IRC      Deny
3  Any   Any         Any          Any       Any      Allow

· The first row allows the LAN1 computer at IP address 172.16.1.7 to access the IRC service on the WAN.
· The second row blocks LAN1 access to the IRC service on the WAN.
· The third row is the default policy of allowing all traffic from the LAN1 to go to the WAN.

Alternatively, you configure a LAN1 to WAN policy with the CEO's user name (say CEO) to allow IRC traffic from any source IP address to go to any destination address.

Your Security Policy would have the following settings.

Table 239 Limited LAN1 to WAN IRC Traffic Example 2

#  USER  SOURCE  DESTINATION  SCHEDULE  SERVICE  ACTION
1  CEO   Any     Any          Any       IRC      Allow
2  Any   Any     Any          Any       IRC      Deny
3  Any   Any     Any          Any       Any      Allow

· The first row allows any LAN1 computer to access the IRC service on the WAN by logging into the Zyxel Device with the CEO's user name.
· The second row blocks LAN1 access to the IRC service on the WAN.
· The third row is the default policy of allowing all traffic from the LAN1 to go to the WAN.
The policy for the CEO must come before the policy that blocks all LAN1 to WAN IRC traffic. If the policy that blocks all LAN1 to WAN IRC traffic came first, the CEO's IRC traffic would match that policy and the Zyxel Device would drop it and not check any other security policies.
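The three tables above replayed through a first-match evaluator, including the misordering the last paragraph warns about. This is an added example, not code from the Zyxel guide; the flows and the 203.0.113.10 IRC server address are constructed, and the schedule column is treated as always in effect since every row uses Any.

```python
"""Added example (not from the Zyxel guide): first-match evaluation of the
LAN1-to-WAN security policies in Tables 237 to 239.  Flows are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """One row of the tables; 'Any' in a column matches every value."""
    user: str
    source: str
    destination: str
    schedule: str
    service: str
    action: str


@dataclass(frozen=True)
class Flow:
    """A LAN1 to WAN connection attempt (constructed for the example)."""
    user: Optional[str]   # user name the sender logged in with, or None
    src_ip: str
    dst_ip: str
    service: str


def column_matches(rule_value: str, actual: Optional[str]) -> bool:
    return rule_value == "Any" or rule_value == actual


def evaluate(policies: List[Policy], flow: Flow) -> str:
    """The first matching row decides and later rows are not checked, as the
    text describes.  Schedule is not evaluated because every row is 'Any'."""
    for rule in policies:
        if (column_matches(rule.user, flow.user)
                and column_matches(rule.source, flow.src_ip)
                and column_matches(rule.destination, flow.dst_ip)
                and column_matches(rule.service, flow.service)):
            return rule.action
    raise LookupError("no row matched; these tables always end in an Any/Allow row")


TABLE_237 = [
    Policy("Any", "Any", "Any", "Any", "IRC", "Deny"),
    Policy("Any", "Any", "Any", "Any", "Any", "Allow"),
]
TABLE_238 = [
    Policy("Any", "172.16.1.7", "Any", "Any", "IRC", "Allow"),
    Policy("Any", "Any", "Any", "Any", "IRC", "Deny"),
    Policy("Any", "Any", "Any", "Any", "Any", "Allow"),
]
TABLE_239 = [
    Policy("CEO", "Any", "Any", "Any", "IRC", "Allow"),
    Policy("Any", "Any", "Any", "Any", "IRC", "Deny"),
    Policy("Any", "Any", "Any", "Any", "Any", "Allow"),
]
# The misordering the text warns about: the IRC deny row placed before the CEO row.
TABLE_239_WRONG_ORDER = [TABLE_239[1], TABLE_239[0], TABLE_239[2]]

# Constructed flows; 203.0.113.10 stands in for an Internet IRC server.
CEO_PC_IRC = Flow(None, "172.16.1.7", "203.0.113.10", "IRC")
OTHER_PC_IRC = Flow(None, "172.16.1.20", "203.0.113.10", "IRC")
CEO_LOGIN_IRC = Flow("CEO", "172.16.1.20", "203.0.113.10", "IRC")
OTHER_PC_HTTP = Flow(None, "172.16.1.20", "203.0.113.10", "HTTP")

if __name__ == "__main__":
    print("Table 237, CEO PC IRC:", evaluate(TABLE_237, CEO_PC_IRC))
    print("Table 238, CEO PC IRC:", evaluate(TABLE_238, CEO_PC_IRC))
    print("Table 239, CEO login IRC:", evaluate(TABLE_239, CEO_LOGIN_IRC))
    print("Table 239 misordered, CEO login IRC:",
          evaluate(TABLE_239_WRONG_ORDER, CEO_LOGIN_IRC))
```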

CHAPTER 31
Application Patrol
31.1 Overview
Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application's individual features (like text messaging, voice, video conferencing, and file transfers).
31.1.1 What You Can Do in this Chapter
· Use the App Patrol summary screen (see Section 31.2 on page 587) to manage the application patrol profiles. You can also view license registration and signature information.
· Use the App Patrol Add/Edit screens (see Section 31.2.2 on page 591 and Section 31.2.3 on page 592) to set actions for application categories and for specific applications within the category.
31.1.2 What You Need to Know
If you want to use a service, make sure both the Security Policy and application patrol allow the service's packets to go through the Zyxel Device.
Note: The Zyxel Device checks security policies before it checks application patrol rules for traffic going through the Zyxel Device.
Application patrol examines every TCP and UDP connection passing through the Zyxel Device and identifies what application is using the connection. Then, you can specify whether or not the Zyxel Device continues to route the connection. Traffic not recognized by the application patrol signatures is ignored.
Application Profiles & Policies
An application patrol profile is a group of categories of application patrol signatures. For each profile, you can specify the default action the Zyxel Device takes once a packet matches a signature (forward, drop, or reject a service's connections and/or create a log alert).
Use policies to link profiles to traffic flows based on criteria such as source zone, destination zone, source address, destination address, schedule, and user.
Classification of Applications
There are two ways the Zyxel Device can identify the application. The first is called auto. The Zyxel Device looks at the IP payload (OSI level-7 inspection) and attempts to match it with known patterns for specific applications. Usually, this occurs at the beginning of a connection, when the payload is more consistent across connections, and the Zyxel Device examines several packets to make sure the match is correct. Before confirmation, packets are forwarded by App Patrol with no action taken. The number of packets inspected before confirmation varies by signature.
Note: The Zyxel Device allows the first eight packets to go through the security policy, regardless of the application patrol policy for the application. The Zyxel Device examines these first eight packets to identify the application.
The second approach is called service ports. The Zyxel Device uses only OSI level-4 information, such as ports, to identify what application is using the connection. This approach is available in case the Zyxel Device identifies a lot of "false positives" for a particular application.
Custom Ports for SIP and the SIP ALG
Configuring application patrol to use custom port numbers for SIP traffic also configures the SIP ALG to use the same port numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic.
31.2 Application Patrol Profile
Use the application patrol screens to customize action and log settings for a group of application patrol signatures. You then link a profile to a policy. Use this screen to create an application patrol profile, and view signature information. It also lists the registration status and details about the signature set the Zyxel Device is using.
Note: You must register for the AppPatrol signature service (at least the trial) before you can use it.
A profile is an application object(s) or application group(s) that has customized action and log settings. Click Configuration > Security Service > App Patrol to open the following screen. Click the Application Patrol icon for more information on the Zyxel Device's security features.
Figure 397 Configuration > Security Service > App Patrol
The following table describes the labels in this screen.

Table 240 Configuration > Security Service > App Patrol

LABEL / DESCRIPTION

Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove: Select an entry and click Remove to delete the selected entry.

References: Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen.

#: This field is a sequential value showing the number of the profile. The profile order is not important.

Name: This displays the name of the profile created.

Description: This displays the description of the App Patrol Profile.

Scan Option: This field displays the scan options from the App Patrol profile.

Reference: This displays the number of times an object reference is used in a profile.

Action: Click this icon to apply the entry to a security policy. Go to the Configuration > Security Policy > Policy Control screen to check the result.

Signature Information: The following fields display information on the current signature set that the Zyxel Device is using.

Current Version: This field displays the App Patrol signature set version number. This number gets larger as the set is enhanced.

Signature Number: This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.

Released Date: This field displays the date and time the set was released.

Update Signatures: Click this link to go to the screen you can use to download signatures from the update server.

31.2.1 Profile Action: Apply to a Security Policy
Click the icon in the Action field of an existing application patrol profile to apply the profile to a security policy.
Go to the Configuration > Security Policy > Policy Control screen to check the result.

Figure 398 Configuration > Security Service > App Patrol > Action

The following table describes the labels in this screen.

Table 241 Configuration > Security Service > App Patrol > Action

LABEL / DESCRIPTION

Show Filter/Hide Filter: Click Show Filter to display IPv4 and IPv6 (if enabled) security policy search filters.

IPv4 / IPv6 Configuration: Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on direction, application, user, source, destination and/or schedule.

From / To: Select a zone to view all security policies from a particular zone and/or to a particular zone. any means all zones.

Table 241 Configuration > Security Service > App Patrol > Action (continued)

LABEL / DESCRIPTION

IPv4 / IPv6 Source: Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 source address object used.
· An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7.
· A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

IPv4 / IPv6 Destination: Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 destination address object used.
· An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7.
· A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

Service: View all security policies based on the service object used.

User: View all security policies based on the user or user group object used.

Schedule: View all security policies based on the schedule object used.

Priority: This is the position of your Security Policy in the global policy list (including all through-Zyxel Device and to-Zyxel Device policies). The ordering of your policies is important as policies are applied in sequence. Default displays for the default Security Policy behavior that the Zyxel Device performs on traffic that does not match any other Security Policy.

Status: This icon is lit when the entry is active and dimmed when the entry is inactive.

Name: This is the name of the Security policy.

From / To: This is the direction of travel of packets. Select from which zone the packets come and to which zone they go.
Security Policies are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN.
From any displays all the Security Policies for traffic going to the selected To Zone.
To any displays all the Security Policies for traffic coming from the selected From Zone.
From any to any displays all of the Security Policies.
To ZyWALL policies are for traffic that is destined for the Zyxel Device and control which computers can manage the Zyxel Device.

IPv4 / IPv6 Source: This displays the IPv4 / IPv6 source address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.

IPv4 / IPv6 Destination: This displays the IPv4 / IPv6 destination address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.

Service: This displays the service object to which this Security Policy applies.

User: This is the user name or user group name to which this Security Policy applies.

Schedule: This field tells you the schedule object that the policy uses. none means the policy is active at all times if enabled.

Action: This field displays whether the Security Policy silently discards packets without notification (deny), permits the passage of packets (allow) or drops packets with notification (reject).

Log: Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above.

Profile: This field shows you which Security Service profiles (application patrol, content filter, IDP, anti-malware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly.

OK: Click OK to save your changes back to the Zyxel Device.

Cancel: Click Cancel to exit this screen without saving.

31.2.2 Application Patrol Profile > Add/Edit - My Application
Use this screen to configure profile settings. Click Configuration > Security Service > App Patrol > Add/Edit, then click My Application to open the following screen.
Figure 399 Configuration > Security Service > App Patrol > Add/Edit > My Application

The following table describes the labels in this screen.

Table 242 Configuration > Security Service > App Patrol > Add/Edit > My Application

LABEL / DESCRIPTION

General Settings

Name: Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
· MyProfile
· mYProfile
· Mymy12_3-4
These are invalid profile names:
· 1mYProfile
· My Profile
· MyProfile?
· Whatalongprofilename123456789012

Description: Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.

Total Category(s): This field displays the total number of the selected category(ies) in the Query Result screen.

Total Application(s): This field displays the total number of the selected applications in the Query Result screen.

Remove: Select an entry and click Remove to delete the selected entry.

Table 242 Configuration > Security Service > App Patrol > Add/Edit > My Application (continued)

LABEL / DESCRIPTION

Log: Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when traffic matches a signature in this category.

Action: Select the default action for all signatures in this category.
forward - the Zyxel Device routes packets that match these signatures.
drop - the Zyxel Device silently drops packets that match these signatures without notification.
reject - the Zyxel Device drops packets that match these signatures and sends notification.

#: This field is a sequential value showing the number of the profile. The profile order is not important.

Application: This field displays the application name of the policy.

Category: This field displays the category type of the application.

Tag: This field displays the tag information of the application.

Action: Select the default action for all signatures in this category.
forward - the Zyxel Device routes packets that match these signatures.
drop - the Zyxel Device silently drops packets that match these signatures without notification.
reject - the Zyxel Device drops packets that match these signatures and sends notification.

Log: Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when traffic matches a signature in this category.

Save & Exit: A profile consists of separate category editing screens. If you want to configure just one category for a profile, click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page.

Cancel: Click Cancel to return to the profile summary page without saving any changes.

Save: If you want to configure more than one category for a profile, click Save to save your settings to the Zyxel Device without leaving this page.

31.2.3 Application Patrol Profile > Add/Edit - Query Result
Click Configuration > Security Service > App Patrol > Add, then click Query Result to search for certain applications within a specific category, and the selected applications will be added to the My Application screen. You can also click an existing profile, click Edit (or double-click it), then click Query Result to open the following screen.

Figure 400 Configuration > Security Service > App Patrol > Add/Edit > Query Result

The following table describes the labels in this screen.

Table 243 Configuration > Security Service > App Patrol > Add/Edit > Query Result

LABEL / DESCRIPTION

General Settings

Name: Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
· MyProfile
· mYProfile
· Mymy12_3-4
These are invalid profile names:
· 1mYProfile
· My Profile
· MyProfile?
· Whatalongprofilename123456789012

Description: Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.

Search Application(s) By Name: Enter a name to search for relevant applications.

Search Application(s) By Category: Select a category(ies) below to search for relevant applications.

Filter by Tags: Add or delete a tag(s) to display or not display an application(s).

#: This field is a sequential value showing the number of the profile. The profile order is not important.

Application: This field displays the application name of the policy.

Category: This field displays the category type of the application.

Table 243 Configuration > Security Service > App Patrol > Add/Edit > Query Result (continued)

LABEL / DESCRIPTION

Tag: This field displays the tag information of the policy.

Action: Select the default action for all signatures in this category.
forward - the Zyxel Device routes packets that match these signatures.
drop - the Zyxel Device silently drops packets that match these signatures without notification.
reject - the Zyxel Device drops packets that match these signatures and sends notification.

Log: Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when traffic matches a signature in this category.

Add to My Application: Select an application(s) to show in the My Application profile screen.

Reset: Click this button to reset the fields to default settings.

Cancel: Click Cancel to return to the profile summary page without saving any changes.

CHAPTER 32
Content Filter
32.1 Overview
Use the content filtering feature to control access to specific web sites or web content.
32.1.1 What You Can Do in this Chapter
· Use the Filter Profile screens (Section 32.2 on page 597) to set up content filtering profiles.
· Use the Trusted Web Sites screens (Section 32.3 on page 616) to create a common list of good (allowed) web site addresses.
· Use the Forbidden Web Sites screens (Section 32.4 on page 617) to create a common list of bad (blocked) web site addresses.
32.1.2 What You Need to Know

Content Filtering
Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filter policies for different addresses, schedules, users or groups and content filter profiles. For example, you can configure one policy that blocks John Doe's access to arts and entertainment web pages during the workday and another policy that lets him access them after work.

Content Filtering Policies
A content filtering policy allows you to do the following.
· Use schedule objects to define when to apply a content filter profile.
· Use address and/or user/group objects to define to whose web access to apply the content filter profile.
· Apply a content filter profile that you have custom-tailored.

Content Filtering Profiles
A content filtering profile conveniently stores your custom settings for the following features.
· Category-based Blocking
The Zyxel Device can block access to particular categories of web site content, such as pornography or racial intolerance.
· Restrict Web Features
The Zyxel Device can disable web proxies and block web features such as ActiveX controls, Java applets and cookies.
· Customize Web Site Access
You can specify URLs to which the Zyxel Device blocks access. You can alternatively block access to all URLs except ones that you specify. You can also have the Zyxel Device block access to URLs that contain particular keywords.
Content Filtering Configuration Guidelines
When the Zyxel Device receives an HTTP request, the content filter searches for a policy that matches the source address and time (schedule). The content filter checks the policies in order (based on the policy numbers). When a matching policy is found, the content filter allows or blocks the request depending on the settings of the filtering profile specified by the policy. A request that matches no policy is handled by the default policy: the Zyxel Device blocks it if the default policy is set to block and allows it otherwise.
External Web Filtering Service
When you register for and enable the external web filtering service, your Zyxel Device accesses an external database that has millions of web sites categorized based on content. You can have the Zyxel Device block and/or log access to web sites based on these categories.
HTTPS Domain Filter
HTTPS Domain Filter works with the Content Filter category feature to identify HTTPS traffic and take appropriate action. SSL Inspection identifies HTTPS traffic for all Security Service traffic and has higher priority than HTTPS Domain Filter. HTTPS Domain Filter only identifies keywords in the domain name of a URL and matches it to a category. For example, if the keyword is 'picture' and the URL is https://www.google.com/picture/index.htm, then HTTPS Domain Filter cannot identify 'picture' because that keyword is not in the domain name 'www.google.com'. However, SSL Inspection can identify 'picture' in the URL https://www.google.com/picture/index.htm. The reason is that without SSL Inspection the Zyxel Device sees only the TLS handshake, in which the client sends the server name (SNI) in clear text, while the path and query string travel inside the encrypted request.
Keyword Blocking URL Checking
The Zyxel Device checks the URL's domain name (or IP address) and file path separately when performing keyword blocking.
The URL's domain name or IP address is the characters that come before the first slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the domain name is www.zyxel.com.tw.
The file path is the characters that come after the first slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the file path is news/pressroom.php.
Since the Zyxel Device checks the URL's domain name (or IP address) and file path separately, it will not find items that span the two. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the Zyxel Device would find "tw" in the domain name (www.zyxel.com.tw). It would also find "news" in the file path (news/pressroom.php), but it would not find "tw/news".
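The two rules described above (ordered policy lookup that falls through to the default policy, and keyword matching done separately on the domain name and the file path) are small enough to model exactly. The following Python is an added example, not Zyxel code: the Policy and Profile classes, the CIDR string standing in for an address object, the same-day time window standing in for a schedule object, and the sample URL and keyword list are all constructed for it.

```python
"""Added example (not Zyxel code): ordered content-filter policy lookup and
keyword blocking as this chapter describes them. Policy, Profile and the
sample data below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


def split_url(url: str):
    """Return (domain_or_ip, file_path): the part before the first slash and
    the part after it, which the keyword check inspects separately."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    path = parts.path.lstrip("/")
    if parts.query:
        path += "?" + parts.query
    return parts.netloc.lower(), path


def keyword_hits(url: str, keywords):
    """Keywords found in the domain OR in the path. A keyword that spans the
    slash (such as 'tw/news') can never match, because the two parts are
    checked independently."""
    domain, path = split_url(url)
    return [k for k in keywords if k.lower() in domain or k.lower() in path]


@dataclass
class Profile:
    name: str
    blocked_keywords: list = field(default_factory=list)


@dataclass
class Policy:
    source: str      # source address object, here a CIDR string
    start: time      # schedule object, here a same-day time window
    end: time
    profile: Profile


def first_matching_policy(policies, src_ip: str, when: datetime):
    """Policies are tried in list order; the first whose source address and
    schedule both match wins, like the numbered policy list on the device."""
    ip = ip_address(src_ip)
    for p in policies:
        if ip in ip_network(p.source) and p.start <= when.time() <= p.end:
            return p
    return None


def decide(policies, default_block: bool, src_ip: str, when: datetime, url: str) -> str:
    """'block' or 'allow' for one HTTP request."""
    policy = first_matching_policy(policies, src_ip, when)
    if policy is None:
        # No policy matched: the default policy decides.
        return "block" if default_block else "allow"
    return "block" if keyword_hits(url, policy.profile.blocked_keywords) else "allow"


# Constructed sample configuration: block 'news' for the LAN during office hours.
WORKDAY = Profile("workday", blocked_keywords=["news"])
POLICIES = [Policy("192.168.1.0/24", time(9, 0), time(17, 0), WORKDAY)]
OFFICE_HOURS = datetime(2020, 10, 5, 10, 0)
EVENING = datetime(2020, 10, 5, 19, 0)
URL = "www.zyxel.com.tw/news/pressroom.php"

if __name__ == "__main__":
    print(keyword_hits(URL, ["tw", "news", "tw/news"]))               # ['tw', 'news']
    print(decide(POLICIES, False, "192.168.1.20", OFFICE_HOURS, URL))  # block
    print(decide(POLICIES, False, "192.168.1.20", EVENING, URL))       # allow
    print(decide(POLICIES, True, "10.0.0.5", OFFICE_HOURS, URL))       # block
```

The evening request is allowed only because the default policy is not set to block; with default_block set to True the same request, and any request from a source no policy covers, is blocked. That is the decision to make deliberately when the policy list does not cover every subnet.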
Finding Out More
· See Section 32.5 on page 618 for content filtering background/technical information.

32.1.3 Before You Begin
· You must configure an address object, a schedule object and a filtering profile before you can set up a content security policy.
· You must have a Content Filtering license (subscription) to use the external database content filtering (see the Licensing > Registration screens).
32.2 Content Filter Profile Screen
Click Configuration > Security Service > Content Filter > Profile to open the Content Filter Profile screen. Use this screen to enable content filtering, view and order your list of content filter policies, create a denied access message or specify a redirect URL, and check your external web filtering service registration status. Click the Content Filter icon for more information on the Zyxel Device's security features.

Figure 401 Configuration > Security Service > Content Filter > Profile

The following table describes the labels in this screen.

Table 244 Configuration > Security Service > Content Filter > Profile

General Settings

Enable HTTPS Domain Filter for HTTPS traffic
Select this check box to have the Zyxel Device block HTTPS web pages using the cloud category service.
In an HTTPS connection, the Zyxel Device can extract the Server Name Indication (SNI) from a client request, check if it matches a category in the cloud content filter and then take appropriate action. The keyword match is for the domain name only, because the path of an HTTPS request is encrypted and is not visible to the Zyxel Device unless SSL Inspection is used.

Enable Content Filter HTTPS Domain Filter Block/Warn Page
Select this to have the Zyxel Device display a warning page instead of a blank page when an HTTPS connection is redirected.

Block/Warn Page Port
Use the default port number as displayed for the warning page. If you change it, the new port number must not be used by any other service on the Zyxel Device.

Drop connection when HTTPS connection with SSL V3 or previous version
Select this check box to have the Zyxel Device drop HTTPS connections that use SSL v3 or an earlier version. These protocol versions are obsolete; leave this enabled unless you must support legacy clients.

Content Filter Category Service Timeout
Specify the allowable time period in seconds for accessing the external web filtering service's server.

Denied Access Message
Enter a message to be displayed when the content filter blocks access to a web page. Use up to 127 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%,"). For example, "Access to this web page is not allowed. Please contact the network administrator".
You can also leave this field blank if you have a URL specified in the Redirect URL field. In this case, if the content filter blocks access to a web page, the Zyxel Device just opens the web page you specified without showing a denied access message.

Redirect URL
Enter the URL of the web page to which you want to send users when their web access is blocked by the content filter. The web page you specify here opens in a new frame below the denied access message.
Use "http://" or "https://" followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\._!~*'()%). For example, http://192.168.1.17/blocked access.

Profile Management

Add
Click Add to create a new content filter profile.

Edit
Click Edit to make changes to a content filter profile.

Remove
Click Remove to delete a content filter profile.

References
Select an entry and click References to open a screen that shows which settings use the entry.

Refresh
Click Refresh to update the information on this screen.

#
This column lists the index numbers of the content filter profiles.

Name
This column lists the names of the content filter profiles.

Description
This column lists the descriptions of the content filter profiles.

Reference
This displays the number of times an object reference is used in a rule.

Action
Click this icon to apply the content filter profile to a security policy. Go to the Configuration > Security Policy > Policy Control screen to check the result.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.
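The HTTPS Domain Filter row in Table 244 says the Zyxel Device extracts the Server Name Indication (SNI) from the client's request and matches the domain name only, and the SSL V3 row says it can drop handshakes that use SSL 3.0 or earlier. The following Python, an added example rather than Zyxel code, shows what that decision looks like on the wire: it parses the client version and SNI out of a TLS ClientHello and applies the domain-only check. The ClientHello bytes come from build_client_hello, a constructed test vector, and the keyword list and the 'drop'/'block'/'pass' results are this example's own conventions.

```python
"""Added example (not Zyxel code): extract the Server Name Indication (SNI)
from a TLS ClientHello and apply the domain-only checks an HTTPS domain
filter can make without decrypting the session. The ClientHello bytes are
constructed by build_client_hello for this example."""
import struct

SSL3_VERSION = 0x0300


def _u16(b, i):
    return struct.unpack_from("!H", b, i)[0]


def parse_client_hello(record: bytes):
    """Return (client_version, sni) from a TLS record carrying a ClientHello.
    sni is None when the extension is absent (for example a bare IP connection)."""
    if len(record) < 5 or record[0] != 0x16:      # content type: handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if not body or body[0] != 0x01:                # handshake type: ClientHello
        raise ValueError("not a ClientHello")
    i = 4                                           # skip type + 24-bit length
    client_version = _u16(body, i); i += 2
    i += 32                                         # random
    i += 1 + body[i]                                # session id
    i += 2 + _u16(body, i)                          # cipher suites
    i += 1 + body[i]                                # compression methods
    if i >= len(body):
        return client_version, None                # no extensions at all
    ext_end = i + 2 + _u16(body, i); i += 2
    while i + 4 <= ext_end:
        ext_type, ext_len = _u16(body, i), _u16(body, i + 2)
        i += 4
        if ext_type == 0x0000:                      # server_name extension
            # list length(2) | name type(1) | name length(2) | host name
            name_len = _u16(body, i + 3)
            return client_version, body[i + 5:i + 5 + name_len].decode("ascii")
        i += ext_len
    return client_version, None


def build_client_hello(sni, version=0x0303) -> bytes:
    """Constructed test vector: a minimal ClientHello, optionally with SNI."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        sn = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(sn)) + sn
        ext = struct.pack("!HH", 0, len(sn_list)) + sn_list
    hello = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"     # version, random, empty session id
             + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
             + b"\x01\x00")                                          # one compression method: null
    if ext:
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(hs)) + hs


def https_domain_filter(record: bytes, blocked_keywords, drop_legacy_ssl=True) -> str:
    """Domain-only decision: the request path is encrypted, so only the SNI
    can be matched. Returns 'drop', 'block' or 'pass'."""
    version, sni = parse_client_hello(record)
    if drop_legacy_ssl and version <= SSL3_VERSION:
        return "drop"                               # SSL 3.0 or earlier
    if sni is None:
        return "pass"                               # nothing to categorize
    return "block" if any(k in sni.lower() for k in blocked_keywords) else "pass"


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("www.google.com")))          # (771, 'www.google.com')
    print(https_domain_filter(build_client_hello("www.google.com"), ["picture"]))        # pass
    print(https_domain_filter(build_client_hello("pictures.example.net"), ["picture"]))  # block
    print(https_domain_filter(build_client_hello("www.example.com", 0x0300), []))       # drop
```

Because the path never appears in the handshake, a keyword such as 'picture' in https://www.google.com/picture/index.htm is invisible here, while the same keyword in the host name is caught. The SNI is also client-supplied and unauthenticated: a client can omit it or send a different name, which is a limit of any SNI-based filter; SSL Inspection, which the guide says takes priority, sees the decrypted request itself.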

32.2.1 Apply to a Security Policy
Click the icon in the Action field to apply the entry to a security policy.
Go to the Configuration > Security Policy > Policy Control screen to check the result.

Figure 402 Configuration > Security Service > Content Filter > Action

The following table describes the labels in this screen.

Table 245 Configuration > Security Service > Content Filter > Action

Show Filter / Hide Filter
Click Show Filter to display the IPv4 and IPv6 (if enabled) security policy search filters; click Hide Filter to hide them.

IPv4 / IPv6 Configuration
Use the IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on direction, application, user, source, destination and/or schedule.

From / To
Select a zone to view all security policies from a particular zone and/or to a particular zone. any means all zones.

IPv4 / IPv6 Source
Type an IPv4 or IPv6 address to view all security policies based on the IPv4 / IPv6 source address object used.
· An IPv4 address is written as four decimal numbers separated by periods, for example 172.16.6.7.
· A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:), for example 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

IPv4 / IPv6 Destination
Type an IPv4 or IPv6 address to view all security policies based on the IPv4 / IPv6 destination address object used. The address formats are the same as for IPv4 / IPv6 Source.

Service
View all security policies based on the service object used.

User
View all security policies based on the user or user group object used.

Schedule
View all security policies based on the schedule object used.

Priority
This is the position of your Security Policy in the global policy list (including all through-Zyxel Device and to-Zyxel Device policies). The ordering of your policies is important as policies are applied in sequence. Default displays for the default Security Policy behavior that the Zyxel Device performs on traffic that does not match any other Security Policy.

Status
This icon is lit when the entry is active and dimmed when the entry is inactive.

Name
This is the name of the Security Policy.

From / To
This is the direction of travel of packets: the zone the packets come from and the zone they go to.
Security Policies are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN.
From any displays all the Security Policies for traffic going to the selected To Zone.
To any displays all the Security Policies for traffic coming from the selected From Zone.
From any to any displays all of the Security Policies.
To ZyWALL policies are for traffic that is destined for the Zyxel Device and control which computers can manage the Zyxel Device.

IPv4 / IPv6 Source
This displays the IPv4 / IPv6 source address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.

IPv4 / IPv6 Destination
This displays the IPv4 / IPv6 destination address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.

Service
This displays the service object to which this Security Policy applies.

User
This is the user name or user group name to which this Security Policy applies.

Schedule
This field tells you the schedule object that the policy uses. none means the policy is active at all times if enabled.

Action
This field displays whether the Security Policy silently discards packets without notification (deny), permits the passage of packets (allow) or drops packets with notification (reject).

Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above.

Profile
This field shows you which Security Service profiles (application patrol, content filter, IDP, anti-malware, email security) apply to this Security Policy. Click an applied Security Service profile icon to edit the profile directly.

OK
Click OK to save your changes back to the Zyxel Device.

Cancel
Click Cancel to exit this screen without saving.

32.2.2 Content Filter Add Profile Category Service
Click Configuration > Security Service > Content Filter > Profile > Add or Edit to open the Add Filter Profile screen.

Figure 403 Content Filter > Profile > Add Filter Profile > Category Service

The following table describes the labels in this screen.

Table 246 Configuration > Security Service > Content Filter > Profile > Add > Category Service

Name
Enter a descriptive name for this content filtering profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Description
Enter a description for the content filtering profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.

Enable SafeSearch
SafeSearch is a search engine feature that filters sexually explicit videos and images out of search results. The Zyxel Device enforces it without having to inspect the results itself by adding a parameter to the search URL, for example:
https://www.google.com.tw/?gws_rd=ssl#q=porn&safe=active
Supported search engines at the time of writing are Yahoo, Google, MSN Live/Bing and Yandex.
Because the parameter is added to the request URL, this only applies to requests whose URL the Zyxel Device can see and modify: plain HTTP, or HTTPS when SSL Inspection is applied to the traffic.

Enable Content Filter Category Service
Enable external database content filtering to have the Zyxel Device check an external database to find to which category a requested web page belongs. The Zyxel Device then blocks or forwards access to the web page depending on the configuration of the rest of this page.

Log all web pages
Select this to record attempts to access web pages when:
· They match the categories that you select below.
· They are not categorized.
· The external content filtering database is unavailable.

Action for Managed Web Pages
Select Pass to allow users to access web pages that match the categories that you select below.
Select Block to prevent users from accessing web pages that match the categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page.
Select Log to record attempts to access web pages that match the categories that you select below.

Action for Unrated Web Pages
Select Pass to allow users to access web pages that the external web filtering service has not categorized.
Select Block to prevent users from accessing web pages that the external web filtering service has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page.
Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized.
Select Log to record attempts to access web pages that are not categorized.

Action When Category Server Is Unavailable
Select Pass to allow users to access any requested web page if the external content filtering database is unavailable. Note that this makes category filtering fail open: while the server is unreachable, no category is enforced.
Select Block to block access to any requested web page if the external content filtering database is unavailable.
Select Warn to display a warning message before allowing users to access any requested web page if the external content filtering database is unavailable.
The following are possible causes for the external content filtering server not being available:
· There is no response from the external content filtering server within the time period specified in the Content Filter Server Unavailable Timeout field.
· The Zyxel Device is not able to resolve the domain name of the external content filtering database.
· There is an error response from the external content filtering database. This can be caused by an expired content filtering registration ("External content filtering's license key is invalid").
Select Log to record attempts to access web pages that occur when the external content filtering database is unavailable.

Select Categories

Select All Categories
Select this check box to restrict access to all site categories listed below.

Clear All Categories
Select this check box to clear the selected categories below.

Managed Categories
These are categories of web pages based on their content. Select categories in this section to control access to specific types of Internet content. You must have the Category Service content filtering license to filter these categories. See the next table for category details.

Test Web Site Category

URL to test
You can check which category a web page belongs to. Enter a web site URL in the text box. When the content filter is active, you should see the web page's category. The query fails if the content filter is not active.
Content Filtering can query a category by full URL string (for example, http://www.google.com/picture/index.htm), but HTTPS Domain Filter can only query a category by domain name ('www.google.com'), so the category may be different in the query result. URL to test displays both results in the test.

If you think the category is incorrect
Click this link to see the category recorded in the Zyxel Device's content filtering database for the web page you specified (if the database has an entry for it).

Test Against Content Filter Category Server
Click this button to see the category recorded in the external content filter server's database for the web page you specified.

OK
Click OK to save your changes back to the Zyxel Device.

Cancel
Click Cancel to exit this screen without saving your changes.
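The Enable SafeSearch row in Table 246 describes SafeSearch enforcement as a URL rewrite that adds the engine's safe-search parameter. The following Python is an added example, not Zyxel code, of that rewrite, including the case the parameter exists but was set by the client to turn filtering off. Only Google's safe=active comes from the page; the Bing, Yahoo and Yandex parameters are assumptions taken from those engines' own documentation and should be verified before use. The fragment form (#q=...) is handled only because the page's example shows it; a fragment is never sent to the server, so on the wire a device only ever sees the query string.

```python
"""Added example (not Zyxel code): enforce SafeSearch by rewriting the search
URL. Only Google's safe=active parameter comes from the guide; the other
engine parameters are assumptions."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# host fragment -> (parameter, value) that turns strict SafeSearch on
SAFE_SEARCH_PARAMS = {
    "google.": ("safe", "active"),       # from the page
    "bing.com": ("adlt", "strict"),       # assumption
    "search.yahoo.com": ("vm", "r"),      # assumption
    "yandex.": ("family", "yes"),         # assumption
}


def engine_param(host: str):
    """Return the (parameter, value) pair for a supported engine, else None."""
    host = host.lower()
    for key, param in SAFE_SEARCH_PARAMS.items():
        if key in host:
            return param
    return None


def force_param(query: str, param: str, value: str) -> str:
    """Rewrite a query string so that `param` is present with `value`,
    dropping any client-supplied copy (for example safe=off)."""
    pairs = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k != param]
    pairs.append((param, value))
    return urlencode(pairs)


def enforce_safe_search(url: str) -> str:
    """Return the URL with strict SafeSearch forced on, or unchanged if the
    host is not a supported search engine."""
    parts = urlsplit(url)
    param = engine_param(parts.netloc)
    if param is None:
        return url
    query = force_param(parts.query, *param)
    fragment = parts.fragment
    # Old-style Google URLs keep the search in the fragment (#q=...), as in
    # the guide's example. It is rewritten here for completeness only.
    if "=" in fragment:
        fragment = force_param(fragment, *param)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, fragment))


if __name__ == "__main__":
    print(enforce_safe_search("https://www.google.com/search?q=porn&safe=off"))
    # https://www.google.com/search?q=porn&safe=active
    print(enforce_safe_search("https://www.example.com/search?q=x"))
    # unchanged: not a supported engine
```

Removing the client's own copy of the parameter before appending the enforced one matters: if both safe=off and safe=active were left in place, which one wins would depend on the search engine's parsing order rather than on the device's policy.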

The following table describes the managed categories.

Table 247 Managed Category Descriptions

C ATEG O RY Adult Topics
Alcohol

DESC RIPTIO N
Web pages that contain content or themes that are generally considered unsuitable for children.
Web pages that mainly sell, promote, or advocate the use of alcohol, such as beer, wine, and liquor.

This category also includes cocktail recipes and home-brewing instructions.

ZyWALL USG FLEX Series User's Guide
603

Chapter 32 Content Filter

Table 247 Managed Category Descriptions (continued)

Anonymizing Utilities

Web pages that result in anonymous web browsing without the explicit intent to provide such a service.

This category includes URL translators, web-page caching, and other utilities that might function as anonymizers, but without the express purpose of bypassing filtering software.

Art Culture Heritage

This category does not include text translation.
Web pages that contain virtual art galleries, artist sites (including sculpture and photography), museums, ethnic customs, and country customs.

Auctions Classifieds

This category does not include online photograph albums. Web pages that provide online bidding and selling of items or services.

This category includes web pages that focus on bidding and sales.

Blogs/Wiki

This category does not include classified advertisements such as real estate postings, personal ads, or companies marketing their auctions.
Web pages containing dynamic content, which often changes because users can post or edit content at any time.

Business

This category covers the risks with dynamic content that might range from harmless to offensive.
Web pages that provide business-related information, such as corporate overviews or business planning and strategies.

This category also includes information, services, or products that help other businesses plan, manage, and market their enterprises, and multi-level marketing.

Chat

This category does not include personal pages and web-hosting web pages.
Web pages that provide web-based, real-time social messaging in public and private chat rooms. This category includes IRC.

Computing Internet Consumer Protection

This category does not include instant messaging.
Web pages containing reviews, information, buyer's guides of computers, computer parts and accessories, computer software and internet companies, industry news and magazines, and pay-to-surf sites.
Websites that try to rob or cheat consumers.

Some examples of their activities include selling counterfeit products, selling products that were originally provided for free, or improperly using the brand of another company. This category also includes sites where many consumers reported being cheated or not receiving services.

Content Server

This category does not include phishing, which tries to perpetrate fraud or theft by stealing account information.
URLs for servers that host images, media files, or JavaScript for one or more sites and are intended to speed up content retrieval for existing web servers, such as Apache.

This category includes domain-level and sub-domain-level URLs that function as content servers.

This category does not include:

· Web pages for businesses that provide the content servers · Web pages that allow users to browse photographs. See the Media Sharing
category. · URLs for servers that serve only advertisements. See the Web Ads category.

ZyWALL USG FLEX Series User's Guide
604

Chapter 32 Content Filter

Table 247 Managed Category Descriptions (continued)

Controversial Opinions

Web pages that contain opinions that are likely to offend political or social sensibilities and incite controversy. Much of this content is at the extremes of public opinion.

Cult Occult Dating Personals

This category does not include opinion or language clearly intended to promote hate or discrimination.
Sites relating to non-traditional religious practices considered to be false, unorthodox, extremist, or coercive.
Web pages that provide networking for online dating, matchmaking, escort services, or introductions to potential spouses.

Dating Social Networking

This category does not include sites that provide social networking that might include dating, but are not specific to dating.
Web pages that focus on social interaction such as online dating, friendship, school reunions, pen-pals, escort services, or introductions to potential spouses.

Digital Postcards Discrimination

This category does not include wedding-related content, dating tips, or related marketing.
Web pages that allow people to send and receive digital postcards and greeting cards via the Internet.
Web pages, which provide information that explicitly encourages the oppression or discrimination of a specific group of individuals.

Drugs

This category does not include jokes and humor, unless the focus of the entire site is considered discriminatory.
Websites that provide information on the purchase, manufacture, and use of illegal or recreational drugs.

Education Reference Entertainment

This category does not include sites with exclusive health or political themes.
Web pages devoted to academic-related content such as academic subjects (mathematics, history), school or university web pages, and education administration pages (school boards, teacher curriculum).
Web pages that provide information about cinema, theater, music, television, infotainment, entertainment industry gossip-news, and sites about celebrities such as actors and musicians.

Extreme Fashion Beauty

This category also includes sites where the content is devoted to providing entertainment on the web, such as horoscopes or fan clubs.
Web pages that provide content considered gory, perverse, or horrific.
Web pages that market clothing, cosmetics, jewelry, and other fashion-oriented products, accessories, or services.

This category also includes product reviews, comparisons, and general consumer information, and services such as hair salons, tanning salons, tattoo studios, and body-piercing studios.

Finance Banking

This category does not include fashion-related content such as modeling or celebrity fashion unless the site focuses on marketing the product line.
Web pages that provide financial information or access to online financial accounts.

For Kids

This category includes stock information (but not stock trading), home finance, and government-related financial information.
Web pages that are family-safe, specifically for children of approximate ages ten and under.

This category can also be used as an exception to allow web pages that do not pose a risk to children, or to access sites that have a primary educational or recreational focus for children, but are in other categories such as Games, Humor/ Comics, Recreation/Hobbies, or Entertainment.

ZyWALL USG FLEX Series User's Guide
605

Chapter 32 Content Filter

Table 247 Managed Category Descriptions (continued)

Forum Bulletin Boards

Web pages that provide access (http://) to Usenet newsgroups or hold discussions and post user-generated content, such as real-time message posting for an interest group. This category also includes archives of files uploaded to newsgroups.

Gambling

This category does not include message forums with a business or technical support focus.
Web pages that allow users to wager or place bets online, or provide gambling software that allows online betting, such as casino games, betting pools, sports betting, and lotteries.

Gambling Related

This category does not include web pages related to gambling that do not allow betting online.
Web pages that offer information about gambling, without providing the means to gamble.

Game Cartoon Violence

This category includes casino-related web pages that do not offer online gambling, gambling links, tips, sports picks, lottery results, and horse, car, or boat racing.
Web pages that provide fantasy or fictitious representations of violence within the context of games, comics, cartoons, or graphic novels.

Games

This category includes images and textual descriptions of physical assaults or hand-to-hand combat, and grave injury and destruction caused by weapons or explosives.
Web pages that offer online games and related information such as cheats, codes, demos, emulators, online contests or role-playing games, gaming clans, game manufacturer sites, fantasy or virtual sports leagues, and other gaming sites without chances of profit.

General News

This category includes gaming consoles.
Web pages that provide online news media, such as international or regional news broadcasting and publication.

Government Military

This category includes portal sites that provide news content.
Web pages that contain content maintained by governmental or military organizations, such as government branches or agencies, police departments, fire departments, civil defense, counter-terrorism organizations, or supranational organizations, such as the United Nations or the European Union.

Gruesome Content

This category includes military and veterans' medical facilities.
Web pages with content that can be considered tasteless, gross, shocking, or gruesome.

Health

This category does not include web pages with content pertaining to physical assault.
Web pages that cover all health-related information and health care services.

Historical Revisionism

This category does not include cosmetic surgery, marketing/selling pharmaceuticals, or animal-related medical services.
Web pages that denounce, or offer different interpretations of, significant historical facts, such as holocaust denial.

History

This category does not include all re-examination of historical facts, only historical events that are highly sensitive.
Web pages that provide content about historical facts.

This category includes content suitable for higher education, but the Education category includes content for primary education. For example, a site with Holocaust photographs might be offensive, but have academic value.

ZyWALL USG FLEX Series User's Guide
606

Chapter 32 Content Filter

Table 247 Managed Category Descriptions (continued)

Humor Comics

Web pages that provide comical or funny content.

Illegal UK Incidental Nudity

This category includes sites with jokes, sketches, comics, and satire pages. This category might also include graphic novel content, which is often associated with comics.
Web pages that contain child sexual abuse content hosted anywhere in the world, and criminally obscene and incitement to racial hatred content hosted in the UK.

Web pages that contain non-pornographic images of the bare human body like those in classic sculpture and paintings, or medical images.

This category enables you to allow or block sites in order to address cultural or geographic differences in opinion about nudity. For example, you can use this category to block access to nudity, but allow access when nudity is not the primary focus of a site, such as news sites or major portals.

Information Security

Web pages that legitimately provide information about data protection. This category includes detailed information for safeguarding business or personal data, intellectual property, privacy, and infrastructure on the Internet, private networks, or in other bandwidth services such as telecommunications.

This category does not include:

· Legitimate information security companies and security software providers, such as virus protection companies.
· Sites that intend to exploit security or teach how to bypass security.

Information Security New

Web pages that legitimately provide information about data protection. This category includes detailed information for safeguarding business or personal data, intellectual property, privacy, and infrastructure on the Internet, private networks, or in other bandwidth services such as telecommunications.

This category does not include:

· Legitimate information security companies and security software providers, such as virus protection companies.
· Sites that intend to exploit security or teach how to bypass security.

Instant Messaging

Web pages that provide software for real-time communication over a network exclusively for users who joined a member's contact list or an instant-messaging session.

Most instant-messaging software includes features such as file transfer and PC-to-PC phone calls, and can track when other people log on and off.

Interactive Web Applications

Web pages that provide access to live or interactive web applications, such as browser-based office suites and groupware. This category includes sites with business, academic, or individual focus.

This category does not include sites providing access to interactive web applications that do not take critical user data or offer security risks, such as Google Maps.

Internet Radio TV

Web pages that provide software or access to continuous audio or video broadcasting, such as Internet radio, TV programming, or podcasting.

Quick downloads and shorter streams that consume less bandwidth are in the Streaming Media or Media Downloads categories.

Internet Services

Web pages that provide services for publication and maintenance of Internet sites such as web design, domain registration, Internet Service Providers, and broadband and telecommunications companies that provide web services.

This category includes web utilities such as statistics and access logs, and web graphics like clip art.


Job Search

Web pages related to a job search including sites concerned with resume writing, interviewing, changing careers, classified advertising, and large job databases. This category also includes corporate web pages that list job openings, salary comparison sites, temporary employment, and company job-posting sites.

This category does not include make-money-at-home sites.

Major Global Religions

Web pages with content about religious topics and information related to major religions. This category includes sites that cover religious content such as discussion, beliefs, non-controversial commentary, articles, and information for local congregations such as a church or synagogue homepage.

The religions in this category are Baha'i, Buddhism, Chinese Traditional, Christianity, Hinduism, Islam, Jainism, Judaism, Shinto, Sikhism, Tenrikyo, Zoroastrianism.

Marketing Merchandising

Web pages that promote individual or business products or services on the web, but do not sell their products or services online.

This category includes websites that are generally a company overview, describing services or products that cannot be purchased directly from these sites. Examples include automobile manufacturer sites, wedding photography services, or graphic design services.

This category does not include:

· Other categories that imply marketing such as Alcohol, Auctions/Classifieds, Drugs, Finance/Banking, Mobile Phone, Online Shopping, Real Estate, School Cheating Information, Software/Hardware, Stock Trading, Tobacco, Travel, and Weapons.
· Sites that market their services only to other businesses. See the Business category.
· Sites that rob or cheat consumers. See the Consumer Protection category.

Media Downloads

Web pages that provide audio or video files for download such as MP3, WAV, AVI, and MPEG formats. The files are saved to, and played from, the user's computer.

This category does not include audio or video files that are played directly through a browser window. See the Streaming Media category.

Media Sharing

Web pages that allow users to upload, search for, and share media files and photographs, such as online photograph albums.

Messaging

Examples include text messaging to mobile phones, PDAs, fax machines, and internal website user-to-user messaging or site-to-site messaging.

This category does not include real-time chat or instant messaging, or message posts that can be viewed by anyone but the intended recipient.

Mobile Phone

Web pages that sell media, software, or utilities for mobile phones that can be downloaded and delivered to mobile phones.

Examples include ringtones, logos/skins, games, screen-savers, text-based tunes, and software for SMS, MMS, WAP, and other mobile phone protocols.

Moderated

Bulletin boards, chat rooms, search engines, or web mail sites that are monitored by an individual or group who has the authority to block messages or content considered inappropriate.

This category does not include sites with posted rules against offensive content. See the Forum/Bulletin Boards category.

Motor Vehicles

Websites for manufacturers and dealerships of consumer transportation vehicles, such as cars, vans, trucks, SUVs, motorcycles, and scooters. This category also includes sites that provide product marketing, reviews, comparisons, pricing information, auto fairs, auto expos, and general consumer information about motor vehicles.

This category does not include automotive accessories, mechanics, auto-body shops, and recreational hobby pages. This category does not include sites that provide business-to-business-only content regarding motor vehicles.


Non Profit Advocacy NGO

Web pages from charitable or educational groups that fulfill a stated mission, benefiting the larger community, such as clubs, lobbies, communities, non-profit organizations, labor unions, and advocacy groups.

Examples are Masons, Elks, Boy and Girl Scouts, or Big Brothers.

Nudity

Web pages that have non-pornographic images of the bare human body. This category includes classic sculpture and paintings, artistic nude photographs, some naturism pictures, and detailed medical illustrations.

This category does not include high-profile sites where nudity is not a concern for visitors. See the Incidental Nudity category.

Online Shopping

Web pages that sell products or services online.

Web pages selling a broad range of products might pose a risk to users by offering access to items that are normally in other categories such as Pornography, Weapons, Nudity, or Violence. Web pages selling such content exclusively are in their respective categories.

P2P File Sharing

Web pages that allow the exchange of files between computers and users for business or personal use, such as downloadable music.

P2P clients allow users to search for and exchange files from a peer-user network. They often include spyware or real-time chat capabilities. This category includes BitTorrent web pages.

Parked Domain

Web pages that once served content, but their domains have been sold or abandoned and are no longer registered.

Parked domains do not host their own content, but usually redirect users to a generic page that states the domain name is for sale, or redirect users to a generic search engine and portal page, some of which provide valid search engine results.

Personal Network Storage

Web pages that allow users to upload folders and files to an online network server in order to backup, share, edit, or retrieve files or folders from any web browser.

Personal Pages

Personal home pages that share a common domain such as those hosted by ISPs, university/education servers, or free web page hosts.

This category also includes unique domains that contain personal information, such as a personal home page. This category does not include home pages of public figures.

Pharmacy

Web pages that provide reviews, descriptions, and market or sell prescription-based drugs, over-the-counter drugs, birth control, or dietary supplements.

This category might also cover laws and political opinion about drugs.

Politics Opinion

Web pages covering political parties, individuals in political life, and opinion on various topics.

This category includes URLs for political parties, political campaigning, and opinions on various topics, including political debates.

Pornography

Web pages that contain materials intended to be sexually arousing or erotic.

This category includes fetish pages, animation, cartoons, stories, and illegal pornography.

Portal Sites

Web pages that serve as major gateways or directories to content on the web.

Many portal sites also provide a variety of internal site features or services such as search engines, email, news, and entertainment. Mailing list sites with a variety of content are in this category.

This category does not include sites with topic-specific content.


Potential Criminal Activities

Web pages that provide instructions to commit illegal or criminal activities.

Instructions include committing murder or suicide, sabotage, bomb-making, lockpicking, service theft, evading law enforcement, or spoofing drug tests. This category might also include information on how to distribute illegal content, perpetrate fraud, or consumer scams.

This category does not include computer-related fraud.

Potential Hacking Computer Crime

Web pages that provide instructions for, or otherwise enable, fraud, crime, or malicious activity that is computer-oriented.

This category includes web pages related to computer crime, including malicious hacking information or tools that help individuals gain unauthorized access to computers and networks (root kits, kiddy scripts). This category also includes other areas of electronic fraud such as dialer scams and illegal manipulation of electronic devices.

This category does not include illegal software.

Potential Illegal Software

Web pages that the filter believes offer information on potentially pirated or illegally distributed software or electronic media, such as copyrighted music or film, or that distribute illegal license key generators, software cracks, and serial numbers.

This category does not include peer-to-peer web pages.

Private IP Addresses

Sites that are private IP addresses as defined in RFC 1918, that is, hosts that do not require access to hosts in other enterprises (or require just limited access) and whose IP address may be ambiguous between enterprises but are well defined within a certain enterprise.

Profanity

Web pages that contain crude, vulgar, or obscene language or gestures.

Professional Networking

Web pages that provide social networking exclusively for professional or business purposes.

This category includes sites that provide personal or group profiles, and enable their members to interact through real-time communication, message posting, public bulletins, and media sharing. This category also contains alumni sites that have a networking function.

This category does not include social networking sites where the focus might vary, but include friendship, dating, or professional focuses.

Provocative Attire

Web pages with pictures that include alluring or revealing attire, lingerie and swimsuits, or supermodel or celebrity photograph collections, but do not involve nudity.

This category does not include sites with swimwear or similar attire that is not intended to be provocative. For example, Olympic swimming sites are not in this category.

Public Information

Web pages that provide general reference information such as public service providers, regional information, transportation schedules, maps, or weather reports.

PUPs

Web pages that contain Potentially Unwanted Programs (PUPs).

PUPs are often made for a beneficial purpose but they alter the security of a computer or the computer user's privacy. Computer users who are concerned about security or privacy might want to be informed about this software, and in some cases, they might want to remove this software from their computers.


Real Estate

Web pages that provide commercial or residential real estate services and information.

Service and information includes sales and rental of living space or retail space and guides for apartments, housing, and property, and information on appraisal and brokerage. This category includes sites that allow you to browse model homes.

This category does not include content related to personal finance, such as credit applications.

Recreation Hobbies

Web pages for recreational organizations and facilities that include content devoted to recreational activities and hobbies.

This category includes information about public swimming pools, zoos, fairs, festivals, amusement parks, recreation guides, hiking, fishing, bird watching, or stamp collecting.

This category does not include activities that need no active participation, such as watching a movie or reading celebrity gossip.

Religion Ideology

Web pages with content related to religious topics and beliefs in human spirituality that are not within the major religions.

This category includes religious discussion, beliefs, articles, and information for local congregations or groups such as a church homepage, unless the site is already in the Major Global Religions category. This category also includes comparative religion, or sites that include religions and ideologies.

This category does not include astrology and horoscope sites.

Remote Access

Web pages that provide remote access to a program, online service, or an entire computer system.

Although remote access is often used legitimately to run a computer from a remote location, it creates a security risk, such as backdoor access. Backdoor access, written by the original programmer, allows the system to be controlled by another party without the user's knowledge.

Reserved

This category is reserved for future use.

Residential IP Addresses

IP addresses (and any domains associated with them) that access the Internet by DSL modems or cable modems.

Because this content is not generally intended for Internet access via HTTP, access to the Internet through these IP addresses can indicate suspicious behavior. This behavior might be related to malware located on the home computer or homegrown gateways set up to allow anonymous Internet access.

Resource Sharing

Web pages that harness idle or unused computer resources to focus on a common task.

The task can be on a company or an international basis. Well known examples are the SETI program and the Human Genome Project, which use the idle time of thousands of volunteered computers to analyze data.

Restaurants

Web pages that provide information about restaurants, bars, catering, take-out and delivery, including online ordering.

This category includes sites that provide information about location, hours, prices, menus and related dietary information. This category also includes restaurant guides and reviews, and cafes and coffee shops.

This category does not include groceries, wholesale food, non-profit and charitable food organizations, or bars that do not focus on serving food.

School Cheating Information

Web pages that promote plagiarism or cheating by providing free or fee-based term papers, written essays, or exam answers.

This category does not include sites that offer student help, discuss literature, films, or books, or other content that is often the subject of research papers.


Search Engines

Web pages that provide search results that enable users to find information on the Internet based on key words.

This category does not include site-specific search engines.

Sexual Materials

Web pages that describe or depict sexual acts, but are not intended to be arousing or erotic.

Examples of sexual materials include sex education, sexual innuendo, humor, or sex related merchandise.

This category does not include web pages with content intended to arouse.

Shareware Freeware

Web pages that are repositories of downloadable copies of shareware and freeware.

This category does not include subscription-based software.

Social Networking

Web pages that enable social networking for a variety of purposes, such as friendship, dating, professional, or topics of interest.

These sites provide personal or group profiles and enable interaction among their members through real-time communication, message posting, public bulletins, and media sharing.

This category does not include sites that are exclusive to dating, matchmaking, or a specific professional networking focus.

Software Hardware

Web pages related to computing software and hardware, including vendors, product marketing and reviews, deployment and maintenance of software and hardware, and software updates and add-ons such as scripts, plug-ins, or drivers. Hardware includes computer parts, accessories, and electronic equipment used with computers and networks.

This category includes the marketing of software and hardware, and magazines focused on software or hardware product reviews or industry trends.

Sports

Web pages related to professional or organized recreational sports.

This category includes sporting news, events, and information such as playing tips, strategies, game scores, or player trades.

This category does not include fantasy leagues, sports centers, athletic clubs, fitness or martial arts clubs, and non-league billiards, darts, or other such activities.

Stock Trading

Web pages that offer purchasing, selling, or trading of shares online.

This category also includes ticker-tape information that enables viewing of real-time stock prices and financial spread betting in the stock market. Other betting is in the Gambling category.

This category does not include sites that offer information about stocks, but do not offer purchasing, selling, or trading of shares.

Streaming Media

Web pages that provide streaming media, or contain software plug-ins for displaying audio and visual data before the entire file has been transmitted.

This category does not include audio or video files that are downloaded to a user's computer before being played.

Technical Business Forums

Web pages with a technical or business focus that provide online message posting or real-time chatting, such as technical support or interactive business communication.

Although users can post any type of content, these forums tend to present less risk of containing offensive content.

Sites that offer a variety of forums with themes, including technical and business content, are only in the categories of Forum/Bulletin Boards or Chat.


Technical Information

Web pages that provide computing information with an educational focus in areas such as Information Technology, computer programming, and certification.

Examples include Linux user groups, UNIX commands, software tutorials, or dictionaries of technical terms. Most sites in this category might be subdirectories of larger domains. For example, a software site with a tutorial page is in this category only at the tutorial page URL.

This category does not include content about information security.

Text Spoken Only

Content that is text or audio only, and does not contain pictures.

This category can be used as an exception to allow explicit text and recorded material to be accessed when you want pictures blocked using the Pornography, Violence, or Sexual Materials categories. Libraries or universities can use this category to prevent the display of offensive graphics in their public facilities.

Text Translators

Web pages that allow users to type phrases or a block of text to translate it from one language into another.

This category also includes language identifier web pages. URL translation is in the Anonymizing Utilities category.

Tobacco

Web pages that sell, promote, or advocate the use of tobacco products and tobacco paraphernalia, including cigarettes, cigars, pipes, snuff and chewing tobacco.

Travel

Web pages that promote personal or business travel, such as hotels, resorts, airlines, ground transportation, car rentals, travel agencies, and general tourist and travel information.

This category also includes sites for buying tickets or accommodation.

This category does not include personal vacation photographs.

Usenet News

Web pages that provide access (http://) to Usenet newsgroups and archives of files uploaded to newsgroups.

This category also includes online groups that offer similar community-oriented content posting.

Violence

Web pages that contain real or lifelike images or text that portray, describe, or advocate physical assaults against people, animals, or institutions, such as depictions of war, suicide, mutilation, or dismemberment.

Visual Search Engine

Web pages that provide image-specific search results such as thumbnail pictures.

This category does not include sites that offer site-specific visual search engines.

Weapons

Web pages that provide information about buying, making, modifying, or using weapons, such as guns, knives, swords, paintball guns, and ammunition, explosives, and weapon accessories.

This category also includes sites that contain content for: weapons for personal or military use, homemade weapons, non-lethal weapons such as mace, pepper spray, or Taser guns, weapons facilities, such as shooting ranges, and government or military oriented weapons.

This category does not include political action groups, such as the NRA.

Web Ads

Web pages that provide advertisement-hosting or programs that create advertisements.

Examples include links, source code or applets for banners, popups, and other kinds of static or dynamically generated advertisements that appear on web pages. This category is intended to block advertisements on web pages, not the companies that provide the advertisements or advertising services.

This category does not include aggressive advertising adware. See the Spyware/Adware category.

Web Mail

Web pages that enable users to send or receive email through the Internet.


Web Meetings

Web pages that host live meetings, video conferences, and interactive presentations mainly for businesses.

Web meetings generally include streaming audio and video, and allow data transfer or office-oriented application sharing, such as online presentations.

Web Phone

Web pages that enable users to make telephone calls via the Internet or obtain information or software for this purpose.

Web Phone service is also called Internet Telephony, or VoIP. Web phone service includes PC-to-PC, PC-to-phone, and phone-to-phone services connecting via TCP/IP networks.

32.2.3 Content Filter Add Filter Profile Custom Service
Click Configuration > Security Service > Content Filter > Filter Profile > Add or Edit > Custom Service to open the Custom Service screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site's address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.
Figure 404 Configuration > Security Service > Content Filter > Filter Profile > Custom Service


The following table describes the labels in this screen.

Table 248 Configuration > Security Service > Content Filter > Profile > Custom Service

LABEL / DESCRIPTION

Name
Enter a descriptive name for this content filtering profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Description
Enter a description for the content filtering profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

This field is optional.

Enable Custom Service
Select this check box to allow trusted web sites and block forbidden web sites. Content filter list customization may be enabled and disabled without re-entering these site names.

Allow Web traffic for trusted web sites only
When this box is selected, the Zyxel Device blocks Web access to sites that are not on the Trusted Web Sites list. If they are chosen carefully, this is the most effective way to block objectionable material.

Check Common Trusted/Forbidden List
Select this check box to check the common trusted and forbidden web sites lists. See Section 32.3 on page 616 and Section 32.4 on page 617 for information on configuring these lists.

Restricted Web Features
Select the check box(es) to restrict a feature.

Block
· When you download a page containing ActiveX or Java, that part of the web page will be blocked with an X.
· When you download a page coming from a Web Proxy, the whole web page will be blocked.
· When you download a page containing cookies, the cookies will be removed, but the page will not be blocked.

ActiveX
ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.

Java
Java is a programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds.

Cookies
Cookies are files stored on a computer's hard drive. Some web servers use them to track usage and provide service based on ID.

Web Proxy
A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server.

Allow Java/ActiveX/Cookies/Web proxy to trusted web sites
When this box is selected, the Zyxel Device will permit Java, ActiveX and Cookies from sites on the Trusted Web Sites list to the LAN. In certain cases, it may be desirable to allow Java, ActiveX or Cookies from sites that are known and trusted.

Trusted Web Sites
Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list.

Add
Click this to create a new entry.

Edit
Select an entry and click this to be able to modify it.

Remove
Select an entry and click this to delete it.

#
This displays the index number of the trusted web sites.


Trusted Web Site
This column displays the trusted web sites already added.

Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site, that is, do not include "http://". All subdomains are allowed. For example, entering "*zyxel.com" also allows "www.zyxel.com", "partner.zyxel.com", "press.zyxel.com", and so on. You can also enter just a top level domain. For example, enter "*.com" to allow all .com domains.

Use up to 127 characters (0-9a-z-). The casing does not matter. "*" can be used as a wildcard to match any string. The entry must contain at least one "." or it will be invalid.

Forbidden Web Sites

Add
Click this to create a new entry.

Edit
Select an entry and click this to be able to modify it.

Remove
Select an entry and click this to delete it.

#
This displays the index number of the forbidden web sites.

Forbidden Web Sites
This list displays the forbidden web sites already added.

Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of the site, that is, do not include "http://". All subdomains are also blocked. For example, entering "*bad-site.com" also blocks "www.bad-site.com", "partner.bad-site.com", "press.bad-site.com", and so on. You can also enter just a top level domain. For example, enter "*.com" to block all .com domains.

Use up to 127 characters (0-9a-z-). The casing does not matter. "*" can be used as a wildcard to match any string. The entry must contain at least one "." or it will be invalid.

Blocked URL Keywords
This section allows you to block Web sites with URLs that contain certain keywords in the domain name or IP address.

Add
Click this to create a new entry.

Edit
Select an entry and click this to be able to modify it.

Remove
Select an entry and click this to delete it.

#
This displays the index number of the blocked URL keywords.

Blocked URL Keywords
This list displays the keywords already added.

Enter a keyword or a numerical IP address to block.

Use up to 127 case-insensitive characters (0-9a-zA-Z;/?:@&=+$\.-_!~*()%). "*" can be used as a wildcard to match any string. Use "|*" to indicate a single wildcard character.

For example, enter *Bad_Site* to block access to any web page that includes the exact phrase Bad_Site. This does not block access to web pages that only include part of the phrase (such as Bad, for example).

OK
Click OK to save your changes back to the Zyxel Device.

Cancel
Click Cancel to exit this screen without saving your changes.
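The Custom Service matching rules above, as an added example that is not Zyxel's code: it applies the documented character sets, the at-least-one-dot rule, the "*" and "|*" wildcards, subdomain coverage and the "trusted web sites only" mode. The evaluation order between the lists, and matching keywords against the whole URL after "http://", are assumptions made for the example.

```python
"""Custom Service matching: trusted sites, forbidden sites, blocked URL keywords and
the "Allow Web traffic for trusted web sites only" mode. Added example, not Zyxel code.
Assumed: trusted list is checked first, then trusted-only mode, then the forbidden list,
then keywords; keywords are matched against the URL with the scheme removed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Trusted / Forbidden Web Site entries: up to 127 characters from 0-9, a-z, "-", "."
# and the "*" wildcard. The entry must also contain at least one ".".
HOST_ENTRY_RE = re.compile(r"^[0-9a-z.*-]{1,127}$")
# Blocked URL Keyword entries: up to 127 characters from the documented set, plus "|"
# so that the "|*" single-character wildcard can be written.
KEYWORD_ENTRY_RE = re.compile(r"^[0-9a-zA-Z;/?:@&=+$\\.\-_!~*()%|]{1,127}$")


def validate_host_entry(entry: str) -> bool:
    entry = entry.lower()  # the casing does not matter
    return bool(HOST_ENTRY_RE.match(entry)) and "." in entry


def validate_keyword_entry(entry: str) -> bool:
    return bool(KEYWORD_ENTRY_RE.match(entry))


def host_matches(entry: str, host: str) -> bool:
    """"*" matches any string, and an entry covers every subdomain beneath it, so both
    "zyxel.com" and "*zyxel.com" match "www.zyxel.com". The pattern is anchored at the
    end of the host name, so "zyxel.com" does not match "zyxel.com.example.net"."""
    body = re.escape(entry.lower()).replace(r"\*", ".*")
    return re.fullmatch(r"(?:.+\.)?" + body, host.lower()) is not None


def keyword_matches(entry: str, url_text: str) -> bool:
    """"*" matches any string and "|*" exactly one character; case-insensitive."""
    parts, i = [], 0
    while i < len(entry):
        if entry.startswith("|*", i):
            parts.append(".")
            i += 2
        elif entry[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(entry[i]))
            i += 1
    return re.fullmatch("".join(parts), url_text, re.IGNORECASE) is not None


@dataclass
class CustomService:
    trusted: list = field(default_factory=list)
    forbidden: list = field(default_factory=list)
    keywords: list = field(default_factory=list)
    trusted_only: bool = False  # "Allow Web traffic for trusted web sites only"

    def __post_init__(self):
        # Reject entries the screen would report as invalid.
        for e in self.trusted + self.forbidden:
            if not validate_host_entry(e):
                raise ValueError(f"invalid web site entry: {e!r}")
        for k in self.keywords:
            if not validate_keyword_entry(k):
                raise ValueError(f"invalid URL keyword: {k!r}")

    def decide(self, url: str):
        """Return (verdict, reason) for one request, before any category lookup."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        url_text = parts.netloc + parts.path + ("?" + parts.query if parts.query else "")
        if any(host_matches(e, host) for e in self.trusted):
            return "allow", "trusted web site"
        if self.trusted_only:
            return "block", "not on the Trusted Web Sites list"
        if any(host_matches(e, host) for e in self.forbidden):
            return "block", "forbidden web site"
        if any(keyword_matches(k, url_text) for k in self.keywords):
            return "block", "blocked URL keyword"
        return "allow", "no custom rule; category rating applies"


if __name__ == "__main__":
    # Constructed sample profile and requests.
    svc = CustomService(trusted=["*zyxel.com"], forbidden=["bad-site.com"],
                        keywords=["*Bad_Site*"])
    for u in ("http://www.zyxel.com/support", "http://partner.bad-site.com/",
              "http://example.org/news/Bad_Site/index.html", "http://example.org/"):
        print(u, "->", svc.decide(u))
```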

32.3 Content Filter Trusted Web Sites Screen
Click Configuration > Security Service > Content Filter > Trusted Web Sites to open the Trusted Web Sites screen. You can create a common list of good (allowed) web site addresses. When you configure Filter Profiles, you can select the option to check the Common Trusted Web Sites list. Use this screen to add or remove specific sites from the filter list.
Figure 405 Configuration > Security Service > Content Filter > Trusted Web Sites

The following table describes the labels in this screen.

Table 249 Configuration > Security Service > Content Filter > Trusted Web Sites

LABEL / DESCRIPTION

Common Trusted Web Sites
Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list.

Add
Click this to create a new entry.

Edit
Select an entry and click this to be able to modify it.

Remove
Select an entry and click this to delete it.

#
This displays the index number of the trusted web sites.

Trusted Web Site
This column displays the trusted web sites already added.

Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site, that is, do not include "http://". All subdomains are allowed. For example, entering "zyxel.com" also allows "www.zyxel.com", "partner.zyxel.com", "press.zyxel.com", and so on. You can also enter just a top level domain. For example, enter .com to allow all .com domains.

Use up to 127 characters (0-9a-z-). The casing does not matter.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.

32.4 Content Filter Forbidden Web Sites Screen
Click Configuration > Security Service > Content Filter > Forbidden Web Sites to open the Forbidden Web Sites screen. You can create a common list of bad (blocked) web site addresses. When you configure Filter Profiles, you can select the option to check the Common Forbidden Web Sites list. Use this screen to add or remove specific sites from the filter list.

Figure 406 Configuration > Security Service > Content Filter > Forbidden Web Sites

The following table describes the labels in this screen.

Table 250 Configuration > Security Service > Content Filter > Forbidden Web Sites

LABEL: DESCRIPTION
Forbidden Web Site List: Sites that you want to block access to, regardless of their content rating, can be blocked by adding them to this list.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
#: This displays the index number of the forbidden web sites.
Forbidden Web Sites: This list displays the forbidden web sites already added.
Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of the site, that is, do not include "http://". All subdomains are also blocked. For example, entering "bad-site.com" also blocks "www.bad-site.com", "partner.bad-site.com", "press.bad-site.com", and so on. You can also enter just a top level domain. For example, enter .com to block all .com domains.
Use up to 127 characters (0-9a-z-). The casing does not matter.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.
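As an added example (not Zyxel's code), the following Python matcher applies the entry rules that the Trusted Web Sites and Forbidden Web Sites screens share: a host-name entry matches that host and every subdomain of it, an entry such as ".com" matches every host in that top-level domain, case is ignored, and an entry is at most 127 characters of 0-9a-z- (plus dots) with no scheme or path. The sample lists, the host names and the order in which the two lists are consulted (forbidden checked before trusted) are assumptions made for this example.

```python
import re

# Constructed sample lists (not from the guide); each entry follows the screen's rules:
# a host name or a top-level domain such as ".com", never "http://" or a path.
TRUSTED = ["zyxel.com", "www.good-site.com"]
FORBIDDEN = ["bad-site.com", ".xyz"]

# Allowed entry syntax: optional leading dot (TLD entry), then dot-separated labels of 0-9a-z-.
_ENTRY_RE = re.compile(r"^\.?[0-9a-z-]+(\.[0-9a-z-]+)*$")


def normalize_entry(entry: str) -> str:
    """Apply the screen's input rules: case does not matter, no URL, at most 127 characters."""
    e = entry.strip().lower()
    if "://" in e or "/" in e:
        raise ValueError("enter a host name, not a URL: %r" % entry)
    if len(e) > 127 or not _ENTRY_RE.match(e):
        raise ValueError("invalid entry: %r" % entry)
    return e


def host_matches(host: str, entry: str) -> bool:
    """True if host is the entry itself or any subdomain of it.

    An entry that starts with '.' (for example '.com') matches every host whose
    name ends in that suffix, which is how the screen describes a TLD entry.
    """
    h = host.strip().lower().rstrip(".")
    e = normalize_entry(entry)
    if e.startswith("."):
        return h.endswith(e)
    return h == e or h.endswith("." + e)


def classify(host: str, trusted=TRUSTED, forbidden=FORBIDDEN) -> str:
    """List outcome for a host before any content rating is consulted.

    Assumption for this example: the forbidden list is consulted first, so a host
    on both lists is blocked. Hosts on neither list fall through to rating ("rate").
    """
    if any(host_matches(host, e) for e in forbidden):
        return "block"
    if any(host_matches(host, e) for e in trusted):
        return "allow"
    return "rate"


if __name__ == "__main__":
    for h in ["www.zyxel.com", "partner.bad-site.com", "example.org", "shop.example.xyz"]:
        print(h, "->", classify(h))
```

The suffix test is done on whole labels ("." + entry), so "notzyxel.com" does not match an entry of "zyxel.com"; only the TLD form, which begins with a dot, uses a bare suffix comparison.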

32.5 Content Filter Technical Reference
This section provides content filtering background information.
External Content Filter Server Lookup Procedure
The content filter lookup process is described below.

Figure 407 Content Filter Lookup Procedure
1 A computer behind the Zyxel Device tries to access a web site.
2 The Zyxel Device looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site's category will be in the Zyxel Device's cache. The Zyxel Device blocks, blocks and logs or just logs the request based on your configuration.
3 Use the Content Filter Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses. All of the web site address records are also cleared from the local cache when the Zyxel Device restarts.
4 If the Zyxel Device has no record of the web site, it queries the external content filter database and simultaneously sends the request to the web server.
5 The external content filter server sends the category information back to the Zyxel Device, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site's address and category are then stored in the Zyxel Device's content filter cache.
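To make the five lookup steps concrete, here is an added Python sketch (not the Zyxel Device's implementation) of the cache-then-query logic: a category cache with an expiry time standing in for the Content Filter Cache screen's lifetime setting, a dictionary standing in for the external content filter database, a restart() that clears the cache as the device restart does, and a decision function that applies a profile's block and log category sets. The host names, category names and the injectable clock are constructed for the example.

```python
import time

# Constructed stand-in for the external content filter database (not a real service).
EXTERNAL_DB = {
    "www.example-news.test": "News",
    "games.example.test": "Games",
}


class ContentFilterCache:
    """Caches web site categories for ttl_seconds, mirroring steps 2 to 5 of the lookup."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so the expiry can be tested deterministically
        self._entries = {}          # host -> (category, expiry_time)
        self.external_queries = 0   # how often the external server had to be asked

    def lookup(self, host):
        """Return (category, source) where source is 'cache' or 'external'."""
        now = self.clock()
        hit = self._entries.get(host)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"                      # step 2: record still in the cache
        # Step 4: no (valid) record, so query the external database. The real device
        # forwards the client's request to the web server at the same time.
        self.external_queries += 1
        category = EXTERNAL_DB.get(host, "Unrated")
        # Step 5: store the address and category for later lookups.
        self._entries[host] = (category, now + self.ttl)
        return category, "external"

    def restart(self):
        """Step 3: all records are cleared from the local cache when the device restarts."""
        self._entries.clear()

    def cached_hosts(self):
        """The addresses the Content Filter Cache screen would list."""
        return sorted(self._entries)


def decide(category, profile):
    """Apply a profile: profile = {'block': set_of_categories, 'log': set_of_categories}."""
    block = category in profile["block"]
    log = category in profile["log"]
    if block and log:
        return "block+log"
    if block:
        return "block"
    if log:
        return "log"
    return "allow"


if __name__ == "__main__":
    cache = ContentFilterCache(ttl_seconds=3600)
    profile = {"block": {"Games"}, "log": {"Games", "News"}}
    for host in ["games.example.test", "games.example.test", "www.example-news.test"]:
        category, source = cache.lookup(host)
        print(host, category, source, decide(category, profile))
```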
CHAPTER 33 Anti-Malware
33.1 Overview
Use the Zyxel Device's anti-malware feature to protect your connected network from malware (malicious software) infection, such as computer viruses, worms, and spyware. The Zyxel Device scans traffic going in both directions for malware signature matches. In the following figure, the Zyxel Device scans traffic coming from the WAN zone (which includes two interfaces) to the LAN zone.
Figure 408 Zyxel Device Anti-Malware Example
The anti-malware feature compares each file against a malware database as files pass through the Zyxel Device.
Virus, Worm, and Spyware
A computer virus is a type of malicious software designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself. The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected to wiping out the entire contents of a hard drive to rendering your computer inoperable. Spyware infiltrates your device and secretly gathers information about you, such as your network activity, passwords, bank details, and so on.
Hash Value
A hash function is an algorithm that maps data of arbitrary size to data of fixed size. The value returned by a hash function is a hash value. Hash values can be used to identify if the contents of a file have changed. At the time of writing, the MD5 (Message Digest 5) hash algorithm is supported.
Local Signature Databases
The Zyxel Device downloads the signature(s) after it is registered and the anti-malware license is activated at myZyxel. A signature is a unique string of bits, or binary pattern, of a malware. A signature acts as a fingerprint that can be used to detect and identify specific malware. The Zyxel Device downloads the following signatures:
· Anti-malware signature
These signatures are periodically updated if you have a valid license. See Section 33.2 on page 625 for how the Zyxel Device updates these signatures for the anti-malware license.
Cloud Query
Another method of malware protection is through cloud query. This process is illustrated in the next figure. With Cloud Query, the Zyxel Device queries the Defend Center database by sending the file's hash value (A) and receiving the scan results (B) through the Defend Center (DC).
Figure 409 Cloud Query
Anti-Malware Licensing
Having extensive, up-to-date signatures with the most common malware is critical to making the anti-malware service work effectively. Section 7.2 on page 199 shows licensing information for the different signature databases that can be used by the Zyxel Device. After the anti-malware license expires, you need to purchase an iCard to update your local signature database and use cloud query. Extend your license in the Registration > Service screen.
Anti-Malware Scan Process
Before going through the Anti-Malware scan, the Zyxel Device first identifies the packets sent by the following four major protocols with corresponding standard ports:
· FTP (File Transfer Protocol)
· HTTP (Hyper Text Transfer Protocol)
· SMTP (Simple Mail Transfer Protocol)
· POP3 (Post Office Protocol version 3)
The Zyxel Device records the order of packets in TCP connection-oriented sessions to check for matching malware signatures. The order of non-setup packets such as SYN, ACK and FIN is ignored.
Anti-Malware Scanning Procedure:
1 The Zyxel Device checks every packet of the file for matches with the local signature databases. If a malware pattern signature is matched, the actions you specify for identified malware will be applied. If Destroy infected file is enabled, the file will be modified. Logs/alerts will be sent according to your settings.
Note: The receiver is not notified if a file is modified by the Zyxel Device. If the file cannot be used, the receiver should contact the Zyxel Device administrator to confirm if the Zyxel Device modified the file by checking the logs.
2 If no match is found with the local databases, the Zyxel Device uses Cloud Query to forward the file's hash value to Defend Center.
3 Defend Center checks its database for malware signature matches and sends the results back to the Zyxel Device. If a malware signature is matched, the actions you specify for identified malware will be applied. If Destroy infected file is enabled, the file will be modified. Logs/alerts will be sent according to your settings.
The next figure shows a flow chart detailing the anti-malware scan.
Figure 410 Anti-Malware Flowchart
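The three scanning steps in the flow chart, as an added Python example (not the Zyxel Device's code): a local signature match locates the infected region; a miss falls through to a simulated cloud query keyed on the file's MD5 hash, the algorithm the guide names; and Destroy infected file is modelled as the guide describes it, by overwriting the matched portion with zeros while the rest of the file passes through. The EICAR pattern is the published anti-malware test string (the same one shown in the Anti-Malware screen table later in this chapter). The local signature table, the cloud hash table, the sample file contents and the choice to zero the whole file on a hash-only verdict (a hash identifies the file, not a region within it) are assumptions for the example.

```python
import hashlib

# The published EICAR test string (68 bytes); scanners treat it like real malware.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed local signature database: signature name -> byte pattern.
LOCAL_SIGNATURES = {"EICAR-Test-File": EICAR}

# Constructed stand-in for the Defend Center database: MD5 hex digest -> verdict name.
_KNOWN_BAD_SAMPLE = b"constructed sample of a known-bad file"
CLOUD_DB = {hashlib.md5(_KNOWN_BAD_SAMPLE).hexdigest(): "Sample.Malware"}


def local_scan(data):
    """Step 1: return (name, offset, length) of the first local signature found, or None."""
    for name, pattern in LOCAL_SIGNATURES.items():
        idx = data.find(pattern)
        if idx != -1:
            return name, idx, len(pattern)
    return None


def cloud_query(data):
    """Steps 2-3: send the file's MD5 hash and receive a verdict name, or None if unknown."""
    return CLOUD_DB.get(hashlib.md5(data).hexdigest())


def destroy_infected(data, offset, length):
    """'Destroy infected file': overwrite only the infected portion with zeros."""
    return data[:offset] + b"\x00" * length + data[offset + length:]


def scan_file(data, destroy=True, log="log"):
    """Run the procedure on one file.

    Returns {'verdict': 'clean' or the malware name, 'data': bytes forwarded to the
    receiver, 'events': log records}.  log is one of 'no', 'log', 'log alert'.
    """
    events = []
    match = local_scan(data)
    if match is not None:
        name, offset, length = match
        source = "local"
    else:
        name = cloud_query(data)
        # Assumption: a hash verdict covers the whole file, so the whole file is zeroed.
        offset, length = 0, len(data)
        source = "cloud"
    if name is None:
        return {"verdict": "clean", "data": data, "events": events}
    if log != "no":
        events.append({"level": log, "malware": name, "source": source})
    delivered = destroy_infected(data, offset, length) if destroy else data
    return {"verdict": name, "data": delivered, "events": events}


if __name__ == "__main__":
    sample = b"header " + EICAR + b" trailer"    # constructed file carrying the test string
    result = scan_file(sample)
    print(result["verdict"], result["events"], result["data"])
```

Note that with destroy disabled and log set to "no" the file is identified but forwarded untouched and nothing is recorded, which is the combination the Anti-Malware screen warns against.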

File Scanning Cloud Query Supported File Types

At the time of writing, the following file types are supported:

Table 251 File Scanning Cloud Query Supported File Types
· 7z Archive (7z)
· AVI Video (avi)
· BMP Image (bmp)
· BZ2 Archive (bz2)
· Executables (exe)
· Macromedia Flash Data (swf)
· GIF Image (gif)
· GZ Archive (gz)
· JPG Image (jpg)
· MOV Video (mov)
· MP3 Audio (mp3)
· MPG Video (mpg)
· MS Office Document (doc...)
· PDF Document (pdf)
· PNG Image (png)
· RAR Archive (rar)
· RM Video (rm)
· RTF Document (rtf)
· TIFF Image (tif)
· WAV Audio (wav)
· ZIP Archive (zip)

Notes About the Zyxel Device Anti-Malware
The following lists important notes about the Zyxel Device's anti-malware feature:
1 Zyxel's anti-malware feature can detect polymorphic malware (see Section 33.5 on page 631).
2 When malware is detected, a log is created or an alert message is sent to the administrator depending on your log settings.
3 Changes to the Zyxel Device's anti-malware settings only affect new sessions, not sessions that already existed before you applied the changed settings.
4 Enabling Cloud Query may affect file transfer speeds.
5 The Zyxel Device does not scan the following file/traffic types:
· Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously.
· Encrypted traffic. This could be password-protected files or VPN traffic where the Zyxel Device is not the endpoint (pass-through VPN traffic).
· Traffic through custom (non-standard) ports. The Zyxel Device scans whatever port number is specified for FTP in the ALG screen.
· All compressed files within a compressed file. Note that a single file can still be decompressed and scanned if you select Enable file decompression (ZIP and RAR).
· Traffic compressed or encoded using a method the Zyxel Device does not support.
Finding Out More
· See Section 33.7 on page 638 for anti-malware background information.
33.1.1 What You Can Do in this Chapter
· Use the Anti-Malware screen (Section 33.2 on page 625) to turn anti-malware on or off, and check the anti-malware signature status. In addition, you can set up anti-malware black (blocked) and white (allowed) lists of malware patterns.

· Use the White List screen (Section 33.3 on page 628) to specify the file or encryption pattern to allow in order to avoid false positives. False positives occur when a non-infected file matches a malware signature.
· Use the Black List screen (Section 33.4 on page 630) to specify the file or encryption pattern that you want to block.
· Use the Signature screen (Section 33.5 on page 631) to search for particular signatures and get more information about them.
33.2 Anti-Malware Screen
Click Configuration > Security Service > Anti-Malware to display the configuration screen as shown next. Click the Anti-Malware icon for more information on the Zyxel Device's security features.
See Subscription Services Available on page 196 for more information on the subscription services for the two types of security packs.
Note: If Destroy infected file is disabled and log is set to no, the Zyxel Device will still perform the scan but will not do anything else. It is recommended to enable at least one of the two functions.
If Destroy infected file is disabled, any malicious file found can still be executed by the end user after it is forwarded. The administrator would have to inform the user if there is an infected file.
Figure 411 Configuration > Security Service > Anti-Malware

The following table describes the labels in this screen.

Table 252 Configuration > Security Service > Anti-Malware

LABEL: DESCRIPTION
General Setting
Enable: Select this check box to activate the anti-malware feature to protect your connected network from infection and the installation of malicious software.
Scan and detect EICAR test virus: Select this option to have the Zyxel Device check for an EICAR test file and treat it in the same way as a real malware file.
The EICAR test file is a standardized test file for signature based anti-malware scanners. When the scanner detects the EICAR file, it responds in the same way as if it found real malware. The EICAR file can also be compressed to test whether the anti-malware software can detect it in a compressed file. The EICAR test string consists of the following human-readable ASCII characters.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Scan Mode
Express Mode: In this mode you can define which types of files are scanned using the File Type For Scan fields. The Zyxel Device then scans files by sending each file's hash value to a cloud database using cloud query. This is the fastest scan mode.
Stream Mode: In this mode the Zyxel Device scans all files for viruses using its anti-malware signatures to detect known virus patterns. This is the deepest scan mode.
File Type For Scan
Available File Types: File types that can be checked by the Zyxel Device are listed here. Note that the files on this list are currently bypassed. To use this feature on a specific file type, click this file type and then click the right arrow button. See available file types in Table 251 on page 624.
Applied File Types: File types that will be checked are listed here. If you don't want a file type to be checked, click this file type and then click the left arrow button.
Destroy infected file: When you select this check box, if a malware signature is matched, the Zyxel Device overwrites the infected portion of the file with zeros before forwarding it to the user. The uninfected portion of the file passes through unmodified.
Log: These are the log options:
· no: Do not create a log when a packet matches a signature.
· log: Create a log on the Zyxel Device when a packet matches a signature.
· log alert: An alert is an emailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a packet matches a signature(s).
Check White List: Select this check box to have the Zyxel Device not perform the anti-malware check on files with names that match the white list patterns.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#: This is the entry's index number in the list.
File Pattern: This is the file name pattern. If a file's name matches this pattern, the Zyxel Device does not check the file for malware.
Check Black List: Select this check box to log and delete files with names that match the black list patterns.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#: This is the entry's index number in the list.
File Pattern: This is the file name pattern. If a file's name matches this pattern, the Zyxel Device logs and then destroys the file.
File decompression
Enable file decompression (ZIP and RAR): Select this check box to have the Zyxel Device scan a compressed file (the file does not need to have a "zip" or "rar" file extension). The Zyxel Device first decompresses the file and then scans the contents for malware.
Note: The Zyxel Device decompresses a compressed file once. The Zyxel Device does NOT decompress any file(s) within a compressed file.
Destroy compressed files that could not be decompressed: When you select this check box, the Zyxel Device deletes compressed files that use password encryption. Select this check box to have the Zyxel Device delete any compressed files that it cannot decompress. The Zyxel Device cannot decompress password protected files or a file within another compressed file. There are also limits to the number of compressed files that the Zyxel Device can concurrently decompress.
Note: The Zyxel Device's firmware package cannot go through the Zyxel Device with this check box enabled. The Zyxel Device classifies the firmware package as a file that cannot be decompressed and then deletes it. Clear this check box when you download a firmware package from the Zyxel website. It's OK to upload a firmware package to the Zyxel Device with the check box selected.
Signature Information: The following fields display information on the current signature set that the Zyxel Device is using.
Current Version: This field displays the signature set version number currently used by the Zyxel Device. This number gets larger as the set is enhanced.
Released Date: This field displays the date and time the set was released.
Update Signatures: Click this link to go to the screen you can use to download signatures from the update server.
Apply: Click Apply to save your changes.
Reset: Click Reset to return the screen to its last-saved settings.
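As an added Python example (not Zyxel's implementation), the following models the two File decompression options from the table above: the archive is recognised by its ZIP signature rather than its file extension, it is decompressed exactly one level, entries that are themselves archives are listed but not decompressed, and password-protected entries are reported as not decompressable; with the destroy option on, any such entry causes the whole archive to be destroyed instead of forwarded, which is also why the firmware package note above applies. RAR is recognised only by its signature (Python's zipfile opens ZIP only), the concurrency limit is not modelled, and mark_encrypted is a test fixture that sets the ZIP encryption flag on a constructed archive because zipfile cannot write password-protected files.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"          # common prefix of the RAR4 and RAR5 signatures
ARCHIVE_MAGICS = (ZIP_MAGIC, RAR_MAGIC)


def is_archive(data):
    """Detect by file signature: the screen says the extension does not matter.
    Only ZIP is opened here; RAR is recognised so that a nested RAR is still skipped."""
    return data.startswith(ZIP_MAGIC)


def decompress_once(data):
    """Decompress exactly one level.

    Returns (members, problems): members are (name, bytes) pairs to hand to the
    scanner; problems name entries that could not be decompressed, i.e. password
    protected entries and archives nested inside this archive.
    """
    members, problems = [], []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [], ["not a valid archive"]
    with archive:
        for info in archive.infolist():
            if info.flag_bits & 0x1:          # general-purpose bit 0: entry is encrypted
                problems.append("%s: password protected" % info.filename)
                continue
            content = archive.read(info)
            if content.startswith(ARCHIVE_MAGICS):
                problems.append("%s: nested archive, not decompressed" % info.filename)
                continue
            members.append((info.filename, content))
    return members, problems


def handle_file(data, enable_decompression=True, destroy_undecompressable=False):
    """Outcome for one file under the two check boxes.

    Returns ("scan", members) with the pieces that get signature-scanned, or
    ("destroy", problems) when the archive is deleted instead of forwarded.
    """
    if not enable_decompression or not is_archive(data):
        return "scan", [("<file>", data)]        # scanned as one opaque blob
    members, problems = decompress_once(data)
    if problems and destroy_undecompressable:
        return "destroy", problems
    return "scan", members                       # undecompressable entries pass unscanned


def make_zip(entries):
    """Build a constructed in-memory ZIP from {name: bytes} (sample data, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Test fixture: set the 'encrypted' flag bit of a single-entry archive in both the
    local header and the central directory, since zipfile cannot write password-protected
    files.  Real password-protected ZIPs carry this same bit."""
    buf = bytearray(zip_bytes)
    buf[6] |= 0x1                      # local file header: flags field at offset 6
    cd = buf.find(b"PK\x01\x02")
    buf[cd + 8] |= 0x1                 # central directory header: flags field at offset 8
    return bytes(buf)


if __name__ == "__main__":
    outer = make_zip({"readme.txt": b"hello", "inner.zip": make_zip({"deep.txt": b"x"})})
    print(handle_file(outer))
    print(handle_file(outer, destroy_undecompressable=True))
    print(handle_file(mark_encrypted(make_zip({"secret.txt": b"hidden"})), destroy_undecompressable=True))
```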

33.3 The White List Screen
A white list allows you to specify the file or encryption pattern to allow in order to avoid false positives. False positives occur when a non-infected file matches a malware signature.
Enter a file or encryption pattern that would cause the Zyxel Device to allow this file.
Click Configuration > Security Service > Anti-Malware > Black/White List > White List to display the following screen. Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.

Figure 412 Configuration > Security Service > Anti-Malware > Black/White List > White List

The following table describes the fields in this screen.

Table 253 Configuration > Security Service > Anti-Malware > Black/White List > White List

LABEL: DESCRIPTION
Check White List: Select this check box to have the Zyxel Device not perform the anti-malware check on files whose names or MD5 hash values match the white list entries.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
#: This is the entry's index number in the list.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Type: This field displays the type (MD5 Hash or File Pattern) used to distinguish whether a file should be allowed. When you add or edit an entry, select the type that you want to use.
Value: This field displays the file or encryption pattern of the entry. When you add or edit an entry, enter the file or encryption pattern for it. Specify a pattern to identify the names of files that the Zyxel Device should not scan for viruses.
· Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
· A question mark (?) lets a single character in the file name vary. For example, use "a?.zip" (without the quotation marks) to specify aa.zip, ab.zip and so on.
· Wildcards (*) let multiple files match the pattern. For example, use "*a.zip" (without the quotation marks) to specify any file that ends with "a.zip". A file named "testa.zip" would match. There could be any number (of any type) of characters in front of the "a.zip" at the end and the file name would still match. A file named "test.zipa" for example would not match.
· A * in the middle of a pattern has the Zyxel Device check the beginning and end of the file name and ignore the middle. For example, with "abc*.zip", any file starting with "abc" and ending in ".zip" matches, no matter how many characters are in between.
· The whole file name has to match if you do not use a question mark or asterisk.
· If you do not use a wildcard, the Zyxel Device checks up to the first 80 characters of a file name.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

33.4 The Black List Screen
A black list allows you to specify the file or encryption pattern that you want to block. Enter a file or encryption pattern that would cause the Zyxel Device to log and then destroy this file.
Click Configuration > Security Service > Anti-Malware > Black/White List > Black List to display the following screen. Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.
Figure 413 Configuration > Security Service > Anti-Malware > Black/White List > Black List

The following table describes the fields in this screen.

Table 254 Configuration > Security Service > Anti-Malware > Black/White List > Black List

LABEL: DESCRIPTION
Check Black List: Select this check box to log and delete files whose names or MD5 hash values match the black list entries.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
#: This is the entry's index number in the list.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Type: This field displays the type (MD5 Hash or File Pattern) used to distinguish whether a file should be blocked. When you add or edit an entry, select the type that you want to use.
Value: This field displays the file or encryption pattern of the entry. When you add or edit an entry, enter a file pattern that would cause the Zyxel Device to log and modify this file.
· Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
· A question mark (?) lets a single character in the file name vary. For example, use "a?.zip" (without the quotation marks) to specify aa.zip, ab.zip and so on.
· Wildcards (*) let multiple files match the pattern. For example, use "*a.zip" (without the quotation marks) to specify any file that ends with "a.zip". A file named "testa.zip" would match. There could be any number (of any type) of characters in front of the "a.zip" at the end and the file name would still match. A file named "test.zipa" for example would not match.
· A * in the middle of a pattern has the Zyxel Device check the beginning and end of the file name and ignore the middle. For example, with "abc*.zip", any file starting with "abc" and ending in ".zip" matches, no matter how many characters are in between.
· The whole file name has to match if you do not use a question mark or asterisk.
· If you do not use a wildcard, the Zyxel Device checks up to the first 80 characters of a file name.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.
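The File Pattern and MD5 Hash entry rules shared by the White List and Black List screens, as an added Python example (not Zyxel's code): "?" matches exactly one character, "*" matches any run of characters including in the middle of a pattern, a pattern without wildcards must match the whole name but only the first 80 characters of the name are compared, and the pattern alphabet is alphanumerics, "_", "-", "?" and "*" plus the dot that the guide's own examples ("a?.zip") use. Two assumptions made for the example and not stated in the guide: file names are compared case-sensitively, and when a file matches both lists the black list wins.

```python
import hashlib
import re

# Screen rule: up to 80 characters of alphanumerics, "_", "-", "?" and "*"; the dot is
# accepted as well because the guide's own sample patterns contain one.
_PATTERN_CHARS = re.compile(r"^[A-Za-z0-9_.?*-]{1,80}$")


def compile_file_pattern(pattern):
    """Return a predicate name -> bool implementing the File Pattern rules."""
    if not _PATTERN_CHARS.match(pattern):
        raise ValueError("invalid file pattern: %r" % pattern)
    if "?" not in pattern and "*" not in pattern:
        # No wildcard: the whole name must match, and only the first 80 characters are checked.
        return lambda name: name[:80] == pattern
    # "?" = exactly one character, "*" = any run (also mid-pattern); everything else literal.
    regex = re.compile("".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                               for c in pattern))
    return lambda name: regex.fullmatch(name) is not None


class ListEntry:
    """One Black/White List row.  kind is "File Pattern" or "MD5 Hash"."""

    def __init__(self, kind, value, active=True):
        if kind not in ("File Pattern", "MD5 Hash"):
            raise ValueError("unknown entry type: %r" % kind)
        self.kind = kind
        self.active = active
        if kind == "MD5 Hash":
            self.value = value.lower()        # hex digests compare case-insensitively
            self._matcher = None
        else:
            self.value = value
            self._matcher = compile_file_pattern(value)

    def matches(self, filename, data):
        if not self.active:                   # inactive entries (dimmed light bulb) are ignored
            return False
        if self.kind == "MD5 Hash":
            return hashlib.md5(data).hexdigest() == self.value
        return self._matcher(filename)


def list_decision(filename, data, white_list, black_list):
    """Outcome of the two list checks before signature scanning.

    Assumption for this example: a black list hit takes precedence over a white list hit.
    """
    if any(e.matches(filename, data) for e in black_list):
        return "log and destroy"
    if any(e.matches(filename, data) for e in white_list):
        return "skip scan"
    return "scan"


if __name__ == "__main__":
    # Constructed sample entries and file; the hash is computed from the sample bytes.
    sample = b"constructed sample file contents"
    black = [ListEntry("MD5 Hash", hashlib.md5(sample).hexdigest())]
    white = [ListEntry("File Pattern", "report-*.pdf")]
    for name, data in [("report-2020.pdf", b"x"), ("report-2020.pdf", sample), ("tool.exe", b"y")]:
        print(name, "->", list_decision(name, data, white, black))
```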

33.5 Anti-Malware Signature Searching
Click Configuration > Security Service > Anti-Malware > Signature to display this screen. Use this screen to locate signatures and display details about them.
If your web browser opens a warning screen about a script making the web browser run slowly and the computer unresponsive, just click No to continue.
Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
Figure 414 Configuration > Security Service > Anti-Malware > Signature

The following table describes the labels in this screen.

Table 255 Configuration > Security Service > Anti-Malware > Signature

LABEL: DESCRIPTION
Signatures Search: Enter the name, part of the name or keyword of the signature(s) you want to find and click Search. This search is not case-sensitive and accepts numerical strings.
Query Result
#: This is the entry's index number in the list.
Name: This is the name of the anti-malware signature. Click the Name column heading to sort your search results in ascending or descending order according to the signature name. Click a signature's name to see details about the malware.

33.6 Anti-Malware Profile
To use multiple profiles for this feature, run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style advance
Router(config)# show secure-policy-style status
secure-policy-style: advance
After you run these commands, go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
Figure 415 Logout Prompt

After you log in again, you will see the new profile screen for this feature.
Figure 416 Configuration > Security Service > Anti-Malware > Profile

The following table describes the labels in this screen.

Table 256 Configuration > Security Service > Anti-Malware > Profile

LABEL: DESCRIPTION
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: Select an entry and click Remove to delete the selected entry.
#: This field is a sequential value showing the number of the profile. The profile order is not important.
Name: This displays the name of the profile created.
Description: This displays the description of the profile.

33.6.1 Add or Edit an Anti-Malware Profile
Click Add to create a new entry or select an existing entry and click Edit to open the following screen where you can create or modify the entry's settings.
Figure 417 Configuration > Security Service > Anti-Malware > Profile > Add/Edit

The following table describes the labels in this screen.

Table 257 Configuration > Security Service > Anti-Malware > Profile > Add/Edit

LABEL: DESCRIPTION
General Setting
Name: Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
· MyProfile
· mYProfile
· Mymy12_3-4
These are invalid profile names:
· 1mYProfile
· My Profile
· MyProfile?
· Whatalongprofilename123456789012
Description: Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.
Actions When Matched
Destroy infected file: When you select this check box, if a malware signature is matched, the Zyxel Device overwrites the infected portion of the file with zeros before forwarding it to the user. The uninfected portion of the file passes through unmodified.
Log: These are the log options:
· no: Do not create a log when a packet matches a signature.
· log: Create a log on the Zyxel Device when a packet matches a signature.
· log alert: An alert is an emailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a packet matches a signature(s).
Scan Options
Check White List: Select this check box to have the Zyxel Device not perform the anti-malware check on files with names that match the white list patterns.
Check Black List: Select this check box to log and delete files with names that match the black list patterns.
File decompression
Enable file decompression (ZIP and RAR): Select this check box to have the Zyxel Device scan a compressed file (the file does not need to have a "zip" or "rar" file extension). The Zyxel Device first decompresses the file and then scans the contents for malware.
Note: The Zyxel Device decompresses a compressed file once. The Zyxel Device does NOT decompress any file(s) within a compressed file.
Destroy compressed files that could not be decompressed: When you select this check box, the Zyxel Device deletes compressed files that use password encryption. Select this check box to have the Zyxel Device delete any compressed files that it cannot decompress. The Zyxel Device cannot decompress password protected files or a file within another compressed file. There are also limits to the number of compressed files that the Zyxel Device can concurrently decompress.
Note: The Zyxel Device's firmware package cannot go through the Zyxel Device with this check box enabled. The Zyxel Device classifies the firmware package as a file that cannot be decompressed and then deletes it. Clear this check box when you download a firmware package from the Zyxel website. It's OK to upload a firmware package to the Zyxel Device with the check box selected.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.

33.6.2 Link a Profile
To link a profile to a policy, go to the Configuration > Security Policy > Policy Control screen, select a policy, and then click Edit. In the Edit Policy screen under Profile, select which profile you want to use for each security service.

Figure 418 Configuration > Security Service > Policy Control > Profile
33.6.3 Anti-Malware Advance Screen
The Security Service > Anti-Malware > Anti-Malware screen changes when using profiles.
Figure 419 Configuration > Security Service > Anti-Malware Advance

The following table describes the labels in this screen.

Table 258 Configuration > Security Service > Anti-Malware Advance

LA BEL

DESC RIPTIO N

General Setting

Enable

Select this checkbox to activate the anti-malware feature to protect your connected network from infection and the installation of malicious software.

Inspect all traffic, setting: Inspect by policy Scan and detect EICAR test virus
Scan Mode

Select this to have all traffic inspected by the de fa ult_pro file . You cannot rename or delete the de fa ult_pro file profile, but you can edit it by clicking the link here.
If you configured a specific profile in the Pro file tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to a policy in Se c urity
Po lic y > Po lic y C o ntro l.
Select this option to have the Zyxel Device check for an EICAR test file and treat it in the same way as a real malware file.
The EICAR test file is a standardized test file for signature based anti-malware scanners. When the scanner detects the EICAR file, it responds in the same way as if it found real malware. The EICAR file can also be compressed to test whether the anti-malware software can detect it in a compressed file. The EICAR test string consists of the following humanreadable ASCII characters.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

ZyWALL USG FLEX Series User's Guide
636

Chapter 33 Anti-Malware

Table 258 Configuration > Security Service > Anti-Malware Advance (continued)

Express Mode
In this mode you can define which types of files are scanned using the File Type For Scan fields. The Zyxel Device then scans files by sending each file's hash value to a cloud database using cloud query. This is the fastest scan mode.

Stream Mode
In this mode the Zyxel Device scans all files for viruses using its anti-malware signatures to detect known virus patterns. This is the deepest scan mode.

File Type For Scan

Available File Types
File types that can be checked by the Zyxel Device are listed here. Note that the files on this list are currently bypassed. To use this feature on a specific file type, click this file type and then click the right arrow button. See available file types in Table 251 on page 624.

Applied File Types
File types that will be checked are listed here. If you don't want a file type to be checked, click this file type and then click the left arrow button.

Apply
Click Apply to save your changes.

Reset
Click Reset to return the screen to its last-saved settings.
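The following is an added example, not part of this guide or of the Zyxel firmware: a minimal check of the kind the "Scan and detect EICAR test virus" option performs, applied to a raw file and to the compressed case (ZIP members, nested archives). The sample files are constructed in memory; the exact-match rule (string, optional trailing whitespace, at most 128 bytes) follows the EICAR specification.

```python
"""Detect the EICAR test string in raw data and inside ZIP archives."""
import io
import zipfile

# The standard EICAR test string quoted in the guide. It is split into two
# literals in the source only so that this source file itself is not flagged
# by a host-based scanner; at runtime it is the exact 68-byte string.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Per the EICAR specification a valid test file is the string, optionally
# followed by whitespace, with a total length of at most 128 bytes.
MAX_EICAR_FILE_LEN = 128


def is_eicar(data: bytes) -> bool:
    """Return True if `data` is an EICAR test file under the exact-match rule."""
    if len(data) > MAX_EICAR_FILE_LEN or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n") == b""


def scan_blob(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Scan one object; recurse into ZIP members up to `max_depth` levels.

    Returns the names (with "archive/member" paths) that matched EICAR.
    """
    hits = []
    if is_eicar(data):
        hits.append(name)
        return hits
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Guard against decompression bombs: only read members whose
                # declared uncompressed size is small.
                if info.file_size > 1024 * 1024:
                    continue
                member = zf.read(info.filename)
                hits.extend(scan_blob(f"{name}/{info.filename}", member,
                                      depth + 1, max_depth))
    return hits


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def demo() -> dict:
    """Scan a set of constructed sample files and return name -> hits."""
    samples = {
        "eicar.com": EICAR + b"\r\n",
        "readme.txt": b"Just a harmless text file.\n",
        "nested.zip": make_zip({"inner.zip": make_zip({"eicar.com": EICAR})}),
        # Same bytes embedded in a larger file: NOT an EICAR file by the spec.
        "padded.bin": EICAR + b"\x00" * 200,
    }
    return {name: scan_blob(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {'DETECTED ' + str(hits) if hits else 'clean'}")
```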

33.6.4 Remove Profiles
To remove profiles and revert to the default general security policy style, you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Filter, URL Threat Filter, IDP, Email Security.
Note: All profiles that you created will be removed from Security Policy > Policy Control.
Run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style general
Router(config)# show secure-policy-style status
secure-policy-style: general

Wait a minute and then go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
Figure 420 Logout Prompt

After you log in again, you will not see the profile screen for this feature.


33.7 Anti-Malware Technical Reference

Types of Malware

The following table describes some of the common malware.

Table 259 Common Malware Types

TYPE
DESCRIPTION

File Infector

This is a small program that embeds itself in a legitimate program. A file infector is able to copy and attach itself to other programs that are executed on an infected computer.

Boot Sector Virus

This type of virus infects the area of a hard drive that a computer reads and executes during startup. The virus causes computer crashes and to some extent renders the infected computer inoperable.

Macro Virus

Macro viruses or Macros are small programs that are created to perform repetitive actions. Macros run automatically when a file to which they are attached is opened. Macros spread more rapidly than other types of viruses as data files are often shared on a network.

Email Virus

Email viruses are malicious programs that spread through email.

Polymorphic Virus

A polymorphic virus (also known as a mutation virus) tries to evade detection by changing a portion of its code structure after each execution or self replication. This makes it harder for an anti-malware scanner to detect or intercept it.

A polymorphic virus can also belong to any of the virus types discussed above.

Malware Infection and Prevention
The following describes a simple life cycle of malware.
1 A computer gets a copy of malware from a source such as the Internet, email, file sharing or any removable storage media. The malware is harmless until the execution of an infected program.
2 The malware spreads to other files and programs on the computer.
3 The infected files are unintentionally sent to another computer thus starting the spread of the malware.
4 Once the malware is spread through the network, the number of infected networked computers can grow exponentially.
Types of Anti-Malware Scanner
This section describes two types of anti-malware scanner: host-based and network-based.
A host-based anti-malware (HAM) scanner is often software installed on computers and/or servers on the network. It inspects files for malware patterns as they are moved in and out of the drive. However, host-based anti-malware scanners cannot eliminate all malware for a number of reasons:
· HAM scanners are slow in stopping malware threats through real-time traffic (such as from the Internet).
· HAM scanners may reduce computing performance as they also share resources (such as CPU time) on the computer for file inspection.
· You have to update the malware signatures and/or perform malware scans on all computers on the network regularly.

A network-based anti-malware (NAM) scanner is often deployed as a dedicated security device (such as your Zyxel Device) on the network edge. NAM scanners inspect real-time data traffic (such as email messages or web) that tends to bypass HAM scanners. The following lists some of the benefits of NAM scanners.
· NAM scanners stop malware threats at the network edge before they enter or exit a network.
· NAM scanners reduce the computing load on computers as the real-time data traffic inspection is done on a dedicated security device.

CHAPTER 34 Reputation Filter

34.1 Overview
Use the Reputation Filter screens to configure settings for URL Threat filtering.
34.1.1 What You Need to Know

URL Threat Filter
URL filtering compares access to specific URLs against a database of blocked or allowed sites. Sites on the database are sorted into categories such as:

· Anonymizers
· Browser Exploits
· Malicious Downloads
· Malicious Sites
· Phishing
· Spam URLs
· Spyware Adware Keyloggers

34.1.2 What You Can Do in this Chapter
· Use the URL Threat Filter screen (Section 34.2 on page 640) to enable URL Threat filtering and specify what action the Zyxel Device takes when any suspicious activity is detected.

34.2 URL Threat Filter Screen
When you enable the URL Threat filtering service, your Zyxel Device will access an external database, Cloud Query, that has millions of web sites categorized based on content. You can have the Zyxel Device allow, block, warn and/or log access to web sites or hosts based on selected categories. The priority for URL Threat checking is as follows:
1 White List
2 Black List
3 Cloud Query Cache
4 Cloud Query
Use this screen to enable URL Threat filtering and specify the action the Zyxel Device takes when it detects a suspicious activity or a connection attempt to or from a site in a selected category.
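The following is an added example, not code from this guide or from the Zyxel firmware: a model of the four-step priority order above (white list, black list, cloud query cache, cloud query) combined with the block/warn/pass action and the no/log/log alert options described for this screen. It assumes that list entries and the database are matched on the URL's host name; CLOUD_DB, the selected threat categories and the URLs are constructed sample data.

```python
"""Model of the URL Threat Filter decision order: white list, black list,
cloud query cache, cloud query."""
from urllib.parse import urlsplit

# Constructed stand-in for the external Cloud Query database (host -> category).
CLOUD_DB = {
    "phish.example": "Phishing",
    "dl.example": "Malicious Downloads",
    "www.example.com": "Business",   # not a security-threat category
}

# Categories the administrator ticked under Security Threat Categories (sample).
SELECTED_THREAT_CATEGORIES = {"Phishing", "Malicious Downloads", "Browser Exploits"}


def host_of(url: str) -> str:
    """Normalise a URL to the host name the lists and database are keyed on."""
    host = urlsplit(url.strip()).hostname
    if host is None:
        raise ValueError(f"URL must start with http:// or https://: {url!r}")
    return host.lower()


class UrlThreatFilter:
    def __init__(self, action="block", log="log", white_list=(), black_list=()):
        assert action in ("block", "warn", "pass")
        assert log in ("no", "log", "log alert")
        self.action, self.log = action, log
        self.white = {host_of(u) for u in white_list}
        self.black = {host_of(u) for u in black_list}
        self.cache = {}          # host -> category (the Cloud Query Cache)
        self.cloud_queries = 0   # lookups that actually went to the cloud
        self.logs = []

    def cloud_query(self, host: str) -> str:
        """Step 4: ask the (simulated) cloud database for the host's category."""
        self.cloud_queries += 1
        return CLOUD_DB.get(host, "Unknown")

    def _record(self, host, category, verdict, source):
        """Apply the Log option: no / log / log alert (alert = emailed log)."""
        if self.log == "no":
            return
        self.logs.append({"host": host, "category": category, "verdict": verdict,
                          "source": source, "alert": self.log == "log alert"})

    def check(self, url: str) -> dict:
        """Return the verdict for `url`, following priority 1 to 4."""
        host = host_of(url)
        if host in self.white:                        # 1 White List: never checked
            return {"host": host, "verdict": "pass", "source": "white list"}
        if host in self.black:                        # 2 Black List: configured action
            self._record(host, "Black List", self.action, "black list")
            return {"host": host, "verdict": self.action, "source": "black list"}
        if host in self.cache:                        # 3 Cloud Query Cache
            category, source = self.cache[host], "cache"
        else:                                         # 4 Cloud Query, then cache it
            category, source = self.cloud_query(host), "cloud query"
            self.cache[host] = category
        if category in SELECTED_THREAT_CATEGORIES:
            self._record(host, category, self.action, source)
            return {"host": host, "verdict": self.action, "source": source,
                    "category": category}
        return {"host": host, "verdict": "pass", "source": source,
                "category": category}


def demo() -> list:
    """Run a few constructed URLs through a filter and return the verdicts."""
    f = UrlThreatFilter(action="block", log="log alert",
                        white_list=["https://phish.example/ok"],   # white list wins
                        black_list=["http://bad.example"])
    urls = ["https://phish.example/login", "http://bad.example/x",
            "https://dl.example/setup.exe", "https://dl.example/again",
            "https://www.example.com/"]
    return [f.check(u) for u in urls]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```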
Click the URL Threat Filter icon for more information on the Zyxel Device's security features. Click Configuration > Security Service > Reputation Filter > URL Threat Filter to display the configuration screen as shown next.
Figure 421 Configuration > Security Service > Reputation Filter > URL Threat Filter > General

The following table describes the labels in this screen.

Table 260 Configuration > Security Service > Reputation Filter > URL Threat Filter > General

LABEL
DESCRIPTION

URL Blocking

Enable
Select this option to turn on URL blocking on the Zyxel Device.

Action
Set what action the Zyxel Device takes when it detects a connection attempt to or from the web pages of the specified categories.

block: Select this action to have the Zyxel Device block access to the web pages that match the categories that you select above.

warn: Select this action to have the Zyxel Device display a warning message to the access requesters for the web pages before allowing users to access web pages that match the categories that you select above.

pass: Select this action to have the Zyxel Device allow access to the web pages that match the categories that you select above.

Log
These are the log options:

· no: Do not create a log when it detects a connection attempt to or from the web pages of the specified categories.
· log: Create a log on the Zyxel Device when it detects a connection attempt to or from the web pages of the specified categories.
· log alert: An alert is an emailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a connection matches web pages of the specified categories.


Message to display when a site is blocked

Denied Access Message
Enter a message to be displayed when the URL Threat filter blocks access to a web page. Use up to 127 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%,"). For example, "Access to this web page is not allowed. Please contact the network administrator".
It is also possible to leave this field blank if you have a URL specified in the Redirect URL field. In this case if the URL Threat filter blocks access to a web page, the Zyxel Device just opens the web page you specified without showing a denied access message.

Redirect URL
Enter the URL of the web page to which you want to send users when their web access is blocked by the URL Threat filter. The web page you specify here opens in a new frame below the denied access message.
Use "http://" or "https://" followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access.

Security Threat Categories

Select the categories of web pages that may pose a security threat to network devices behind the Zyxel Device.

Anonymizers

Sites and proxies that act as an intermediary for surfing to other Web sites in an anonymous fashion, whether to circumvent Web filtering or for other reasons.

Browser Exploits

Sites that contain browser exploits. A browser exploit is any content that forces a web browser to perform operations that you do not explicitly intend.

Malicious Downloads

Sites that have been identified as containing malicious downloads or malware harmful to a user's computer.

Malicious Sites

Sites that install unwanted software on a user's computer with the intent to enable third-party monitoring or make system changes without the user's consent.

Phishing

Sites that are used for deceptive or fraudulent purposes, such as stealing financial or other user account information. These sites are most often designed to appear as legitimate sites in order to mislead users into entering their credentials.

Spam URLs

Sites that have been promoted through spam techniques.

Spyware Adware Keyloggers

Sites that contain spyware, adware or keyloggers.
· Spyware is a program installed on your computer, usually without your explicit knowledge, that captures and transmits personal information or Internet browsing habits and details to companies. Companies use this information to analyze browsing habits, to gather marketing data, and to sell your information to others.
· Key logger programs try to capture and steal your passwords and watch and record everything you do on your computer.
· Adware programs typically display blinking advertisements or pop-up windows when you perform a certain action. Adware programs are often installed in exchange for another service, such as the right to use a program without paying for it.

Test URL Threat Category

URL to test

Enter a URL using http://domain or https://domain and click the Query button to check if the domain belongs to a URL threat category.

Apply

Click Apply to save your changes.

Reset

Click Reset to return the screen to its last-saved settings.

34.2.1 URL Threat Filter White List Screen
Use this screen to create white list entries. The Zyxel Device will allow incoming packets from the listed IPv4 addresses and URLs.

Figure 422 Configuration > Security Service > Reputation Filter > URL Threat Filter > White List

The following table describes the labels in this screen.

Table 261 Configuration > Security Service > Reputation Filter > URL Threat Filter > White List

LABEL
DESCRIPTION

White List

Add

Click this to create a new entry.

Edit

Select an entry and click this to be able to modify it.

Remove

Select an entry and click this to delete it.

#

This is the entry's index number in the list.

White List

This field displays the URL of this entry.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

34.2.2 URL Threat Filter Black List Screen
Use this screen to create black list entries. The Zyxel Device will block incoming packets from the listed IPv4 addresses and URLs.
Figure 423 Configuration > Security Service > Reputation Filter > URL Threat Filter > Black List


The following table describes the labels in this screen.

Table 262 Configuration > Security Service > Reputation Filter > URL Threat Filter > Black List

LABEL
DESCRIPTION

Black List

Add

Click this to create a new entry.

Edit

Select an entry and click this to be able to modify it.

Remove

Select an entry and click this to delete it.

#

This is the entry's index number in the list.

Black List

This field displays the URL of this entry.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

34.3 URL Threat Filter Profile
To use multiple profiles for this feature, run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style advance
Router(config)# show secure-policy-style status
secure-policy-style: advance
After you run these commands, go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
Figure 424 Logout Prompt

After you log in again, you will see the new profile screen for this feature.
Figure 425 Configuration > Security Service > Reputation Filter > URL Threat Filter > Profile


The following table describes the labels in this screen.

Table 263 Configuration > Security Service > Reputation Filter > URL Threat Filter > Profile

LABEL
DESCRIPTION

Add

Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

Select an entry and click Remove to delete the selected entry.

#

This field is a sequential value showing the number of the profile. The profile order is not important.

Name

This displays the name of the profile created.

Description

This displays the description of the profile.

34.3.1 Add or Edit a URL Threat Filter Profile
Click Add to create a new entry or select an existing entry and click Edit to open the following screen where you can create or modify the entry's settings.
Figure 426 Configuration > Security Service > Reputation Filter > URL Threat Filter > Profile > Add/Edit


The following table describes the labels in this screen.

Table 264 Configuration > Security Service > Reputation Filter > URL Threat Filter > Profile > Add/Edit

LABEL
DESCRIPTION

Configuration

Profile Name
Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
· MyProfile
· mYProfile
· Mymy12_3-4
These are invalid profile names:
· 1mYProfile
· My Profile
· MyProfile?
· Whatalongprofilename123456789012

Description
Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.

Action
Set what action the Zyxel Device takes when it detects a connection attempt to or from the web pages of the specified categories.

block: Select this action to have the Zyxel Device block access to the web pages that match the categories that you select above.

warn: Select this action to have the Zyxel Device display a warning message to the access requesters for the web pages before allowing users to access web pages that match the categories that you select above.

pass: Select this action to have the Zyxel Device allow access to the web pages that match the categories that you select above.

Log
These are the log options:

· no: Do not create a log when it detects a connection attempt to or from the web pages of the specified categories.
· log: Create a log on the Zyxel Device when it detects a connection attempt to or from the web pages of the specified categories.
· log alert: An alert is an emailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a connection matches web pages of the specified categories.

Scan Options

Check White List
Select this check box to have the Zyxel Device not perform the URL Threat filter check on URLs that match the white list entries.

Check Black List
Select this check box to have the Zyxel Device perform the URL Threat filter check on URLs that match the black list entries.

Security Threat Categories
Select the categories of FQDNs that may pose a security threat to network devices behind the Zyxel Device.

Anonymizers
Sites and proxies that act as an intermediary for surfing to other Web sites in an anonymous fashion, whether to circumvent Web filtering or for other reasons.

Browser Exploits
Sites that contain browser exploits. A browser exploit is any content that forces a web browser to perform operations that you do not explicitly intend.

Malicious Downloads
Sites that have been identified as containing malicious downloads or malware harmful to a user's computer.

Malicious Sites
Sites that install unwanted software on a user's computer with the intent to enable third-party monitoring or make system changes without the user's consent.


Phishing

Sites that are used for deceptive or fraudulent purposes, such as stealing financial or other user account information. These sites are most often designed to appear as legitimate sites in order to mislead users into entering their credentials.

Spam URLs

Sites that have been promoted through spam techniques.

Spyware Adware Keyloggers

Sites that contain spyware, adware or keyloggers.
· Spyware is a program installed on your computer, usually without your explicit knowledge, that captures and transmits personal information or Internet browsing habits and details to companies. Companies use this information to analyze browsing habits, to gather marketing data, and to sell your information to others.
· Key logger programs try to capture and steal your passwords and watch and record everything you do on your computer.
· Adware programs typically display blinking advertisements or pop-up windows when you perform a certain action. Adware programs are often installed in exchange for another service, such as the right to use a program without paying for it.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.

34.3.2 Link a Profile
To link a profile to a policy, go to the Configuration > Security Policy > Policy Control screen, select a policy, and then click Edit. In the Edit Policy screen under Profile, select which profile you want to use for each security service.

Figure 427 Configuration > Security Service > Policy Control > Profile

34.3.3 URL Threat Filter Advance Screen
The Configuration > Security Service > Reputation Filter > URL Threat Filter screen also changes when using profiles.
Figure 428 Configuration > Security Service > Reputation Filter > URL Threat Filter > General

The following table describes the labels in this screen.

Table 265 Configuration > Security Service > Reputation Filter > URL Threat Filter > General

LABEL
DESCRIPTION

URL Blocking

Enable

Select this option to turn on URL blocking on the Zyxel Device.

Inspect all traffic, setting:
Select this to have all traffic inspected by the default_profile. You cannot rename or delete the default_profile profile, but you can edit it by clicking the link here.

Inspect by policy
If you configured a specific profile in the Profile tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to a policy in Security Policy > Policy Control.

Message to display when a site is blocked

Denied Access Message
Enter a message to be displayed when the URL Threat filter blocks access to a web page. Use up to 127 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%,"). For example, "Access to this web page is not allowed. Please contact the network administrator".
It is also possible to leave this field blank if you have a URL specified in the Redirect URL field. In this case if the URL Threat filter blocks access to a web page, the Zyxel Device just opens the web page you specified without showing a denied access message.

Redirect URL
Enter the URL of the web page to which you want to send users when their web access is blocked by the URL Threat filter. The web page you specify here opens in a new frame below the denied access message.
Use "http://" or "https://" followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access.

Test URL Threat Category

URL to test
Enter a URL using http://domain or https://domain and click the Query button to check if the domain belongs to a URL threat category.

Apply
Click Apply to save your changes.

Reset
Click Reset to return the screen to its last-saved settings.

34.3.4 Remove Profiles
To remove profiles and revert to the default general security policy style, you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Filter, URL Threat Filter, IDP, Email Security.
Note: All profiles that you created will be removed from Security Policy > Policy Control.
Run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style general
Router(config)# show secure-policy-style status
secure-policy-style: general
Wait a minute and then go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
Figure 429 Logout Prompt
After you log in again, you will not see the profile screen for this feature.

CHAPTER 35 IDP
35.1 Overview
This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), custom signatures, and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously. IDP on the Zyxel Device protects against network-based intrusions.
35.1.1 What You Can Do in this Chapter
· Use the Security Service > IDP screen (Section 35.2 on page 652) to view registration and signature information.
· Use the Security Service > IDP > Custom Signature > Add screens (Section 35.3 on page 657) to create a new custom signature, edit an existing signature, delete existing signatures or save signatures to your computer.
· Use the Security Service > IDP > White List screen (Section 35.4 on page 665) to list signatures that will be exempted from IDP inspection.
35.1.2 What You Need To Know
Packet Inspection Signatures
A signature is a pattern of malicious or suspicious packet activity. You can specify an action to be taken if the system matches a stream of data to a malicious signature. You can change the action in the profile screens. Packet inspection examines OSI (Open Systems Interconnection) layer-4 to layer-7 packet contents for malicious data. Generally, packet inspection signatures are created for known attacks while anomaly detection looks for abnormal behavior.
Applying Your IDP Configuration
Changes to the Zyxel Device's IDP settings affect new sessions, but not the sessions that already existed before you applied the new settings.
35.1.3 Before You Begin
· Register for a trial IDP subscription in the Registration screen. This gives you access to free signature updates. This is important as new signatures are created as new attacks evolve. When the trial subscription expires, purchase and enter a license key using the same screens to continue the subscription.
35.2 The IDP Screen
An IDP profile is a set of packet inspection signatures. Click Configuration > Security Service > IDP to open this screen. Use this screen to view registration and signature information.
Note: You must register in order to update packet inspection signatures. See the Registration screens. If you try to enable IDP when the IDP service has not yet been registered, a warning screen displays and IDP is not enabled.
Click the IDP icon for more information on the Zyxel Device's security features.
Figure 430 Configuration > Security Service > IDP

The following table describes the fields in this screen.

Table 266 Configuration > Security Service > IDP

LABEL
DESCRIPTION

General Settings

Enable
Select this check box to activate the IDP feature which detects and prevents malicious or suspicious packets and responds instantaneously.

Query Signatures
You can search for specific signatures by name or ID. If the name and ID fields are left blank, then all signatures are searched according to the criteria you select.

Name
Type the name or part of the name of the signature(s) you want to find.

Signature ID
Type the ID or part of the ID of the signature(s) you want to find.

Search all custom signatures
Select this check box to include signatures you created or imported in the Custom Signatures screen in the search.

Severity
Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections.

These are the severities as defined in the Zyxel Device. The number in brackets is the number you use if using commands.

Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.

High (4): These denote known serious vulnerabilities or attacks that are probably not false alarms.

Medium (3): These denote medium threats, access control attacks or attacks that could be false alarms.

Low (2): These denote mild threats or attacks that could be false alarms.

Very-Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc.

Classification Type
Search for signatures by attack type(s) (see Table 267 on page 654). Attack types are known as policy types in the group view screen. Hold down the [Ctrl] key if you want to make multiple selections.

Platform
Search for signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key if you want to make multiple selections.

Service
Search for signatures by IDP service group(s). See Table 267 on page 654 for group details. Hold down the [Ctrl] key if you want to make multiple selections.

Action
Search for signatures by the response the Zyxel Device takes when a packet matches a signature. Hold down the [Ctrl] key if you want to make multiple selections.

Activation
Search for activated and/or inactivated signatures here.

Log
Search for signatures by log option here.

Query Result
The results are displayed in a table showing the SID, Name, Severity, Classification Type, Platform, Service, Log, and Action criteria as selected in the search. Click the SID column header to sort search results by signature ID.

Custom Signature Rules
Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures.

Add
Click this to create a new entry.

Edit
Select an entry and click this to be able to modify it.

Remove
Select an entry and click this to delete it.

Export
To save an entry or entries as a file on your computer, select them and click Export. Click Save in the file download dialog box and then select a location and name for the file.

Custom signatures must end with the `rules' file name extension, for example, MySig.rules.


#

This is the entry's index number in the list.

SID

SID is the signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order. It is automatically created when you click the Add icon to create a new signature. You can edit the ID, but it cannot already exist and it must be in the 9000000 to 9999999 range.

Name

This is the name of your custom signature. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent.

Customer Signature Rule Importing
Use this part of the screen to import custom signatures (previously saved to your computer) to the Zyxel Device.

Note: The name of the complete custom signature file on the Zyxel Device is `custom.rules'. If you import a file named `custom.rules', then all custom signatures on the Zyxel Device are overwritten with the new file. If this is not your intention, make sure that the files you import are not named `custom.rules'.

File Path
Type the file path and name of the custom signature file you want to import in the text box (or click Browse to find it on your computer) and then click Importing to transfer the file to the Zyxel Device.
New signatures then display in the Zyxel Device IDP > Custom Signatures screen.

Signature Information
The following fields display information on the current signature set that the Zyxel Device is using.

Current Version
This field displays the IDP signature set version number. This number gets larger as the set is enhanced.

Signature Number
This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.

Released Date
This field displays the date and time the set was released.

Update Signatures
Click this link to go to the screen you can use to download signatures from the update server.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.

Policy Types

This table describes Policy Types as categorized in the Zyxel Device.

Table 267 Policy Types

POLICY TYPE
DESCRIPTION

Access Control

Access control refers to procedures and controls that limit or detect access. Access control attacks try to bypass validation checks in order to access network resources such as servers, directories, and files.

Any

Any attack includes all other kinds of attacks that are not specified in the policy such as password, spoof, hijack, phishing, and close-in.

Backdoor/Trojan Horse

A backdoor (also called a trapdoor) is hidden software or a hardware mechanism that can be triggered to gain access to a program, online service or an entire computer system. A Trojan horse is a harmful program that is hidden inside apparently harmless programs or data.

Although a virus, a worm and a Trojan are different types of attacks, they can be blended into one attack. For example, W32/Blaster and W32/Sasser are blended attacks that feature a combination of a worm and a Trojan.

BotNet

A Botnet is a number of Internet computers that have been set up to forward transmissions including spam or viruses to other computers on the Internet though their owners are unaware of it. It is also a collection of Internet-connected programs communicating with other similar programs in order to perform tasks and participate in distributed Denial-Of-Service attacks.

Buffer Overflow

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. The excess information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

Intruders could run code in the overflow buffer region to obtain control of the system, install a backdoor or use the victim to launch attacks on other devices.

DoS/DDoS

The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet.

A Distributed Denial of Service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system.

Instant Messenger

IM (Instant Messenger) refers to chat applications. Chat is real-time, text-based communication between two or more users via network-connected computers. After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants.

Mail

A Mail or email bombing attack involves sending several thousand identical messages to an electronic mailbox in order to overflow it, making it unusable.

Misc

Miscellaneous attacks take advantage of vulnerable computer networks and web servers by forcing cache servers or web browsers into disclosing user-specific information that might be sensitive and confidential. The most common types of Misc. attacks are HTTP Response Smuggling, HTTP Response Splitting and JSON Hijacking.

P2P

Scan
Peer-to-peer (P2P) is where computing devices link directly to each other and can directly initiate communication with each other; they do not need an intermediary. A device can be both the client and the server. In the Zyxel Device, P2P refers to peer-topeer applications such as e-Mule, e-Donkey, BitTorrent, iMesh, etc.
A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels.

A network scan occurs at layer-3. For example, an attacker looks for network devices such as a router or server running in an IP network.

A scan on a protocol is commonly referred to as a layer-4 scan. For example, once an attacker has found a live end system, he looks for open ports.

SPAM

A scan on a service is commonly referred to a layer-7 scan. For example, once an attacker has found an open port, say port 80 on a server, he determines that it is a HTTP service run by some web server application. He then uses a web vulnerability scanner (for example, Nikto) to look for documented vulnerabilities.
Spam is unsolicited "junk" email sent to large numbers of people to promote products or services.

ZyWALL USG FLEX Series User's Guide
655

Chapter 35 IDP

Table 267 Policy Types (continued)

PO LIC Y TYPE

DESC RIPTIO N

Stream Media

A Stream Media attack occurs when a malicious network node downloads an overwhelming amount of media stream data that could potentially exhaust the entire system. This method allows users to send small requests messages that result in the streaming of large media objects, providing an opportunity for malicious users to exhaust resources in the system with little effort expended on their part.

Tunnel

A Tunneling attack involves sending IPv6 traffic over IPv4, slipping viruses, worms and spyware through the network using secret tunnels. This method infiltrates standard security measures through IPv6 tunnels, passing through IPv4 undetected. An external signal then triggers the malware to spring to life and wreak havoc from inside the network.

Virus/Worm

A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network. A worm's uncontrolled replication consumes system resources, thus slowing or stopping other tasks.

Web Attack

Web attacks refer to attacks on web servers such as IIS (Internet Information Services).

IDP Service Groups

An IDP service group is a set of related packet inspection signatures.

Table 268 IDP Service Groups

· WEB_PHP
· WEB_MISC
· WEB_CGI
· WEB_ATTACKS
· WEB_IIS
· WEB_FRONTPAGE
· SQL
· MYSQL
· ORACLE
· SNMP
· RPC
· RSERVICES
· POP2
· POP3
· IMAP
· SMTP
· NNTP
· NETBIOS
· MISC_EXPLOIT
· MISC_DDOS
· MISC_BACKDOOR
· MISC
· IM
· P2P
· FINGER
· DNS
· TFTP
· FTP
· TELNET
· ICMP
· n/a

35.2.1 Query Example
This example shows a search with these criteria:
· Severity: Severe
· Classification Type: Misc
· Platform: Windows
· Service: Any
· Actions: Any

Figure 431 Query Example Search
35.3 IDP Custom Signatures
Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom signatures.
IP Packet Header
These are the fields in an Internet Protocol (IP) version 4 packet header.
Figure 432 IPv4 Packet Headers

The header fields are discussed in the following table.

Table 269 IPv4 Packet Headers

Version: The value 4 indicates IP version 4.
IHL: IP Header Length is the number of 32-bit words forming the total length of the header (usually five).
Type of Service: The Type of Service (also known as Differentiated Services Code Point (DSCP)) is usually set to 0, but may indicate particular quality of service needs from the network.
Total Length: This is the size of the datagram in bytes. It is the combined length of the header and the data.
Identification: This is a 16-bit number which, together with the source address, uniquely identifies this packet. It is used during reassembly of fragmented datagrams.
Flags: Flags are used to control whether routers are allowed to fragment a packet and to indicate the parts of a packet to the receiver.
Fragment Offset: This is a byte count from the start of the original sent packet.
Time To Live: This is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops.
Protocol: The protocol indicates the type of transport packet being carried, for example, 1 = ICMP; 2 = IGMP; 6 = TCP; 17 = UDP.
Header Checksum: This is used to detect processing errors introduced into the packet inside a router or bridge where the packet is not protected by a link layer cyclic redundancy check. Packets with an invalid checksum are discarded by all nodes in an IP network.
Source IP Address: This is the IP address of the original sender of the packet.
Destination IP Address: This is the IP address of the final destination of the packet.
Options: IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each router record its IP address and time), End of IP List and No IP Options.
Padding: Padding is used as a filler to ensure that the IP packet is a multiple of 32 bits.
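The fields of Table 269 as they appear on the wire, as an added example (not code from the Zyxel guide): a parser that decodes a raw IPv4 header, verifies the Header Checksum the way an IP node does, and exposes the checks a custom signature can make (Protocol, Flags, Time To Live, and the Same IP condition of source equal to destination). The sample header bytes are constructed here.

```python
"""Parse the IPv4 header fields of Table 269 from raw bytes and verify the
Header Checksum. Added example, not code from the Zyxel guide; the sample
packet bytes are constructed here."""
import struct
from dataclasses import dataclass

# Protocol numbers named in the table.
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


@dataclass
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words (usually 5)
    tos: int              # Type of Service / DSCP byte
    total_length: int     # header plus data, in bytes
    identification: int
    flags: int            # 3 bits: reserved, DF (don't fragment), MF (more fragments)
    fragment_offset: int  # 13-bit field as carried on the wire
    ttl: int
    protocol: int
    header_checksum: int
    src: str
    dst: str
    options: bytes        # variable-length Options (plus Padding), empty when IHL == 5

    @property
    def protocol_name(self) -> str:
        return PROTOCOL_NAMES.get(self.protocol, "unknown(%d)" % self.protocol)

    @property
    def dont_fragment(self) -> bool:
        return bool(self.flags & 0b010)

    @property
    def more_fragments(self) -> bool:
        return bool(self.flags & 0b001)

    @property
    def same_ip(self) -> bool:
        # What the "Same IP" signature option tests: source equals destination.
        return self.src == self.dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, the Header Checksum algorithm.
    Over a header whose checksum field is already filled in it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data: bytes) -> IPv4Header:
    """Decode the fixed 20-byte header and any options; reject damaged headers
    the way an IP node would (bad version, bad IHL, checksum mismatch)."""
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack(
        "!BBHHHBBH", data[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    hlen = ihl * 4
    if hlen < 20 or hlen > len(data):
        raise ValueError("bad IHL %d" % ihl)
    if ipv4_checksum(data[:hlen]) != 0:
        raise ValueError("header checksum mismatch")
    return IPv4Header(
        version, ihl, tos, total_len, ident,
        flags_frag >> 13, flags_frag & 0x1FFF, ttl, proto, csum,
        ".".join(str(b) for b in data[12:16]),
        ".".join(str(b) for b in data[16:20]),
        data[20:hlen])


def build_sample_header(src=(192, 168, 1, 10), dst=(192, 168, 1, 1), proto=17) -> bytes:
    """Constructed sample: 20-byte header with DF set, TTL 64, checksum filled in."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0x1C46, 0x4000,
                                64, proto, 0, bytes(src), bytes(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)
```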

Select Configuration > Security Service. The Custom Signature Rules section shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can also delete custom signatures here or save them to your computer.
Note: The Zyxel Device checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the Zyxel Device applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none, in this order). If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the Zyxel Device will reject-both.

35.3.1 Add / Edit Custom Signatures
Click the Add icon to create a new signature or click the Edit icon to edit an existing signature on the screen as shown in Figure 430 on page 652.

A packet must match all items you configure in this screen before it matches the signature. The more specific your signature (including packet contents), the fewer false positives the signature will trigger. Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit.
Figure 433 Configuration > Security Service > IDP > Custom Signatures > Add/Edit

The following table describes the fields in this screen.

Table 270 Configuration > Security Service > IDP > Custom Signatures > Add/Edit

Name: Type the name of this custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to the intent of the signature and the type of attack it is supposed to prevent. Refer to (but do not copy) the packet inspection signature names for hints on creating a naming convention.
Signature ID: A signature ID is automatically created when you click the Add icon to create a new signature. You can edit the ID to create a new one (in the 9000000 to 9999999 range), but you cannot use one that already exists. You may want to do that if you want to order custom signatures by SID.
Information: Use the following fields to set general information about the signature as denoted below.
Severity: The severity level denotes how serious the intrusion is. Categorize the seriousness of the intrusion here.
Platform: Some intrusions target specific operating systems only. Select the operating systems that the intrusion targets, that is, the operating systems you want to protect from this intrusion. SGI refers to Silicon Graphics Incorporated, who manufactures multi-user Unix workstations that run the IRIX operating system (SGI's version of UNIX). A router is an example of a network device.
Classification Type: Categorize the attack type here. See Table 267 on page 654 as a reference.
Frequency: Recurring packets of the same type may indicate an attack. Use the following field to indicate how many packets per how many seconds constitute an intrusion.
Threshold: Select Threshold and then type how many packets (that meet the criteria in this signature) per how many seconds constitute an intrusion.
Header Options
Network Protocol: Configure signatures for IP version 4.
Type Of Service: Type of service in an IP header is used to specify levels of speed and/or reliability. Some intrusions use an invalid Type Of Service number. Select the check box, then select Equal or Not-Equal and then type in a number.
Identification: The identification field in a datagram uniquely identifies the datagram. If a datagram is fragmented, it contains a value that identifies the datagram to which the fragment belongs. Some intrusions use an invalid Identification number. Select the check box and then type in the invalid number that the intrusion uses.
Fragmentation: A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented or is a reserved bit. Some intrusions can be identified by this flag. Select the check box and then select the flag that the intrusion uses.
Fragment Offset: When an IP datagram is fragmented, it is reassembled at the final destination. The fragmentation offset identifies where the fragment belongs in a set of fragments. Some intrusions use an invalid Fragment Offset number. Select the check box, select Equal, Smaller or Greater and then type in a number.
Time to Live: Time to Live is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. Usually it is used to set an upper limit on the number of routers a datagram can pass through. Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number.
IP Options: IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each router record its IP address and time), End of IP List and No IP Options. IP Options can help identify some intrusions. Select the check box, then select an item from the list box that the intrusion uses.
Same IP: Select the check box for the signature to check for packets that have the same source and destination IP addresses.
Transport Protocol: The following fields vary depending on whether you choose TCP, UDP or ICMP.
Transport Protocol: TCP
Port: Select the check box and then enter the source and destination TCP port numbers that will trigger this signature.
Flow: The selected keyword sets the criteria as to which traffic is matched. You can match traffic based on direction or whether the connection is established or not. You can also specify whether you want to match signatures per packet or in a stream of packets.
· Established: Match established connections.
· Stateless: Match packets that are not part of an established connection.
· To Client: Match packets that flow from server to client.
· To Server: Match packets that flow from client to server.
· From Client: Match packets that flow from client to server.
· From Server: Match packets that flow from server to client.
· No Stream: Match packets that have not been reassembled by the stream engine. It will not match packets that have been reassembled.
· Only Stream: Match packets that have been reassembled.
Flags: Select what TCP flag bits the signature should check.
Sequence Number: Use this field to check for a specific TCP sequence number.
Ack Number: Use this field to check for a specific TCP acknowledgment number.
Window Size: Use this field to check for a specific TCP window size.
Transport Protocol: UDP
Port: Select the check box and then enter the source and destination UDP port numbers that will trigger this signature.
Transport Protocol: ICMP
Type: Use this field to check for a specific ICMP type value.
Code: Use this field to check for a specific ICMP code value.
ID: Use this field to check for a specific ICMP ID value. This is useful for covert channel programs that use static ICMP fields when they communicate.
Sequence Number: Use this field to check for a specific ICMP sequence number. This is useful for covert channel programs that use static ICMP fields when they communicate.
Payload Options: The longer a payload option is, the more exact the match, and the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature.
Payload Size: This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size. Stream rebuilt packets are not checked regardless of the size of the payload.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
#: This is the entry's index number in the list.
Offset: This field specifies where to start searching for a pattern within a packet. For example, an offset of 5 would start looking for the specified pattern after the first five bytes of the payload.
Content: Type the content that the signature should search for in the packet payload. Hexadecimal code entered between pipes is converted to ASCII. For example, you could represent the ampersand as either & or |26| (26 is the hexadecimal code for the ampersand).
Case-insensitive: Select Yes if content casing does NOT matter.
Decode as URI: A Uniform Resource Identifier (URI) is a string of characters for identifying an abstract or physical resource (RFC 2396). A resource can be anything that has identity, for example, an electronic document, an image, a service ("today's weather report for Taiwan"), a collection of other resources. An identifier is an object that can act as a reference to something that has identity. Example URIs are:
· ftp://ftp.is.co.za/rfc/rfc1808.txt; ftp scheme for File Transfer Protocol services
· http://www.math.uio.no/faq/compression-faq/part1.html; http scheme for Hypertext Transfer Protocol services
· mailto:mduerst@ifi.unizh.ch; mailto scheme for electronic mail addresses
· telnet://melvyl.ucop.edu/; telnet scheme for interactive services via the TELNET Protocol
Select Yes for the signature to search for normalized URI fields. This means that if you are writing signatures that include normalized content, such as %2 for directory traversals, these signatures will not be triggered because the content is normalized out of the URI buffer. For example, the URI:
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver
will get normalized into:
/winnt/system32/cmd.exe?/c+ver
OK: Click this button to save your changes to the Zyxel Device and return to the summary screen.
Cancel: Click this button to return to the summary screen without saving any changes.

35.3.2 Custom Signature Example
Before creating a custom signature, you must first clearly understand the vulnerability.
35.3.2.1 Understand the Vulnerability
Check the Zyxel Device logs when the attack occurs. Use web sites such as Google or Security Focus to get as much information about the attack as you can. The more specific your signature, the less chance it will cause false positives. As an example, say you want to check if your router is being overloaded with DNS queries, so you create a signature to detect DNS query traffic.
35.3.2.2 Analyze Packets
Use the packet capture screen and a packet analyzer (also known as a network or protocol analyzer) such as Wireshark or Ethereal to investigate some more.
Figure 434 DNS Query Packet Details
From the details about the DNS query you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as the first pattern. The final custom signature should look as shown in the following figure.
Figure 435 Example Custom Signature
35.3.3 Applying Custom Signatures
After you create your custom signature, it becomes available in an IDP profile (Configuration > Security Service > IDP > Profile > Edit screen). Custom signatures have an SID from 9000000 to 9999999.
Search for, then activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile. Then bind the profile to a zone.
35.3.4 Verifying Custom Signatures
Configure the signature to create a log when traffic matches the signature. (You may also want to configure an alert if it is for a serious attack and needs immediate attention.) After you apply the signature to a zone, you can see if it works by checking the logs (Monitor > Log). The Priority column shows warn for signatures that are configured to generate a log only. It shows critical for signatures that are configured to generate a log and alert. All IDP signatures come under the IDP category. The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet. The destination port is the service port (53 for DNS in this case) that the attack tries to exploit.
Figure 436 Custom Signature Log
35.4 The White List Screen
Use this screen to list signatures that will be exempted from IDP inspection. The Zyxel Device will exclude incoming packets with the listed signature(s) from being intercepted and inspected. Click Configuration > Security Service > IDP > White List to display the following screen. Use Add to put a new item in the list, Edit to change an existing one or Remove to delete an existing entry.
Figure 437 Configuration > Security Service > IDP > White List

The following table describes the fields in this screen.

Table 271 Configuration > Security Service > IDP > White List

White List Settings
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
#: This is the entry's index number in the list.
Signature ID: This field displays the signature ID of this entry.
Signature Name: This field displays the signature name of this entry.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

35.5 IDP Profile
To use multiple profiles for this feature, run the following commands in the Zyxel Device Command Line Interface (CLI).
    Router# configure terminal
    Router(config)# secure-policy-style advance
    Router(config)# show secure-policy-style status
    secure-policy-style: advance
After you run these commands, go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
Figure 438 Logout Prompt
After you log in again, you will see the new profile screen for this feature.
Figure 439 Configuration > Security Service > IDP > Profile

The following table describes the labels in this screen.

Table 272 Configuration > Security Service > IDP > Profile

Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: Select an entry and click Remove to delete the selected entry.
#: This field is a sequential value showing the number of the profile. The profile order is not important.
Name: This displays the name of the profile created.
Description: This displays the description of the profile.

35.5.1 Add or Edit an IDP Profile
Click Add to create a new entry or select an existing entry and click Edit to open the following screen where you can create or modify the entry's settings.
Figure 440 Configuration > Security Service > IDP > Profile > Add/Edit

The following table describes the labels in this screen.

Table 273 Configuration > Security Service > IDP

Configuration
Profile Name: Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
· MyProfile
· mYProfile
· Mymy12_3-4
These are invalid profile names:
· 1mYProfile
· My Profile
· MyProfile?
· Whatalongprofilename123456789012
Description: Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.
Query Signatures
Name: Type the name or part of the name of the signature(s) you want to find.
Signature ID: Type the ID or part of the ID of the signature(s) you want to find.
Search all custom signatures: Select this check box to include signatures you created or imported in the Custom Signatures screen in the search. You can search for specific signatures by name or ID. If the name and ID fields are left blank, then all signatures are searched according to the criteria you select.
Severity: Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the Zyxel Device. The number in brackets is the number you use if using commands.
· Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
· High (4): These denote known serious vulnerabilities or attacks that are probably not false alarms.
· Medium (3): These denote medium threats, access control attacks or attacks that could be false alarms.
· Low (2): These denote mild threats or attacks that could be false alarms.
· Very-Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc.
Classification Type: Search for signatures by attack type(s) (see Table 267 on page 654). Attack types are known as policy types in the group view screen. Hold down the [Ctrl] key if you want to make multiple selections.
Platform: Search for signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key if you want to make multiple selections.
Service: Search for signatures by IDP service group(s). See Table 267 on page 654 for group details. Hold down the [Ctrl] key if you want to make multiple selections.
Action: Search for signatures by the response the Zyxel Device takes when a packet matches a signature. Hold down the [Ctrl] key if you want to make multiple selections.
Activation: Search for activated and/or inactivated signatures here.
Log: Search for signatures by log option here.
Query Result: The results are displayed in a table showing the SID, Name, Severity, Classification Type, Platform, Service, Log, and Action criteria as selected in the search. Click the SID column header to sort search results by signature ID.
OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.

35.5.2 Link a Profile
To link a profile to a policy, go to the Configuration > Security Policy > Policy Control screen, select a policy, and then click Edit. In the Edit Policy screen under Profile, select which profile you want to use for each security service.
Figure 441 Configuration > Security Service > Policy Control > Profile
35.5.3 The IDP Advance Screen
The Configuration > Security Service > IDP screen changes when using profiles.
Figure 442 Configuration > Security Service > IDP Advance

The following table describes the fields in this screen.

Table 274 Configuration > Security Service > IDP Advance

General Settings
Enable: Select this check box to activate the IDP feature, which detects and prevents malicious or suspicious packets and responds instantaneously.
Inspect all traffic, setting: Select this to have all traffic inspected by the default_profile. You cannot rename or delete the default_profile profile, but you can edit it by clicking the link here.
Inspect by policy: If you configured a specific profile in the Profile tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to a policy in Security Policy > Policy Control.
Custom Signature Rules: Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Export: To save an entry or entries as a file on your computer, select them and click Export. Click Save in the file download dialog box and then select a location and name for the file. Custom signatures must end with the 'rules' file name extension, for example, MySig.rules.
#: This is the entry's index number in the list.
SID: SID is the signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order. It is automatically created when you click the Add icon to create a new signature. You can edit the ID, but it cannot already exist and it must be in the 9000000 to 9999999 range.
Name: This is the name of your custom signature. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to the intent of the signature and the type of attack it is supposed to prevent.
Custom Signature Rule Importing: Use this part of the screen to import custom signatures (previously saved to your computer) to the Zyxel Device.
Note: The name of the complete custom signature file on the Zyxel Device is 'custom.rules'. If you import a file named 'custom.rules', then all custom signatures on the Zyxel Device are overwritten with the new file. If this is not your intention, make sure that the files you import are not named 'custom.rules'.
File Path: Type the file path and name of the custom signature file you want to import in the text box (or click Browse to find it on your computer) and then click Importing to transfer the file to the Zyxel Device. New signatures then display in the Zyxel Device IDP > Custom Signatures screen.
Signature Information: The following fields display information on the current signature set that the Zyxel Device is using.
Current Version: This field displays the IDP signature set version number. This number gets larger as the set is enhanced.
Signature Number: This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.
Released Date: This field displays the date and time the set was released.
Update Signatures: Click this link to go to the screen you can use to download signatures from the update server.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

35.5.4 Remove Profiles
To remove profiles and revert to the default general security policy style, you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Filter, URL Threat Filter, IDP, Email Security.
Note: All profiles that you created will be removed from Security Policy > Policy Control.
Run the following commands in the Zyxel Device Command Line Interface (CLI).

    Router# configure terminal
    Router(config)# secure-policy-style general
    Router(config)# show secure-policy-style status
    secure-policy-style: general

Wait a minute and then go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.

ZyWALL USG FLEX Series User's Guide
672

Figure 443 Logout Prompt

Chapter 35 IDP

After you log in again, you will not see the profile screen for this feature.
35.6 IDP Technical Reference
This section contains some background information on IDP.
Host Intrusions
The goal of host-based intrusions is to infiltrate files on an individual computer or server, with the aim of accessing confidential information or destroying information on that computer.
You must install a host IDP directly on the system being protected. It works closely with the operating system, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.
Disadvantages of host IDPs are that you have to install them on each device (that you want to protect) in your network and, because of the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.
Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised, for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or to attack computer/server operating system vulnerabilities with the goal of bringing down the computer/server. Typical network-based intrusions are SQL Slammer, Blaster, Nimda and MyDoom.
Snort Signatures
You may want to refer to open source Snort signatures when creating custom Zyxel Device ones. Most Snort rules are written in a single line. Snort rules are divided into two logical sections, the rule header and the rule options, as shown in the following example:

    alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|"; msg:"mountd access";)

The text up to the first parenthesis is the rule header and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are the option keywords.
The rule header contains the rule's:
· Action
· Protocol
· Source and destination IP addresses and netmasks
· Source and destination ports information.

The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken.

These are some equivalent Snort terms in the Zyxel Device.

Table 275 Zyxel Device - Snort Equivalent Terms

ZYXEL DEVICE TERM                      SNORT EQUIVALENT TERM
Type Of Service                        tos
Identification                         id
Fragmentation                          fragbits
Fragmentation Offset                   fragoffset
Time to Live                           ttl
IP Options                             ipopts
Same IP                                sameip
Transport Protocol
Transport Protocol: TCP                (In Snort rule header)
Port                                   (In Snort rule header)
Flow                                   flow
Flags                                  flags
Sequence Number                        seq
Ack Number                             ack
Window Size                            window
Transport Protocol: UDP                (In Snort rule header)
Port                                   (In Snort rule header)
Transport Protocol: ICMP               (In Snort rule header)
Type                                   itype
Code                                   icode
ID                                     icmp_id
Sequence Number                        icmp_seq
Payload Options                        (Snort rule options)
Payload Size                           dsize
Offset (relative to start of payload)  offset
Relative to end of last match          distance
Content                                content
Case-insensitive                       nocase
Decode as URI                          uricontent

Note: Not all Snort functionality is supported in the Zyxel Device.
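The following Python example is added to this guide as an illustration; it is not Zyxel's code and does not reflect how the Zyxel Device parses rules internally. It splits a single-line Snort rule into the header fields and option keywords described above, checks whether a sid lies in the custom signature range given earlier in this chapter (9000000 to 9999999), maps the option keywords it recognises onto the Zyxel Device terms in Table 275, and flags keywords the table does not cover for manual review, since not all Snort functionality is supported. The term dictionary is copied from the table; the second sample rule, the BOOKKEEPING set and the simplification that escaped quotes inside content strings are not handled are assumptions of the example.

```python
import re

# Custom signature IDs on the Zyxel Device must fall in this range (from the guide).
CUSTOM_SID_MIN = 9000000
CUSTOM_SID_MAX = 9999999

# Snort option keywords and their Zyxel Device terms, taken from Table 275.
SNORT_TO_ZYXEL = {
    "tos": "Type Of Service", "id": "Identification", "fragbits": "Fragmentation",
    "fragoffset": "Fragmentation Offset", "ttl": "Time to Live", "ipopts": "IP Options",
    "sameip": "Same IP", "flow": "Flow", "flags": "Flags", "seq": "Sequence Number",
    "ack": "Ack Number", "window": "Window Size", "itype": "Type", "icode": "Code",
    "icmp_id": "ID", "icmp_seq": "Sequence Number", "dsize": "Payload Size",
    "offset": "Offset (relative to start of payload)",
    "distance": "Relative to end of last match", "content": "Content",
    "nocase": "Case-insensitive", "uricontent": "Decode as URI",
}
# Keywords that carry no packet test: the alert text and the rule ID (an assumption
# of this example, not part of Table 275).
BOOKKEEPING = {"msg", "sid"}

# Rule header layout: action protocol src sport direction dst dport
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$"
)


def split_options(text):
    """Split the option section on semicolons that sit outside double quotes.

    Simplification: backslash-escaped quotes inside a content string are not handled.
    """
    items, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [item for item in items if item]


def parse_rule(rule):
    """Return (header_dict, [(keyword, value_or_None), ...]) for a one-line rule."""
    rule = rule.strip()
    if "(" not in rule or not rule.endswith(")"):
        raise ValueError("rule has no option section in parentheses")
    head, _, opts = rule[:-1].partition("(")
    match = HEADER_RE.match(head.strip())
    if match is None:
        raise ValueError("malformed rule header: %r" % head.strip())
    options = []
    for item in split_options(opts):
        keyword, sep, value = item.partition(":")
        options.append((keyword.strip(), value.strip().strip('"') if sep else None))
    return match.groupdict(), options


def custom_sid(options):
    """The rule's sid as an int if it lies in the custom signature range, else None."""
    for keyword, value in options:
        if keyword == "sid" and value is not None and value.isdigit():
            sid = int(value)
            return sid if CUSTOM_SID_MIN <= sid <= CUSTOM_SID_MAX else None
    return None


def zyxel_fields(options):
    """Map each option that Table 275 covers to its Zyxel Device term."""
    return [(SNORT_TO_ZYXEL[k], v) for k, v in options if k in SNORT_TO_ZYXEL]


def unmapped_keywords(options):
    """Option keywords with no entry in Table 275; review these by hand."""
    return [k for k, _ in options if k not in SNORT_TO_ZYXEL and k not in BOOKKEEPING]


# The rule quoted in the guide, plus a constructed custom rule with a valid custom SID.
GUIDE_RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|"; msg:"mountd access";)'
CUSTOM_RULE = 'alert tcp any any -> any 445 (msg:"custom SMB probe"; content:"|ff|SMB"; nocase; sid:9000001;)'

if __name__ == "__main__":
    for rule in (GUIDE_RULE, CUSTOM_RULE):
        header, options = parse_rule(rule)
        print(header["action"], header["proto"], header["dst"], header["dport"])
        print("  custom sid:", custom_sid(options))
        print("  zyxel fields:", zyxel_fields(options))
        print("  unmapped:", unmapped_keywords(options))
```

Run as a script, the first rule parses but has no sid in the custom range, while the second maps its content and nocase options onto the Content and Case-insensitive terms and reports sid 9000001 as valid. A rule using a keyword outside the table (pcre, for example) shows up under "unmapped", which is the cue to check whether the Zyxel Device supports it before importing.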


CHAPTER 36
Email Security
36.1 Overview
The email security feature can mark or discard spam (unsolicited commercial or junk email). Use the white list to identify legitimate email. Use the black list to identify spam email. The Zyxel Device can also check email against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
36.1.1 What You Can Do in this Chapter
· Use the Email Security screens (Section 36.3 on page 677) to turn email security on or off and manage email security policies. You can also enable and configure the mail scan functions and have the Zyxel Device check email against DNS Black Lists.
· Use the Black/White List screens (Section 36.4 on page 679) to set up a black list to identify spam and a white list to identify legitimate email.
36.1.2 What You Need to Know
White List
Configure white list entries to identify legitimate email. The white list entries have the Zyxel Device classify any email that is from a specified sender or uses a specified header field and header value as being legitimate (see Email Headers for more on mail headers). The email security feature checks an email against the white list entries before doing any other email security checking. If the email matches a white list entry, the Zyxel Device classifies the email as legitimate and does not perform any more email security checking on that individual email. A properly configured white list helps keep important email from being incorrectly classified as spam. The white list can also increase the Zyxel Device's email security speed and efficiency, because the Zyxel Device does not perform the full email security checking process on legitimate email. Because a white list match skips every later check, keep white list entries as specific as possible; a broad entry lets anything that matches it through unexamined.
Black List
Configure black list entries to identify spam. The black list entries have the Zyxel Device classify any email that is from or forwarded by a specified IP address or uses a specified header field and header value as being spam. If an email does not match any of the white list entries, the Zyxel Device checks it against the black list entries. The Zyxel Device classifies an email that matches a black list entry as spam and immediately takes the configured action for dealing with spam. If an email matches a black list entry, the Zyxel Device does not perform any more email security checking on that individual email. A properly configured black list helps catch spam email and increases the Zyxel Device's email security speed and efficiency.
SMTP and POP3
Simple Mail Transfer Protocol (SMTP) is the Internet's message transport standard. It controls the sending of email messages between servers. Email clients (also called email applications) then use mail server protocols such as POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) to retrieve email. Email clients also generally use SMTP to send messages to a mail server. The older POP2 requires SMTP for sending messages, while the newer POP3 can be used with or without it. This is why many email applications require you to specify both the SMTP server and the POP or IMAP server (even though they may actually be the same server).
The Zyxel Device's email security feature checks SMTP (TCP port 25) and POP3 (TCP port 110) emails by default. You can also specify custom SMTP and POP3 ports for the Zyxel Device to check. The checks in this chapter operate on the mail content, so they only apply to mail sessions the Zyxel Device can read; a session protected by TLS cannot be inspected unless it is decrypted first.
Email Headers
Every email has a header and a body. The header is structured into fields and includes the addresses of the recipient and sender, the subject, and other information about the email and its journey. The body is the actual message text and any attachments. You can have the Zyxel Device check for specific header fields with specific values.
Email programs usually only show you the To:, From:, Subject:, and Date: header fields, but there are others such as Received: and Content-Type:. To see all of an email's header, you can select an email in your email program and look at its properties or details. For example, in Microsoft's Outlook Express, select a mail and click File > Properties > Details. This displays the email's header. Click Message Source to see the source for the entire mail, including both the header and the body.
Email Header Buffer Size
The Zyxel Device has a 5 K buffer for an individual email header. If an email's header is longer than 5 K, the Zyxel Device only checks the first 5 K; header fields beyond that point are not examined.
DNSBL
A DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having sent or forwarded spam. A DNSBL is also known as a DNS spam blocking list. The Zyxel Device can check the routing addresses of email against DNSBLs and classify an email as spam if it was sent or forwarded by a computer with an IP address in the DNSBL.
Finding Out More
See Section 36.6 on page 689 for more background information on email security.
36.2 Before You Begin
· Before using the email security features (IP Reputation, Mail Content Analysis and Virus Outbreak Detection) you must activate your email security service license.
· Configure your zones before you configure email security.
36.3 The Email Security Screen
Click Configuration > Security Service > Email Security to open the Email Security screen. Use this screen to turn the email security feature on or off and manage email security policies. You can also select the action the Zyxel Device takes when the mail sessions threshold is reached. Click the Email Security icon for more information on the Zyxel Device's security features.
Figure 444 Configuration > Security Service > Email Security
The following table describes the labels in this screen.

Table 276 Configuration > Security Service > Email Security

General Settings

Enable: Select this check box to activate the settings in this section.

Check White List: Select this check box to check email against the white list. The Zyxel Device classifies email that matches a white list entry as legitimate (not spam).

Check Black List: Select this check box to check email against the black list. The Zyxel Device classifies email that matches a black list entry as spam.

Black List Spam Tag: Enter a message or label (up to 15 ASCII characters) to add to the mail subject of emails that match the Zyxel Device's spam black list.

Check Malicious Mail: Select this to identify spam email by content, such as malicious content.

Malicious Mail Tag: Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of emails that are determined to be spam based on the mail content analysis. This tag is only added if the email security policy is configured to forward spam mail with a spam tag.

Check DNSBL: Select this check box to check email against the Zyxel Device's configured DNSBL domains. The Zyxel Device classifies email that matches a DNS black list as spam.

DNSBL Spam Tag: Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of emails that have a sender or relay IP address in the header that matches a black list maintained by one of the DNSBL domains listed in the Zyxel Device. This tag is only added if the email security policy is configured to forward spam mail with a spam tag.

DNSBL Domain List

Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#: This is the entry's index number in the list.
DNSBL Domain: This is the name of a domain that maintains DNSBL servers. Enter the domain that is maintaining a DNSBL.

Actions for Spam Mail: Use this section to set how the Zyxel Device is to handle spam mail.

SMTP: Select how the Zyxel Device is to handle spam SMTP mail. Select drop to discard spam SMTP mail. Select forward to allow spam SMTP mail to go through. Select forward with tag to add a spam tag to an SMTP spam mail's mail subject and send it on to the destination.

POP3: Select how the Zyxel Device is to handle spam POP3 mail. Select forward to allow spam POP3 mail to go through. Select forward with tag to add a spam tag to a POP3 spam mail's mail subject and send it on to the destination.

Log: Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when an email matches this email security policy.

Action taken when mail sessions threshold is reached: An email session is when an email client and email server (or two email servers) connect through the Zyxel Device. Select how to handle concurrent email sessions that exceed the maximum number of concurrent email sessions that the email security feature can handle. See the chapter of product specifications for the threshold. Select Forward Session to have the Zyxel Device allow the excess email sessions without any spam filtering. Select Drop Session to have the Zyxel Device drop mail connections to stop the excess email sessions. The email client or server will have to re-attempt to send or receive email later when the number of email sessions is under the threshold.

Query Timeout Settings

SMTP: Select how the Zyxel Device is to handle SMTP mail when a mail scan query times out. Select drop to discard the SMTP mail. Select forward to allow the SMTP mail to go through. Select forward with tag to add a tag to the mail subject and send the mail on to the destination.

POP3: Select how the Zyxel Device is to handle POP3 mail when a mail scan query times out. Select forward to allow the POP3 mail to go through. Select forward with tag to add a tag to the mail subject and send the mail on to the destination.

Timeout Value: Set how long the Zyxel Device waits for a reply from the mail scan server. If there is no reply before this time period expires, the Zyxel Device takes the action defined in the relevant Actions when Query Timeout field.

Timeout Tag: Enter a message or label (up to 15 ASCII characters) to add to the mail subject of emails that the Zyxel Device forwards if queries to the mail scan servers time out.

Timeout X-Header: Specify the name and value for the X-Header to be added when queries to the mail scan servers time out.

DNSBL Settings

Max. IPs Checking Per Mail: Set the maximum number of sender and relay server IP addresses in the mail header to check against the DNSBL domain servers.

IP Selection Per Mail: Select first N IPs to have the Zyxel Device start checking from the first IP address in the mail header. This is the IP of the sender or the first server that forwarded the mail. Select last N IPs to have the Zyxel Device start checking from the last IP address in the mail header. This is the IP of the last server that forwarded the mail.

Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

36.4 The Black List / White List Screen
Click Configuration > Security Service > Email Security > Black/White List to display the Black List / White List screen.
Configure the black list to identify spam email. You can create black list entries based on the sender's or relay server's IP address or email address. You can also create entries that check for particular email header fields with specific values or specific subject text. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
Figure 445 Configuration > Security Service > Email Security > Black/White List

The following table describes the labels in this screen.

Table 277 Configuration > Security Service > Email Security > Black/White List

Rule Summary

Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#: This is the entry's index number in the list.
Type: This field displays whether the entry is based on the email's subject, source or relay IP address, source email address, or header.
Content: This field displays the subject content, source or relay IP address, source email address, or header value for which the entry checks.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

36.4.1 The Black or White List Add/Edit Screen
In the Black List or White List screen, click the Add icon or an Edit icon to display the following screen.
Use this screen to configure an email security black list or white list entry. You can create entries based on specific subject text, or the sender's or relay's IP address or email address. You can also create entries that check for particular header fields and values.

Figure 446 Configuration > Security Service > Email Security > Black/White List > Black List (or White List) > Add

The following table describes the labels in this screen.

Table 278 Configuration > Security Service > Email Security > Black/White List > Black/White List > Add

Enable Rule: Select this to have the Zyxel Device use this entry as part of the black or white list. To actually use the entry, you must also turn on the use of the list in the corresponding list screen, enable the email security feature in the email security general screen, and configure an email security policy to use the list.

Type: Use this field to base the entry on the email's subject, source or relay IP address, source email address, or header. Select Subject to have the Zyxel Device check email for specific content in the subject line. Select IP Address to have the Zyxel Device check email for a specific source or relay IP address. Select IPv6 Address to have the Zyxel Device check email for a specific source or relay IPv6 address. Select E-Mail Address to have the Zyxel Device check email for a specific source email address or domain name. Select Mail Header to have the Zyxel Device check email for specific header fields and values. Configure black list header entries to check for email from bulk mail programs or with content commonly used in spam. Configure white list header entries to allow certain header values that identify the email as being from a trusted source.

Mail Subject Keyword: This field displays when you select the Subject type. Enter up to 63 ASCII characters of text to check for in the email's subject. Spaces are not allowed, although you could substitute a question mark (?). See Section 36.4.2 on page 682 for more details.

Sender or Mail Relay IP Address: This field displays when you select the IP Address type. Enter an IP address in dotted decimal notation.

Sender or Mail Relay IPv6 Address: This field displays when you select the IPv6 Address type. Enter an IPv6 address with prefix.

Netmask: This field displays when you select the IP Address type. Enter the subnet mask here, if applicable.

Sender E-Mail Address: This field displays when you select the E-Mail Address type. Enter a keyword (up to 63 ASCII characters). See Section 36.4.2 on page 682 for more details.

Mail Header Field Name: This field displays when you select the Mail Header type. Type the name part of an email header (the part that comes before the colon). Use up to 63 ASCII characters. For example, if you want the entry to check the "Received:" header for a specific mail server's domain, enter "Received" here.

Field Value Keyword: This field displays when you select the Mail Header type. Type the value part of an email header (the part that comes after the colon). Use up to 63 ASCII characters. For example, if you want the entry to check the "Received:" header for a specific mail server's domain, enter the mail server's domain here. See Section 36.4.2 on page 682 for more details.

OK: Click OK to save your changes.
Cancel: Click Cancel to exit this screen without saving your changes.

36.4.2 Regular Expressions in Black or White List Entries
The following applies for a black or white list entry based on an email subject, email address, or email header value.
· Use a question mark (?) to let a single character vary. For example, use "a?c" (without the quotation marks) to specify abc, acc and so on.
· You can also use a wildcard (*). For example, if you configure *def.com, any email address that ends in def.com matches. So "mail.def.com" matches.
· The wildcard can be anywhere in the text string and you can use more than one wildcard. You cannot use two wildcards side by side; there must be other characters between them.
· The Zyxel Device checks the first header with the name you specified in the entry. So if the email has more than one "Received" header, the Zyxel Device checks the first one.
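The following Python example is added here to make the matching rules above concrete; it is not Zyxel's code and is not how the Zyxel Device implements them. It turns a list keyword into a regular expression (? for one character, * for any run, no adjacent wildcards, no spaces), looks up the value an entry is compared against (for a Mail Header entry, only the first header with that name), and runs the white-list-first, stop-at-first-match order described in Section 36.1.2 over two constructed messages. Anchoring the keyword to the whole value (so *def.com means "ends in def.com"), case-insensitive comparison, and comparing an E-Mail Address entry against the From: header rather than the SMTP envelope sender are assumptions of the example; the guide states none of them.

```python
import email
import email.utils
import re


def is_valid_keyword(keyword):
    """The two restrictions the guide states: no spaces (use '?' for one character)
    and no two wildcards side by side."""
    return " " not in keyword and "**" not in keyword


def keyword_to_regex(keyword, ignore_case=True):
    """Turn a list keyword into an anchored regular expression.

    '?' stands for exactly one character and '*' for any run of characters.
    Anchoring the whole value and case-insensitive comparison are assumptions
    of this example, not statements from the guide.
    """
    if not is_valid_keyword(keyword):
        raise ValueError("invalid keyword: %r" % keyword)
    pieces = []
    for ch in keyword:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.compile("^" + "".join(pieces) + "$", flags)


def parse_message(raw):
    return email.message_from_string(raw)


def entry_value(entry, msg):
    """Header value an entry is compared against, or None when the mail lacks it.

    An entry is (kind, header_name, keyword); header_name is used only by 'header'.
    For 'header' the guide says only the first header with that name is checked,
    which is exactly what Message.get() returns when a name repeats.
    Comparing 'email' entries against the From: address is an assumption.
    """
    kind, name, _ = entry
    if kind == "subject":
        return msg.get("Subject")
    if kind == "email":
        return email.utils.parseaddr(msg.get("From", ""))[1] or None
    if kind == "header":
        return msg.get(name)
    raise ValueError("unknown entry type %r" % kind)


def entry_matches(entry, msg):
    value = entry_value(entry, msg)
    return value is not None and keyword_to_regex(entry[2]).match(value) is not None


def classify(raw, white_list, black_list):
    """White list first; a match ends checking. Then the black list, same rule."""
    msg = parse_message(raw)
    for entry in white_list:
        if entry_matches(entry, msg):
            return "legitimate", entry
    for entry in black_list:
        if entry_matches(entry, msg):
            return "spam", entry
    return "unclassified", None


# Constructed sample mail, not real traffic. Received: headers are newest first.
NEWSLETTER = (
    "Received: from relay2.example.net (relay2.example.net [203.0.113.9])\n"
    "Received: from mail.def.com (mail.def.com [198.51.100.7])\n"
    "From: News <newsletter@mail.def.com>\n"
    "Subject: Save big today\n"
    "X-Mailer: BulkSender 3.1\n"
    "\n"
    "Body text.\n"
)
UNKNOWN_SENDER = (
    "Received: from relay1.example.net (relay1.example.net [203.0.113.5])\n"
    "From: promo@bulk.example\n"
    "Subject: Save big today\n"
    "X-Mailer: BulkSender 3.1\n"
    "\n"
    "Body text.\n"
)
WHITE = [("email", None, "*def.com")]
BLACK = [("header", "X-Mailer", "BulkSender*"), ("subject", None, "Save?big*")]

if __name__ == "__main__":
    print(classify(NEWSLETTER, WHITE, BLACK))      # white list entry wins over X-Mailer
    print(classify(UNKNOWN_SENDER, WHITE, BLACK))  # caught by the X-Mailer black list entry
```

Two things the sample shows that the bullets only state: the newsletter carries the same bulk-mailer header as the spam but is let through because the white list is consulted first, and a Mail Header entry on "Received" with the keyword *def.com* does not match the newsletter, because only its first (topmost) Received: header is compared and that one names relay2.example.net.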

36.5 Email Security Profile
To use multiple profiles for this feature, run the following commands in the Zyxel Device Command Line Interface (CLI).

    Router# configure terminal
    Router(config)# secure-policy-style advance
    Router(config)# show secure-policy-style status
    secure-policy-style: advance

After you run these commands, go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
Figure 447 Logout Prompt

After you log in again, you will see the new profile screen for this feature.
Figure 448 Configuration > Security Service > Email Security > Profile

The following table describes the labels in this screen.

Table 279 Configuration > Security Service > Email Security > Profile

Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: Select an entry and click Remove to delete the selected entry.
#: This field is a sequential value showing the number of the profile. The profile order is not important.
Name: This displays the name of the profile created.
Description: This displays the description of the profile.
Scan Options: This displays which lists are checked for email security: White List (WL), Black List (BL), Malicious Mail, DNSBL.

36.5.1 Add or Edit Email Security Profile
Click Add to create a new entry or select an existing entry and click Edit to open the following screen where you can create or modify the entry's settings.

Figure 449 Configuration > Security Service > Email Security > Profile > Add/Edit

The following table describes the labels in this screen.

Table 280 Configuration > Security Service > Email Security Profile > Add/Edit

General Settings

Name: Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
· MyProfile
· mYProfile
· Mymy12_3-4
These are invalid profile names:
· 1mYProfile
· My Profile
· MyProfile?
· Whatalongprofilename123456789012

Description: Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.

Log: Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when an email matches this profile.

Scan Options

Check White List: Select this check box to check email against the white list. The Zyxel Device classifies email that matches a white list entry as legitimate (not spam).

Check Black List: Select this check box to check email against the black list. The Zyxel Device classifies email that matches a black list entry as spam.

Check Malicious Mail: Select this to identify spam email by content, such as malicious content.

Check DNSBL: Select this check box to check email against the Zyxel Device's configured DNSBL domains. The Zyxel Device classifies email that matches a DNS black list as spam.

Actions for Spam Mail: Use this section to set how the Zyxel Device is to handle spam mail.

SMTP: Select how the Zyxel Device is to handle spam SMTP mail. Select drop to discard spam SMTP mail. Select forward to allow spam SMTP mail to go through. Select forward with tag to add a spam tag to an SMTP spam mail's mail subject and send it on to the destination.

POP3: Select how the Zyxel Device is to handle spam POP3 mail. Select forward to allow spam POP3 mail to go through. Select forward with tag to add a spam tag to a POP3 spam mail's mail subject and send it on to the destination.

OK: Click OK to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.

36.5.2 Link a Profile
To link a profile to a policy, go to the Configuration > Security Policy > Policy Control screen, select a policy, and then click Edit. In the Edit Policy screen under Profile, select which profile you want to use for each security service.

Figure 450 Configuration > Security Policy > Policy Control > Profile
36.5.3 The Email Security Advance Screen
The Configuration > Security Service > Email Security screen changes when using profiles.
Figure 451 Configuration > Security Service > Email Security Advance

The following table describes the labels in this screen.

Table 281 Configuration > Security Service > Email Security Advance

General Settings

Enable: Select this check box to activate the settings in this section.

Inspect all traffic: Select this to have all traffic inspected by the default_profile. You cannot rename or delete the default_profile profile, but you can edit it by clicking the link here.

Inspect by policy: If you configured a specific profile in the Profile tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to a policy in Security Policy > Policy Control.

Enable Malicious Mail: Select this to identify spam email by content, such as malicious content.

Malicious Mail Tag: Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of emails that are determined to be spam based on the mail content analysis. This tag is only added if the email security policy is configured to forward spam mail with a spam tag.

Enable DNSBL: Select this check box to check email against the Zyxel Device's configured DNSBL domains. The Zyxel Device classifies email that matches a DNS black list as spam.

DNSBL Spam Tag: Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of emails that have a sender or relay IP address in the header that matches a black list maintained by one of the DNSBL domains listed in the Zyxel Device. This tag is only added if the email security policy is configured to forward spam mail with a spam tag.

DNSBL Domain List

Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#: This is the entry's index number in the list.
DNSBL Domain: This is the name of a domain that maintains DNSBL servers. Enter the domain that is maintaining a DNSBL.

Action

Action taken when mail sessions threshold is reached: An email session is when an email client and email server (or two email servers) connect through the Zyxel Device. Select how to handle concurrent email sessions that exceed the maximum number of concurrent email sessions that the email security feature can handle. See the chapter of product specifications for the threshold. Select Forward Session to have the Zyxel Device allow the excess email sessions without any spam filtering. Select Drop Session to have the Zyxel Device drop mail connections to stop the excess email sessions. The email client or server will have to re-attempt to send or receive email later when the number of email sessions is under the threshold.

Query Timeout Settings

SMTP: Select how the Zyxel Device is to handle SMTP mail when a mail scan query times out. Select drop to discard the SMTP mail. Select forward to allow the SMTP mail to go through. Select forward with tag to add a tag to the mail subject and send the mail on to the destination.

POP3: Select how the Zyxel Device is to handle POP3 mail when a mail scan query times out. Select forward to allow the POP3 mail to go through. Select forward with tag to add a tag to the mail subject and send the mail on to the destination.

Timeout Value: Set how long the Zyxel Device waits for a reply from the mail scan server. If there is no reply before this time period expires, the Zyxel Device takes the action defined in the relevant Actions when Query Timeout field.

Timeout Tag: Enter a message or label (up to 15 ASCII characters) to add to the mail subject of emails that the Zyxel Device forwards if queries to the mail scan servers time out.

Timeout X-Header: Specify the name and value for the X-Header to be added when queries to the mail scan servers time out.

DNSBL Settings

Max. IPs Checking Per Mail: Set the maximum number of sender and relay server IP addresses in the mail header to check against the DNSBL domain servers.

IP Selection Per Mail: Select first N IPs to have the Zyxel Device start checking from the first IP address in the mail header. This is the IP of the sender or the first server that forwarded the mail. Select last N IPs to have the Zyxel Device start checking from the last IP address in the mail header. This is the IP of the last server that forwarded the mail.

Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

36.5.4 Remove Profiles
To remove profiles and revert to the default general security policy style, you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Filter, URL Threat Filter, IDP, Email Security.
Note: All profiles that you created will be removed from Security Policy > Policy Control.
Run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style general
Router(config)# show secure-policy-style status
secure-policy-style: general

Wait a minute and then go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
Figure 452 Logout Prompt

After you log in again, you will not see the profile screen for this feature.
36.6 Email Security Technical Reference
Here is more detailed email security information.
DNSBL
· The Zyxel Device checks only public sender and relay IP addresses; it does not check private IP addresses.
· The Zyxel Device sends a separate query (DNS lookup) for each sender or relay IP address in the email's header to each of the Zyxel Device's DNSBL domains at the same time.
· The DNSBL servers send replies as to whether or not each IP address matches an entry in their list. Each IP address has a separate reply.

· As long as the replies indicate that the IP addresses do not match entries on the DNSBL lists, the Zyxel Device waits until it receives at least one reply for each IP address.
· If the Zyxel Device receives a DNSBL reply that one of the IP addresses is in the DNSBL list, the Zyxel Device immediately classifies the email as spam and takes the email security policy's configured action for spam. The Zyxel Device does not wait for any more DNSBL replies.
· If the Zyxel Device receives at least one non-spam reply for each of an email's routing IP addresses, the Zyxel Device immediately classifies the email as legitimate and forwards it.
· Any further DNSBL replies that come after the Zyxel Device classifies an email as spam or legitimate have no effect.
· The Zyxel Device records DNSBL responses for IP addresses in a cache for up to 72 hours. The Zyxel Device checks an email's sender and relay IP addresses against the cache first and only sends DNSBL queries for IP addresses that are not in the cache.
Here is an example of an email classified as spam based on DNSBL replies.
Figure 453 DNSBL Spam Detection Example (IPs a.a.a.a and b.b.b.b queried against DNSBL A, DNSBL B and DNSBL C; steps 1 to 4 are described below)
1 The Zyxel Device receives an email that was sent from IP address a.a.a.a and relayed by an email server at IP address b.b.b.b. The Zyxel Device sends a separate query to each of its DNSBL domains for IP address a.a.a.a. The Zyxel Device sends another separate query to each of its DNSBL domains for IP address b.b.b.b.
2 DNSBL A replies that IP address a.a.a.a does not match any entries in its list (not spam).
3 DNSBL C replies that IP address b.b.b.b matches an entry in its list.
4 The Zyxel Device immediately classifies the email as spam and takes the action for spam that you defined in the email security policy. In this example it was an SMTP mail and the defined action was to drop the mail. The Zyxel Device does not wait for any more DNSBL replies.
Here is an example of an email classified as legitimate based on DNSBL replies.

Figure 454 DNSBL Legitimate Email Detection Example (IPs c.c.c.c and d.d.d.d queried against DNSBL A, DNSBL B and DNSBL C; steps 1 to 4 are described below)
1 The Zyxel Device receives an email that was sent from IP address c.c.c.c and relayed by an email server at IP address d.d.d.d. The Zyxel Device sends a separate query to each of its DNSBL domains for IP address c.c.c.c. The Zyxel Device sends another separate query to each of its DNSBL domains for IP address d.d.d.d.
2 DNSBL B replies that IP address d.d.d.d does not match any entries in its list (not spam).
3 DNSBL C replies that IP address c.c.c.c does not match any entries in its list (not spam).
4 Now that the Zyxel Device has received at least one non-spam reply for each of the email's routing IP addresses, the Zyxel Device immediately classifies the email as legitimate and forwards it. The Zyxel Device does not wait for any more DNSBL replies.
If the Zyxel Device receives conflicting DNSBL replies for an email routing IP address, the Zyxel Device classifies the email as spam. Here is an example.


Figure 455 Conflicting DNSBL Replies Example (IPs a.b.c.d and w.x.y.z queried against DNSBL A, DNSBL B and DNSBL C; steps 1 to 4 are described below)
1 The Zyxel Device receives an email that was sent from IP address a.b.c.d and relayed by an email server at IP address w.x.y.z. The Zyxel Device sends a separate query to each of its DNSBL domains for IP address a.b.c.d. The Zyxel Device sends another separate query to each of its DNSBL domains for IP address w.x.y.z.
2 DNSBL A replies that IP address a.b.c.d does not match any entries in its list (not spam).
3 While waiting for a DNSBL reply about IP address w.x.y.z, the Zyxel Device receives a reply from DNSBL B saying IP address a.b.c.d is in its list.
4 The Zyxel Device immediately classifies the email as spam and takes the action for spam that you defined in the email security policy. In this example it was an SMTP mail and the defined action was to drop the mail. The Zyxel Device does not wait for any more DNSBL replies.
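The DNSBL rules above (one query per routing IP to every DNSBL in parallel, immediate spam on any listed reply, legitimate once every IP has a clean reply, conflicting replies resolved as spam, a 72-hour answer cache, public IPs only) as an added Python model that replays the three figures. This is not Zyxel's code: the class and function names are this example's own, and the list of ranges treated as private is an assumption.

```python
import ipaddress
import time

CACHE_TTL = 72 * 3600  # DNSBL answers are kept for up to 72 hours

# Assumed private ranges (RFC 1918, loopback, link-local): the device
# checks only public sender/relay IPs, so addresses in these are skipped.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def select_header_ips(header_ips, max_ips, selection="first"):
    """Pick the sender/relay IPs to query, as Max. IPs Checking Per Mail and
    IP Selection Per Mail do. header_ips lists the sender first, then each
    relay in forwarding order; "first" starts from the sender, "last" from
    the final relay. Private addresses are dropped before counting."""
    public = [ip for ip in header_ips if not is_private(ip)]
    return public[:max_ips] if selection == "first" else public[-max_ips:]


class DnsblClassifier:
    """Applies the documented DNSBL decision rules to one email.

    cache maps ip -> (listed, expires_at) and may be shared across emails.
    """

    def __init__(self, ips, dnsbls, cache=None, now=None):
        self.dnsbls = list(dnsbls)
        self.cache = {} if cache is None else cache
        self.now = time.time() if now is None else now
        self.verdict = None                      # None, "spam" or "legitimate"
        self.clean = {ip: False for ip in ips}   # got a "not listed" reply yet?
        self.queries = []                        # (ip, dnsbl) queries sent
        for ip in ips:
            hit = self.cache.get(ip)
            if hit is not None and hit[1] > self.now:
                self._apply(ip, hit[0])          # fresh cache entry: no query
            else:
                self.queries += [(ip, bl) for bl in self.dnsbls]

    def reply(self, dnsbl, ip, listed):
        """Feed one DNSBL answer in arrival order; returns the verdict so far."""
        if self.verdict is not None:
            return self.verdict                  # later replies have no effect
        self.cache[ip] = (listed, self.now + CACHE_TTL)
        return self._apply(ip, listed)

    def _apply(self, ip, listed):
        if self.verdict is not None:
            return self.verdict
        if listed:
            # One "listed" answer decides at once, even when another DNSBL
            # has already said the same IP is clean (conflicting replies).
            self.verdict = "spam"
        else:
            self.clean[ip] = True
            if all(self.clean.values()):
                # At least one clean answer for every routing IP: forward it.
                self.verdict = "legitimate"
        return self.verdict


def replay(ips, replies, cache=None):
    """Classify one email from replies given as (dnsbl, ip, listed) tuples."""
    c = DnsblClassifier(ips, ["DNSBL A", "DNSBL B", "DNSBL C"], cache)
    for dnsbl, ip, listed in replies:
        c.reply(dnsbl, ip, listed)
    return c.verdict


if __name__ == "__main__":
    # Figures 453, 454 and 455 replayed with the page's placeholder addresses.
    print(replay(["a.a.a.a", "b.b.b.b"],
                 [("DNSBL A", "a.a.a.a", False), ("DNSBL C", "b.b.b.b", True)]))
    print(replay(["c.c.c.c", "d.d.d.d"],
                 [("DNSBL B", "d.d.d.d", False), ("DNSBL C", "c.c.c.c", False)]))
    print(replay(["a.b.c.d", "w.x.y.z"],
                 [("DNSBL A", "a.b.c.d", False), ("DNSBL B", "a.b.c.d", True)]))
```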

CHAPTER 37
SSL Inspection
37.1 Overview
Secure Socket Layer (SSL) traffic, such as HTTPS (for example, https://www.google.com/), FTPs, POP3s, SMTPs and so on, is encrypted and cannot be inspected using Security Service profiles such as App Patrol, Content Filter, Intrusion Detection and Prevention (IDP), or Anti-Malware. The Zyxel Device uses SSL Inspection to decrypt SSL traffic, sends it to the Security Service engines for inspection, then encrypts traffic that passes inspection and forwards it to the destination server, such as Google.
An example process is shown in the following figure. User U sends an HTTPS request (SSL) to destination server D via the Zyxel Device, Z. The traffic matches an SSL Inspection profile in a security policy, so the Zyxel Device decrypts the traffic using SSL Inspection. The decrypted traffic is then inspected by the Security Service profiles in the same security policy that matched the SSL Inspection profile. If all is OK, then the Zyxel Device re-encrypts the traffic using SSL Inspection and forwards it to the destination server D. SSL traffic could be in the opposite direction in other examples.
Figure 456 SSL Inspection Overview (HTTPS > SSL Inspection Decrypt > Security Service: AP, CF, IDP, Anti-Malware > SSL Inspection Encrypt)

Note: Email security cannot be applied to traffic decrypted by SSL Inspection.

37.1.1 What You Can Do in this Chapter
· Use the Security Service > SSL Inspection > Profile screen (Section 37.2 on page 694) to view SSL Inspection profiles. Click the Add or Edit icon in this screen to configure the CA certificate, action and log in an SSL Inspection profile.
· Use the Security Service > SSL Inspection > Exclude List screens (Section 37.3 on page 701) to create a whitelist of destination servers to which traffic is passed through uninspected.
· Use the Security Service > SSL Inspection > Certificate Update screens (Section 37.4 on page 703) to update the latest certificates of servers using SSL connections to the Zyxel Device network.

37.1.2 What You Need To Know
SSL Inspection supports the following TLS protocols and encryption algorithms:
· SSLv3 AES-CBC
· TLS1.0 AES-CBC
· TLS1.2 AES-CBC/AES-GCM
· TLS1.3 AES-GCM (no key update or 0-RTT support)
SSL Inspection does not support the following:
· Compression Support
· Client Authentication
37.1.3 What You Can Do in this Chapter
· See Configuration > Object > Certificate > My Certificates for information on creating certificates on the Zyxel Device.
· See Monitor > Security Statistics > SSL Inspection to get usage data and easily add a destination server to the whitelist of exclusion servers.
· See Configuration > Security Policy > Policy Control > Policy to bind an SSL Inspection profile to one or more traffic flows.
37.1.4 Before You Begin
· If you don't want to use the default Zyxel Device certificate, then create a new certificate in Object > Certificate > My Certificates.
· Decide to which destination servers traffic is sent directly without inspection. This may be a matter of privacy and legality regarding inspecting an individual's encrypted session, such as financial websites. This may vary by locale.
37.2 The SSL Inspection Profile Screen
An SSL Inspection profile is a template with pre-configured certificate, action and log. Click Configuration > Security Service > SSL Inspection > Profile to open this screen.
Figure 457 Configuration > Security Service > SSL Inspection > Profile

The following table describes the fields in this screen.

Table 282 Configuration > Security Service > SSL Inspection > Profile

LABEL

DESCRIPTION

General Settings

Server Signed Certificate Key Mode

With SSL inspection, the Zyxel Device acts as a 'man-in-the-middle' between a client and a remote server, when the client and server are communicating using an SSL-encrypted session. Every time the client and server send data to each other, the Zyxel Device decrypts the sender's encrypted data, scans the plain data for threats, re-encrypts the data, and then sends the encrypted data to the receiver.

· For outgoing sessions from the client to the remote server, the Zyxel Device creates a virtual server to decrypt data and a virtual client to re-encrypt data.
· For incoming sessions from the remote server to the client, the Zyxel Device creates a virtual client to decrypt data, and a virtual server to re-encrypt data.

To perform SSL Inspection for clients using SSL (HTTPS, SSH, SMTP) through the Zyxel Device, the Zyxel Device must check that the server's certificate and corresponding public key are valid and were issued by a Certificate Authority (CA) listed in the Zyxel Device's list of trusted CAs. According to the selected key mode RSA-1024, RSA-2048, ECDSA-RSA-1024 or ECDSA-RSA-2048, the Zyxel Device constructs the corresponding self-signed certificate for the virtual server.

RSA is a public-key cryptosystem used for data encryption or signing messages. For data encryption, the encryption key is public and the decryption key is private. For signing messages, the signing key is private and the verification key is public. Elliptic Curve Cryptography (ECC) is a public-key cryptosystem based on elliptic curve theory, and more efficient than RSA. ECC allows smaller keys compared to RSA to provide equivalent security. For example, a 224-bit elliptic curve public key should provide comparable security to a 2048-bit RSA public key.

· ECDSA-RSA-1024 indicates Zyxel Device support for clients that support both ECDSA-256 and RSA-1024, with ECDSA-256 having higher priority; that is, ECDSA-256 is used by the virtual server if a client supports both ECDSA-256 and RSA-1024.
· ECDSA-RSA-2048 indicates Zyxel Device support for clients that support both ECDSA-256 and RSA-2048, with ECDSA-256 having higher priority; that is, ECDSA-256 is used by the virtual server if a client supports both ECDSA-256 and RSA-2048.

Select a mode that the client's browser, FTP client, or mail client supports. The Zyxel Device will use different keys (cryptosystems) for each client according to the client's support list.

For example, if there are three clients behind a Zyxel Device with the following key mode support:

· Client 1 - RSA-1024
· Client 2 - RSA-2048 and RSA-1024
· Client 3 - ECDSA-256 and RSA-2048

If you set the key mode to ECDSA-RSA-1024, then the following will be used by each client:

· Client 1 - RSA-1024
· Client 2 - RSA-1024
· Client 3 - ECDSA-256

If you set the key mode to ECDSA-RSA-2048, then the following will be used by each client:

· Client 1 - sessions will not be processed (pass) by SSL inspection
· Client 2 - RSA-2048
· Client 3 - ECDSA-256

Profile Management

Add

Click Add to create a new profile.

Edit

Select an entry and click this to be able to modify it.


Table 282 Configuration > Security Service > SSL Inspection > Profile (continued)

LABEL

DESCRIPTION

Remove

Select an entry and click this to delete it.

References

Select an entry and click References to open a screen that shows which settings use the entry.

Refresh

Click Refresh to update information on this screen.

#

This is the entry's index number in the list.

Name

This displays the name of the profile.

Description

This displays the description of the profile.

CA Certificate

This displays the CA certificate being used in this profile.

Reference

This displays the number of times an object reference is used in a profile.

Action

Click this icon to apply the entry to a security policy.

Go to the Configuration > Security Policy > Policy Control screen to check the result.

37.2.1 Apply to a Security Policy
Click the icon in the Action field to apply the entry to a security policy. Go to the Configuration > Security Policy > Policy Control screen to check the result.

Figure 458 Configuration > Security Service > SSL Inspection > Action

The following table describes the labels in this screen.

Table 283 Configuration > Security Service > SSL Inspection > Action

LABEL

DESCRIPTION

Show Filter / Hide Filter

Click Show Filter to display IPv4 and IPv6 (if enabled) security policy search filters.

IPv4 / IPv6 Configuration

Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on direction, application, user, source, destination and/or schedule.

From / To

Select a zone to view all security policies from a particular zone and/or to a particular zone. any means all zones.


Table 283 Configuration > Security Service > SSL Inspection > Action (continued)

LABEL

DESCRIPTION

IPv4 / IPv6 Source

Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 source address object used.

· An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7.
· A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

IPv4 / IPv6 Destination

Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 destination address object used.

· An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7.
· A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

Service

View all security policies based on the service object used.

User

View all security policies based on the user or user group object used.

Schedule

View all security policies based on the schedule object used.

Priority

This is the position of your Security Policy in the global policy list (including all through-Zyxel Device and to-Zyxel Device policies). The ordering of your policies is important as policies are applied in sequence. Default displays for the default Security Policy behavior that the Zyxel Device performs on traffic that does not match any other Security Policy.

Status

This icon is lit when the entry is active and dimmed when the entry is inactive.

Name

This is the name of the Security policy.

From / To

This is the direction of travel of packets. Select from which zone the packets come and to which zone they go.

Security Policies are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN.

From any displays all the Security Policies for traffic going to the selected To Zone.

To any displays all the Security Policies for traffic coming from the selected From Zone.

From any to any displays all of the Security Policies.

To ZyWALL policies are for traffic that is destined for the Zyxel Device and control which computers can manage the Zyxel Device.

IPv4 / IPv6 Source

This displays the IPv4 / IPv6 source address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.

IPv4 / IPv6 Destination

This displays the IPv4 / IPv6 destination address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.

Service

This displays the service object to which this Security Policy applies.

User

This is the user name or user group name to which this Security Policy applies.

Schedule

This field tells you the schedule object that the policy uses. none means the policy is active at all times if enabled.

Action

This field displays whether the Security Policy silently discards packets without notification (deny), permits the passage of packets (allow) or drops packets with notification (reject).

Log

Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above.

Profile

This field shows you which Security Service profiles (application patrol, content filter, IDP, anti-malware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving.

37.2.2 Add / Edit SSL Inspection Profiles
Click Configuration > Security Service > SSL Inspection > Profile > Add to create a new profile or select an existing profile and click Edit to change its settings.
Figure 459 Configuration > Security Service > SSL Inspection > Profile > Add / Edit

The following table describes the fields in this screen.

Table 284 Configuration > Security Service > SSL Inspection > Profile > Add / Edit

LABEL

DESCRIPTION

Name

This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:

· MyProfile
· mYProfile
· Mymy12_3-4

These are invalid profile names:

· 1mYProfile
· My Profile
· MyProfile?
· Whatalongprofilename123456789012

Description

Enter additional information about this SSL Inspection entry. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_").

CA Certificate

This contains the default certificate and the certificates created in Object > Certificate > My Certificates. Choose the certificate for this profile.

SSL/TLS version supported minimum

SSL / TLS connections using versions lower than this setting are blocked.

Log

These are the log options for unsupported traffic that matches traffic bound to this policy:

· no: Select this option to have the Zyxel Device create no log for unsupported traffic that matches traffic bound to this policy.
· log: Select this option to have the Zyxel Device create a log for unsupported traffic that matches traffic bound to this policy.
· log alert: An alert is an emailed log for more serious events that may need more immediate attention. They also appear in red in the Monitor > Log screen. Select this option to have the Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy.


Table 284 Configuration > Security Service > SSL Inspection > Profile > Add / Edit (continued)

LABEL

DESCRIPTION

Action for Connection with unsupported suite

SSL Inspection supports these cipher suites:
· DES
· 3DES
· AES

Select to pass or block unsupported traffic (such as other cipher suites, compressed traffic, client authentication requests, and so on) that matches traffic bound to this policy here.

Log

These are the log options for unsupported traffic that matches traffic bound to this policy:

· no: Select this option to have the Zyxel Device create no log for unsupported traffic that matches traffic bound to this policy.
· log: Select this option to have the Zyxel Device create a log for unsupported traffic that matches traffic bound to this policy.
· log alert: An alert is an emailed log for more serious events that may need more immediate attention. They also appear in red in the Monitor > Log screen. Select this option to have the Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy.

Action for connection with untrusted cert chain

A certificate chain is a certification process that involves the following certificates between the SSL/TLS server and a client. A certificate chain will fail if one of the following certificates is not correct.
· A certificate owned by a user
· The certificate signed by a certification authority
· A root certificate

Select to pass, inspect, or block an untrusted certification chain.

Log

These are the log options for unsupported traffic that matches traffic bound to this policy:

· no: Select this option to have the Zyxel Device create no log for unsupported traffic that matches traffic bound to this policy.
· log: Select this option to have the Zyxel Device create a log for unsupported traffic that matches traffic bound to this policy.
· log alert: An alert is an emailed log for more serious events that may need more immediate attention. They also appear in red in the Monitor > Log screen. Select this option to have the Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy.

OK

Click OK to save your settings to the Zyxel Device, and return to the profile summary page.

Cancel

Click Cancel to return to the profile summary page without saving any changes.
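The key mode selection of Table 282 (the three-client example) and the per-connection actions of Table 284 (version floor, unsupported suite, untrusted chain) combined into one added Python model. This is not Zyxel's code: the Profile and Handshake field names and the order in which the checks run are this example's assumptions.

```python
from dataclasses import dataclass

# Server Signed Certificate Key Mode -> key types the virtual server may
# present, highest priority first (Table 282).
KEY_MODE_PREFERENCE = {
    "RSA-1024": ["RSA-1024"],
    "RSA-2048": ["RSA-2048"],
    "ECDSA-RSA-1024": ["ECDSA-256", "RSA-1024"],
    "ECDSA-RSA-2048": ["ECDSA-256", "RSA-2048"],
}
# Protocol versions (oldest to newest) and cipher families the page lists
# as supported; anything else is "unsupported traffic".
SUPPORTED_VERSIONS = ["SSLv3", "TLS1.0", "TLS1.2", "TLS1.3"]
SUPPORTED_CIPHERS = {"DES", "3DES", "AES"}


def select_key(key_mode, client_keys):
    """Key type the virtual server uses for a client, or "pass" when the
    client supports none of the mode's key types (its sessions are then
    not processed by SSL Inspection)."""
    for key in KEY_MODE_PREFERENCE[key_mode]:
        if key in client_keys:
            return key
    return "pass"


@dataclass
class Profile:
    """Fields of Table 284; names are this example's own. min_version must
    be one of SUPPORTED_VERSIONS."""
    key_mode: str = "ECDSA-RSA-2048"
    min_version: str = "TLS1.0"
    unsupported_action: str = "block"       # pass | block
    unsupported_log: str = "log"            # no | log | log alert
    untrusted_chain_action: str = "block"   # pass | inspect | block
    untrusted_chain_log: str = "log alert"  # no | log | log alert


@dataclass
class Handshake:
    """What the device sees of one intercepted session (constructed)."""
    version: str
    cipher: str                      # negotiated cipher family
    client_keys: tuple               # key types the client accepts
    compression: bool = False
    client_auth: bool = False        # server requested a client certificate
    chain_trusted: bool = True       # server chain validates against trusted CAs


def decide(profile, hs):
    """Return (action, reason, log) for one session under a profile.

    Check order is an assumption: version floor, unsupported features,
    key mode, certificate chain. The page gives no log option for the
    version floor or the key-mode pass, so those cases return log=None.
    """
    if (hs.version in SUPPORTED_VERSIONS
            and SUPPORTED_VERSIONS.index(hs.version)
            < SUPPORTED_VERSIONS.index(profile.min_version)):
        return ("block", "version below minimum", None)
    unsupported = (hs.version not in SUPPORTED_VERSIONS
                   or hs.cipher not in SUPPORTED_CIPHERS
                   or hs.compression or hs.client_auth)
    if unsupported:
        return (profile.unsupported_action, "unsupported",
                profile.unsupported_log)
    key = select_key(profile.key_mode, hs.client_keys)
    if key == "pass":
        return ("pass", "no usable key type", None)
    if not hs.chain_trusted:
        return (profile.untrusted_chain_action, "untrusted chain",
                profile.untrusted_chain_log)
    return ("inspect", key, None)
```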

37.3 Exclude List Screen
There may be privacy and legality issues regarding inspecting a user's encrypted session. The legal issues may vary by locale, so it's important to check with your legal department to make sure that it's OK to intercept SSL traffic from your Zyxel Device users.
To ensure individual privacy and meet legal requirements, you can configure an exclusion list to exclude matching sessions to destination servers. This traffic is not intercepted and is passed through uninspected.
Click Configuration > Security Service > SSL Inspection > Exclude List to display the following screen. Use Add to put a new item in the list, Edit to change an existing one, or Remove to delete an existing entry.

Figure 460 Configuration > Security Service > SSL Inspection > Exclude List (> Add/Edit)

The following table describes the fields in this screen.

Table 285 Configuration > Security Service > SSL Inspection > Exclude List

LABEL

DESCRIPTION

General Settings

Enable Logs for Exclude List

Click this to create a log for traffic that bypasses SSL Inspection.

Exclude List Settings

Use this part of the screen to create, edit, or delete items in the SSL Inspection exclusion list.

Add

Click this to create a new entry.

Edit

Select an entry and click this to be able to modify it.

Remove

Select an entry and click this to delete it.

#

This is the entry's index number in the list.

Exclude List of Certificate Identity

SSL traffic to a server to be excluded from SSL Inspection is identified by its certificate. Identify the certificate in one of the following ways:
· The Common Name (CN) of the certificate. The common name of the certificate can be created in the Object > Certificate > My Certificates screen.
· Type an IPv4 or IPv6 address. For example, type 192.168.1.35, or 2001:7300:3500::1
· Type an IPv4/IPv6 in CIDR notation. For example, type 192.168.1.1/24, or 2001:7300:3500::1/64
· Type an IPv4/IPv6 address range. For example, type 192.168.1.1-192.168.1.35, or 2001:7300:3500::1-2001:7300:3500::35
· Type an email address. For example, type abc@zyxel.com.tw
· Type a DNS name or a common name (wildcard char: '*', escape char: '\'). Use up to 127 case-insensitive characters (0-9a-zA-Z`~!@#$%^&*()-_=+[]{}\|;:',.<>/?). '*' can be used as a wildcard to match any string. Use '\*' to indicate a single wildcard character.

Alternatively, to automatically add an entry for existing SSL traffic to a destination server, go to Mo nito r > Se c urity Sta tistic s > SSL Inspe c tio n > C e rtific a te C a c he List, select an item and then click Add to Exc lude List. The item will then appear here.

Apply

Click Apply to save your settings to the Zyxel Device.

Reset

Click Reset to return to the profile summary page without saving any changes.
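An added Python matcher (not Zyxel's code) for the exclude-list entry forms of Table 285: single IP, CIDR, IP range, email address, and DNS or common name with wildcards. Reading '\*' as matching exactly one character, and the order in which an entry is tried as range, IP, email and then name, are this example's assumptions.

```python
import ipaddress
import re


def name_pattern(pattern):
    """Compile an exclude-list DNS/common-name entry into a regex.

    '*' matches any string; '\\*' is read as the page's "single wildcard
    character" and matches exactly one character (assumption); any other
    backslash-escaped character is literal. Matching is case-insensitive.
    """
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            parts.append("." if nxt == "*" else re.escape(nxt))
            i += 2
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_entry(entry):
    """Classify one entry into (kind, value) using the forms in Table 285."""
    entry = entry.strip()
    if "/" in entry:
        return ("cidr", ipaddress.ip_network(entry, strict=False))
    if "-" in entry and "@" not in entry:
        lo, hi = entry.split("-", 1)
        try:
            return ("range", (ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        except ValueError:
            pass                     # a hyphenated host name: fall through
    try:
        return ("ip", ipaddress.ip_address(entry))
    except ValueError:
        pass
    if "@" in entry:
        return ("email", entry.lower())
    return ("name", name_pattern(entry))


def is_excluded(entries, cn, ip=None, email=None):
    """True when the destination server (certificate CN, address and, if
    present, certificate email) matches any exclude-list entry, meaning
    the session is passed through without SSL Inspection."""
    addr = ipaddress.ip_address(ip) if ip else None
    for kind, value in (parse_entry(e) for e in entries):
        if kind == "name" and value.match(cn):
            return True
        if kind == "email" and email and email.lower() == value:
            return True
        if addr is None:
            continue
        if kind == "ip" and addr == value:
            return True
        if kind == "cidr" and addr in value:
            return True
        # Range bounds and the address must be the same IP version; mixed
        # comparisons would raise instead of simply not matching.
        if (kind == "range" and value[0].version == addr.version
                and value[0] <= addr <= value[1]):
            return True
    return False
```

A wildcard entry such as *.example passes every host under that name uninspected, so review name patterns as carefully as address ranges when auditing the list.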

37.4 Certificate Update Screen
Use this screen to update the latest certificates of servers using SSL connections to the Zyxel Device network. User U sends an SSL request to destination server D (1), via the Zyxel Device, Z. D replies (2); Z intercepts the response from D and checks if the certificate has been previously signed. Z then replies to D (3) and also to U (4). D's latest certificate is stored at myZyxel (M) along with other server certificates and can be downloaded to the Zyxel Device.
Figure 461 SSL Inspection Certificate Update Overview
Click Configuration > Security Service > SSL Inspection > Certificate Update to display the following screen.
Figure 462 Configuration > Security Service > SSL Inspection > Certificate Update

The following table describes the fields in this screen.

Table 286 Configuration > Security Service > SSL Inspection > Certificate Update

LABEL

DESCRIPTION

Certificate Information

Current Version

This displays the current certificate set version.

Released Date

This field displays the date and time the current certificate set was released.

Certificate Update

You should have Internet access and have activated SSL Inspection on the Zyxel Device at myZyxel.

Update Now

Click this button to download the latest certificate set (Windows, MAC OS X, and Android) from myZyxel and update it on the Zyxel Device.

Auto Update

Select this to automatically have the Zyxel Device update the certificate set when a new one becomes available on myZyxel.

Apply

Click Apply to save your settings to the Zyxel Device.

Reset

Click Reset to return to the profile summary page without saving any changes.

37.5 Install a CA Certificate in a Browser
Certificates used in SSL Inspection profiles should be installed in user web browsers. Do the following steps to install a certificate in a computer with a Windows operating system (PC). First, save the certificate to your computer.
1 Run the certificate manager using certmgr.msc.

2 Go to Trusted Root Certification Authorities > Certificates.

3 From the main menu, select Action > All Tasks > Import and run the Certificate Import Wizard to install the certificate on the PC.
37.5.0.1 Firefox Browser
If you're using a Firefox browser, in addition to the above you need to do the following to import a certificate into the browser. Click Tools > Options > Advanced > Encryption > View Certificates, click Import and enter the filename of the certificate you want to import. See the browser's help for further information.
CHAPTER 38
IP Exception
38.1 Overview
IP Exception allows incoming IP packets to bypass specific security services based on the packet's source or destination address. Bypassing a security service means the security service does not intercept nor inspect the packet. IP Exception supports bypassing the following security services:
· Anti-Malware
· URL Threat Filter
· IDP (Intrusion Detection and Prevention)
38.2 The IP Exception Screen
Use this screen to view the IP exception list for the specified services. The Zyxel Device will not inspect incoming packets that match the listed source and destination IP address(es) with the specified services. Click Configuration > Security Service > IP Exception to display the following screen. Use Add to put a new entry in the list, Edit to change an existing one, or Remove to delete an existing entry.
Figure 463 Configuration > Security Service > IP Exception

The following table describes the fields in this screen.

Table 287 Configuration > Security Service > IP Exception

LABEL

DESCRIPTION

IPv4/IPv6 Exception List Settings

Add

Click this to create a new entry.

Edit

Select an entry and click this to be able to modify it.

Remove

Select an entry and click this to delete it.

#

This is the entry's index number in the list.

Name

This field displays the descriptive name of this entry.

IPv4/IPv6 Source

This field displays the source IP address (or address object) of incoming traffic. It displays any if there is no restriction on the source IP address.

IPv4/IPv6 Destination

This field displays the destination IP address (or address object) of incoming traffic. It displays any if there is no restriction on the destination IP address.

Service to Bypass

This field displays which services will not inspect matched packets.

Log

This field displays if the Zyxel Device will generate a log when the incoming traffic is in the exception list.

38.2.1 The IP Exception Add/Edit Screen
Use this screen to add or edit entries of IPv4 or IPv6 address in the IP exception list. Click Configuration > Security Service > IP Exception > Add/Edit to display the following screen.
Figure 464 Configuration > Security Service > IP Exception > Add/Edit


The following table describes the fields in this screen.

Table 288 Configuration > Security Service > IP Exception > Add/Edit

LABEL

DESCRIPTION

Create New Object

Use this to configure any new settings objects that you need to use in this screen.

Name

Enter a descriptive name of this entry.

Description

Enter the description for this entry. You can use up to 60 printable ASCII characters.

Source

Select a ny or an address object of the source IP address for this entry. Select a ny so there's no restriction on the source IP address.

Destination

Select a ny or an address object of the destination IP address for this entry. Select a ny so there's no restriction on the destination IP address.

Log

Select Ye s to have the Zyxel Device generate a log when the incoming traffic is in the

exception list. Otherwise, select No .

Service to Bypass

Selected services do not inspect packets that match source/destination criteria above. Nonselected services do inspect packets that match source/destination criteria above.

OK

Click O K to save your customized settings and exit this screen.

Cancel

Click C a nc e l to exit this screen without saving.


CHAPTER 39 Object

39.1 Zones Overview

Set up zones to configure network security and network policies in the Zyxel Device. A zone is a group of interfaces and/or VPN tunnels. The Zyxel Device uses zones instead of interfaces in many security and policy settings, such as Secure Policies rules, Security Service, and remote management. Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.

Figure 465 Example: Zones

Use the Zone screens (see Section 39.8.2 on page 780) to manage the Zyxel Device's zones.

39.1.1 What You Need to Know

Zones effectively divide traffic into three types: intra-zone traffic, inter-zone traffic, and extra-zone traffic.
Intra-zone Traffic

· Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 465 on page 710, traffic between VLAN 2 and the Ethernet is intra-zone traffic.

Inter-zone Traffic

· Inter-zone traffic is traffic between interfaces or VPN tunnels in different zones. For example, in Figure 465 on page 710, traffic between VLAN 1 and the Internet is inter-zone traffic. This is the normal case when zone-based security and policy settings apply.

Extra-zone Traffic

· Extra-zone traffic is traffic to or from any interface or VPN tunnel that is not assigned to a zone. For example, in Figure 465 on page 710, traffic to or from computer C is extra-zone traffic.
· Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information.
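The zone rules above (no overlap, virtual interfaces inherit their parent's zone, unassigned interfaces carry extra-zone traffic) as a small model, added here as an example that is not Zyxel's code; the interface names are constructed and the way "any" treats unassigned interfaces is an assumption drawn from the note that such settings may apply when the zone attribute is Any or All.

```python
"""Zone membership and the three traffic types of Section 39.1.

Added example, not Zyxel code. It applies the rules stated in the text to a
constructed interface layout in the spirit of Figure 465. How 'any' treats
extra-zone traffic is an assumption (see the lead-in).
"""
from typing import Dict, Optional


class ZoneTable:
    def __init__(self) -> None:
        self._zone_of: Dict[str, str] = {}    # interface or VPN tunnel -> zone
        self._parent_of: Dict[str, str] = {}  # virtual interface -> parent

    def assign(self, member: str, zone: str) -> None:
        """Put an interface or VPN tunnel in a zone. Zones cannot overlap."""
        current = self._zone_of.get(member)
        if current is not None and current != zone:
            raise ValueError(f"{member} already belongs to zone {current}")
        self._zone_of[member] = zone

    def add_virtual(self, virtual: str, parent: str) -> None:
        """Virtual interfaces are not assigned directly; they follow their parent."""
        self._parent_of[virtual] = parent

    def zone_of(self, member: str) -> Optional[str]:
        """Zone of an interface or tunnel, or None if it is not in any zone."""
        return self._zone_of.get(self._parent_of.get(member, member))

    def traffic_type(self, ingress: str, egress: str) -> str:
        """'intra-zone', 'inter-zone' or 'extra-zone' as defined in Section 39.1.1."""
        src, dst = self.zone_of(ingress), self.zone_of(egress)
        if src is None or dst is None:
            return "extra-zone"
        return "intra-zone" if src == dst else "inter-zone"

    def rule_matches(self, ingress: str, egress: str,
                     from_zone: str, to_zone: str) -> bool:
        """Whether a zone-based rule with these From/To selections covers the
        traffic. 'any' is assumed to match every interface, including ones in
        no zone; a named zone never matches an unassigned interface."""
        def match(actual: Optional[str], wanted: str) -> bool:
            return wanted == "any" or actual == wanted
        return (match(self.zone_of(ingress), from_zone)
                and match(self.zone_of(egress), to_zone))
```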
39.1.2 The Zone Screen

The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Object > Zone.
Fig ure 466 Configuration > Object > Zone

The following table describes the labels in this screen.

Table 289 Configuration > Object > Zone

LABEL
DESCRIPTION

User Configuration / System Default
The Zyxel Device comes with pre-configured System Default zones that you cannot delete. You can create your own User Configuration zones.

Add
Click this to create a new, user-configured zone.

Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove
To remove a user-configured zone, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References
Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information in this screen.

#
This field is a sequential value, and it is not associated with any interface.

Name
This field displays the name of the zone.

Member
This field displays the names of the interfaces that belong to each zone.

Reference
This field displays the number of times an Object Reference is used in a policy.

39.1.2.1 Zone Edit

The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 39.8.2 on page 780), and click the Add icon or an Edit icon.
Fig ure 467 Configuration > Object > Zone > Add

The following table describes the labels in this screen.

Table 290 Configuration > Object > Zone > Add/Edit

LABEL
DESCRIPTION

Name
For a system default zone, the name is read only. For a user-configured zone, type the name used to refer to the zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Member List
Available lists the interfaces and VPN tunnels that do not belong to any zone. Select the interfaces and VPN tunnels that you want to add to the zone you are editing, and click the right arrow button to add them.
Member lists the interfaces and VPN tunnels that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them.

OK
Click OK to save your customized settings and exit this screen.

Cancel
Click Cancel to exit this screen without saving.

39.2 User/Group Overview

This section describes how to set up user accounts, user groups, and user settings for the Zyxel Device. You can also set up rules that control when users have to log in to the Zyxel Device before the Zyxel Device routes traffic for them.

· The User screen (see Section 39.13.1 on page 822) provides a summary of all user accounts.
· The Group screen (see Section 39.2.5 on page 722) provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. User groups may consist of access users and other user groups. You cannot put admin users in user groups.
· The Setting screen (see Section 39.2.6 on page 724) controls default settings, login settings, lockout settings, and other user settings for the Zyxel Device. You can also use this screen to specify when users must log in to the Zyxel Device before it routes traffic for them.
· The MAC Address screen (see Section 39.2.7 on page 729) allows you to configure the MAC addresses or OUI (Organizationally Unique Identifier) of wireless clients for MAC authentication using the local user database. The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device.

39.2.1 What You Need To Know

User Account

A user account defines the privileges of a user logged into the Zyxel Device. User accounts are used in security policies and application patrol, in addition to controlling access to configuration and services in the Zyxel Device.

User Types

These are the types of user accounts the Zyxel Device uses.

Table 291 Types of User Accounts

TYPE | ABILITIES | LOGIN METHOD(S)
Admin Users
admin | Change Zyxel Device configuration (web, CLI) | WWW, TELNET, SSH, FTP, Console
limited-admin | Look at Zyxel Device configuration (web, CLI); Perform basic diagnostics (CLI) | WWW, TELNET, SSH, Console
Access Users
user | Access network services; Browse user-mode commands (CLI) | WWW, TELNET, SSH
guest | Access network services | WWW
ext-user | External user account | WWW
ext-group-user | External group user account | WWW
guest-manager | Create dynamic guest accounts | WWW
dynamic-guest | Access network services | Hotspot Portal

Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 39 on page 794 for more information about authentication methods.)

Ext-User Accounts

Set up an ext-user account if the user is authenticated by an external server and you want to set up specific policies for this user in the Zyxel Device. If you do not want to set up policies for this user, you do not have to set up an ext-user account.

All ext-user users should be authenticated by an external server, such as AD, LDAP or RADIUS. If the Zyxel Device tries to use the local database to authenticate an ext-user, the authentication attempt always fails. (This is related to AAA servers and authentication methods, which are discussed in those chapters in this guide.)

Note: If the Zyxel Device tries to authenticate an ext-user using the local database, the attempt always fails.

Once an ext-user user has been authenticated, the Zyxel Device tries to get the user type (see Table 291 on page 713) from the external server. If the external server does not have the information, the Zyxel Device sets the user type for this session to User.

For the rest of the user attributes, such as reauthentication time, the Zyxel Device checks the following places, in order.

1 User account in the remote server.
2 User account (Ext-User) in the Zyxel Device.
3 Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the Zyxel Device.

See Setting up User Attributes in an External Server for a list of attributes and how to set up the attributes in an external server.

Ext-Group-User Accounts

Ext-group-user accounts are similar to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server. See Section 39.9.5.1 on page 788 for more on the group membership attribute.

Dynamic-Guest Accounts

Dynamic guest accounts are guest accounts, but are created dynamically and stored in the Zyxel Device's local user database. A dynamic guest account has a dynamically-created user name and password. A dynamic guest account user can access the Zyxel Device's services only within a given period of time and will become invalid after the expiration date/time. There are three types of dynamic guest accounts depending on how they are created or authenticated: billing-users, ua-users and trial-users. billing-users are guest accounts created with the guest manager account or an external printer and paid by cash, or created and paid via the on-line payment service. ua-users are users that log in from the user agreement page. trial-users are free guest accounts that are created with the Free Time function.
User Groups

User groups may consist of user accounts or other user groups. Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one. The sequence of members in a user group is not important.

Note: You cannot put access users and admin users in the same user group.

Note: You cannot put the default admin account into any user group.

User Awareness

By default, users do not have to log into the Zyxel Device to use the network services it provides. The Zyxel Device automatically routes packets for everyone. If you want to restrict network services that certain users can use via the Zyxel Device, you can require them to log in to the Zyxel Device first. The Zyxel Device is then 'aware' of the user who is logged in and you can create 'user-aware policies' that define what services they can use. See Section 39.2.8 on page 731 for a user-aware login example.

Finding Out More

· See Section 39.2.8 on page 731 for some information on users who use an external authentication server in order to log in.
· The Zyxel Device supports TTLS using PAP so you can use the Zyxel Device's local user database to authenticate users with WPA or WPA2 instead of needing an external RADIUS server.
39.2.2 User/Group User Summary Screen

The User screen provides a summary of all user accounts. To access this screen, login to the Web Configurator, and click Configuration > Object > User/Group.
Figure 468 Configuration > Object > User/Group > User

The following table describes the labels in this screen.

Table 292 Configuration > Object > User/Group > User

LABEL
DESCRIPTION

Add
Click this to create a new entry.

Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References
Select an entry and click References to open a screen that shows which settings use the entry.

#
This field is a sequential value, and it is not associated with a specific user.

User Name
This field displays the user name of each user.

User Type
This field displays the types of user accounts the Zyxel Device uses:
· admin - this user can look at and change the configuration of the Zyxel Device
· limited-admin - this user can look at the configuration of the Zyxel Device but not change it
· dynamic-guest - this user has access to the Zyxel Device's services but cannot look at the configuration.
· user - this user has access to the Zyxel Device's services and can also browse user-mode commands (CLI).
· guest - this user has access to the Zyxel Device's services but cannot look at the configuration.
· ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 714 for more information about this type.
· ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts on page 714 for more information about this type.
· guest-manager - this user can log in via the web configurator login screen and create dynamic guest accounts using the Account Generator screen that pops up.

Description
This field displays the description for each user.

Reference
This displays the number of times an object reference is used in a profile.

39.2.3 User Add/Edit General Screen

The User Add/Edit General screen allows you to create a new user account or edit an existing one.

39.2.3.1 Rules for User Names

Enter a user name from 1 to 31 characters. The user name can only contain the following characters:


· Alphanumeric A-z 0-9 (there is no unicode support)
· _ [underscores]
· - [dashes]

The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:

· User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the account settings used for 'BOB' not 'bob'.
· User names have to be different than user group names.
· Here are the reserved user names:

· adm
· admin
· any
· bin
· daemon
· debug
· devicehaecived
· ftp
· games
· halt
· ldap-users
· lp
· mail
· news
· nobody
· operator
· radius-users
· root
· shutdown
· sshd
· sync
· uucp
· zyxel
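The user-name rules above, together with the Enable Password Complexity rule that Table 293 gives for the Password field, as a pre-check that can be run before an account is entered in the Web Configurator. This is an added example, not Zyxel's code; the sample names in the test are constructed, and reading "special character from the keyboard" as any printable ASCII punctuation is an assumption.

```python
"""Checks for Zyxel Device user names and passwords.

Added example, not Zyxel code: it encodes the user-name rules of
Section 39.2.3.1 and the Enable Password Complexity rule of Table 293.
"""
import re
import string
from typing import Iterable, List

# Reserved user names listed in Section 39.2.3.1. User names are
# case-sensitive, so this check is exact: "Admin" is not rejected by it.
RESERVED_USER_NAMES = frozenset({
    "adm", "admin", "any", "bin", "daemon", "debug", "devicehaecived", "ftp",
    "games", "halt", "ldap-users", "lp", "mail", "news", "nobody", "operator",
    "radius-users", "root", "shutdown", "sshd", "sync", "uucp", "zyxel",
})

# 1-31 characters from A-Z, a-z, 0-9, '_' and '-'; the first character may
# not be a digit. ASCII only, since the guide says there is no Unicode support.
USER_NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")

# "a special character from the keyboard, such as !@#$%^&*()_+" is taken here
# to mean any printable ASCII punctuation (assumption).
SPECIAL_CHARS = frozenset(string.punctuation)


def user_name_errors(name: str, group_names: Iterable[str] = ()) -> List[str]:
    """Return the rule violations for a proposed user name (empty = valid)."""
    errors = []
    if USER_NAME_RE.fullmatch(name) is None:
        errors.append("use 1-31 ASCII letters, digits, '_' or '-', "
                      "and do not start with a digit")
    if name in RESERVED_USER_NAMES:
        errors.append(f"'{name}' is a reserved user name")
    if name in set(group_names):
        errors.append("user names have to be different from user group names")
    return errors


def password_errors(password: str, complexity_enabled: bool) -> List[str]:
    """Return the rule violations for a local account password (empty = valid).

    Without Enable Password Complexity only the 1-64 character length applies;
    with it the password needs 8-64 characters and one of each class below.
    """
    errors = []
    if not 1 <= len(password) <= 64:
        errors.append("password must be 1 to 64 characters")
    if not complexity_enabled:
        return errors
    if len(password) < 8:
        errors.append("complexity: at least 8 characters")
    classes = [
        (string.digits, "at least 1 number"),
        (string.ascii_lowercase, "at least 1 lower case letter"),
        (string.ascii_uppercase, "at least 1 upper case letter"),
        (SPECIAL_CHARS, "at least 1 special character"),
    ]
    for alphabet, message in classes:
        if not any(c in alphabet for c in password):
            errors.append("complexity: " + message)
    return errors
```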

To access this screen, go to the User screen (see Section 39.13.1 on page 822), and click either the Add icon or an Edit icon.

Figure 469 Configuration > Object > User/Group > User > Add/Edit_General


The following table describes the labels in this screen.

Table 293 Configuration > Object > User/Group > User > Add/Edit_General

LABEL
DESCRIPTION

User Name
Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different than user group names, and some words are reserved. See Section 39.2.3.1 on page 716.

User Type
This field displays the types of user accounts the Zyxel Device uses:
· admin - this user can look at and change the configuration of the Zyxel Device
· limited-admin - this user can look at the configuration of the Zyxel Device but not change it
· user - this user has access to the Zyxel Device's services and can also browse user-mode commands (CLI).
· guest - this user has access to the Zyxel Device's services but cannot look at the configuration.
· ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 714 for more information about this type.
· ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts on page 714 for more information about this type.

Password
Enter a password of from 1 to 64 characters for this user account. If you selected Enable Password Complexity in Configuration > Object > User/Group > Setting, it must consist of at least 8 characters and at most 64. At least 1 character must be a number, at least 1 a lower case letter, at least 1 an upper case letter and at least 1 a special character from the keyboard, such as !@#$%^&*()_+.
This field is not available if you select the ext-user or ext-group-user type.

Retype
This field is not available if you select the ext-user or ext-group-user type.

Group Identifier
This field is available for an ext-group-user type user account.
Specify the value of the AD or LDAP server's Group Membership Attribute that identifies the group to which this user belongs.

Associated AAA Server Object
This field is available for an ext-group-user type user account. Select the AAA server to use to authenticate this account's users.

Description
Enter the description of each user, if any. You can use up to 60 printable ASCII characters. Default descriptions are provided.

Email
Type one or more valid email addresses for this user so that email messages can be sent to this user if required. A valid email address must contain the @ character. For example, this is a valid email address: abc@example.com.

Mobile Number
Type a valid mobile telephone number for this user so that SMS messages can be sent to this user if required. A valid mobile telephone number can be up to 20 characters in length, including the numbers 1~9 and the following characters in the square brackets [+*#()-].

Send Code
This button is available when the user type is admin or limited-admin.
Click this and an authorization email or SMS message with a code of six digits will be sent to the email addresses or mobile telephone number you put in.
Enter the verification code to verify your email addresses or mobile telephone number.

Figure 470 Verification Code for Email

Figure 471 Verification Code for Mobile Telephone Number

Authentication Timeout Settings
If you want the system to use default settings, select Use Default Settings. If you want to set authentication timeout to a value other than the default settings, select Use Manual Settings then fill your preferred values in the fields that follow.

Lease Time
If you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown.
If you select Use Manual Settings, you need to enter the number of minutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically (see Section 39.2.6 on page 724), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.

Reauthentication Time
If you select Use Default Settings in the Authentication Timeout Settings field, the default reauthentication time is shown.
If you select Use Manual Settings, you need to type the number of minutes this user can be logged into the Zyxel Device in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.

User VLAN ID
This field is available for an ext-group-user type user account.
Select this option to enable dynamic VLAN assignment on the Zyxel Device. When a user is authenticated successfully, all data traffic from this user is tagged with the VLAN ID number you specify here.
This allows you to assign a user of the ext-group-user type to a specific VLAN based on the user credentials instead of using an AAA server.

Configuration Validation
Use a user account from the group specified above to test if the configuration is correct. Enter the account's user name in the User Name field and click Test.

OK
Click OK to save your changes back to the Zyxel Device and close the screen.

Cancel
Click Cancel to exit this screen without saving your changes.

Save
This button is only available when adding a new user. Click Save to save your changes back to the Zyxel Device and then go to the Two-factor Authentication screen.
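The Lease Time and Reauthentication Time semantics in the table above (1 to 1440 minutes, 0 for unlimited, a lease can be renewed but the reauthentication limit cannot, automatic renewal is only offered to access users) as a small session model, added here as an example that is not Zyxel's code; the user names and minute values are constructed.

```python
"""Lease time and reauthentication time semantics for Zyxel Device sessions.

Added example, not Zyxel code. It models the rules Table 293 states for the
Lease Time and Reauthentication Time fields so that the effect of a timeout
choice can be reasoned about before it is applied. Times are in minutes.
"""
from dataclasses import dataclass
from typing import Optional

UNLIMITED = 0       # the guide: enter 0 to make the number of minutes unlimited
MAX_MINUTES = 1440


def check_minutes(value: int, label: str) -> int:
    """Accept 0 (unlimited) or 1 to 1440 minutes, as the fields allow."""
    if (isinstance(value, bool) or not isinstance(value, int)
            or not 0 <= value <= MAX_MINUTES):
        raise ValueError(f"{label} must be 0 or 1-1440 minutes, got {value!r}")
    return value


@dataclass
class Timeouts:
    lease: int             # minutes the user has to renew the current session
    reauthentication: int  # minutes one session may last before a new login

    def __post_init__(self) -> None:
        check_minutes(self.lease, "lease time")
        check_minutes(self.reauthentication, "reauthentication time")


@dataclass
class Session:
    user: str
    is_admin: bool            # admin/limited-admin renew on each main-screen refresh
    timeouts: Timeouts
    login_at: int             # minute at which the user logged in
    auto_renew: bool = False  # access user ticked "Updating lease time automatically"
    last_renew: Optional[int] = None

    def __post_init__(self) -> None:
        if self.is_admin and self.auto_renew:
            raise ValueError("automatic lease renewal is offered to access users only")
        self.last_renew = self.login_at

    def state(self, now: int) -> str:
        """'active', 'lease-expired' (the user was logged out) or
        'reauthentication-required' (session limit reached, renewal impossible)."""
        limit = self.timeouts.reauthentication
        if limit != UNLIMITED and now - self.login_at >= limit:
            return "reauthentication-required"
        lease = self.timeouts.lease
        if (lease != UNLIMITED and not self.auto_renew
                and now - self.last_renew >= lease):
            return "lease-expired"
        return "active"

    def renew(self, now: int) -> bool:
        """A main-screen refresh (admin) or a click on Renew (access user).
        Returns False if the session has already ended, in which case the user
        has to log in again; renewing never extends the reauthentication limit."""
        if self.state(now) != "active":
            return False
        self.last_renew = now
        return True
```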

39.2.4 User Add/Edit Two-factor Authentication Screen

The User Add/Edit Two-factor Authentication screen allows you to create two-factor security for VPN access or admin access for this user to the Zyxel Device.

Two-factor authentication adds an extra layer of security for users logging into the Zyxel Device. When two-factor authentication is enabled, a user has to first enter their username and password, and then click on a temporary link or enter a one-time password when logging in.

You can enable two-factor authentication for users who are logging into the Zyxel Device to create a VPN tunnel (VPN access), and for administrator and limited admin users who are logging into the Web Configurator or CLI (admin access) to configure the Zyxel Device.

Table 294 Two Factor Authentication Methods

ACCESS TYPE | TWO-FACTOR AUTHENTICATION METHODS | FACTOR 2 PASSWORD
VPN | SMS | Code
VPN | Email | Link
Admin | SMS | Code
Admin | Email | Link
Admin | Google Authenticator app | Code

You must first enable two-factor authentication on the Zyxel Device in Object > Auth. Method > Two-factor Authentication > VPN Access and Object > Auth. Method > Two-factor Authentication > Admin Access. See Section 39.10.4 on page 797 and Section 39.10.6 on page 801 for more prerequisites and other information.

In Object > User/Group > User, click Add to create a new entry or select an entry and click Edit to modify the entry.

Figure 472 Configuration > Object > User/Group > User > Add/Edit_Two-factor Authentication

Figure 473 Configuration > Object > User/Group > User > Add/Edit_Two-factor Authentication_Verified

The following table describes the labels in this screen.

Table 295 Configuration > Object > User/Group > User > Add_Two-factor Authentication

LABEL
DESCRIPTION

Enable Two-factor Authentication for VPN Access.
Select this to require two-factor authentication for this user to use a pre-configured VPN tunnel for secure access to a network behind the Zyxel Device. Select the types of VPN allowed in Object > Auth. Method > Two-factor Authentication > VPN Access. You may choose from:
· SSL VPN Access
· IPSec VPN Access
· L2TP/IPSec VPN Access.

Enable Two-factor Authentication for Admin Access.
Select this to require two-factor authentication for an admin user to access the Zyxel Device. Select the types of access allowed in Object > Auth. Method > Two-factor Authentication > Admin Access. You may choose from:
· Web
· SSH
· TELNET

Two-factor Auth. Method
Select Default or User Defined and select from PIN code by SMS/Email or Google Authenticator.

Set up Google Authenticator
If you chose Google Authenticator for offline two-factor authentication, on your mobile device, go to an app store to download Google Authenticator. To add your account to Google Authenticator, press the plus (+) icon, select Scan Barcode, then use your mobile device's camera to scan the barcode. Finally enter the verification code you receive on your mobile device in Verify your device.

View your backup codes
You see this after successful Google authentication. In the event that you do not have access to email or your mobile device, click Download to create backup codes as second-factor authentication. Make sure to put them in a safe place.

Verify your device
In the event that you do not have access to email or your mobile device, enter a backup code here as second factor authentication. You can use each code only once. If you generate a new set of backup codes (Regenerate backup codes), the old set becomes obsolete.

Revoke
Click this to cancel Google authentication as second-factor authentication for Admin Access. You must then use a PIN code by SMS or email as second-factor authentication instead.

OK
Click OK to save your changes back to the Zyxel Device and close the screen.

Cancel
Click Cancel to exit this screen without saving your changes.

39.2.5 User/Group Group Summary Screen

User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. To access this screen, login to the Web Configurator, and click Configuration > Object > User/Group > Group.
Fig ure 474 Configuration > Object > User/Group > Group


The following table describes the labels in this screen. See Section 39.2.5.1 on page 723 for more information as well.

Table 296 Configuration > Object > User/Group > Group

LABEL
DESCRIPTION

Add
Click this to create a new entry.

Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Removing a group does not remove the user accounts in the group.

References
Select an entry and click References to open a screen that shows which settings use the entry.

#
This field is a sequential value, and it is not associated with a specific user group.

Group Name
This field displays the name of each user group.

Description
This field displays the description for each user group.

Member
This field lists the members in the user group. Each member is separated by a comma.

Reference
This displays the number of times an object reference is used in a profile.

39.2.5.1 Group Add/Edit Screen

The Group Add/Edit screen allows you to create a new user group or edit an existing one. To access this screen, go to the Group screen (see Section 39.2.5 on page 722), and click either the Add icon or an Edit icon.
Fig ure 475 Configuration > Object > User/Group > Group > Add

The following table describes the labels in this screen.

Table 297 Configuration > Object > User/Group > Group > Add

LABEL
DESCRIPTION

Name
Type the name for this user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User group names have to be different than user names.

Description
Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces.

Member List
The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important. Select users and groups from the Available list that you want to be members of this group and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.

OK
Click OK to save your changes back to the Zyxel Device.

Cancel
Click Cancel to exit this screen without saving your changes.

39.2.6 User/Group Setting Screen

The Setting screen controls default settings, login settings, lockout settings, and other user settings for the Zyxel Device. You can also use this screen to specify when users must log in to the Zyxel Device before it routes traffic for them.

To access this screen, login to the Web Configurator, and click Configuration > Object > User/Group > Setting.

Figure 476 Configuration > Object > User/Group > Setting

The following table describes the labels in this screen.

Table 298 Configuration > Object > User/Group > Setting

LABEL
DESCRIPTION

User Authentication Timeout Settings

Default Authentication Timeout Settings
These authentication timeout settings are used by default when you create a new user account. They also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings.

Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

#
This field is a sequential value, and it is not associated with a specific entry.

User Type
These are the kinds of user account the Zyxel Device supports.
· admin - this user can look at and change the configuration of the Zyxel Device
· limited-admin - this user can look at the configuration of the Zyxel Device but not change it
· user - this user has access to the Zyxel Device's services but cannot look at the configuration
· guest - this user has access to the Zyxel Device's services but cannot look at the configuration
· ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 714 for more information about this type.
· ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts on page 714 for more information about this type.

Lease Time
This is the default lease time in minutes for each type of user account. It defines the number of minutes the user has to renew the current session before the user is logged out.
Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically (see Section 39.2.6 on page 724), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.

Reauthentication Time
This is the default reauthentication time in minutes for each type of user account. It defines the number of minutes the user can be logged into the Zyxel Device in one session before having to log in again. Unlike Lease Time, the user has no opportunity to renew the session without logging out.

Miscellaneous Settings

Allow renewing lease time automatically
Select this check box if access users can renew lease time automatically, as well as manually, simply by selecting the Updating lease time automatically check box on their screen.
This is applicable for access users.

Enable user idle detection
Select this check box if you want the Zyxel Device to monitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The Zyxel Device automatically logs out the access user once the User idle timeout has been reached.
This is applicable for access users.

User idle timeout
This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the Zyxel Device automatically logs out the access user.

Login Security

Password must changed every (days):
Enter how often users must change their password when they log into the Zyxel Device. You can choose from once a day to once a year.

Password reset link (FQDN/IP):
Associate the password expiration to a specific Zyxel Device. Default is this Zyxel Device (myrouter) or select Custom and enter the IP address or Fully Qualified Domain Name (FQDN).

Enable Password Complexity
Select this to enforce the following conditions in a user password. Requiring a strong password is good for security. The conditions are that the password must consist of at least 8 characters and at most 64. At least 1 character must be a number, at least 1 a lower case letter, at least 1 an upper case letter and at least 1 a special character from the keyboard, such as !@#$%^&*()_+.


Table 298 Configuration > Object > User/Group > Setting (continued)

LABEL

DESCRIPTION

User Logon Settings

Limit the number of simultaneous logons for administration account

Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.

Maximum number per administration account

This field is effective when Limit ... for administration account is checked. Type the maximum number of simultaneous logins by each admin user.

Limit the number of simultaneous logons for access account

Select this check box if you want to set a limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can log in as many times as they want as long as they use different IP addresses.

Maximum number per access account

This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user.

User Lockout Settings

Enable logon retry limit

Select this check box to set a limit on the number of times each user can log in unsuccessfully (for example, wrong password) before the IP address is locked out for a specified amount of time.

Maximum retry count

This field is effective when Enable logon retry limit is checked. Type the maximum number of times each user can log in unsuccessfully before the IP address is locked out for the specified lockout period. The number must be between 1 and 99.

Lockout period

This field is effective when Enable logon retry limit is checked. Type the number of minutes the user must wait to try to log in again, if logon retry limit is enabled and the maximum retry count is reached. This number must be between 1 and 65,535 (about 45.5 days).

Apply

Click Apply to save the changes.

Reset

Click Reset to return the screen to its last-saved settings.
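The User Lockout Settings behaviour described above (failed logins counted per source IP address, a retry count of 1 to 99 and a lockout period of 1 to 65,535 minutes), modelled as an added Python example; this is not Zyxel's code, and the class and method names are hypothetical.

```python
"""Model of the User Lockout Settings behaviour described in Table 298.
Added example, not Zyxel code: class and method names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class _IpState:
    failures: int = 0                      # consecutive failed logins from this IP
    locked_until: Optional[float] = None   # epoch seconds; None when not locked


class LoginLockout:
    """Counts failed logins per source IP address and locks the address out for
    `lockout_period_min` minutes once `max_retry_count` failures are reached."""

    def __init__(self, max_retry_count: int, lockout_period_min: int, enabled: bool = True):
        # Bounds as the guide states them: 1-99 retries, 1-65,535 minutes.
        if not 1 <= max_retry_count <= 99:
            raise ValueError("Maximum retry count must be between 1 and 99")
        if not 1 <= lockout_period_min <= 65535:
            raise ValueError("Lockout period must be between 1 and 65,535 minutes")
        self.max_retry_count = max_retry_count
        self.lockout_period_s = lockout_period_min * 60
        self.enabled = enabled            # the "Enable logon retry limit" check box
        self._state: Dict[str, _IpState] = {}

    def is_locked(self, ip: str, now: float) -> bool:
        st = self._state.get(ip)
        if st is None or st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout period has elapsed: forget the old failures and start over.
            del self._state[ip]
            return False
        return True

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Outcome of one login attempt from `ip` at time `now` (epoch seconds):
        'ok', 'rejected' (bad credentials) or 'locked' (refused during lockout)."""
        if self.enabled and self.is_locked(ip, now):
            return "locked"               # refused even if the password is right
        st = self._state.setdefault(ip, _IpState())
        if password_ok:
            st.failures = 0               # a successful login clears the count
            return "ok"
        st.failures += 1
        if self.enabled and st.failures >= self.max_retry_count:
            st.locked_until = now + self.lockout_period_s
        return "rejected"

    def seconds_until_unlock(self, ip: str, now: float) -> float:
        """0 when the address is not locked; handy for a help-desk status check."""
        st = self._state.get(ip)
        if st is None or st.locked_until is None:
            return 0.0
        return max(0.0, st.locked_until - now)
```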

39.2.6.1 Default User Authentication Timeout Settings Edit Screens
The Default Authentication Timeout Settings Edit screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings.
To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 39.2.6 on page 724), and click one of the Default Authentication Timeout Settings section's Edit icons.
Figure 477 Configuration > Object > User/Group > Setting > Edit


The following table describes the labels in this screen.

Table 299 Configuration > Object > User/Group > Setting > Edit

LABEL

DESCRIPTION

User Type

This read-only field identifies the type of user account for which you are configuring the default settings.
· admin - this user can look at and change the configuration of the Zyxel Device
· limited-admin - this user can look at the configuration of the Zyxel Device but not change it.
· dynamic-guest - this user has access to the Zyxel Device's services but cannot look at the configuration.
· user - this user has access to the Zyxel Device's services but cannot look at the configuration.
· guest - this user has access to the Zyxel Device's services but cannot look at the configuration.
· ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 714 for more information about this type.
· ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts on page 714 for more information about this type.
· guest-manager - this user can log in via the web configurator login screen and create dynamic guest accounts using the Account Generator screen that pops up.

Lease Time

Enter the number of minutes this type of user account has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited.
Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically (see Section 39.2.6 on page 724), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.

Reauthentication Time

Type the number of minutes this type of user account can be logged into the Zyxel Device in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.2.6.2 User Aware Login Example
Access users cannot use the Web Configurator to browse the configuration of the Zyxel Device. Instead, after access users log into the Zyxel Device, the following screen appears.

Figure 478 Web Configurator for Non-Admin Users

The following table describes the labels in this screen.

Table 300 Web Configurator for Non-Admin Users

LABEL

DESCRIPTION

User-defined lease time (max ... minutes)

Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.

Renew

Access users can click this button to reset the lease time, the amount of time remaining before the Zyxel Device automatically logs them out. The Zyxel Device sets this amount of time according to the:
· User-defined lease time field in this screen
· Lease time field in the User Add/Edit screen (see Section 39.13.1.1 on page 823)
· Lease time field in the Setting screen (see Section 39.2.6 on page 724).

Updating lease time automatically

This box appears if you checked the Allow renewing lease time automatically box in the Setting screen. (See Section 39.2.6 on page 724.) Access users can select this check box to reset the lease time automatically 30 seconds before it expires. Otherwise, access users have to click the Renew button to reset the lease time.

Remaining time before lease timeout

This field displays the amount of lease time that remains, though the user might be able to reset it.

Remaining time before auth. timeout

This field displays the amount of time that remains before the Zyxel Device automatically logs the access user out, regardless of the lease time.
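The lease time, reauthentication time, idle timeout and automatic-renewal rules spread over Tables 298 to 300, modelled together as an added Python example (not Zyxel code); the AccessSession class, its method names and the single-clock timing are assumptions made for the model.

```python
"""Model of the lease time, reauthentication time and idle timeout rules in
Tables 298 to 300. Added example, not Zyxel code: the class and method names
are hypothetical. All times are seconds on one clock (e.g. epoch seconds)."""
from typing import Optional, Tuple

AUTO_RENEW_LEAD_S = 30   # Table 300: automatic renewal fires 30 s before lease expiry


def _check_minutes(name: str, value: int) -> None:
    # Table 299: 1 to 1440 minutes, or 0 for unlimited.
    if value != 0 and not 1 <= value <= 1440:
        raise ValueError(f"{name} must be 0 (unlimited) or 1-1440 minutes")


class AccessSession:
    def __init__(self, lease_min: int, reauth_min: int, idle_min: Optional[int] = None,
                 auto_renew: bool = False, user_lease_min: Optional[int] = None,
                 login_at: float = 0.0):
        _check_minutes("Lease Time", lease_min)
        _check_minutes("Reauthentication Time", reauth_min)
        if user_lease_min is not None:
            # Table 300: the user may pick a lease shorter than or equal to the configured one.
            if lease_min and (user_lease_min < 1 or user_lease_min > lease_min):
                raise ValueError("user-defined lease time must be 1..configured lease time")
            lease_min = user_lease_min
        self.lease_s = lease_min * 60
        self.auto_renew = auto_renew and self.lease_s > 0
        self.idle_s = idle_min * 60 if idle_min else None   # None: idle detection off
        self.last_traffic = login_at
        self.lease_expiry: Optional[float] = login_at + self.lease_s if self.lease_s else None
        self.reauth_expiry: Optional[float] = login_at + reauth_min * 60 if reauth_min else None
        self.ended: Optional[str] = None

    def renew(self, now: float) -> bool:
        """The Renew button: restart the lease. The reauthentication deadline is untouched."""
        if self.ended or self.lease_expiry is None:
            return False
        self.lease_expiry = now + self.lease_s
        return True

    def traffic(self, now: float) -> None:
        """Record user traffic; this is what idle detection measures."""
        self.last_traffic = now

    def check(self, now: float) -> str:
        """Evaluate the session at time `now`: 'active' or the logout reason."""
        if self.ended:
            return self.ended
        if self.reauth_expiry is not None and now >= self.reauth_expiry:
            self.ended = "reauth timeout"        # cannot be renewed, only by logging in again
        elif self.idle_s is not None and now - self.last_traffic >= self.idle_s:
            self.ended = "idle timeout"
        elif self.lease_expiry is not None:
            # Replay the automatic renewals that would have fired 30 s before each expiry.
            while self.auto_renew and now >= self.lease_expiry - AUTO_RENEW_LEAD_S:
                self.lease_expiry = self.lease_expiry - AUTO_RENEW_LEAD_S + self.lease_s
            if now >= self.lease_expiry:
                self.ended = "lease timeout"
        return self.ended or "active"

    def remaining(self, now: float) -> Tuple[Optional[float], Optional[float]]:
        """(seconds before lease timeout, seconds before auth. timeout) as the
        non-admin screen shows them; None means unlimited."""
        lease = None if self.lease_expiry is None else max(0.0, self.lease_expiry - now)
        auth = None if self.reauth_expiry is None else max(0.0, self.reauth_expiry - now)
        return lease, auth
```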

39.2.7 User/Group MAC Address Summary Screen
This screen shows the MAC addresses of wireless clients, which can be authenticated by their MAC addresses using the local user database. Click Configuration > Object > User/Group > MAC Address to open this screen.
Note: You need to configure an SSID security profile's MAC authentication settings to have the AP use the Zyxel Device's local database to authenticate wireless clients by their MAC addresses.

Figure 479 Configuration > Object > User/Group > MAC Address

The following table describes the labels in this screen.

Table 301 Configuration > Object > User/Group > MAC Address

LA BEL

DESC RIPTIO N

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

MAC Address/ OUI

This field displays the MAC address or OUI (Organizationally Unique Identifier of computer hardware manufacturers) of wireless clients using MAC authentication with the Zyxel Device local user database.

Description

This field displays a description of the device identified by the MAC address or OUI.

39.2.7.1 MAC Address Add/Edit Screen
This screen allows you to create a new allowed device or edit an existing one. To access this screen, go to the MAC Address screen (see Section 39.2.7 on page 729), and click either the Add icon or an Edit icon.
Figure 480 Configuration > Object > User/Group > MAC Address > Add

The following table describes the labels in this screen.

Table 302 Configuration > Object > User/Group > MAC Address > Add

LA BEL

DESC RIPTIO N

MAC Address/ OUI

Type the MAC address (six hexadecimal number pairs separated by colons or hyphens) or OUI (three hexadecimal number pairs separated by colons or hyphens) to identify specific wireless clients for MAC authentication using the Zyxel Device local user database. The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device.

Description

Enter an optional description of the wireless device(s) identified by the MAC or OUI. You can use up to 60 characters, punctuation marks, and spaces.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.
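An added Python example (not Zyxel code) that validates entries in the form Table 302 requires, distinguishes a full MAC address from an OUI, and matches a client address against a constructed allow list; the class and function names are hypothetical.

```python
"""Validation and matching for the MAC Address/OUI entries of Table 302: a full
MAC (six hexadecimal pairs) or an OUI (three pairs), separated by colons or
hyphens. Added example, not Zyxel code: names are hypothetical and the allow
list used in the test is constructed."""
import re
from typing import Dict, Optional, Tuple

_PAIR = r"[0-9A-Fa-f]{2}"
# Three pairs, optionally three more, all joined by the same separator.
_ENTRY_RE = re.compile(rf"^{_PAIR}([:-]){_PAIR}\1{_PAIR}(?:\1{_PAIR}\1{_PAIR}\1{_PAIR})?$")
MAX_DESCRIPTION = 60   # Table 302: up to 60 characters


def normalize(entry: str) -> Tuple[str, str]:
    """Return ('mac', 'aa:bb:cc:dd:ee:ff') or ('oui', 'aa:bb:cc'); raise on any other form."""
    entry = entry.strip()
    if not _ENTRY_RE.match(entry):
        raise ValueError(f"not a MAC address or OUI: {entry!r}")
    octets = re.split(r"[:-]", entry)
    return ("mac" if len(octets) == 6 else "oui"), ":".join(o.lower() for o in octets)


class MacAllowList:
    """Local database of allowed wireless clients, keyed by full MAC or by OUI."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}   # normalized MAC or OUI -> description

    def add(self, entry: str, description: str = "") -> str:
        if len(description) > MAX_DESCRIPTION:
            raise ValueError(f"description is limited to {MAX_DESCRIPTION} characters")
        _, key = normalize(entry)
        self.entries[key] = description
        return key

    def match(self, client_mac: str) -> Optional[str]:
        """Entry that admits `client_mac` (exact MAC first, then its OUI), or None."""
        kind, mac = normalize(client_mac)
        if kind != "mac":
            raise ValueError("a client address must be a full MAC address")
        if mac in self.entries:
            return mac
        oui = mac[:8]                       # the first three octets, e.g. 'aa:bb:cc'
        return oui if oui in self.entries else None
```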


39.2.8 User/Group Technical Reference
This section provides some information on users who use an external authentication server in order to log in.

Setting up User Attributes in an External Server

To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file.

Table 303 LDAP/RADIUS: Keywords for User Attributes

KEYWORD

CORRESPONDING ATTRIBUTE IN WEB CONFIGURATOR

type

User Type. Possible Values: admin, limited-admin, dynamic-guest, user, guest.

leaseTime

Lease Time. Possible Values: 1-1440 (minutes).

reauthTime

Reauthentication Time. Possible Values: 1-1440 (minutes).

The following examples show you how you might set up user attributes in LDAP and RADIUS servers.
Figure 481 LDAP Example: Keywords for User Attributes
type: admin
leaseTime: 99
reauthTime: 199

Figure 482 RADIUS Example: Keywords for User Attributes
type=user;leaseTime=222;reauthTime=222

Creating a Large Number of Ext-User Accounts
If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts.
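An added Python example (not Zyxel code) that parses both layouts shown in Figures 481 and 482 and validates them against the keywords and ranges of Table 303; the function names are hypothetical, and an unknown or out-of-range keyword is rejected rather than silently ignored, so a typo in the server entry is caught before it reaches the device.

```python
"""Parser and validator for the user-attribute keywords of Table 303 as they are
stored in an LDAP entry (Figure 481) or a RADIUS attribute (Figure 482).
Added example, not Zyxel code: the function names are hypothetical."""
import re
from typing import Dict, Union

USER_TYPES = {"admin", "limited-admin", "dynamic-guest", "user", "guest"}
MINUTE_KEYWORDS = {"leaseTime", "reauthTime"}       # 1-1440 minutes
KEYWORDS = {"type"} | MINUTE_KEYWORDS

_PAIR_RE = re.compile(r"^(\w+)\s*[:=]\s*(.+)$")


def parse_user_attributes(text: str) -> Dict[str, Union[str, int]]:
    """Accepts the LDAP layout ('keyword: value', one per line) or the RADIUS
    layout ('keyword=value;keyword=value') and returns validated attributes."""
    attrs: Dict[str, Union[str, int]] = {}
    for chunk in re.split(r"[;\n]", text):
        chunk = chunk.strip()
        if not chunk:
            continue                                  # tolerate a trailing ';' or blank line
        m = _PAIR_RE.match(chunk)
        if not m:
            raise ValueError(f"malformed attribute: {chunk!r}")
        key, value = m.group(1), m.group(2).strip()
        if key not in KEYWORDS:
            raise ValueError(f"unknown keyword {key!r}")      # reject typos, do not ignore
        if key in attrs:
            raise ValueError(f"duplicate keyword {key!r}")
        if key == "type":
            if value not in USER_TYPES:
                raise ValueError(f"unsupported user type {value!r}")
            attrs[key] = value
        else:
            if not value.isdigit() or not 1 <= int(value) <= 1440:
                raise ValueError(f"{key} must be 1-1440 minutes, got {value!r}")
            attrs[key] = int(value)
    return attrs


def format_radius(attrs: Dict[str, Union[str, int]]) -> str:
    """Render attributes in the single-line RADIUS layout of Figure 482."""
    return ";".join(f"{k}={v}" for k, v in attrs.items())


def format_ldap(attrs: Dict[str, Union[str, int]]) -> str:
    """Render attributes in the one-per-line LDAP layout of Figure 481."""
    return "\n".join(f"{k}: {v}" for k, v in attrs.items())
```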

39.3 AP Profile Overview
This section shows you how to configure preset profiles for the Access Points (APs) connected to your Zyxel Device's wireless network.
· The Radio screen (Section 39.3.1 on page 733) creates radio configurations that can be used by the APs.
· The SSID screen (Section 39.3.2 on page 740) configures three different types of profiles for your networked APs.
39.3.0.1 What You Need To Know
The following terms and concepts may help as you read this section.

Wireless Profiles
At the heart of all wireless AP configurations on the Zyxel Device are profiles. A profile represents a group of saved settings that you can use across any number of connected APs. You can set up the following wireless profile types:
· Radio - This profile type defines the properties of an AP's radio transmitter. You can have a maximum of 32 radio profiles on the Zyxel Device.
· SSID - This profile type defines the properties of a single wireless network signal broadcast by an AP. Each radio on a single AP can broadcast up to 8 SSIDs. You can have a maximum of 32 SSID profiles on the Zyxel Device.
· Security - This profile type defines the security settings used by a single SSID. It controls the encryption method required for a wireless client to associate itself with the SSID. You can have a maximum of 32 security profiles on the Zyxel Device.
· MAC Filtering - This profile provides an additional layer of security for an SSID, allowing you to block access or allow access to that SSID based on wireless client MAC addresses. If a client's MAC address is on the list, then it is either allowed or denied, depending on how you set up the MAC Filter profile. You can have a maximum of 32 MAC filtering profiles on the Zyxel Device.
SSID
The SSID (Service Set IDentifier) is the name that identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In other words, it is the name of the wireless network that clients use to connect to it.
WEP
WEP (Wired Equivalent Privacy) encryption scrambles all data packets transmitted between the AP and the wireless stations associated with it in order to keep network communications private. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption.
WPA and WPA2
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA(2) and WEP are improved data encryption and user authentication.
IEEE 802.1x
The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication is done using an external RADIUS server.
WiFi6 / IEEE 802.11ax
WiFi6 is backwards compatible with IEEE 802.11a/b/g/n/ac and is most suitable in areas with a high concentration of users. WiFi6 devices support Target Wakeup Time (TWT) allowing them to automatically power down when they are inactive.

The following table displays the comparison of the different WiFi standards. The maximum link rate is for reference under ideal conditions only.

Table 304 WiFi Standards Comparison

WIFI STANDARD   MAXIMUM LINK RATE *   BAND                 SIMULTANEOUS CONNECTIONS
802.11b         11 Mbps               2.4 GHz              1
802.11a/g       54 Mbps               2.4 GHz and 5 GHz    1
802.11n         600 Mbps              2.4 GHz and 5 GHz    1
802.11ac        6.93 Gbps             5 GHz                4
802.11ax        2.4 Gbps              2.4 GHz              128
                9.61 Gbps             5 GHz and 6 GHz

39.3.1 Radio Screen
This screen allows you to create radio profiles for the APs on your network. A radio profile is a list of settings that a supported managed AP (NWA5121-N for example) can use to configure either one of its two radio transmitters. To access this screen click Configuration > Object > AP Profile.
Note: You can have a maximum of 32 radio profiles on the Zyxel Device.
Figure 483 Configuration > Object > AP Profile > Radio

The following table describes the labels in this screen.

Table 305 Configuration > Object > AP Profile > Radio

LA BEL

DESC RIPTIO N

Add

Click this to add a new radio profile.

Edit

Click this to edit the selected radio profile.

Remove

Click this to remove the selected radio profile.

Activate

To turn on an entry, select it and click Activate.

Inactivate

To turn off an entry, select it and click Inactivate.

References

Click this to view which other objects are linked to the selected radio profile.

#

This field is a sequential value, and it is not associated with a specific profile.

Status

This icon is lit when the entry is active and dimmed when the entry is inactive.

Profile Name

This field indicates the name assigned to the radio profile.


Table 305 Configuration > Object > AP Profile > Radio (continued)

LA BEL

DESC RIPTIO N

Frequency Band

This field indicates the frequency band which this radio profile is configured to use.

Schedule

This field displays the schedule object which defines when this radio profile can be used.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

39.3.1.1 Add/Edit Radio Profile
This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button.
Figure 484 Configuration > Object > AP Profile > Add/Edit Radio Profile

The following table describes the labels in this screen.

Table 306 Configuration > Object > AP Profile > Add/Edit Radio Profile

LABEL

DESCRIPTION

Hide / Show Advanced Settings

Click this to hide or show the Advanced Settings in this window.

Create New Object

Use this to configure any new settings objects that you need to use in this screen.

General Settings

Activate

Select this option to make this profile active.

Profile Name

Enter up to 31 alphanumeric characters to be used as this profile's name. Spaces and underscores are allowed.

Schedule

This field displays the schedule object which defines when this radio profile can be used.

802.11 Band

Select how to let wireless clients connect to the AP.

If 802.11 Band is set to 2.4G:

· 11b/g: allows either IEEE 802.11b or IEEE 802.11g compliant WLAN devices to associate with the AP. The AP adjusts the transmission rate automatically according to the wireless standard supported by the wireless devices.
· 11n: allows IEEE802.11b, IEEE802.11g and IEEE802.11n compliant WLAN devices to associate with the AP.

If 802.11 Band is set to 5G:

· 11a: allows only IEEE 802.11a compliant WLAN devices to associate with the AP.
· 11a/n: allows both IEEE802.11n and IEEE802.11a compliant WLAN devices to associate with the AP. The transmission rate of your AP might be reduced.
· 11ac: allows only IEEE802.11ac compliant WLAN devices to associate with the AP.
· 11ax: allows IEEE802.11n, IEEE802.11a, IEEE802.11ac, and IEEE802.11ax compliant WLAN devices to associate with the AP. If the WLAN device isn't compatible with 802.11ax, the AP will communicate with the WLAN device using 802.11ac, and so on.

Note: If you select 11ac but the WLAN devices in the network do not support IEEE 802.11ac, the Zyxel Device automatically sets the AP to use 11a/n.

Channel Width

Select the wireless channel bandwidth you want the AP to use.
A standard 20 MHz channel offers transfer speeds of up to 144 Mbps (2.4 GHz) or 217 Mbps (5 GHz) whereas a 40 MHz channel uses two standard channels and offers speeds of up to 300 Mbps (2.4 GHz) or 450 Mbps (5 GHz). An IEEE 802.11ac-specific 80 MHz channel offers speeds of up to 1.3 Gbps.
40 MHz (channel bonding or dual channel) bonds two adjacent radio channels to increase throughput. An 80 MHz channel consists of two adjacent 40 MHz channels. The wireless clients must also support 40 MHz or 80 MHz. It is often better to use the 20 MHz setting in a location where the environment hinders the wireless signal.
Because not all devices support 40 MHz and/or 80 MHz channels, select 20/40MHz or 20/40/80MHz to allow the AP to adjust the channel bandwidth automatically.
Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the wireless clients do not support channel bonding.

Note: If the environment has poor signal-to-noise (SNR), the Zyxel Device will switch to a lower bandwidth.


Table 306 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued)

LABEL

DESCRIPTION

Channel Selection

Select the wireless channel which this radio profile should use.
It is recommended that you choose the channel least in use by other APs in the region where this profile will be implemented. This will reduce the amount of interference between wireless clients and the AP to which this profile is assigned.
Select DCS to have the AP automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices.
Select Manual and specify the channels the AP uses.

Blacklist DFS channels in presence of radar

This field is available if 802.11 Band is set to 5G and Channel Selection is set to DCS.
Enable this to temporarily blacklist the wireless channels in the Dynamic Frequency Selection (DFS) range whenever a radar signal is detected by the AP.

Enable DCS Client Aware

This field is available when you set Channel Selection to DCS.
Select this to have the AP wait until all connected clients have disconnected before switching channels.
If you disable this then the AP switches channels immediately regardless of any client connections. In this instance, clients that are connected to the AP when it switches channels are dropped.

2.4 GHz Channel Selection Method

This field is available when you set Channel Selection to DCS.
Select auto to have the AP search for available channels automatically in the 2.4 GHz band. The available channels vary depending on what you select in the 2.4 GHz Channel Deployment field.
Select manual and specify the channels the AP uses in the 2.4 GHz band.

Channel ID

This field is available only when you set Channel Selection to DCS and set 2.4 GHz Channel Selection Method to manual.
Select the check boxes of the channels that you want the AP to use.

Time Interval

Select this option to have the AP survey the other APs within its broadcast radius at the end of the specified time interval.

2.4 GHz Channel Deployment

This field is available only when you set Channel Selection to DCS and set 2.4 GHz Channel Selection Method to auto.
Select Three-Channel Deployment to limit channel switching to channels 1, 6, and 11, the three channels that are sufficiently attenuated to have almost no impact on one another. In other words, this allows you to minimize channel interference by limiting channel hopping to these three "safe" channels.
Select Four-Channel Deployment to limit channel switching to four channels. Depending on the country domain, if the only allowable channels are 1-11 then the Zyxel Device uses channels 1, 4, 7, 11 in this configuration; otherwise, the Zyxel Device uses channels 1, 5, 9, 13 in this configuration. Four channel deployment expands your pool of possible channels while keeping the channel interference to a minimum.

Note: For US and Canada models, country code is fixed to US or Canada respectively and is not user selectable.

DCS Time Interval

This field is available when you set Channel Selection to DCS.
Enter a number of minutes. This regulates how often the AP surveys the other APs within its broadcast radius. If the channel on which it is currently broadcasting suddenly comes into use by another AP, the AP will then dynamically select the next available clean channel or a channel with lower interference.


Table 306 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued)

LABEL

DESCRIPTION

Channel ID

This field is available only when you set Channel Selection to DCS and set 2.4 GHz Channel Selection Method to manual.
Select the check boxes of the channels that you want the AP to use.

Schedule

Select this option to have the AP survey the other APs within its broadcast radius at a specific time on selected days of the week.

Start Time

Specify the time of the day (in 24-hour format) to have the AP use DCS to automatically scan and find a less-used channel.

Week Days

Select each day of the week to have the AP use DCS to automatically scan and find a less-used channel.

Enable 5 GHz DFS Aware

This field is available only when you select 11a, 11a/n or 11ac in the 802.11 Band field.
Select this if your APs are operating in an area known to have RADAR devices. This allows the device to downgrade its frequency to below 5 GHz in the event a RADAR signal is detected, thus preventing it from interfering with that signal.
Enabling this forces the AP to select a non-DFS channel.

5 GHz Channel Selection Method

This shows auto and allows the AP to search for available channels automatically in the 5 GHz band.

Advanced Settings

Country Code

Select the country code of APs that are connected to the Zyxel Device to be the same as where the Zyxel Device is located/installed.
The available channels vary depending on the country you select. Be sure to select the correct/same country for both radios on an AP and all connected APs, in order to prevent roaming failure and interference to other systems.

Note: For US and Canada models, country code is fixed to US or Canada respectively and is not user selectable.

Guard Interval

This field is available only when the 802.11 Band is set to 5G and 802.11 Mode is set to 11n or 11ac.
Set the guard interval for this radio profile to either Short or Long.
The guard interval is the gap introduced between data transmission from users in order to reduce interference. Reducing the interval increases data transfer rates but also increases interference. Increasing the interval reduces data transfer rates but also reduces interference.

Enable A-MPDU Aggregation

Select this to enable A-MPDU aggregation.
Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates.

A-MPDU Limit

Enter the maximum frame size to be aggregated.

A-MPDU Subframe

Enter the maximum number of frames to be aggregated each time.

Enable A-MSDU Aggregation

Select this to enable A-MSDU aggregation.
MAC Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header. This method is useful for increasing bandwidth throughput. It is also more efficient than A-MPDU except in environments that are prone to high error rates.

A-MSDU Limit

Enter the maximum frame size to be aggregated.


Table 306 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued)

LABEL

DESCRIPTION

RTS/CTS Threshold

Use RTS/CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the same AP but out of range of one another. When enabled, a wireless client sends an RTS (Request To Send) and then waits for a CTS (Clear To Send) before it transmits. This stops wireless clients from transmitting packets at the same time (and causing data collisions).
A wireless client sends an RTS for all packets larger than the number (of bytes) that you enter here. Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off.

Beacon Interval

When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon. A high value helps save current consumption of the access point.

DTIM

Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. This value can be set from 1 to 255.

Enable Signal Threshold

Select the check box to use the signal threshold to ensure wireless clients receive good throughput. This allows only wireless clients with a strong signal to connect to the AP.
Clear the check box to not require wireless clients to have a minimum signal strength to connect to the AP.

Station Signal Threshold

Set a minimum client signal strength. A wireless client is allowed to connect to the AP only when its signal strength is stronger than the specified threshold.
-20 dBm is the strongest signal you can require and -76 is the weakest.

Disassociate Station Threshold

Set a minimum kick-off signal strength. When a wireless client's signal strength is lower than the specified threshold, the Zyxel Device disconnects the wireless client from the AP.
-20 dBm is the strongest signal you can require and -90 is the weakest.

Allow Station Connection after Multiple Retries

Select this option to allow a wireless client to try to associate with the AP again after it is disconnected due to weak signal strength.

Station Retry Count

Set the maximum number of times a wireless client can attempt to re-connect to the AP.

Allow 802.11n/ac/ax stations only

Select this option to allow only 802.11n/ac/ax stations to connect, and reject 802.11a/b/g stations.

Multicast Settings

Use this section to set a transmission mode and maximum rate for multicast traffic.

Transmission Mode

Set how the AP handles multicast traffic.
Select Multicast to Unicast to broadcast wireless multicast traffic to all of the wireless clients as unicast traffic. Unicast traffic dynamically changes the data rate based on the application's bandwidth requirements. The retransmit mechanism of unicast traffic provides more reliable transmission of the multicast traffic, although it also produces duplicate packets.
Select Fixed Multicast Rate to send wireless multicast traffic at a single data rate. You must know the multicast application's bandwidth requirements and set it in the following field.

Multicast Rate (Mbps)

If you set the multicast transmission mode to fixed multicast rate, set the data rate for multicast traffic here. For example, to deploy 4 Mbps video, select a fixed multicast rate higher than 4 Mbps.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

ZyWALL USG FLEX Series User's Guide
739

Chapter 39 Object
39.3.2 SSID Screen
The SSID screens allow you to configure three different types of profiles for your networked APs: an SSID list, which can assign specific SSID configurations to your APs; a security list, which can assign specific encryption methods to the APs when allowing wireless clients to connect to them; and a MAC filter list, which can limit connections to an AP based on wireless clients' MAC addresses.
39.3.2.1 SSID List
This screen allows you to create and manage SSID configurations that can be used by the APs. An SSID, or Service Set IDentifier, is basically the name of the wireless network to which a wireless client can connect. The SSID appears as readable text to any device capable of scanning for wireless frequencies (such as the WiFi adapter in a laptop), and is displayed as the wireless network name when a person makes a connection to it.
To access this screen click Configuration > Object > AP Profile > SSID.
Note: You can have a maximum of 32 SSID profiles on the Zyxel Device.
Figure 485 Configuration > Object > AP Profile > SSID List

The following table describes the labels in this screen.

Table 307 Configuration > Object > AP Profile > SSID List

LABEL

DESCRIPTION

Add

Click this to add a new SSID profile.

Edit

Click this to edit the selected SSID profile.

Remove

Click this to remove the selected SSID profile.

References

Click this to view which other objects are linked to the selected SSID profile (for example, radio profile).

#

This field is a sequential value, and it is not associated with a specific profile.

Profile Name

This field indicates the name assigned to the SSID profile.

SSID

This field indicates the SSID name as it appears to wireless clients.

Security Profile

This field indicates which (if any) security profile is associated with the SSID profile.

QoS

This field indicates the QoS type associated with the SSID profile.

MAC Filtering Profile

This field indicates which (if any) MAC Filter Profile is associated with the SSID profile.

VLAN ID

This field indicates the VLAN ID associated with the SSID profile.

39.3.2.2 Add/Edit SSID Profile
This screen allows you to create a new SSID profile or edit an existing one. To access this screen, click the Add button or select an SSID profile from the list and click the Edit button.
Figure 486 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile

The following table describes the labels in this screen.

Table 308 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile

LABEL

DESCRIPTION

Create new Object

Select an object type from the list to create a new one associated with this SSID profile.

Profile Name

Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.

SSID

Enter the SSID name for this profile. This is the name visible on the network to wireless clients. Enter up to 32 characters; spaces and underscores are allowed.

Security Profile

Select a security profile from this list to associate with this SSID. If none exist, you can use the Create new Object menu to create one.
Note: It is highly recommended that you create security profiles for all of your SSIDs to enhance your network security.

MAC Filtering Profile

Select a MAC filtering profile from the list to associate with this SSID. If none exist, you can use the Create new Object menu to create one.
MAC filtering allows you to limit the wireless clients connecting to your network through a particular SSID by wireless client MAC addresses. Any clients that have MAC addresses not in the MAC filtering profile of allowed addresses are denied connections.
The disable setting means no MAC filtering is used.

QoS

Select a Quality of Service (QoS) access category to associate with this SSID. Access categories minimize the delay of data packets across a wireless network. Certain categories, such as video or voice, are given a higher priority due to the time sensitive nature of their data packets.

QoS access categories are as follows:

disable: Turns off QoS for this SSID. All data packets are treated equally and not tagged with access categories.

WMM: Enables automatic tagging of data packets. The Zyxel Device assigns access categories to the SSID by examining data as it passes through it and making a best guess effort. If something looks like video traffic, for instance, it is tagged as such.

WMM_VOICE: All wireless traffic to the SSID is tagged as voice data. This is recommended if an SSID is used for activities like placing and receiving VoIP phone calls.

WMM_VIDEO: All wireless traffic to the SSID is tagged as video data. This is recommended for activities like video conferencing.

WMM_BEST_EFFORT: All wireless traffic to the SSID is tagged as "best effort," meaning the data travels the best route it can without displacing higher priority traffic. This is good for activities that do not require the best bandwidth throughput, such as surfing the Internet.

WMM_BACKGROUND: All wireless traffic to the SSID is tagged as low priority or "background traffic", meaning all other access categories take precedence over this one. If traffic from an SSID does not have strict throughput requirements, then this access category is recommended. For example, an SSID that only has network printers connected to it.

Rate Limiting (Per Station Traffic Rate)

Define the maximum incoming and outgoing transmission data rate per wireless station.

Downlink:

Define the maximum incoming transmission data rate (either in Mbps or Kbps) on a per-station basis.

Uplink:

Define the maximum outgoing transmission data rate (either in Mbps or Kbps) on a per-station basis.

Band Select:

To improve network performance and avoid interference in the 2.4 GHz frequency band, you can enable this feature to use the 5 GHz band first. You should set the 2.4 GHz and 5 GHz radio profiles to use the same SSID and security settings.

Select standard to have the AP try to connect the wireless clients to the same SSID using the 5 GHz band. Connections to an SSID using the 2.4 GHz band are still allowed.

Otherwise, select disable to turn off this feature.

Stop Threshold

This field is not available when you disable Band Select.
Select this option and set the threshold number of connected wireless clients at which the Zyxel Device disables the band select feature.

Balance Ratio

This field is not available when you disable Band Select.
Select this option and set a ratio of the wireless clients using the 5 GHz band to the wireless clients using the 2.4 GHz band.

Forwarding Mode

Select a forwarding mode (Tunnel or Local bridge) for traffic from wireless stations in this wireless network (SSID). In earlier firmware, you could only forward traffic from this wireless network with a tunnel using an existing VLAN interface in Network > Interface > VLAN > Add.
From firmware version 4.60, you can select an existing VLAN interface or a local Ethernet interface (lan1, lan2) for forwarding traffic from wireless stations in this wireless network using a tunnel. These interfaces cannot be bridge members (Network > Interface > Bridge).

VLAN ID

If you selected Local Bridge forwarding mode, enter the VLAN ID that will be used to tag all traffic originating from this SSID if the VLAN is different from the native VLAN. All the wireless station's traffic goes through the associated AP's gateway.

VLAN Interface

If you selected the Tunnel forwarding mode, select a VLAN interface. All of the wireless stations' traffic is forwarded to the Zyxel Device first.

Hidden SSID

Select this if you want to "hide" your SSID from wireless clients. This tells any wireless clients in the vicinity of the AP using this SSID profile not to display its SSID name as a potential connection. Not all wireless clients respect this flag and display it anyway.

When an SSID is "hidden" and a wireless client cannot see it, the only way you can connect to the SSID is by manually entering the SSID name in your wireless connection setup screen(s) (these vary by client, client connectivity software, and operating system).

Enable Intra-BSS Traffic Blocking

Select this option to prevent crossover traffic from within the same SSID.

Enable U-APSD

Select this option to enable Unscheduled Automatic Power Save Delivery (U-APSD), which is also known as WMM-Power Save. This helps increase battery life for battery-powered wireless clients connected to the Zyxel Device using this SSID profile.

Enable ARP Proxy

The Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a MAC address. An ARP broadcast is sent to all devices on the same Ethernet network to request the MAC address of a target IP address.

Select this option to allow the Zyxel Device to answer ARP requests for an IP address on behalf of a client associated with this SSID. This can reduce broadcast traffic and improve network performance.

802.11 k/v Assisted Roaming

Select this option to enable IEEE 802.11k/v assisted roaming on the Zyxel Device. When the connected clients request 802.11k neighbor lists, the Zyxel Device will respond with a list of neighbor APs that can be candidates for roaming.

Schedule SSID

Select this option and set whether the SSID is enabled or disabled on each day of the week. You also need to select the hour and minute (in 24-hour format) to specify the time period of each day during which the SSID is enabled.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.3.2.3 Security List
This screen allows you to manage wireless security configurations that can be used by your SSIDs. Wireless security is implemented strictly between the AP broadcasting the SSID and the stations that are connected to it.
To access this screen click Configuration > Object > AP Profile > SSID > Security List.
Note: You can have a maximum of 32 security profiles on the Zyxel Device.
Figure 487 Configuration > Object > AP Profile > SSID > Security List


The following table describes the labels in this screen.

Table 309 Configuration > Object > AP Profile > SSID > Security List

LABEL

DESCRIPTION

Add

Click this to add a new security profile.

Edit

Click this to edit the selected security profile.

Remove

Click this to remove the selected security profile.

References

Click this to view which other objects are linked to the selected security profile (for example, SSID profile).

#

This field is a sequential value, and it is not associated with a specific profile.

Profile Name

This field indicates the name assigned to the security profile.

Security Mode

This field indicates this profile's security mode (if any).

39.3.2.4 Add/Edit Security Profile
This screen allows you to create a new security profile or edit an existing one. To access this screen, click the Add button or select a security profile from the list and click the Edit button.
Note: This screen's options change based on the Security Mode selected.
Figure 488 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: open


The following table describes the labels in this screen.

Table 310 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: open

LABEL

DESCRIPTION

Profile Name

Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.

Security Mode

Select a security mode from the list: open, enhanced open, wep, wpa2, wpa2-mix, or wpa3.

Authentication Settings

Enterprise

Select this to enable 802.1x secure authentication with a RADIUS server.

Reauthentication Timer

Enter the interval (in seconds) between authentication requests. Enter a 0 for unlimited time.

Idle Timeout

Enter the idle interval (in seconds) that a client can be idle before authentication is discontinued.

Radius Settings

Primary / Secondary Radius Server Activate

Select this to have the Zyxel Device use the specified RADIUS server.

Radius Server IP Address

Enter the IP address of the RADIUS server to be used for authentication.

Radius Server Port

Enter the port number of the RADIUS server to be used for authentication.

Radius Server Secret

Enter the shared secret password of the RADIUS server to be used for authentication.

Primary / Secondary Accounting Server Activate

Select the check box to enable user accounting through an external authentication server.

Accounting Server IP Address

Enter the IP address of the external accounting server in dotted decimal notation.

Accounting Server Port

Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.

Accounting Share Secret

Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the Zyxel Device. The key must be the same on the external accounting server and your Zyxel Device. The key is not sent over the network.

Accounting Interim Update

This field is available only when you enable user accounting through an external authentication server.

Select this to have the Zyxel Device send subscriber status updates to the accounting server at the interval you specify.

Interim Update Interval

Specify the time interval for how often the Zyxel Device is to send a subscriber status update to the accounting server.

MAC Authentication

Select this to use an external server or the Zyxel Device's local database to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails.
An external server can use the wireless client's account (username/password) or Calling Station ID for MAC authentication. Configure the ones the external server uses.

Delimiter (Account)

Select the separator the external server uses for the two-character pairs within account MAC addresses.

Case (Account)

Select the case (upper or lower) the external server requires for letters in the account MAC addresses.

Delimiter (Calling Station ID)

RADIUS servers can require the MAC address in the Calling Station ID RADIUS attribute. Select the separator the external server uses for the pairs in calling station MAC addresses.

Case (Calling Station ID)

Select the case (upper or lower) the external server requires for letters in the calling station MAC addresses.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.
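The Delimiter and Case fields for the account and for the Calling Station ID (the same four fields appear in the enhanced-open, wep and wpa2 security profile tables that follow, and the MAC filtering profile of Table 308 compares addresses the same way) matter because the RADIUS server compares the address the AP sends with the entry in its user database as a string. The following Python script is an added example and is not Zyxel code. It assumes the delimiters are given as literal strings (":" , "-", or "" for none; the real screen offers its own fixed list) and a server that does an exact string comparison, and it shows how a station that is in the database is still rejected, with no IP address, when the profile's delimiter or case differs from the stored form, and how to tell that apart from a genuinely unknown station.

```python
"""RADIUS MAC-authentication account formatting (added example, not Zyxel code).

An AP that authenticates a station by MAC address sends the address twice: as
the account User-Name and in the Calling-Station-Id attribute. The Delimiter
and Case fields of the security profile decide how each one is written.
Assumption: delimiters are literal strings here (":" , "-", "" for none).
"""
import re
from dataclasses import dataclass

_SEPARATORS = ":-. "          # separators tolerated in free-form input
_CASES = ("upper", "lower")


def canonical_mac(mac: str) -> str:
    """Strip separators and return the 12 hex digits in lower case.

    Raises ValueError for anything that is not a MAC address, so bad input
    never silently becomes an account name.
    """
    stripped = "".join(ch for ch in mac if ch not in _SEPARATORS)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", stripped):
        raise ValueError(f"not a MAC address: {mac!r}")
    return stripped.lower()


def render_mac(mac: str, delimiter: str, case: str) -> str:
    """Write a MAC address with the given pair delimiter and letter case."""
    if case not in _CASES:
        raise ValueError(f"case must be one of {_CASES}, got {case!r}")
    digits = canonical_mac(mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    text = delimiter.join(pairs)
    return text.upper() if case == "upper" else text


@dataclass(frozen=True)
class MacAuthFormat:
    """The four profile fields: Delimiter/Case (Account) and
    Delimiter/Case (Calling Station ID)."""
    account_delimiter: str = "-"
    account_case: str = "lower"
    calling_station_delimiter: str = "-"
    calling_station_case: str = "upper"


def radius_identity(mac: str, fmt: MacAuthFormat) -> dict:
    """Return the User-Name and Calling-Station-Id the AP would send for a
    station, each rendered according to its own pair of profile fields."""
    return {
        "User-Name": render_mac(mac, fmt.account_delimiter, fmt.account_case),
        "Calling-Station-Id": render_mac(
            mac, fmt.calling_station_delimiter, fmt.calling_station_case),
    }


def exact_match_accepts(user_name: str, stored_accounts) -> bool:
    """What a server that compares account strings exactly decides."""
    return user_name in stored_accounts


def diagnose_mismatch(user_name: str, stored_accounts):
    """If the exact match fails but a stored account holds the same MAC in
    another encoding, return that entry: the rejection is a delimiter/case
    mismatch between AP profile and server, not an unknown station.
    Returns None when the MAC really is absent from the database."""
    try:
        wanted = canonical_mac(user_name)
    except ValueError:
        return None
    for account in stored_accounts:
        try:
            if canonical_mac(account) == wanted:
                return account
        except ValueError:
            continue          # ordinary usernames are not MACs; skip them
    return None


if __name__ == "__main__":
    # Constructed sample data: the server database was populated with
    # lower-case, dash-separated accounts.
    STORED = {"aa-bb-cc-dd-ee-01", "aa-bb-cc-dd-ee-02", "alice"}
    station = "AA:BB:CC:DD:EE:01"
    good = MacAuthFormat("-", "lower", "-", "upper")
    bad = MacAuthFormat("", "upper", "-", "upper")   # profile set to no delimiter, upper case

    for label, fmt in (("matching profile", good), ("mismatched profile", bad)):
        ident = radius_identity(station, fmt)
        ok = exact_match_accepts(ident["User-Name"], STORED)
        print(f"{label}: User-Name={ident['User-Name']} "
              f"Calling-Station-Id={ident['Calling-Station-Id']} accepted={ok}")
        if not ok:
            print("  same MAC stored as:", diagnose_mismatch(ident["User-Name"], STORED))
```

Running the script shows the first profile accepted and the second rejected with "same MAC stored as: aa-bb-cc-dd-ee-01", which is the signature of a formatting mismatch rather than an unauthorised client; a genuinely unknown station returns None from diagnose_mismatch.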

Figure 489 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: enhanced-open


The following table describes the labels in this screen.

Table 311 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: enhanced-open

LABEL

DESCRIPTION

Profile Name

Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.

Security Mode

Select a security mode from the list: open, enhanced open, wep, wpa2, wpa2-mix, or wpa3.

Authentication Settings

Transition Mode

Enable this for backwards compatibility. This option is only available if the Security Mode is wpa3 or enhanced-open. This creates two virtual APs (VAPs) with a primary (wpa3 or enhanced-open) and fallback (wpa2 or none) security method.

If the Security Mode is wpa3, enabling this will force Management Frame Protection to be set to Optional. If this is disabled or if the Security Mode is enhanced-open, Management Frame Protection will be set to Required.

Idle Timeout

Enter the idle interval (in seconds) that a client can be idle before authentication is discontinued.

Radius Settings

Primary / Secondary Radius Server Activate

Select this to have the Zyxel Device use the specified RADIUS server.

Radius Server IP Address

Enter the IP address of the RADIUS server to be used for authentication.

Radius Server Port

Enter the port number of the RADIUS server to be used for authentication.

Radius Server Secret

Enter the shared secret password of the RADIUS server to be used for authentication.

Primary / Secondary Accounting Server Activate

Select the check box to enable user accounting through an external authentication server.

Accounting Server IP Address

Enter the IP address of the external accounting server in dotted decimal notation.

Accounting Server Port

Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.

Accounting Share Secret

Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the Zyxel Device. The key must be the same on the external accounting server and your Zyxel Device. The key is not sent over the network.

Accounting Interim Update

This field is available only when you enable user accounting through an external authentication server.

Select this to have the Zyxel Device send subscriber status updates to the accounting server at the interval you specify.

Interim Update Interval

Specify the time interval for how often the Zyxel Device is to send a subscriber status update to the accounting server.

MAC Authentication

Select this to use an external server or the Zyxel Device's local database to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails.
An external server can use the wireless client's account (username/password) or Calling Station ID for MAC authentication. Configure the ones the external server uses.

Delimiter (Account)

Select the separator the external server uses for the two-character pairs within account MAC addresses.

Case (Account)

Select the case (upper or lower) the external server requires for letters in the account MAC addresses.

Delimiter (Calling Station ID)

RADIUS servers can require the MAC address in the Calling Station ID RADIUS attribute. Select the separator the external server uses for the pairs in calling station MAC addresses.

Case (Calling Station ID)

Select the case (upper or lower) the external server requires for letters in the calling station MAC addresses.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

Figure 490 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: wep


The following table describes the labels in this screen.

Table 312 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: wep

LABEL

DESCRIPTION

Profile Name

Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.

Security Mode

Select a security mode from the list: open, enhanced open, wep, wpa2, wpa2-mix, or wpa3.

Authentication Settings

Enterprise

Select this to enable 802.1x secure authentication with a RADIUS server.

Reauthentication Timer

Enter the interval (in seconds) between authentication requests. Enter a 0 for unlimited time.

Idle Timeout

Enter the idle interval (in seconds) that a client can be idle before authentication is discontinued.

Authentication Type

Select a WEP authentication method. Choices are Open or Share key.

Key Length

Select the bit-length of the encryption key to be used in WEP connections.

If you select WEP-64:

· Enter 10 hexadecimal digits in the range of "A-F", "a-f" and "0-9" (for example, 0x11AA22BB33) for each Key used.
or
· Enter 5 ASCII characters (case sensitive) ranging from "a-z", "A-Z" and "0-9" (for example, MyKey) for each Key used.

If you select WEP-128:

· Enter 26 hexadecimal digits in the range of "A-F", "a-f" and "0-9" (for example, 0x00112233445566778899AABBCC) for each Key used.
or
· Enter 13 ASCII characters (case sensitive) ranging from "a-z", "A-Z" and "0-9" (for example, MyKey12345678) for each Key used.

Key 1~4

Based on your Key Length selection, enter the appropriate length hexadecimal or ASCII key.

Radius Settings

Primary / Secondary Radius Server Activate

Select this to have the Zyxel Device use the specified RADIUS server.

Radius Server IP Address

Enter the IP address of the RADIUS server to be used for authentication.

Radius Server Port

Enter the port number of the RADIUS server to be used for authentication.

Radius Server Secret

Enter the shared secret password of the RADIUS server to be used for authentication.

Primary / Secondary Accounting Server Activate

Select the check box to enable user accounting through an external authentication server.

Accounting Server IP Address

Enter the IP address of the external accounting server in dotted decimal notation.

Accounting Server Port

Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.

Accounting Share Secret

Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the Zyxel Device. The key must be the same on the external accounting server and your Zyxel Device. The key is not sent over the network.

Accounting Interim Update

This field is available only when you enable user accounting through an external authentication server.

Select this to have the Zyxel Device send subscriber status updates to the accounting server at the interval you specify.

Interim Update Interval

Specify the time interval for how often the Zyxel Device is to send a subscriber status update to the accounting server.

MAC Authentication

Select this to use an external server or the Zyxel Device's local database to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails.

An external server can use the wireless client's account (username/password) or Calling Station ID for MAC authentication. Configure the ones the external server uses.

Delimiter (Account)

Select the separator the external server uses for the two-character pairs within account MAC addresses.

Case (Account)

Select the case (upper or lower) the external server requires for letters in the account MAC addresses.

Delimiter (Calling Station ID)

RADIUS servers can require the MAC address in the Calling Station ID RADIUS attribute. Select the separator the external server uses for the pairs in calling station MAC addresses.

Case (Calling Station ID)

Select the case (upper or lower) the external server requires for letters in the calling station MAC addresses.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

Figure 491 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: wpa2/ wpa2-mix

The following table describes the labels in this screen.

Table 313 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: wpa2/ wpa2-mix

LABEL

DESCRIPTION

Profile Name

Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.

Security Mode

Select a security mode from the list: open, enhanced open, wep, wpa2, wpa2-mix, or wpa3.

Authentication Settings

Enterprise

Select this to enable 802.1x secure authentication with a RADIUS server.

Reauthentication Timer

Enter the interval (in seconds) between authentication requests. Enter a 0 for unlimited time.

Personal

This field is available when you select the wpa2, wpa2-mix or wpa3 security mode.

Pre-Shared Key

Select this option to use a Pre-Shared Key (PSK) with WPA2 encryption or Simultaneous Authentication of Equals (SAE) with WPA3 encryption.
Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters.

Cipher Type

Select an encryption cipher type from the list.
· auto - This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection.
· aes - This is the Advanced Encryption Standard encryption method. It is a more recent development over TKIP and considerably more robust. Not all wireless clients may support this.

Idle Timeout

Enter the idle interval (in seconds) that a client can be idle before authentication is discontinued.

Group Key Update Timer

Enter the interval (in seconds) at which the AP updates the group WPA2 encryption key.

Management Frame Protection

This field is available only when you select wpa2 in the Security Mode field and set Cipher Type to aes.

Data frames in 802.11 WLANs can be encrypted and authenticated with WEP, WPA or WPA2. But 802.11 management frames, such as beacon/probe response, association request, association response, de-authentication and disassociation are always unauthenticated and unencrypted. IEEE 802.11w Protected Management Frames allows APs to use the existing security mechanisms (encryption and authentication methods defined in IEEE 802.11i WPA/WPA2) to protect management frames. This helps prevent wireless DoS attacks.

Select the check box to enable management frame protection (MFP) to add security to 802.11 management frames.

Select Optional if you do not require the wireless clients to support MFP. Management frames will be encrypted if the clients support MFP.

Select Required and wireless clients must support MFP in order to join the Zyxel Device's wireless network.

Fast Roaming Settings

IEEE 802.11r fast roaming, which is also known as Fast BSS Transition (FT), allows wireless clients to quickly move from one AP to another in a WiFi network that uses WPA2 with 802.1x authentication. Information from the original association is passed to the target AP when the client roams. The client doesn't need to perform the whole 802.1x authentication process. Messages exchanged between the target AP and client are reduced and performed using one of the two methods:

· Over-the-DS: The wireless client communicates with the target AP via the current AP. The communication is sent to the target AP through the wired Ethernet connection.
· Over-the-Air: The wireless client communicates directly with the target AP.


802.11r

Select this to turn on IEEE 802.11r fast roaming on the AP (Zyxel Device). This is good for wireless clients that transport a lot of real-time interactive traffic, such as voice and video. Wireless clients should also support WPA2 and fast roaming to associate with the AP (Zyxel Device) and roam seamlessly.

Radius Settings

Primary / Secondary Radius Server Activate

Select this to have the Zyxel Device use the specified RADIUS server.

Radius Server IP Address

Enter the IP address of the RADIUS server to be used for authentication.

Radius Server Port

Enter the port number of the RADIUS server to be used for authentication.

Radius Server Secret

Enter the shared secret password of the RADIUS server to be used for authentication.

Primary / Secondary Accounting Server Activate

Select the check box to enable user accounting through an external authentication server.

Accounting Server IP Address

Enter the IP address of the external accounting server in dotted decimal notation.

Accounting Server Port

Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.

Accounting Share Secret

Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the Zyxel Device. The key must be the same on the external accounting server and your Zyxel Device. The key is not sent over the network.

Accounting Interim Update

This field is available only when you enable user accounting through an external authentication server.

Select this to have the Zyxel Device send subscriber status updates to the accounting server at the interval you specify.

Interim Update Interval

Specify the time interval for how often the Zyxel Device is to send a subscriber status update to the accounting server.

MAC Authentication

Select this to use an external server or the Zyxel Device's local database to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails.

An external server can use the wireless client's account (username/password) or Calling Station ID for MAC authentication. Configure the ones the external server uses.

Delimiter (Account)

Select the separator the external server uses for the two-character pairs within account MAC addresses.

Case (Account)

Select the case (upper or lower) the external server requires for letters in the account MAC addresses.

Delimiter (Calling Station ID)

RADIUS servers can require the MAC address in the Calling Station ID RADIUS attribute. Select the separator the external server uses for the pairs in calling station MAC addresses.

Case (Calling Station ID)

Select the case (upper or lower) the external server requires for letters in the calling station MAC addresses.

OK

Click O K to save your changes back to the Zyxel Device.

Cancel

Click C a nc e l to exit this screen without saving your changes.

ZyWALL USG FLEX Series User's Guide
753

Chapter 39 Object
Figure 492 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile > Security Mode: wpa3

The following table describes the labels in this screen.

Table 314 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile > Security Mode: wpa3

LABEL

DESCRIPTION

Profile Name

Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.

Security Mode

Select a security mode from the list: open, enhanced open, wep, wpa2, wpa2-mix, or wpa3.

Authentication Settings

Enterprise

Select this to enable 802.1x secure authentication with a RADIUS server.

Reauthentication Timer

Enter the interval (in seconds) between authentication requests. Enter a 0 for unlimited time.

Personal

This field is available when you select the wpa2, wpa2-mix or wpa3 security mode.

Pre-Shared Key

Select this option to use a Pre-Shared Key (PSK) with WPA2 encryption or Simultaneous Authentication of Equals (SAE) with WPA3 encryption.
Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters.


Table 314 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile > Security Mode: wpa3 (continued)

LABEL

DESCRIPTION

Transition Mode

Enable this for backwards compatibility. This option is only available if the Security Mode is wpa3 or enhanced-open. This creates two virtual APs (VAPs) with a primary (wpa3 or enhanced-open) and fallback (wpa2 or none) security method.

If the Security Mode is wpa3, enabling this will force Management Frame Protection to be set to Optional. If this is disabled or if the Security Mode is enhanced-open, Management Frame Protection will be set to Required.

Idle Timeout

Enter the idle interval (in seconds) that a client can be idle before authentication is discontinued.

Group Key Update Timer

Enter the interval (in seconds) at which the AP updates the group WPA2 encryption key.

Management Frame Protection

This field is available only when you select wpa2 in the Security Mode field and set Cipher Type to aes.

Data frames in 802.11 WLANs can be encrypted and authenticated with WEP, WPA or WPA2. But 802.11 management frames, such as beacon/probe response, association request, association response, de-authentication and disassociation are always unauthenticated and unencrypted. IEEE 802.11w Protected Management Frames allows APs to use the existing security mechanisms (encryption and authentication methods defined in IEEE 802.11i WPA/WPA2) to protect management frames. This helps prevent wireless DoS attacks.

Select the check box to enable management frame protection (MFP) to add security to 802.11 management frames.

Select Optional if you do not require the wireless clients to support MFP. Management frames will be encrypted if the clients support MFP.

Select Required and wireless clients must support MFP in order to join the Zyxel Device's wireless network.

Radius Settings

Primary / Secondary Radius Server Activate

Select this to have the Zyxel Device use the specified RADIUS server.

Radius Server IP Address

Enter the IP address of the RADIUS server to be used for authentication.

Radius Server Port

Enter the port number of the RADIUS server to be used for authentication.

Radius Server Secret

Enter the shared secret password of the RADIUS server to be used for authentication.

Primary / Secondary Accounting Server Activate

Select the check box to enable user accounting through an external authentication server.

Accounting Server IP Address

Enter the IP address of the external accounting server in dotted decimal notation.

Accounting Server Port

Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.

Accounting Share Secret

Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the Zyxel Device. The key must be the same on the external accounting server and your Zyxel Device. The key is not sent over the network.

Accounting Interim Update

This field is available only when you enable user accounting through an external authentication server.

Select this to have the Zyxel Device send subscriber status updates to the accounting server at the interval you specify.


Table 314 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile > Security Mode: wpa3 (continued)

LABEL

DESCRIPTION

Interim Update Interval

Specify the time interval for how often the Zyxel Device is to send a subscriber status update to the accounting server.

MAC Authentication

Select this to use an external server or the Zyxel Device's local database to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails.

An external server can use the wireless client's account (username/password) or Calling Station ID for MAC authentication. Configure the ones the external server uses.

Delimiter (Account)

Select the separator the external server uses for the two-character pairs within account MAC addresses.

Case (Account)

Select the case (upper or lower) the external server requires for letters in the account MAC addresses.

Delimiter (Calling Station ID)

RADIUS servers can require the MAC address in the Calling Station ID RADIUS attribute. Select the separator the external server uses for the pairs in calling station MAC addresses.

Case (Calling Station ID)

Select the case (upper or lower) the external server requires for letters in the calling station MAC addresses.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.
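As an added illustration (not Zyxel's code), the following Python models how the Delimiter and Case settings above shape the MAC string the AP presents for MAC authentication, why a format that differs from the RADIUS server's stored entries fails, and how a MAC filter profile's allow/deny action is applied. Function names are hypothetical; the use of the MAC string as both User-Name and password, and the stored account list, are assumptions constructed for the example.

```python
"""Constructed example (not Zyxel code): MAC authentication formatting and
MAC filter decisions as described for the SSID Security Profile and
MAC Filter Profile screens. Function and variable names are hypothetical."""
import re
from typing import Dict, Iterable


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC in lowercase with no separators.

    Accepts any delimiter style a server might use ("-", ":", none) so that
    device and server entries can be compared regardless of format.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def format_mac(mac: str, delimiter: str, case: str) -> str:
    """Render a MAC the way the external server expects it.

    delimiter: separator placed between two-character pairs ("" for none).
    case: "upper" or "lower", as in the Case (Account) / Case (Calling Station ID) fields.
    """
    digits = normalize_mac(mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    rendered = delimiter.join(pairs)
    if case == "upper":
        return rendered.upper()
    if case == "lower":
        return rendered
    raise ValueError(f"case must be 'upper' or 'lower', got {case!r}")


def mac_auth_attributes(client_mac: str, account_delim: str, account_case: str,
                        csid_delim: str, csid_case: str) -> Dict[str, str]:
    """Attribute values the AP would present for a MAC-authenticated client.

    Assumption for this example: the client's "account" is its MAC address
    used as both User-Name and password. Calling-Station-Id has its own
    delimiter/case settings because a server may store it differently.
    """
    account = format_mac(client_mac, account_delim, account_case)
    return {
        "User-Name": account,
        "User-Password": account,
        "Calling-Station-Id": format_mac(client_mac, csid_delim, csid_case),
    }


def server_accepts(attrs: Dict[str, str], stored_accounts: Iterable[str]) -> bool:
    """A server that compares the User-Name string exactly (constructed behaviour).

    If the device's Delimiter/Case settings differ from how the accounts were
    stored, authentication fails even though it is the same MAC address.
    """
    return attrs["User-Name"] in set(stored_accounts)


def mac_filter_allows(filter_action: str, profile_macs: Iterable[str], client_mac: str) -> bool:
    """Apply a MAC filter profile: 'allow' admits only listed MACs, 'deny' blocks them.

    Entries are compared after normalization, so '00-1A-..' and '00:1a:..' are equal.
    """
    listed = normalize_mac(client_mac) in {normalize_mac(m) for m in profile_macs}
    if filter_action == "allow":
        return listed
    if filter_action == "deny":
        return not listed
    raise ValueError(f"unknown filter action {filter_action!r}")


if __name__ == "__main__":
    # Constructed sample values.
    client = "00:1A:2B:3C:4D:5E"
    stored = ["00-1A-2B-3C-4D-5E"]          # how the RADIUS admin entered the account
    good = mac_auth_attributes(client, "-", "upper", ":", "lower")
    bad = mac_auth_attributes(client, ":", "lower", ":", "lower")
    print(good, server_accepts(good, stored))   # True: delimiter and case match the server
    print(bad, server_accepts(bad, stored))     # False: same MAC, wrong format
    print(mac_filter_allows("deny", ["00:1a:2b:3c:4d:5e"], client))  # False: listed under deny
```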

39.3.2.5 MAC Filter List
This screen allows you to create and manage MAC filtering profiles that can be used by your SSIDs. To access this screen click Configuration > Object > AP Profile > SSID > MAC Filter List.

Note: You can have a maximum of 32 MAC filtering profiles on the Zyxel Device.

Figure 493 Configuration > Object > AP Profile > SSID > MAC Filter List

The following table describes the labels in this screen.

Table 315 Configuration > Object > AP Profile > SSID > MAC Filter List

LABEL

DESCRIPTION

Add

Click this to add a new MAC filtering profile.

Edit

Click this to edit the selected MAC filtering profile.

Remove

Click this to remove the selected MAC filtering profile.

References

Click this to view which other objects are linked to the selected MAC filtering profile (for example, SSID profile).

#

This field is a sequential value, and it is not associated with a specific profile.

Profile Name

This field indicates the name assigned to the MAC filtering profile.

Filter Action

This field indicates this profile's filter action (if any).

39.3.2.6 Add/Edit MAC Filter Profile
This screen allows you to create a new MAC filtering profile or edit an existing one. To access this screen, click the Add button or select a MAC filter profile from the list and click the Edit button.
Figure 494 SSID > MAC Filter List > Add/Edit MAC Filter Profile

The following table describes the labels in this screen.

Table 316 SSID > MAC Filter List > Add/Edit MAC Filter Profile

LABEL

DESCRIPTION

Profile Name

Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.

Filter Action

Select allow to permit the wireless clients with the MAC addresses in this profile to connect to the network through the associated SSID; select deny to block the wireless clients with the specified MAC addresses.

Add

Click this to add a MAC address to the profile's list.

Edit

Click this to edit the selected MAC address in the profile's list.

Remove

Click this to remove the selected MAC address from the profile's list.

#

This field is a sequential value, and it is not associated with a specific profile.

MAC

This field specifies a MAC address associated with this profile.

Description

This field displays a description for the MAC address associated with this profile. You can click the description to make it editable. Enter up to 60 characters, spaces and underscores allowed.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.4 MON Profile
39.4.1 Overview
This screen allows you to set up monitor mode configurations that allow your connected APs to scan for other wireless devices in the vicinity. Once detected, you can use the Rogue AP screen (Section 8.4 on page 220) to classify them as either rogue or friendly and then manage them accordingly.
The MON Profile screen (Section 39.4.2 on page 758) creates preset monitor mode configurations that can be used by the APs.
39.4.1.1 What You Need To Know
The following terms and concepts may help as you read this chapter.
Active Scan
An active scan is performed when an 802.11-compatible wireless monitoring device is explicitly triggered to scan a specified channel or number of channels for other wireless devices broadcasting on the 802.11 frequencies by sending probe request frames.
Passive Scan
A passive scan is performed when an 802.11-compatible monitoring device is set to periodically listen to a specified channel or number of channels for other wireless devices broadcasting on the 802.11 frequencies.
39.4.2 Configuring MON Profile
This screen allows you to create monitor mode configurations that can be used by the APs. To access this screen, log in to the Web Configurator, and click Configuration > Object > MON Profile.
Figure 495 Configuration > Object > MON Profile

The following table describes the labels in this screen.

Table 317 Configuration > Object > MON Profile

LABEL

DESCRIPTION

Add

Click this to add a new monitor mode profile.

Edit

Click this to edit the selected monitor mode profile.

Remove

Click this to remove the selected monitor mode profile.

Activate

To turn on an entry, select it and click Activate.

Inactivate

To turn off an entry, select it and click Inactivate.

References

Click this to view which other objects are linked to the selected monitor mode profile (for example, an AP management profile).

#

This field is a sequential value, and it is not associated with a specific user.

Status

This icon is lit when the entry is active and dimmed when the entry is inactive.


Table 317 Configuration > Object > MON Profile (continued)

LABEL

DESCRIPTION

Profile Name

This field indicates the name assigned to the monitor profile.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

39.4.3 Add/Edit MON Profile
This screen allows you to create a new monitor mode profile or edit an existing one. To access this screen, click the Add button or select an existing monitor mode profile and click the Edit button.
Figure 496 Configuration > Object > MON Profile > Add/Edit MON Profile

The following table describes the labels in this screen.

Table 318 Configuration > Object > MON Profile > Add/Edit MON Profile

LABEL

DESCRIPTION

Activate

Select this to activate this monitor mode profile.

Profile Name

This field indicates the name assigned to the monitor mode profile.


Table 318 Configuration > Object > MON Profile > Add/Edit MON Profile (continued)

LABEL

DESCRIPTION

Channel dwell time

Enter the interval (in milliseconds) before the AP switches to another channel for monitoring.

Scan Channel Mode

Select auto to have the AP switch to the next sequential channel once the Channel dwell time expires.

Select manual to set specific channels through which to cycle sequentially when the Channel dwell time expires. Selecting this option makes the Scan Channel List options available.

Country Code

Select the country code of APs that are connected to the Zyxel Device to be the same as where the Zyxel Device is located/installed.

The available channels vary depending on the country you selected. Be sure to select the correct/same country for both radios on an AP and all connected APs, in order to prevent roaming failure and interference to other systems.

Note: For US and Canada models, country code is fixed to US or Canada respectively and is not user selectable.

Set Scan Channel List (2.4 GHz)

Move a channel from the Available channels column to the Channels selected column to have the APs using this profile scan that channel when Scan Channel Mode is set to manual.

These channels are limited to the 2 GHz range (802.11 b/g/n).

Set Scan Channel List (5 GHz)

Move a channel from the Available channels column to the Channels selected column to have the APs using this profile scan that channel when Scan Channel Mode is set to manual.

These channels are limited to the 5 GHz range (802.11 a/n).

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.4.4 Technical Reference
The following section contains additional technical information about the features described in this chapter.
Rogue APs
Rogue APs are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can open up holes in a network's security. Attackers can take advantage of a rogue AP's weaker (or non-existent) security to gain access to the network, or set up their own rogue APs in order to capture information from wireless clients. If a scan reveals a rogue AP, you can use commercially-available software to physically locate it.

Figure 497 Rogue AP Example
In the example above, a corporate network's security is compromised by a rogue AP (RG) set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly (A). The company's legitimate wireless network (the dashed ellipse B) is well-secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available encryption-cracking software. In this example, the attacker now has access to the company network, including sensitive data stored on the file server (C).
Friendly APs
If you have more than one AP in your wireless network, you should also configure a list of "friendly" APs. Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from recognized networks, for example). It is recommended that you export (save) your list of friendly APs often, especially if you have a network with a large number of access points.
39.5 ZyMesh Overview
This section shows you how to configure ZyMesh profiles for the Zyxel Device to apply to the managed APs. ZyMesh is a Zyxel proprietary protocol that creates wireless mesh links between managed APs to expand the wireless network. Managed APs can provide services or forward traffic between the Zyxel Device and wireless clients. ZyMesh also allows the Zyxel Device to use CAPWAP to automatically update the configuration settings on the managed APs (in repeater mode) through wireless connections. The managed APs (in repeater mode) are provisioned hop by hop. The managed APs in a ZyMesh must use the same SSID, channel number and pre-shared key. A managed AP can be either a root AP or repeater in a ZyMesh.
Note: All managed APs should be connected to the Zyxel Device directly to get the configuration file before being deployed to build a ZyMesh. Ensure you restart the managed AP after you change its operating mode using the Configuration > Wireless > AP Management screen (see Section 8.3 on page 204).
· Root AP: a managed AP that can transmit and receive data from the Zyxel Device via a wired Ethernet connection.
· Repeater: a managed AP that transmits and/or receives data from the Zyxel Device via a wireless connection through a root AP.
Note: When managed APs are deployed to form a ZyMesh for the first time, the root AP must be connected to an AP controller (the Zyxel Device).
In the following example, managed APs 1 and 2 act as a root AP and managed APs A, B and C are repeaters.
The maximum number of hops (the repeaters between a wireless client and the root AP) you can have in a ZyMesh varies according to how many wireless clients a managed AP can support.
Note: A ZyMesh link with more hops has lower throughput.
Note: When the wireless connection between the root AP and the repeater is up, in order to prevent bridge loops, the repeater would not be able to transmit data through its Ethernet port(s). The repeater then could only receive power from a PoE device if you use PoE to provide power to the managed AP via an 8-pin Ethernet cable.
39.5.1 ZyMesh Profile
This screen allows you to manage and create ZyMesh profiles that can be used by the APs. To access this screen, click Configuration > Object > ZyMesh Profile.
Figure 498 Configuration > Object > ZyMesh Profile

The following table describes the labels in this screen.

Table 319 Configuration > Object > ZyMesh Profile

LABEL

DESCRIPTION

Hide / Show Advanced Settings

Click this to display a greater or lesser number of configuration fields.

ZyMesh Provision Group

By default, this shows the MAC address used by the Zyxel Device's first Ethernet port. Say you have two AP controllers (Zyxel Devices) in your network and the primary AP controller is not reachable. You may want to deploy the second/backup AP controller in your network to replace the primary AP controller. In this case, it is recommended that you enter the primary AP controller's ZyMesh Provision Group MAC address in the second AP controller's ZyMesh Provision Group field.

If you didn't change the second AP controller's MAC address, managed APs in an existing ZyMesh can still access the networks through the second AP controller and communicate with each other. But new managed APs will not be able to communicate with the managed APs in the existing ZyMesh, which is set up with the primary AP controller's MAC address.

To allow all managed APs to communicate in the same ZyMesh, you can just set the second AP controller to use the primary AP controller's MAC address. Otherwise, reset all managed APs to the factory defaults and set up a new ZyMesh with the second AP controller's MAC address.

Next

Click this button and follow the on-screen instructions to update the AP controller's MAC address.

Add

Click this to add a new profile.

Edit

Click this to edit the selected profile.

Remove

Click this to remove the selected profile.

#

This field is a sequential value, and it is not associated with a specific profile.


Table 319 Configuration > Object > ZyMesh Profile (continued)

LABEL

DESCRIPTION

Profile Name

This field indicates the name assigned to the profile.

ZyMesh SSID

This field shows the SSID specified in this ZyMesh profile.

39.5.2 Add/Edit ZyMesh Profile
This screen allows you to create a new ZyMesh profile or edit an existing one. To access this screen, click the Add button or select an existing profile and click the Edit button.
Figure 499 Configuration > Object > ZyMesh Profile > Add/Edit ZyMesh Profile

The following table describes the labels in this screen.

Table 320 Configuration > Object > ZyMesh Profile > Add/Edit ZyMesh Profile

LABEL

DESCRIPTION

Profile Name

Enter up to 31 alphanumeric characters for the profile name.

ZyMesh SSID

Enter the SSID with which you want the managed AP to connect to a root AP or repeater to build a ZyMesh link.

Note: The ZyMesh SSID is hidden in the outgoing beacon frame so a wireless device cannot obtain the SSID through scanning using a site survey tool.

Pre-Shared Key

Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters.

The key is used to encrypt the wireless traffic between the APs.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.6 Address/Geo IP Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
· The Address screen (Section 39.6.2 on page 765) provides a summary of all addresses in the Zyxel Device. Use the Address Add/Edit screen to create a new address or edit an existing one.
· Use the Address Group summary screen (Section 39.6.3 on page 769) and the Address Group Add/Edit screen, to maintain address groups in the Zyxel Device.
· Use the Geo IP screen (Section 39.6.4 on page 771) to update the database of country-to-IP address mappings and to manually configure country-to-IP address mappings.

39.6.1 What You Need To Know
Address objects and address groups are used in dynamic routes, security policies, application patrol, content filtering, and VPN connection policies. For example, addresses are used to specify where content restrictions apply in content filtering. Please see the respective sections for more information about how address objects and address groups are used in each one.
Address groups are composed of address objects and address groups. The sequence of members in the address group is not important.

39.6.2 Address Summary Screen

The address screens are used to create, maintain, and remove addresses. These are the types of address objects:

· HOST - the object uses an IP Address to define a host address
· RANGE - the object uses a range address defined by a Starting IP Address and an Ending IP Address
· SUBNET - the object uses a network address defined by a Network IP address and Netmask subnet mask
· INTERFACE IP - the object uses the IP address of one of the Zyxel Device's interfaces
· INTERFACE SUBNET - the object uses the subnet mask of one of the Zyxel Device's interfaces
· INTERFACE GATEWAY - the object uses the gateway IP address of one of the Zyxel Device's interfaces
· GEOGRAPHY - the object uses the IP addresses of a country to represent a country
· FQDN - the object uses a FQDN (Fully Qualified Domain Name). An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where "www" is the host, "zyxel" is the second-level domain, and "com" is the top level domain. mail.myZyxel.com.tw is also an FQDN, where "mail" is the host, "myZyxel" is the third-level domain, "com" is the second-level domain, and "tw" is the top level domain.

Table 321 FQDN Example
HTTP://   WWW.        ZYXEL.                     COM
          host name   second-level domain name   top-level domain name
          FQDN: WWW.ZYXEL.COM
Uniform Resource Locator (URL): HTTP://WWW.ZYXEL.COM

In an address FQDN object, you can also use one wildcard. For example, *.zyxel.com. An FQDN is resolved to its IP address using the DNS server configured on the Zyxel Device.
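As an added example (not Zyxel code) of how the address object types above and nested address groups resolve against a candidate IP address, the following Python evaluates HOST, RANGE, SUBNET and wildcard FQDN objects. RESOLVER is a constructed stand-in for the DNS server configured on the device, all names are hypothetical, and the rule that the single wildcard must be the leftmost label is this example's own assumption.

```python
"""Constructed example (not Zyxel code): evaluating HOST, RANGE, SUBNET and
FQDN address objects, and nested address groups, against a candidate IP.
Names are hypothetical; RESOLVER stands in for the device's configured DNS."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

# Constructed stand-in for the DNS server configured on the Zyxel Device:
# name -> addresses it currently resolves to.
RESOLVER: Dict[str, List[str]] = {
    "www.zyxel.com": ["203.0.113.10"],
    "mail.example.net": ["198.51.100.7"],
}


@dataclass(frozen=True)
class AddressObject:
    name: str
    kind: str    # "HOST", "RANGE", "SUBNET" or "FQDN"
    value: str   # "10.0.0.5" | "10.0.0.10-10.0.0.20" | "192.168.1.0/255.255.255.0" | "*.zyxel.com"


@dataclass
class AddressGroup:
    name: str
    members: List[Union[AddressObject, "AddressGroup"]]   # member order is irrelevant


def check_fqdn_pattern(pattern: str) -> None:
    """An FQDN object may use one wildcard; this example assumes it must be the leftmost label."""
    if pattern.count("*") > 1:
        raise ValueError("only one wildcard is allowed in an FQDN object")
    if "*" in pattern and not pattern.startswith("*."):
        raise ValueError("wildcard must be the leftmost label, e.g. *.zyxel.com")


def fqdn_matches(pattern: str, host: str) -> bool:
    """Case-insensitive FQDN match; '*.zyxel.com' covers any name under zyxel.com (assumption)."""
    check_fqdn_pattern(pattern)
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".zyxel.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def ip_matches(obj: AddressObject, ip_str: str,
               resolver: Dict[str, List[str]] = RESOLVER) -> bool:
    """Does the address object represent this IP address?"""
    ip = ipaddress.ip_address(ip_str)
    if obj.kind == "HOST":
        return ip == ipaddress.ip_address(obj.value)
    if obj.kind == "RANGE":
        start, end = (ipaddress.ip_address(p.strip()) for p in obj.value.split("-"))
        return start.version == ip.version and start <= ip <= end
    if obj.kind == "SUBNET":
        # ip_network accepts both "192.168.1.0/24" and the dotted-decimal netmask form.
        return ip in ipaddress.ip_network(obj.value, strict=False)
    if obj.kind == "FQDN":
        # Resolved through the configured DNS; a wildcard object covers every
        # resolved name that matches the pattern.
        return any(fqdn_matches(obj.value, name) and str(ip) in addrs
                   for name, addrs in resolver.items())
    raise ValueError(f"unknown address object type {obj.kind!r}")


def group_matches(group: AddressGroup, ip_str: str,
                  resolver: Dict[str, List[str]] = RESOLVER,
                  _seen: Optional[Set[str]] = None) -> bool:
    """Groups may contain objects and other groups; membership is evaluated
    recursively, with a guard so a mis-built cyclic group cannot loop forever."""
    seen = _seen if _seen is not None else set()
    if group.name in seen:
        return False
    seen.add(group.name)
    for member in group.members:
        if isinstance(member, AddressGroup):
            if group_matches(member, ip_str, resolver, seen):
                return True
        elif ip_matches(member, ip_str, resolver):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample objects.
    lan = AddressObject("LAN_SUBNET", "SUBNET", "192.168.1.0/255.255.255.0")
    printers = AddressObject("PRINTERS", "RANGE", "192.168.1.10-192.168.1.20")
    vendor = AddressObject("VENDOR_SITES", "FQDN", "*.zyxel.com")
    internal = AddressGroup("INTERNAL", [lan, printers])
    trusted = AddressGroup("TRUSTED", [internal, vendor])
    for candidate in ("192.168.1.15", "203.0.113.10", "198.51.100.7"):
        print(candidate, group_matches(trusted, candidate))   # True, True, False
```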
The Address screen provides a summary of all addresses in the Zyxel Device. To access this screen, click Configuration > Object > Address > Address. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

Figure 500 Configuration > Object > Address/Geo IP > Address

The following table describes the labels in this screen. See Section 39.6.2.1 on page 767 for more information as well.

Table 322 Configuration > Object > Address/Geo IP > Address

LABEL

DESCRIPTION

IPv4 Address Configuration

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific address.

Name

This field displays the configured name of each address object.

Type

This field displays the type of each address object. "INTERFACE" means the object uses the settings of one of the Zyxel Device's interfaces.

IPv4 Address

This field displays the IPv4 addresses represented by each address object. If the object's settings are based on one of the Zyxel Device's interfaces, the name of the interface displays first followed by the object's current address settings.


Table 322 Configuration > Object > Address/Geo IP > Address (continued)

LABEL

DESCRIPTION

Reference

This displays the number of times an object reference is used in a profile.

IPv6 Address Configuration

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific address.

Name

This field displays the configured name of each address object.

Type

This field displays the type of each address object. "INTERFACE" means the object uses the settings of one of the Zyxel Device's interfaces.

IPv6 Address

This field displays the IPv6 addresses represented by each address object. If the object's settings are based on one of the Zyxel Device's interfaces, the name of the interface displays first followed by the object's current address settings.

Reference

This displays the number of times an object reference is used in a profile.

39.6.2.1 IPv4 Address Add/Edit Screen
The Configuration > Object > Address/Geo IP > Address > Add/Edit (IPv4) screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 39.6.2 on page 765), and click either the Add icon or an Edit icon in the IPv4 Address Configuration section.
Figure 501 Configuration > Object > Address/GeoIP > Address > Add/Edit (IPv4)

The following table describes the labels in this screen.

Table 323 Configuration > Object > Address/GeoIP > Address > Add/Edit (IPv4)

LABEL

DESCRIPTION

Name

Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Address Type

Select the type of address you want to create.

Note: The Zyxel Device automatically updates address objects that are based on an interface's IP address, subnet, or gateway if the interface's IP address settings change. For example, if you change 1's IP address, the Zyxel Device automatically updates the corresponding interface-based, LAN subnet address object.

IP Address

This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents.

Starting IP Address

This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents.


Table 323 Configuration > Object > Address/GeoIP > Address > Add/Edit (IPv4)

LABEL

DESCRIPTION

Ending IP Address

This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end of the range of IP addresses that this address object represents.

Network

This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the IP address of the network that this address object represents.

Netmask

This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the subnet mask of the network that this address object represents. Use dotted decimal format.

Interface

If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.

Region

If you selected GEOGRAPHY as the Address Type, use this field to select a country or continent.

A GEOGRAPHY object uses the data from the country-to-IP/continent-to-IP address database. Go to the Configuration > Object > Address/Geo IP > Geo IP screen to configure the custom country-to-IP/continent-to-IP address mappings for a GEOGRAPHY object.

Country

If you selected Geography as the Address Type, use this field to select a country.

FQDN

If you selected FQDN as the Address Type, use this field to enter a fully qualified domain name.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.6.2.2 IPv6 Address Add/Edit Screen
The Configuration > Object > Address/Geo IP > Address > Add/Edit (IPv6) screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 39.6.2 on page 765), and click either the Add icon or an Edit icon in the IPv6 Address Configuration section.
Figure 502 Configuration > Object > Address/GeoIP > Address > Add/Edit (IPv6)

The following table describes the labels in this screen.

Table 324 Configuration > Object > Address/GeoIP > Address > Add/Edit (IPv6)

LABEL

DESCRIPTION

Name

Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Object Type

Select the type of address you want to create.

Note: The Zyxel Device automatically updates address objects that are based on an interface's IP address, subnet, or gateway if the interface's IP address settings change. For example, if you change 1's IP address, the Zyxel Device automatically updates the corresponding interface-based, LAN subnet address object.

IPv6 Address

This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents.


Table 324 Configuration > Object > Address/GeoIP > Address > Add/Edit (IPv6)

LABEL

DESCRIPTION

IPv6 Starting Address

This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents.

IPv6 Ending Address

This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end of the range of IP addresses that this address object represents.

IPv6 Address Prefix

This field is only available if the Address Type is SUBNET. This field cannot be blank. Enter the IPv6 address prefix that the Zyxel Device uses for the LAN IPv6 address.

Interface

If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.

IPv6 Address Type

Select whether the IPv6 address is a link-local IP address (LINK LOCAL), static IP address (STATIC), an IPv6 StateLess Address Auto Configuration IP address (SLAAC), or is obtained from a DHCPv6 server (DHCPv6).

Region

If you selected Geography as the Address Type, use this field to select a country or continent.

FQDN

If you selected FQDN as the Address Type, use this field to enter a fully qualified domain name.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.6.3 Address Group Summary Screen
The Address Group screen provides a summary of all address groups. To access this screen, click Configuration > Object > Address/GeoIP > Address Group. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
Figure 503 Configuration > Object > Address/Geo IP > Address Group

The following table describes the labels in this screen. See Section 39.6.3.1 on page 770 for more information as well.

Table 325 Configuration > Object > Address/Geo IP > Address Group

LABEL

DESCRIPTION

IPv4 Address Group Configuration

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific address group.

Name

This field displays the name of each address group.

Description

This field displays the description of each address group, if any.

Reference

This displays the number of times an object reference is used in a profile.

IPv6 Address Group Configuration

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific address group.

Name

This field displays the name of each address group.

Description

This field displays the description of each address group, if any.

Reference

This displays the number of times an object reference is used in a profile.
39.6.3.1 Address Group Add/Edit Screen
The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 39.6.3 on page 769), and click either the Add icon or an Edit icon in the IPv4 Address Group Configuration or IPv6 Address Group Configuration section.
Figure 504 IPv4/IPv6 Address Group Configuration > Add

The following table describes the labels in this screen.

Table 326 IPv4/IPv6 Address Group Configuration > Add

LABEL

DESCRIPTION

Name

Enter a name for the address group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Description

Enter a description for the address group, if any. You can use up to 60 characters, punctuation marks, and spaces.

Address Type

Select the type of address you want to create.

Member List

The Member list displays the names of the address and address group objects that have been added to the address group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.

Note: Only objects of the same address type can be added to an address group.

Note: The Zyxel Device automatically updates address objects that are based on an interface's IP address, subnet, or gateway if the interface's IP address settings change. For example, if you change lan1's IP address, the Zyxel Device automatically updates the corresponding interface-based LAN subnet address object.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.6.4 Geo IP Summary Screen
Use this screen to update the database of country-to-IP and continent-to-IP address mappings and to manually configure custom country-to-IP and continent-to-IP address mappings in geographic address objects. You can then use geographic address objects in security policies to forward or deny traffic to whole countries or regions.
Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
Figure 505 Configuration > Object > Address/Geo IP > Geo IP
The following table describes the labels in this screen.

Table 327 Configuration > Object > Address/Geo IP > Geo IP

LABEL

DESCRIPTION

Country Database Update

Latest Version

This is the latest country-to-IP address database version on myZyxel. You need to have a registered Content Filter Service license.

Current Version

This is the country-to-IP address database version currently on the Zyxel Device.

Update Now

Click this to check for the latest country-to-IP address database version on myZyxel. The latest version is downloaded to the Zyxel Device and replaces the current version if it is newer. There are logs to show the update status. You need to have a registered Content Filter Service license.

Auto Update

If you want the Zyxel Device to check weekly for the latest country-to-IP address database version on myZyxel, select the checkbox, choose a day and time each week and then click Apply. The default day and time displayed is the Zyxel Device's current day and time.

Custom IPv4/IPv6 to Geography Rules

IPv4/IPv6 to Geography

Enter an IP address, then click this button to query which country this IP address belongs to.

Add

Click this to create a new entry.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

#

This field is a sequential value, and it is not associated with a specific entry.

Geolocation

This field displays the name of the country or region that is associated with this IP address.

Type

This field displays whether this address object is HOST, RANGE or SUBNET.

IPv4/IPv6 Address

This field displays the IPv4/IPv6 addresses represented by the type of address object.

Region vs. Continent

Region

Enter a country name, then click the Region to Continent button to query which continent this country belongs to.

Continent

Select a continent, then click the Region List button to query which countries belong to the continent.

Apply

Click Apply to save the changes.

Reset

Click Reset to return the screen to its last-saved settings.

39.6.4.1 Add Custom IPv4/IPv6 Address to Geography Screen
This screen allows you to create a new geography-to-IP address mapping. To access this screen, go to the Geo IP screen (see Section 39.6.4 on page 771), and click the Add icon in the Custom IPv4 to Geography Rules or Custom IPv6 to Geography Rules section.
Figure 506 Geo IP > Add

The following table describes the labels in this screen.

Table 328 Geo IP > Add

LABEL

DESCRIPTION

Region

Select the country or continent that maps to this IP address.

Address Type

Select the type of address you want to create. Choices are: HOST, RANGE, SUBNET.

IP Address

This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents.

IP Starting Address

This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents.

IP Ending Address

This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end of the range of IP addresses that this address object represents.

Network / Netmask

These fields are only available if the IPv4 Address Type is SUBNET. They cannot be blank. Enter the network IP address and subnet mask that define the IPv4 subnet.

IPv6 Address Prefix

This field is only available if the IPv6 Address Type is SUBNET. This field cannot be blank. Enter the IPv6 prefix (address and prefix length) that this address object represents.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.
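The following Python program is an added example written for this section; it is not Zyxel code and does not reproduce the device's implementation. It models the HOST, RANGE and SUBNET address objects of the Address Add/Edit screens, the "only objects of the same address type" rule for address groups (Section 39.6.3.1), and a Geo IP lookup in the spirit of the custom IPv4/IPv6-to-Geography rules of Section 39.6.4. The name rule is the one the tables above state. The country database rows are constructed from documentation prefixes, and the precedence of custom rules over the database and the "smallest matching object wins" tie-break are assumptions made here, not behaviour the guide documents.

```python
"""Address objects, address groups and custom Geo IP rules, modelled in Python.

Added example, not Zyxel code.  Object names follow the rule the guide gives
(1-31 characters, letters, digits, '_' or '-', first character not a digit,
case-sensitive).  The country database below is a constructed two-row table,
and "custom rules override the database" is an assumption made here.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")


def valid_object_name(name: str) -> bool:
    """Name rule from the guide: 1-31 of [A-Za-z0-9_-], first character not a digit."""
    return bool(NAME_RE.match(name))


@dataclass(frozen=True)
class AddressObject:
    """HOST, RANGE or SUBNET object, kept as an inclusive [start, end] interval."""
    name: str
    kind: str
    start: IPAddr
    end: IPAddr

    @property
    def family(self) -> int:
        return self.start.version

    @staticmethod
    def host(name: str, ip: str) -> "AddressObject":
        a = ipaddress.ip_address(ip)
        return AddressObject(name, "HOST", a, a)

    @staticmethod
    def range(name: str, lo: str, hi: str) -> "AddressObject":
        a, b = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if a.version != b.version or a > b:
            raise ValueError(f"{name}: range ends must share a family and be ordered")
        return AddressObject(name, "RANGE", a, b)

    @staticmethod
    def subnet(name: str, cidr: str) -> "AddressObject":
        n = ipaddress.ip_network(cidr, strict=False)   # host bits are masked off
        return AddressObject(name, "SUBNET", n[0], n[-1])

    def contains(self, ip: str) -> bool:
        a = ipaddress.ip_address(ip)
        return a.version == self.family and self.start <= a <= self.end


@dataclass
class AddressGroup:
    """Objects and nested groups; the guide allows one address family per group."""
    name: str
    family: int
    members: List[Union[AddressObject, "AddressGroup"]] = field(default_factory=list)

    def add(self, member: Union[AddressObject, "AddressGroup"]) -> "AddressGroup":
        if member.family != self.family:
            raise ValueError(f"{member.name} is IPv{member.family}, "
                             f"group {self.name} is IPv{self.family}")
        self.members.append(member)
        return self

    def contains(self, ip: str) -> bool:
        return any(m.contains(ip) for m in self.members)


def objects_covering(ip: str, objects) -> List[str]:
    """Names of every object or group that matches ip: the objects a policy
    would have to use (or avoid) to hit this host."""
    return sorted(o.name for o in objects if o.contains(ip))


# Geo IP lookup.  Constructed database rows (documentation prefixes, not real data).
DATABASE: List[Tuple[AddressObject, str]] = [
    (AddressObject.subnet("db1", "198.51.100.0/24"), "United States"),
    (AddressObject.subnet("db2", "203.0.113.0/24"), "Japan"),
]


def geolocate(ip: str, custom_rules: List[Tuple[AddressObject, str]],
              database=DATABASE) -> Optional[str]:
    """Custom rules are consulted before the database (assumption); within a
    table the smallest matching object wins, so a HOST beats a SUBNET."""
    for table in (custom_rules, database):
        hits = [(int(o.end) - int(o.start), country)
                for o, country in table if o.contains(ip)]
        if hits:
            return min(hits)[1]
    return None
```

Before writing a deny rule, objects_covering() answers the question the References button answers only per object: every object and group that would match a given host, including groups that contain it only through nesting. Mixing families is rejected at add() time, mirroring the note on the Address Group Add/Edit screen.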

39.7 Service Overview
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
· Use the Service screens (Section 39.7.2 on page 775) to view and configure the Zyxel Device's list of services and their definitions.
· Use the Service Group screens (Section 39.7.3 on page 777) to view and configure the Zyxel Device's list of service groups.
39.7.1 What You Need to Know
IP Protocols
IP protocols are based on the eight-bit protocol field in the IP header. This field identifies the next-level protocol carried in the packet. This section discusses three of the most common IP protocols.
Computers use Transmission Control Protocol (TCP, IP protocol 6) and User Datagram Protocol (UDP, IP protocol 17) to exchange data with each other. TCP guarantees reliable delivery but is slower and more complex. Some uses are FTP, HTTP, SMTP, and TELNET. UDP is simpler and faster but is less reliable. Some uses are DHCP, DNS, RIP, and SNMP.
TCP creates connections between computers to exchange data. Once the connection is established, the computers exchange data. If data arrives out of sequence or is missing, TCP puts it in sequence or waits for the data to be re-transmitted. When the exchange is complete, the connection is terminated. In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all.
Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low-level system processes; many others have no particular meaning.
Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP protocol 1) is mainly used to send error messages or to investigate problems. For example, ICMP is used to send the response if a computer cannot be reached. Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it.
Service Objects and Service Groups
Use service objects to define IP protocols:
· TCP applications
· UDP applications
· ICMP messages
· user-defined services (for other types of IP protocols)
These objects are used in policy routes, security policies, and IDP profiles. Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service. Service groups may consist of services and other service groups. The sequence of members in the service group is not important.
39.7.2 The Service Summary Screen
The Service summary screen provides a summary of all services and their definitions. In addition, this screen allows you to add, edit, and remove services. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
Figure 507 Configuration > Object > Service > Service

The following table describes the labels in this screen.

Table 329 Configuration > Object > Service > Service

LABEL

DESCRIPTION

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific service.

Name

This field displays the name of each service.

Content

This field displays a description of each service.

Reference

This displays the number of times an object reference is used in a profile.

39.7.2.1 The Service Add/Edit Screen
The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 39.7.2 on page 775), and click either the Add icon or an Edit icon.
Figure 508 Configuration > Object > Service > Service > Edit

The following table describes the labels in this screen.

Table 330 Configuration > Object > Service > Service > Edit

LABEL

DESCRIPTION

Name

Type the name used to refer to the service. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

IP Protocol

Select the protocol the service uses. Choices are: TCP, UDP, ICMP, ICMPv6, and User Defined.

Starting Port / Ending Port

These fields appear if the IP Protocol is TCP or UDP. Specify the port number(s) used by this service. If you fill in one of these fields, the service uses that single port. If you fill in both fields, the service uses the range of ports.

ICMP Type

This field appears if the IP Protocol is ICMP or ICMPv6. Select the ICMP message used by this service. This field displays the message text, not the message number.

IP Protocol Number

This field appears if the IP Protocol is User Defined. Enter the number of the next-level protocol (IP protocol). Allowed values are 1 - 255.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.7.3 The Service Group Summary Screen
The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups.
Note: If you want to access the Zyxel Device using HTTP, HTTPS, SSH, and/or TELNET from the WAN, you must add those services to the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group, which is used in the WAN_to_Device security policy. Every service in that group is reachable from the Internet, so where possible restrict the source of the WAN_to_Device policy to a trusted address object, and prefer HTTPS and SSH over HTTP and TELNET, which carry credentials in clear text.
To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group.
Figure 509 Configuration > Object > Service > Service Group

The following table describes the labels in this screen. See Section 39.7.3.1 on page 778 for more information as well.

Table 331 Configuration > Object > Service > Service Group

LABEL

DESCRIPTION

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific service group.

Family

This field displays the address family the service group supports, according to your configuration in the Service Group Add/Edit screen. There are 3 types of families, each shown by an icon:
· IPv4 icon: supports IPv4 only
· IPv6 icon: supports IPv6 only
· IPv4/IPv6 icon: supports both IPv4 and IPv6

Name

This field displays the name of each service group.
By default, the Zyxel Device uses service groups whose names start with "Default_Allow_" in the security policies to allow certain services to connect to the Zyxel Device.

Description

This field displays the description of each service group, if any.

Reference

This displays the number of times an object reference is used in a profile.

39.7.3.1 The Service Group Add/Edit Screen
The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 39.7.3 on page 777), and click either the Add icon or an Edit icon.
Figure 510 Configuration > Object > Service > Service Group > Edit

The following table describes the labels in this screen.

Table 332 Configuration > Object > Service > Service Group > Edit

LABEL

DESCRIPTION

Name

Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Description

Enter a description of the service group, if any. You can use up to 60 printable ASCII characters.

Configuration

The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.
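The following Python program is an added example for Sections 39.7.2.1 and 39.7.3, not Zyxel code. It models service objects as the Service Add/Edit screen defines them (TCP/UDP with a single port or an inclusive port range, ICMP/ICMPv6 by message type, and user-defined IP protocol numbers 1-255), nested service groups whose member order does not matter, and an audit that reports which management protocols a WAN_to_Device policy built on a given group would admit. The management port numbers in MANAGEMENT are assumed defaults (80, 443, 22, 23), and the group built by demo() is constructed for the example; it is not the device's actual Default_Allow_WAN_To_ZyWALL membership.

```python
"""Service objects and service groups, with a check of what a WAN-facing group admits.

Added example, not Zyxel code.  Protocol numbers are the ones the guide quotes
(TCP 6, UDP 17, ICMP 1) plus ICMPv6 (58).  The management ports in MANAGEMENT
are assumed defaults; the group built in demo() is constructed and is not the
device's Default_Allow_WAN_To_ZyWALL membership.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple, Union

TCP, UDP, ICMP, ICMPV6 = 6, 17, 1, 58


@dataclass(frozen=True)
class Service:
    """One service object.  For TCP/UDP, one port field alone means that single
    port; both fields together mean an inclusive range (as the Add/Edit screen says)."""
    name: str
    protocol: int
    start_port: Optional[int] = None
    end_port: Optional[int] = None
    icmp_type: Optional[int] = None      # None = any ICMP message

    def __post_init__(self):
        if not 1 <= self.protocol <= 255:
            raise ValueError(f"{self.name}: IP protocol number must be 1-255")
        if self.protocol in (TCP, UDP) and self.start_port is None and self.end_port is None:
            raise ValueError(f"{self.name}: a TCP/UDP service needs at least one port")

    def ports(self) -> Tuple[int, int]:
        lo = self.start_port if self.start_port is not None else self.end_port
        hi = self.end_port if self.end_port is not None else self.start_port
        return lo, hi

    def matches(self, protocol: int, port: Optional[int] = None,
                icmp_type: Optional[int] = None) -> bool:
        if protocol != self.protocol:
            return False
        if self.protocol in (TCP, UDP):
            lo, hi = self.ports()
            return port is not None and lo <= port <= hi
        if self.protocol in (ICMP, ICMPV6):
            return self.icmp_type is None or icmp_type == self.icmp_type
        return True   # user-defined: the protocol number alone identifies the service


@dataclass
class ServiceGroup:
    name: str
    members: List[Union[Service, "ServiceGroup"]] = field(default_factory=list)

    def services(self) -> Iterator[Service]:
        """Flatten nested groups; member order is irrelevant, as the guide states."""
        for m in self.members:
            if isinstance(m, ServiceGroup):
                yield from m.services()
            else:
                yield m

    def matches(self, protocol: int, port: Optional[int] = None,
                icmp_type: Optional[int] = None) -> bool:
        return any(s.matches(protocol, port, icmp_type) for s in self.services())


MANAGEMENT: Dict[str, Tuple[int, int]] = {
    "HTTP": (TCP, 80), "HTTPS": (TCP, 443), "SSH": (TCP, 22), "TELNET": (TCP, 23),
}


def audit_wan_group(group: ServiceGroup) -> List[str]:
    """Management protocols a WAN_to_Device policy using this group would admit.
    Anything listed here is reachable from the Internet; HTTP and TELNET are
    clear-text and should not appear."""
    return sorted(n for n, (proto, port) in MANAGEMENT.items() if group.matches(proto, port))


def demo() -> ServiceGroup:
    """Constructed WAN-facing group: HTTPS and SSH management, ping, and IPsec."""
    ike = Service("IKE", UDP, 500)
    nat_t = Service("NATT", UDP, 4500)
    esp = Service("ESP", 50)                        # user-defined protocol number
    ping = Service("PING", ICMP, icmp_type=8)       # echo request only
    vpn = ServiceGroup("IPsec_Services", [ike, nat_t, esp])
    return ServiceGroup("Example_WAN_Allow",
                        [Service("HTTPS", TCP, 443), Service("SSH", TCP, 22), ping, vpn])
```

audit_wan_group() is the check to run after editing the WAN allow group: if it returns HTTP or TELNET, clear-text management is exposed to the Internet. The ICMP object with icmp_type=8 shows why picking a specific message type matters: it admits echo requests but not, for example, redirects or destination-unreachable messages that an all-ICMP object would also pass.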

39.8 Schedule Overview
Use schedules to set up one-time and recurring schedules for policy routes, security policies, application patrol, and content filtering. One-time schedules are effective only once, while recurring schedules repeat on the selected days of the week. Both types of schedules are based on the current date and time in the Zyxel Device.
Note: Schedules are based on the Zyxel Device's current date and time, so keep the device clock accurate; a wrong clock enables or disables schedule-bound policies at the wrong moment.
· Use the Schedule summary screen (Section 39.8.2 on page 780) to see a list of all schedules in the Zyxel Device.
· Use the One-Time Schedule Add/Edit screen (Section 39.8.2.1 on page 781) to create or edit a one-time schedule.
· Use the Recurring Schedule Add/Edit screen (Section 39.8.2.2 on page 782) to create or edit a recurring schedule.
· Use the Schedule Group screen (Section 39.8.3 on page 783) to merge individual schedule objects into one object.
39.8.1 What You Need to Know
One-time Schedules
One-time schedules begin on a specific start date and time and end on a specific stop date and time. One-time schedules are useful for long holidays and vacation periods.
Recurring Schedules
Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end on the same day, so a window that crosses midnight needs two recurring schedules. Recurring schedules are useful for defining the workday and off-work hours.
39.8.2 The Schedule Screen
The Schedule screen provides a summary of all schedules in the Zyxel Device. To access this screen, click Configuration > Object > Schedule.
Figure 511 Configuration > Object > Schedule

The following table describes the labels in this screen. See Section 39.8.2.1 on page 781 and Section 39.8.2.2 on page 782 for more information as well.

Table 333 Configuration > Object > Schedule

LABEL

DESCRIPTION

One Time

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific schedule.

Name

This field displays the name of the schedule, which is used to refer to the schedule.

Start Day / Time

This field displays the date and time at which the schedule begins.

Stop Day / Time

This field displays the date and time at which the schedule ends.

Reference

This displays the number of times an object reference is used in a profile.

Recurring

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific schedule.

Name

This field displays the name of the schedule, which is used to refer to the schedule.

Start Time

This field displays the time at which the schedule begins.

Stop Time

This field displays the time at which the schedule ends.

Reference

This displays the number of times an object reference is used in a profile.

39.8.2.1 The One-Time Schedule Add/Edit Screen
The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 39.8.2 on page 780), and click either the Add icon or an Edit icon in the One Time section.
Figure 512 Configuration > Object > Schedule > Edit (One Time)

The following table describes the labels in this screen.

Table 334 Configuration > Object > Schedule > Edit (One Time)

LABEL

DESCRIPTION

Configuration

Name

Type the name used to refer to the one-time schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Day Time

StartDate

Specify the year, month, and day when the schedule begins.
· Year - 1900 - 2999
· Month - 1 - 12
· Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31)

StartTime

Specify the hour and minute when the schedule begins.
· Hour - 0 - 23
· Minute - 0 - 59

StopDate

Specify the year, month, and day when the schedule ends.
· Year - 1900 - 2999
· Month - 1 - 12
· Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31)

StopTime

Specify the hour and minute when the schedule ends.
· Hour - 0 - 23
· Minute - 0 - 59

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.8.2.2 The Recurring Schedule Add/Edit Screen
The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 39.8.2 on page 780), and click either the Add icon or an Edit icon in the Recurring section.
Figure 513 Configuration > Object > Schedule > Edit (Recurring)

The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The following table describes the remaining labels in this screen.

Table 335 Configuration > Object > Schedule > Edit (Recurring)

LABEL

DESCRIPTION

Configuration

Name

Type the name used to refer to the recurring schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Date Time

StartTime

Specify the hour and minute when the schedule begins each day.
· Hour - 0 - 23
· Minute - 0 - 59

StopTime

Specify the hour and minute when the schedule ends each day. Because a recurring schedule begins and ends on the same day, the stop time must be later than the start time.
· Hour - 0 - 23
· Minute - 0 - 59

Weekly

Week Days

Select each day of the week the recurring schedule is effective.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.
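The following Python program is an added example for Sections 39.8.1 to 39.8.2.2, not Zyxel code. It evaluates one-time, recurring and grouped schedules against a timestamp, and shows how a window that crosses midnight (for example 22:00 to 06:00) is expressed as two recurring schedules, which the same-day rule requires. Two things are assumptions made here rather than documented behaviour: that the device compares at minute granularity with both ends inclusive (so a stop time of 23:59 covers the whole last minute), and the Mon..Sun day labels used for weekdays. Verify boundary behaviour on the device before relying on it.

```python
"""One-time, recurring and grouped schedules, evaluated against a timestamp.

Added example, not Zyxel code.  Assumed: times are compared at minute
granularity and both ends are inclusive (a stop time of 23:59 covers the whole
last minute); check the device's own boundary handling.  Weekday names follow
datetime.weekday(), Monday = 0.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Union

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def _minute(dt: datetime) -> time:
    """The wall-clock minute of dt; seconds are dropped, as the screens only take hh:mm."""
    return dt.time().replace(second=0, microsecond=0)


@dataclass(frozen=True)
class OneTimeSchedule:
    """Effective once, from a start date/time to a stop date/time."""
    name: str
    start: datetime
    stop: datetime

    def __post_init__(self):
        if self.stop <= self.start:
            raise ValueError(f"{self.name}: stop must be after start")

    def active(self, now: datetime) -> bool:
        return self.start <= now.replace(second=0, microsecond=0) <= self.stop


@dataclass(frozen=True)
class RecurringSchedule:
    """Start and stop time on selected weekdays.  The guide says a recurring
    schedule always begins and ends on the same day, so stop must be later than start."""
    name: str
    start: time
    stop: time
    days: FrozenSet[str]

    def __post_init__(self):
        if self.stop <= self.start:
            raise ValueError(f"{self.name}: window must not cross midnight")
        if not self.days <= set(WEEKDAYS):
            raise ValueError(f"{self.name}: unknown weekday")

    def active(self, now: datetime) -> bool:
        return WEEKDAYS[now.weekday()] in self.days and self.start <= _minute(now) <= self.stop


def overnight(name: str, start: time, stop: time, days) -> List[RecurringSchedule]:
    """Express a window that crosses midnight (e.g. 22:00-06:00) as two same-day
    schedules: start-23:59 on the chosen days, 00:00-stop on the following days."""
    days = frozenset(days)
    following = frozenset(WEEKDAYS[(WEEKDAYS.index(d) + 1) % 7] for d in days)
    return [RecurringSchedule(f"{name}_pm", start, time(23, 59), days),
            RecurringSchedule(f"{name}_am", time(0, 0), stop, following)]


@dataclass
class ScheduleGroup:
    """A schedule group is active whenever any member is active."""
    name: str
    members: List[Union[OneTimeSchedule, RecurringSchedule]]

    def active(self, now: datetime) -> bool:
        return any(m.active(now) for m in self.members)
```

The two halves produced by overnight() are the natural members of one schedule group, so a single policy can reference the whole maintenance window. Note that the second half lands on the following weekday: a Friday-night window ends on Saturday morning, which is easy to get wrong when the days are ticked by hand in the Week Days field.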

39.8.3 The Schedule Group Screen
The Schedule Group screen provides a summary of all groups of schedules in the Zyxel Device. To access this screen, click Configuration > Object > Schedule > Group.
Figure 514 Configuration > Object > Schedule > Schedule Group

The following table describes the fields in the above screen.

Table 336 Configuration > Object > Schedule > Schedule Group

LABEL

DESCRIPTION

Configuration

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific schedule group.

Name

This field displays the name of the schedule group, which is used to refer to the group.

Description

This field displays the description of the schedule group.

Members

This field lists the members in the schedule group. Each member is separated by a comma.

Reference

This displays the number of times an object reference is used in a profile.

39.8.3.1 The Schedule Group Add/Edit Screen
The Schedule Group Add/Edit screen allows you to define a schedule group or edit an existing one. To access this screen, go to the Schedule Group screen (see Section 39.8.3 on page 783), and click either the Add icon or an Edit icon in the Schedule Group section.
Figure 515 Configuration > Schedule > Schedule Group > Add

The following table describes the fields in the above screen.

Table 337 Configuration > Schedule > Schedule Group > Add

LABEL

DESCRIPTION

Group Members

Name

Type the name used to refer to the schedule group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Description

Enter a description of the schedule group, if any. You can use up to 60 printable ASCII characters.

Member List

The Member list displays the names of the schedule objects that have been added to the schedule group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.9 AAA Server Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers. You use AAA server objects in configuring ext-group-user user objects and authentication method objects (see Chapter 39 on page 794).

39.9.1 Directory Service (AD/LDAP)
LDAP/AD allows a client (the Zyxel Device) to connect to a server to retrieve information from a directory. A network example is shown next.
Figure 516 Example: Directory Service Client and Server
The following describes the user authentication procedure via an LDAP/AD server.
1 A user logs in with a user name and password pair.
2 The Zyxel Device tries to bind (or log in) to the LDAP/AD server.
3 When the binding process is successful, the Zyxel Device checks the user information in the directory against the user name and password pair.
4 If it matches, the user is allowed access. Otherwise, access is blocked.
39.9.2 RADIUS Server
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.
Figure 517 RADIUS Server Network Example
39.9.3 ASAS
ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a Zyxel Device OTP package in order to use this feature. The package contains server software and physical OTP tokens (PIN generators). Do the following to use OTP. See the documentation included on the ASAS CD for details.
1 Install the ASAS server software on a computer.
2 Create user accounts on the Zyxel Device and in the ASAS server.
3 Import each token's database file (located on the included CD) into the server.
4 Assign users to OTP tokens (on the ASAS server).
5 Configure the ASAS as a RADIUS server in the Zyxel Device's Configuration > Object > AAA Server screens.
6 Give the OTP tokens to (local or remote) users.
· Use the Configuration > Object > AAA Server > Active Directory (or LDAP) screens (Section 39.9.5 on page 787) to configure Active Directory or LDAP server objects.
· Use the Configuration > Object > AAA Server > RADIUS screen (Section 39.9.2 on page 785) to configure the default external RADIUS server to use for user authentication.
39.9.4 Wha t Yo u Ne e d To Kno w
AAA Se rve rs Suppo rte d b y the Zyxe l De vic e
The following lists the types of authentication server the Zyxel Device supports. · Local user database
The Zyxel Device uses the built-in local user database to authenticate administrative users logging into the Zyxel Device's Web Configurator or network access users logging into the network through the Zyxel Device. You can also use the local user database to authenticate VPN users. · Directory Service (LDAP/AD) LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server. · RADIUS RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.
Directory Structure
The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or organizational boundaries. The following figure shows a basic directory structure branching from countries to organizations to organizational units to individuals.
Figure 518 Basic Directory Structure
[Figure: a tree from Root down through Countries (c): US, Japan; Organizations (o): Sprint, UPS, NEC; Organization Units (ou): Sales, RD3, QA, CSO, Sales, RD; to the Unique Common Name (cn) entries.]

Distinguished Name (DN)
A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas. The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique name for entries that have the same "parent DN" ("cn=domain1.com, ou=Sales, o=MyCompany" in the following examples).
cn=domain1.com, ou=Sales, o=MyCompany, c=US
cn=domain1.com, ou=Sales, o=MyCompany, c=JP
Base DN
A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country.
Bind DN
A bind DN is used to authenticate with an LDAP/AD server. For example, a bind DN of cn=zywallAdmin allows the Zyxel Device to log into the LDAP/AD server using the user name of zywallAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the Zyxel Device will try to log in as an anonymous user. If the bind password is incorrect, the login will fail.
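The DN, base DN and bind DN rules above, worked through in code. This is an added example written for this guide, not Zyxel firmware or an LDAP library; it only parses DN strings (the ones the guide quotes, plus an RFC 4514 escaped comma) and shows how the RDN, the parent DN, a search base and the bind identity are derived from them.

```python
"""Worked LDAP Distinguished Name (DN) handling: RDN, parent DN, base DN and bind DN.

Added example, not Zyxel code.  The DN strings used are the ones the guide quotes
(cn=domain1.com, ou=Sales, o=MyCompany, c=US / c=JP and cn=zywallAdmin).
"""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leftmost (the RDN) first.

    Whitespace around '=' and ',' (as in "ou = Sales") is dropped, attribute
    types are lower-cased, and an RFC 4514 escaped comma ("\\,") stays inside
    its value instead of starting a new pair.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape and the escaped char
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize(dn: str) -> str:
    """Canonical spelling: lower-case types, single commas, no stray spaces."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def rdn(dn: str) -> str:
    """The Relative Distinguished Name is the leftmost attribute-value pair."""
    a, v = parse_dn(dn)[0]
    return f"{a}={v}"


def parent_dn(dn: str) -> str:
    """Everything to the right of the RDN; entries sharing a parent differ in RDN."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])


def is_under_base(dn: str, base_dn: str) -> bool:
    """True if `dn` lies inside the subtree that a search from `base_dn` covers.

    An empty base DN means the directory root, which contains everything.
    Values compare case-insensitively, as LDAP does for most attribute types.
    """
    if not base_dn.strip():
        return True
    entry, base = parse_dn(dn), parse_dn(base_dn)
    if len(base) > len(entry):
        return False
    tail = [(a, v.lower()) for a, v in entry[len(entry) - len(base):]]
    return tail == [(a, v.lower()) for a, v in base]


def bind_identity(bind_dn: str) -> str:
    """Who the Zyxel Device presents itself as when it binds: the value of the
    bind DN's RDN, or "anonymous" when no bind DN is configured."""
    if not bind_dn.strip():
        return "anonymous"
    return parse_dn(bind_dn)[0][1]
```

A practical check this enables: a user entry that is not under the configured Base DN will never be found by the search, which is one cause of the "search timeout" described later in this section.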
39.9.5 Active Directory or LDAP Server Summary
Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the Zyxel Device can use in authenticating users.
Click Configuration > Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen.

Figure 519 Configuration > Object > AAA Server > Active Directory (or LDAP)

The following table describes the labels in this screen.
Table 338 Configuration > Object > AAA Server > Active Directory (or LDAP)
LABEL: DESCRIPTION
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References: Select an entry and click References to open a screen that shows which settings use the entry.
#: This field is a sequential value, and it is not associated with a specific AD or LDAP server.
Name: This field displays the name of the AD or LDAP server entry.
Server Address: This is the address of the AD or LDAP server.
Base DN: This specifies a directory. For example, o=Zyxel, c=US.

39.9.5.1 Adding an Active Directory or LDAP Server
Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one.

Figure 520 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add

The following table describes the labels in this screen.
Table 339 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add
LABEL: DESCRIPTION
Name: Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Description: Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
Server Address: Enter the address of the AD or LDAP server.
Backup Server Address: If the AD or LDAP server has a backup server, enter its address here.
Port: Specify the port number on the AD or LDAP server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP server(s) in this group.
Base DN: Specify the directory (up to 127 alphanumerical characters). For example, o=Zyxel, c=US.
Use SSL: This is only for LDAP. Select Use SSL to establish a secure connection to the AD or LDAP server(s).
Search time limit: Specify the timeout period (between 1 and 300 seconds) before the Zyxel Device disconnects from the AD or LDAP server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the AD or LDAP server(s) or the AD or LDAP server(s) is down.
Case-sensitive User Names: Select this if the server checks the case of the usernames.
Bind DN: Specify the bind DN for logging into the AD or LDAP server. Enter up to 127 alphanumerical characters. For example, cn=zywallAdmin specifies zywallAdmin as the user name.
Password: If required, enter the password (up to 15 alphanumerical characters) for the Zyxel Device to bind (or log in) to the AD or LDAP server.
Retype to Confirm: Retype your new password for confirmation.
Login Name Attribute: Enter the type of identifier the users are to use to log in. For example "name" or "email address".
Alternative Login Name Attribute: If there is a second type of identifier that the users can use to log in, enter it here. For example "name" or "email address".
Group Membership Attribute: An AD or LDAP server defines attributes for its accounts. Enter the name of the attribute that the Zyxel Device is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example, you could have an attribute named "memberOf" with values like "sales", "RD", and "management". Then you could also create an ext-group-user user object for each group: one with "sales" as the group identifier, another for "RD" and a third for "management".
Domain Authentication for MSChap: Select the Enable checkbox to enable domain authentication for MSChap. This is only for Active Directory.
User Name: Enter the user name for the user who has rights to add a machine to the domain. This is only for Active Directory.
User Password: Enter the password for the associated user name. This is only for Active Directory.
Retype to Confirm: Retype your new password for confirmation.
Realm: Enter the realm FQDN. This is only for Active Directory.
NetBIOS Name: Type the NetBIOS name. This field is optional. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN, which allows local computers to find computers on the remote network and vice versa. This is only for Active Directory.
Configuration Validation: Use a user account from the server specified above to test if the configuration is correct. Enter the account's user name in the Username field and click Test.
OK: Click OK to save the changes.
Cancel: Click Cancel to discard the changes.

39.9.6 RADIUS Server Summary
Use the RADIUS screen to manage the list of RADIUS servers the Zyxel Device can use in authenticating users.
Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen.
Figure 521 Configuration > Object > AAA Server > RADIUS

The following table describes the labels in this screen.
Table 340 Configuration > Object > AAA Server > RADIUS
LABEL: DESCRIPTION
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References: Select an entry and click References to open a screen that shows which settings use the entry.
#: This field displays the index number.
Name: This is the name of the RADIUS server entry.
Server Address: This is the address of the RADIUS server.

39.9.6.1 Adding a RADIUS Server
Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new RADIUS server entry or edit an existing one.

Figure 522 Configuration > Object > AAA Server > RADIUS > Add

The following table describes the labels in this screen.
Table 341 Configuration > Object > AAA Server > RADIUS > Add
LABEL: DESCRIPTION
Name: Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Description: Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
Server Address: Enter the address of the RADIUS server.
Authentication Port: Specify the port number on the RADIUS server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535.
Backup Server Address: If the RADIUS server has a backup server, enter its address here.
Backup Authentication Port: Specify the port number on the backup RADIUS server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535.
Key: Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the Zyxel Device. The key is not sent over the network. This key must be the same on the external authentication server and the Zyxel Device.
Change of Authorization: The external RADIUS server can change its authentication policy and send CoA (Change of Authorization) or RADIUS Disconnect messages in order to terminate the subscriber's service. Select this option to allow the Zyxel Device to disconnect wireless clients based on the information (such as the client's user name and MAC address) specified in CoA or RADIUS Disconnect messages sent by the RADIUS server.
Server Address (accounting): Enter the IP address or Fully-Qualified Domain Name (FQDN) of the RADIUS accounting server.
Accounting Port: Specify the port number on the RADIUS server to which the Zyxel Device sends accounting information. Enter a number between 1 and 65535.
Backup Server Address (accounting): If the RADIUS server has a backup accounting server, enter its address here.
Backup Accounting Port: Specify the port number on the backup RADIUS accounting server to which the Zyxel Device sends accounting information. Enter a number between 1 and 65535.
Key (accounting): Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external accounting server and the Zyxel Device. The key is not sent over the network. This key must be the same on the external accounting server and the Zyxel Device.
Maximum Retry Count: At times the Zyxel Device may not be able to use the primary RADIUS accounting server. Specify the number of times the Zyxel Device should reattempt to use the primary RADIUS server before attempting to use the secondary RADIUS server. This also sets how many times the Zyxel Device will attempt to use the secondary RADIUS server. For example, you set this field to 3. If the Zyxel Device does not get a response from the primary RADIUS server, it tries again up to three times. If there is no response, the Zyxel Device tries the secondary RADIUS server up to three times. If there is also no response from the secondary RADIUS server, the Zyxel Device stops attempting to authenticate the subscriber. The subscriber will see a message that says the RADIUS server was not found.
Enable Accounting Interim Update: This field is configurable only after you configure a RADIUS accounting server address. Select this to have the Zyxel Device send subscriber status updates to the RADIUS server at the interval you specify.
Interim Interval: Specify the time interval for how often the Zyxel Device is to send a subscriber status update to the RADIUS server.
Timeout: Specify the timeout period (between 1 and 300 seconds) before the Zyxel Device disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
NAS IP Address: Type the IP address of the NAS (Network Access Server).
NAS Identifier: If the RADIUS server requires the Zyxel Device to provide the Network Access Server identifier attribute with a specific value, enter it here.
Case-sensitive User Names: Select this if you want to configure your username as case-sensitive.
Group Membership Attribute: A RADIUS server defines attributes for its accounts. Select the name and number of the attribute that the Zyxel Device is to check to determine to which group a user belongs. If it does not display, select user-defined and specify the attribute's number. This attribute's value is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example, you could have an attribute named "memberOf" with values like "sales", "RD", and "management". Then you could also create an ext-group-user user object for each group: one with "sales" as the group identifier, another for "RD" and a third for "management".
OK: Click OK to save the changes.
Cancel: Click Cancel to discard the changes.
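What the Key row and the Maximum Retry Count row describe, carried out in code. This is an added example written for this guide, not Zyxel firmware or a RADIUS library: it implements the two places RFC 2865 uses the shared secret (hiding the User-Password attribute and computing the Response Authenticator the client checks), and a primary-then-backup retry loop. The server names, the secret, the account and the in-memory server are constructed, and "one try plus Maximum Retry Count retries per server" is this example's reading of the worked example in the table.

```python
"""RADIUS shared Key in action (RFC 2865) plus the Maximum Retry Count failover.

Added example, not Zyxel code.  The Key configured on both sides is never sent:
it hides the User-Password attribute and authenticates the server's reply.  The
server names, secret and account below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct
from typing import Callable, Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server's side of the same computation; a different Key yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def access_request(ident: int, user: str, password: str, secret: bytes, request_auth: bytes) -> bytes:
    attrs = attribute(ATTR_USER_NAME, user.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", request_auth, secret)


def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply not keyed with our shared secret is discarded."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def authenticate_with_failover(send: Callable[[str, bytes], Optional[bytes]], servers: List[str],
                               max_retry: int, user: str, password: str, secret: bytes,
                               ) -> Tuple[Optional[int], List[str]]:
    """Primary first, then backup; each gets one try plus `max_retry` retries (this
    example's reading of the table).  `send` returns None on timeout.  Returns the
    code of a verified reply (None when both servers are exhausted) and the list of
    attempts made."""
    attempts: List[str] = []
    for ident, server in enumerate(servers):
        request_auth = os.urandom(16)
        packet = access_request(ident, user, password, secret, request_auth)
        for _ in range(1 + max_retry):
            attempts.append(server)
            reply = send(server, packet)
            if reply is not None and verify_response(reply, request_auth, secret):
                return reply[0], attempts
    return None, attempts


def demo_server(secret: bytes, users: Dict[str, bytes]) -> Callable[[str, bytes], Optional[bytes]]:
    """A constructed in-memory RADIUS server; the host 'radius-down.example' never answers."""
    def send(server: str, packet: bytes) -> Optional[bytes]:
        if server == "radius-down.example":
            return None
        code, ident, length = struct.unpack("!BBH", packet[:4])
        request_auth, pos, attrs = packet[4:20], 20, {}
        while pos < length:
            kind, alen = packet[pos], packet[pos + 1]
            attrs[kind] = packet[pos + 2:pos + alen]
            pos += alen
        user = attrs[ATTR_USER_NAME].decode()
        pwd = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
        ok = hmac.compare_digest(users.get(user, b""), pwd)
        return access_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)
    return send
```

Two things the code makes visible that the table only states: a Key mismatch between the Zyxel Device and the server does not produce a clear error, it produces an undecodable password on the server and an unverifiable reply on the client, which the client treats exactly like a timeout; and with Maximum Retry Count set to 3 an unreachable primary costs four sends before the backup is tried.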

39.10 Auth. Method Overview
Authentication method objects set how the Zyxel Device authenticates wireless clients, HTTP/HTTPS clients, and peer IPSec routers (extended authentication). Configure authentication method objects to have the Zyxel Device use the local user database and/or the authentication servers and authentication server groups specified by AAA server objects. By default, user accounts created and stored on the Zyxel Device are authenticated locally.
· Use the Configuration > Object > Auth. Method screens (Section 39.10.3 on page 795) to create and manage authentication method objects.
· Use the Configuration > Object > Auth. Method > Two-Factor Authentication screen (Section 39.10.4 on page 797) to configure double-layer security to access a secured network behind the Zyxel Device via a VPN tunnel, or access the Zyxel Device using the Web Configurator, SSH, or Telnet.
39.10.1 Before You Begin
Configure AAA server objects before you configure authentication method objects.
39.10.2 Example: Selecting a VPN Authentication Method
After you set up an authentication method object in the Auth. Method screens, you can use it in the VPN Gateway screen to authenticate VPN users for establishing a VPN connection. Refer to the chapter on VPN for more information.
Follow the steps below to specify the authentication method for a VPN connection.
1 Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen.
2 Click Show Advance Setting and select Enable Extended Authentication.
3 Select Server Mode and select an authentication method object from the drop-down list box.
4 Click OK to save the settings.
Figure 523 Example: Using Authentication Method in VPN

39.10.3 Authentication Method Objects
Click Configuration > Object > Auth. Method to display the screen as shown.
Note: You can create up to 16 authentication method objects.
Figure 524 Configuration > Object > Auth. Method

The following table describes the labels in this screen.
Table 342 Configuration > Object > Auth. Method
LABEL: DESCRIPTION
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References: Select an entry and click References to open a screen that shows which settings use the entry.
#: This field displays the index number.
Method Name: This field displays a descriptive name for identification purposes.
Method List: This field displays the authentication method(s) for this entry.

39.10.3.1 Creating an Authentication Method Object
Follow the steps below to create an authentication method object.
1 Click Configuration > Object > Auth. Method.
2 Click Add.
3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, "My_Device".
4 Click Add to insert an authentication method in the table.
5 Select a server object from the Method List drop-down list box.
6 You can add up to four server objects to the table. The ordering of the Method List column is important. The Zyxel Device authenticates the users using the databases (in the local user database or the external authentication server) in the order they appear in this screen. If two accounts with the same user name exist on two of the authentication servers you specify and the password you enter does not match the account on the first server, the Zyxel Device does not continue the search on the second authentication server.
Note: You can NOT select two server objects of the same type.
7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen.
Figure 525 Configuration > Object > Auth. Method > Add

The following table describes the labels in this screen.
Table 343 Configuration > Object > Auth. Method > Add
LABEL: DESCRIPTION
Name: Specify a descriptive name for identification purposes. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, "My_Device".
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Move: To change a method's position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed. The ordering of your methods is important, as the Zyxel Device authenticates the users using the authentication methods in the order they appear in this screen.
#: This field displays the index number.
Method List: Select a server object from the drop-down list box. You can create a server object in the AAA Server screen. The Zyxel Device authenticates the users using the databases (in the local user database or the external authentication server) in the order they appear in this screen. If two accounts with the same user name exist on two of the authentication servers you specify and the password you enter does not match the account on the first server, the Zyxel Device does not continue the search on the second authentication server.
OK: Click OK to save the changes.
Cancel: Click Cancel to discard the changes.
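The ordering rule from step 6 and the Method List row, modelled in code. This is an added example written for this guide, not Zyxel firmware: the server objects, their types and their user stores are constructed stand-ins for the local database, an AD/LDAP server and a RADIUS server, and the name rule from step 3 and the "no two server objects of the same type" note are enforced when the method object is built.

```python
"""Authentication method objects: the Method List is consulted in order, and a user
name that exists on an earlier server is never retried on a later one.

Added example, not Zyxel code.  The server objects and user stores are constructed.
"""
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Name rule from step 3: 1-31 alphanumerics, '_' or '-', first character not a digit.
METHOD_NAME_RE = re.compile(r"^[A-Za-z_\-][A-Za-z0-9_\-]{0,30}$")


def valid_method_name(name: str) -> bool:
    return METHOD_NAME_RE.match(name) is not None


class AuthServer:
    """One server object of a given type ("local", "ad", "ldap" or "radius")."""

    def __init__(self, name: str, kind: str, users: Dict[str, str]):
        self.name, self.kind, self.users = name, kind, users

    def lookup(self, user: str) -> Optional[str]:
        """The stored password, or None when this server has no such account."""
        return self.users.get(user)


class AuthMethod:
    MAX_SERVERS = 4

    def __init__(self, name: str, method_list: List[AuthServer]):
        if not valid_method_name(name):
            raise ValueError(f"invalid method name {name!r}")
        if not 1 <= len(method_list) <= self.MAX_SERVERS:
            raise ValueError("Method List holds one to four server objects")
        kinds = [s.kind for s in method_list]
        if len(set(kinds)) != len(kinds):
            raise ValueError("cannot select two server objects of the same type")
        self.name, self.method_list = name, method_list

    def authenticate(self, user: str, password: str) -> Tuple[bool, str]:
        """Walk the list in order and stop at the first server that knows the user.

        A password mismatch there is final: the search does not continue to the
        next server even if it holds an account with the same name.
        """
        for server in self.method_list:
            stored = server.lookup(user)
            if stored is None:
                continue                                   # not here, try the next one
            if hmac.compare_digest(stored.encode(), password.encode()):
                return True, f"accepted by {server.name}"
            return False, f"rejected by {server.name}; later servers not consulted"
        return False, "user not found on any server"
```

The consequence for administrators: if the local database holds an account named like a directory account, the directory copy is unreachable through this method object unless the local server object is placed after the directory one.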

39.10.4 Two-Factor Authentication
Use two-factor authentication to have double-layer security to access a secured network behind the Zyxel Device via a VPN tunnel, Web Configurator, SSH, or Telnet.
The first layer is the VPN client/Zyxel Device's login user name / password and the second layer is an authorized SMS (via mobile phone number) or email address.
39.10.4.1 Overview
This section introduces how two-factor authentication works.
Figure 526 Two-Factor Authentication

VPN Access Via a VPN Tunnel
1 A user runs a VPN client and logs in with the user name and password for this VPN tunnel.
2 The VPN client connects to the Zyxel Device and authenticates using the specified username and password.
3 The Zyxel Device requests the user's user-name, password and mobile phone number or email address from the Active Directory, RADIUS server or local Zyxel Device database in order to authenticate this user (factor 1). If they are not found, then the Zyxel Device terminates the connection.
4 If all correct credentials are found, then the Zyxel Device performs one of the following actions:
· Emails an authorization link to the admin user
· Requests that the Email-to-SMS cloud system send an SMS with the authorization link
5 The client must open the authorization link or enter the authorization code within a specified deadline (Valid Time).
6 If the authorization is correct and received on time, then the client can access the secured network through the VPN tunnel. If the authorization deadline has expired, then the client has to log into the Zyxel Device again. If authorization credentials are incorrect or if the SMS/email was not received, then the client should contact the network administrator.
Admin Access Via the Web Configurator, SSH, or Telnet
1 An admin user connects to the Zyxel Device through the Web Configurator, SSH, or Telnet.
2 The Zyxel Device requests the admin user's user-name, password and mobile phone number or email address from the Active Directory, RADIUS server or local Zyxel Device database in order to authenticate this admin user.
3 If all correct credentials are found, then the Zyxel Device performs one of the following actions:
· Requests the Google Authenticator code
· Emails an authorization link or code to the admin user
· Requests that the Email-to-SMS cloud system send an SMS with an authorization link or code
4 The admin user must open the authorization link or enter the authorization code within a specified deadline (Valid Time).
5 If the authorization is correct and received on time, then the admin user can log into the Zyxel Device. If the authorization deadline has expired, then the admin user has to log in again. If the authorization credentials are incorrect or an incorrect code was received, then the admin user should contact the network administrator.
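The two flows above share one shape: factor 1 (credentials plus a registered delivery address), a code or link sent out of band, and a Valid Time deadline after which the user must start over. The following is an added example written for this guide, not Zyxel firmware, that models that shape; the directory entries are constructed, "sending" a code just records it where the Zyxel Device would e-mail it or hand it to the Email-to-SMS cloud system, and the Google Authenticator path of the admin flow is not modelled. The clock is injectable so the deadline behaviour can be exercised.

```python
"""The two-factor flow described above: factor 1 is the user name and password plus a
registered mobile number or e-mail address; factor 2 is an authorization code that
must come back within Valid Time.

Added example, not Zyxel firmware.  Directory entries are constructed; `sent` stands
in for the e-mail or Email-to-SMS delivery.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Pending:
    code: str
    channel: str
    expires_at: float


class TwoFactorGate:
    def __init__(self, directory: Dict[str, Dict[str, str]], valid_time_minutes: int,
                 now: Callable[[], float] = time.time):
        self.directory = directory            # user -> {"password", "email"?, "mobile"?}
        self.valid_seconds = valid_time_minutes * 60
        self.now = now                        # injectable clock so the deadline can be tested
        self.pending: Dict[str, Pending] = {}
        self.sent: List[Tuple[str, str, str]] = []   # (channel, destination, code)

    def first_factor(self, user: str, password: str) -> str:
        """Step 3: check the credentials and that a delivery address is on record."""
        entry = self.directory.get(user)
        if entry is None or not hmac.compare_digest(entry["password"].encode(), password.encode()):
            return "terminated: credentials not found"
        channel: Optional[str] = "email" if entry.get("email") else "sms" if entry.get("mobile") else None
        if channel is None:
            return "terminated: no email address or mobile number on record"
        code = f"{secrets.randbelow(10 ** 6):06d}"      # 6-digit one-time code
        self.pending[user] = Pending(code, channel, self.now() + self.valid_seconds)
        self.sent.append((channel, entry.get("email") or entry["mobile"], code))
        return f"code sent via {channel}"

    def second_factor(self, user: str, code: str) -> str:
        """Steps 5 and 6: one attempt per login; late or wrong means a fresh login."""
        p = self.pending.pop(user, None)
        if p is None:
            return "denied: log in again"
        if self.now() > p.expires_at:
            return "expired: log in again"
        if not hmac.compare_digest(p.code.encode(), code.encode()):
            return "denied: contact the network administrator"
        return "access granted"
```

Note that a wrong code consumes the pending authorization rather than leaving it open for further guesses, and that an expired code is rejected even when it is otherwise correct, which is the "log in again" outcome the steps describe.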
39.10.4.2 Pre-configuration
Before configuration, you must:
· Set up the user's user-name, password and email address or mobile number in the Active Directory, RADIUS server or local Zyxel Device database
· Enable Two-factor Authentication in Object > User/Group > User > Edit > Two-factor Authentication for a specific user
· Enable Two-factor Authentication in Object > Auth. Method > Two-factor Authentication for the Zyxel Device
· Enable HTTP and/or HTTPS in System > WWW > Service Control
· Enable SSH and/or Telnet in System > SSH and/or System > TELNET
· Add HTTP, HTTPS, SSH, and/or TELNET in the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group. This service group defines the default services allowed in the WAN_to_Device security policy.
· For VPN access, configure the VPN tunnel for this user on the Zyxel Device
Email Authentication
· Configure Mail Server in System > Notification > Mail Server.
SMS Authentication
· Configure Mail Server in System > Notification > Mail Server.
· Configure SMS in System > Notification > SMS.
· Have an account with an Email-to-SMS cloud provider to be able to send SMS authorization requests
Google Authentication
· Install Google Authenticator
Two-Factor authentication will fail under the following conditions:
· You omit any of the pre-configuration items. Make sure to perform all pre-configuration items.
· The user cannot receive the authorization SMS or email. Make sure the mobile telephone number or email address of the user in the Active Directory, RADIUS Server or local Zyxel Device database is configured correctly.
· Email-to-SMS cloud system authentication fails. Make sure that SMS is enabled and credentials are correct in System > Notification > SMS.
· Mail server authentication fails. Make sure the System > Notification > Mail Server settings are correct.
· Authorization times out. Extend the Valid Time in Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access.
· You are unable to access Google Authenticator (you lost your phone or uninstalled the app). Log in using one of the backup codes.
· You get a Google Authenticator verification error. You must enter the code within the time displayed in Google Authenticator. The time on your cellphone and the time on the Zyxel Device must be the same.
39.10.5 Two-Factor Authentication VPN Access
Use this screen to select the users and VPN services that require two-factor authentication.
Go to Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access and configure the following screen as shown.
Figure 527 Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access

The following table describes the labels in this screen.
Table 344 Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access
LABEL: DESCRIPTION
General Settings
Enable: Select the check box to require double-layer security to access a secured network behind the Zyxel Device via a VPN tunnel.
Valid Time: Enter the maximum time (in minutes) that the user must click or tap the authorization link in the SMS or email in order to get authorization for the VPN connection.
Two-factor Authentication for Services: Select which kinds of VPN tunnels require Two-Factor Authentication. You should have configured the VPN tunnel first.
· SSL VPN Access
· IPSec VPN Access
· L2TP/IPSec VPN Access
User/Group: This list displays the names of the users and user groups that can be selected for two-factor authentication. The order of members is not important. Select users and groups from the Selectable User/Group Objects list that require two-factor authentication for VPN access to a secured network behind the Zyxel Device and move them to the Selected User/Group Objects list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them. Similarly, move users or groups that do not require two-factor authentication back to the Selectable User/Group Objects list.
Delivery Settings: Use this section to configure how to send an SMS or email for authorization.
Deliver Authorize Link Method: Select one or both methods:
· SMS: Object > User/Group > User must contain a valid mobile telephone number. A valid mobile telephone number can be up to 20 characters in length, including the numbers 1~9 and the following characters in the square brackets [+*#()-].
· Email: Object > User/Group > User must contain a valid email address. A valid email address must contain the @ character. For example, this is a valid email address: abc@example.com
Authorize Link URL Address: Configure the link that the user will receive in the SMS or email. The user must be able to access the link.
· http/https: you must enable HTTP or HTTPS in System > WWW > Service Control
· From Interface/User-Defined: select the Zyxel Device WAN interface (wan1/2) or select User-Defined and then enter an IP address.
Message: You can either create a default message in the text box or upload a message file (Use Multilingual file) from your computer. The message file must be named '2FA-msg.txt' and be in UTF-8 format. To create the file, click Download the default 2FA-msg.txt example and edit the file for your needs. (If you make a mistake, use Restore Customized File to Default to restore your customized file to the default.) Use Select a File Path to locate the final file on your computer and then click Upload to transfer it to the Zyxel Device. The message in either the text box or the file must contain the <url> variable within angle brackets, while the <user>, <host>, and <time> variables are optional.
Apply: Click Apply to save the changes.
Reset: Click Reset to return the screen to its last-saved settings.
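The validity rules the Delivery Settings and Message rows state, as checks you can run before applying the screen. This is an added example written for this guide, not Zyxel firmware, and it is not how the Zyxel Device itself validates these fields: it applies the documented rules to constructed user records and message texts. The table writes the allowed digits as "1~9"; this example assumes any decimal digit is meant. The stricter e-mail test (text on both sides of the @) is this example's own addition to the guide's "must contain @" rule.

```python
"""Checks for the Delivery Settings and Message fields: mobile number and e-mail
rules, the required <url> variable, and the 2FA-msg.txt upload constraints.

Added example, not Zyxel code.  The guide writes the digits as "1~9"; this example
assumes any decimal digit is meant.  Sample records and messages are constructed.
"""
import re
from typing import Dict, List

MAX_MOBILE_LEN = 20
MOBILE_RE = re.compile(r"^[0-9+*#()\-]+$")          # digits plus the set [+*#()-]
VAR_RE = re.compile(r"<([A-Za-z]+)>")
REQUIRED_VARS = {"url"}
OPTIONAL_VARS = {"user", "host", "time"}
MESSAGE_FILE_NAME = "2FA-msg.txt"


def valid_mobile(number: str) -> bool:
    return 0 < len(number) <= MAX_MOBILE_LEN and MOBILE_RE.match(number) is not None


def valid_email(address: str) -> bool:
    """Guide rule: must contain '@'.  Requiring text on both sides is this example's
    extra check."""
    local, sep, domain = address.partition("@")
    return sep == "@" and bool(local) and bool(domain)


def delivery_problems(user: Dict[str, str], methods: List[str]) -> List[str]:
    """Why an authorization SMS or e-mail could not be delivered to this user record."""
    problems = []
    if not methods:
        problems.append("no delivery method selected")
    if "sms" in methods and not valid_mobile(user.get("mobile", "")):
        problems.append("SMS selected but the user has no valid mobile number")
    if "email" in methods and not valid_email(user.get("email", "")):
        problems.append("Email selected but the user has no valid email address")
    return problems


def template_problems(text: str) -> List[str]:
    """<url> is mandatory; <user>, <host> and <time> are optional; nothing else is known."""
    found = set(VAR_RE.findall(text))
    problems = [f"missing required <{v}> variable" for v in sorted(REQUIRED_VARS - found)]
    problems += [f"unknown variable <{v}>" for v in sorted(found - REQUIRED_VARS - OPTIONAL_VARS)]
    return problems


def render_message(text: str, values: Dict[str, str]) -> str:
    """Fill the variables; an optional variable without a value renders empty."""
    problems = template_problems(text)
    if problems:
        raise ValueError("; ".join(problems))
    if "url" not in values:
        raise ValueError("no value supplied for <url>")
    return VAR_RE.sub(lambda m: values.get(m.group(1), ""), text)


def message_file_problems(filename: str, data: bytes) -> List[str]:
    """Constraints on an uploaded multilingual message file."""
    problems = []
    if filename != MESSAGE_FILE_NAME:
        problems.append(f"file must be named {MESSAGE_FILE_NAME}")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["file is not valid UTF-8"]
    return problems + template_problems(text)
```

Running these checks against the user records before enabling the feature catches the "user cannot receive the authorization SMS or email" failure listed in the pre-configuration section, which otherwise only shows up when a user is already locked out.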

39.10.6 Two-Factor Authentication Admin Access
Use this screen to select the services (Web, SSH, and TELNET) that require two-factor authentication for the admin user.
Go to Configuration > Object > Auth. Method > Two-factor Authentication > Admin Access and configure the following screen as shown.

Figure 528 Configuration > Object > Auth. Method > Two-factor Authentication > Admin Access

The following table describes the labels in this screen.
Table 345 Configuration > Object > Auth. Method > Two-factor Authentication > Admin Access
LABEL: DESCRIPTION
General Settings
Enable: Select the check box to require double-layer security to access a secured network behind the Zyxel Device via the Web Configurator, SSH, or Telnet.
Valid Time: Enter the maximum time (in minutes) that the user must click or tap the authorization link in the SMS or email in order to get authorization for logins via the Web Configurator, SSH, or Telnet.
Two-factor Authentication for Services: Select which services require Two-Factor Authentication for the admin user.
· Web
· SSH
· TELNET
Delivery Settings: Use this section to configure how to send an SMS or email for authorization.
Verification Code Delivery Method: Select one or both (All) methods:
· SMS: Object > User/Group > User must contain a valid mobile telephone number. A valid mobile telephone number can be up to 20 characters in length, including the numbers 1~9 and the following characters in the square brackets [+*#()-].
· Email: Object > User/Group > User must contain a valid email address. A valid email address must contain the @ character. For example, this is a valid email address: abc@example.com
Apply: Click Apply to save the changes.
Reset: Click Reset to return the screen to its last-saved settings.

39.11 Certificate Overview
The Zyxel Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.
· Use the My Certificates screens (see Section 39.11.3 on page 805 to Section 39.11.3.3 on page 813) to generate and export self-signed certificates or certification requests and import the CA-signed certificates.
ZyWALL USG FLEX Series User's Guide
802

· Use the Trusted Certificates screens (see Section 39.11.4 on page 814 to Section 39.11.4.2 on page 818) to save CA certificates and trusted remote host certificates to the Zyxel Device. The Zyxel Device trusts any valid certificate that you have imported as a trusted certificate. It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate, so importing a CA certificate implicitly trusts everything that CA issues; verify a CA certificate's fingerprint (Section 39.11.2) before importing it.
39.11.1 What You Need to Know
When using public-key cryptography for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.
These keys work like a handwritten signature; the mechanism is called a "digital signature". Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you, or by someone else. In the same way, your private key "writes" your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.
1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim's public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim's private key).
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny's public key to verify the message.
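The exchange above, carried out in code. This is an added example written for this guide, not code from the Zyxel Device or its CLI: it uses Go's standard library with RSA-PSS over SHA-256 (the Zyxel Device's own certificates use rsa-pkcs1-sha1, see Section 39.11.3.2), and the message text and the third "Mallory" key pair are constructed for the demonstration. It shows the two things step 4 relies on: a message altered in transit no longer verifies, and a message re-signed with someone else's private key is rejected by Tim's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is step 3: the sender hashes the message and signs the digest with
// the private key, which never leaves the sender's host.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is step 4: the receiver needs only the sender's public key. It
// succeeds only if sig was produced by the matching private key over exactly
// this message; any altered byte changes the digest and the check fails.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Exchange runs Tim and Jenny's exchange and reports three outcomes: the
// genuine message verifies, a message altered in transit does not, and a
// message re-signed by a third party's key does not.
func Exchange() (genuine, altered, forged bool, err error) {
	tim, err := rsa.GenerateKey(rand.Reader, 2048) // step 1: Tim's key pair
	if err != nil {
		return
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048) // constructed attacker key
	if err != nil {
		return
	}
	timPub := &tim.PublicKey // step 2: the only thing Tim publishes

	msg := []byte("Pay 100 to account 42") // constructed sample message
	sig, err := Sign(tim, msg)
	if err != nil {
		return
	}
	genuine = Verify(timPub, msg, sig)

	// An attacker edits the message in transit but cannot re-sign it.
	altered = Verify(timPub, []byte("Pay 900 to account 42"), sig)

	// An attacker signs with their own key; Tim's public key rejects it.
	forgedSig, err := Sign(mallory, msg)
	if err != nil {
		return
	}
	forged = Verify(timPub, msg, forgedSig)
	return
}

func main() {
	genuine, altered, forged, err := Exchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v forged=%v\n", genuine, altered, forged)
}
```

Step 5 is the same code with the roles swapped: Jenny signs with her private key and Tim verifies with her public key. What a certificate adds on top of this is a trustworthy binding between "Tim" and the public key used in Verify, which is the problem the rest of this section addresses.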
The Zyxel Device uses certificates based on public-key cryptography to authenticate the parties attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES (3DES) encryption algorithm; 3DES is a legacy algorithm, and AES should be preferred when both peers support it.
The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The Zyxel Device does not trust a certificate if any certificate on its path has expired or been revoked.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The Zyxel Device can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).
Advantages of Certificates
Certificates offer the following benefits.
· The Zyxel Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
· Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys. The one thing you must still check out of band is that an imported CA or remote host certificate is the genuine one (see Section 39.11.2).
Self-signed Certificates
You can have the Zyxel Device act as a certification authority and sign its own certificates.
Factory Default Certificate
The Zyxel Device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.
Certificate File Formats
Any certificate that you want to import has to be in one of these file formats:
· Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. The binary encoding is DER.
· PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses Base-64 characters (lowercase letters, uppercase letters, numerals and a few symbols) to convert a binary X.509 certificate into a printable form.
· Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The Zyxel Device currently allows the importation of a PKCS#7 file that contains a single certificate.
· PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format converts a binary PKCS#7 file into a printable form in the same way.
· Binary PKCS#12: This is a format for transferring a certificate together with its private key. The private key in a PKCS #12 file is within a password-encrypted envelope. This password is set when the PKCS #12 file is exported and is independent of any other password; you must provide it to decrypt the contents when you import the file into the Zyxel Device.
Note: Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.
39.11.2 Verifying a Certificate
Before you import a trusted certificate into the Zyxel Device, you should verify that you have the correct certificate. You can do this using the certificate's fingerprint. A certificate's fingerprint is a message digest of the certificate calculated using the MD5 or SHA1 algorithm. Compare the SHA1 fingerprint rather than the MD5 one: MD5 is collision-prone, so two different certificates can be made to share an MD5 fingerprint. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.
1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a ".cer" or ".crt" file name extension.
Figure 529 Remote Host Certificates
3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Figure 530 Certificate Details
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection. Every hexadecimal digit must match; a fingerprint that differs in any position belongs to a different certificate.
39.11.3 The My Certificates Screen
Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the Zyxel Device's summary list of certificates and certification requests.

Figure 531 Configuration > Object > Certificate > My Certificates

The following table describes the labels in this screen.

Table 346 Configuration > Object > Certificate > My Certificates

PKI Storage Space in Use: This bar displays the percentage of the Zyxel Device's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.

Add: Click this to go to the screen where you can have the Zyxel Device generate a certificate or a certification request.

Edit: Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate.

Remove: The Zyxel Device keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action.

References: You cannot delete certificates that any of the Zyxel Device's features are configured to use. Select an entry and click References to open a screen that shows which settings use the entry.

Download: Click this and the following screen will appear. Type the selected certificate's password and save the selected certificate to your computer.
Figure 532 Download a Certificate

Email: Click this to email the selected certificate to the configured email address(es) for SSL connection establishment. This enables you to establish an SSL connection from your laptops, tablets, or smartphones. Click this and the following screen will appear. Here are the field descriptions:
· Mail Subject: Type the subject line for outgoing email from the Zyxel Device.
· Mail To: Type the email address (or addresses) to which the outgoing email is delivered.
· Send Certificate with Private Key: Select the check box to send the selected certificate together with its private key, as a password-protected PKCS #12 file. Anyone who obtains both the file and its password can impersonate the certificate owner, so send the password through a channel other than this email.
· Password: Enter a password of up to 31 keyboard characters to protect the exported private key. The special characters listed in the brackets [;\|`~!@#$%^&*()_+\\{}':,./<>=-"] are allowed.
· E-mail Content: Create the email content in English, and use up to 250 keyboard characters. The special characters listed in the brackets [;\|`~!@#$%^&*()_+\\{}':,./<>=-"] are allowed.
· Compress as a ZIP File: Select the check box to compress the selected certificate. Make sure the endpoint devices can decompress ZIP files before sending the compressed certificate. Compressing is recommended when you send the certificate with its private key, because some email servers block PKCS #12 files.
· Send Email: Click this to send the selected certificate.
· Cancel: Click this to return to the previous screen without saving your changes.
Figure 533 Email My Certificate

#: This field displays the certificate index number. The certificates are listed in alphabetical order.

Name: This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.

Type: This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
CERT represents a certificate issued by a certification authority.

Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.

Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.

Valid From: This field displays the date that the certificate becomes applicable.

Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.

Import: Click Import to open a screen where you can save a certificate to the Zyxel Device.

Refresh: Click Refresh to display the current validity status of the certificates.

39.11.3.1 The My Certificates Add Screen
Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the Zyxel Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.

Figure 534 Configuration > Object > Certificate > My Certificates > Add

The following table describes the labels in this screen.

Table 347 Configuration > Object > Certificate > My Certificates > Add

Name: Type a name to identify this certificate. You can use up to 31 alphanumeric and ;`~!@#$%^&()_+[]{}',.=- characters.

Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although you must specify a Host IP Address, Host IPv6 Address, Host Domain Name, or E-Mail. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.

Host IP Address / Host IPv6 Address / Host Domain Name / E-Mail: Select a radio button to identify the certificate's owner by IP address, domain name or email address. Type the IP address (in dotted decimal notation), domain name or email address in the field provided. The domain name or email address is for identification purposes only and can be any string, although a peer that matches the certificate against the host name or address it connected to will expect it to be accurate.
A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods.
An email address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.

Organizational Unit: Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.

Organization: Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.

Town (City): Identify the town or city where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.

State (Province): Identify the state or province where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.

Country: Enter a two-letter country code to identify the nation where the certificate owner is located.

Key Type: Select RSA to use the Rivest, Shamir and Adleman public-key algorithm. Select DSA to use the Digital Signature Algorithm public-key algorithm.

Key Length: Select a number from the drop-down list box to determine how many bits the key should use (1024 to 2048). The longer the key, the more secure it is; 1024-bit keys are no longer considered adequate, so choose 2048 unless a peer cannot handle it. A longer key also uses more PKI storage space.

LifeTimes: Select how long the certificate is valid. It can be valid from 2 to 10 years.

Extended Key Usage

Server Authentication: Select this to have the Zyxel Device generate and store a request for a server authentication certificate.

Client Authentication: Select this to have the Zyxel Device generate and store a request for a client authentication certificate.

IKE Intermediate: Select this to have the Zyxel Device generate and store a request for an IKE Intermediate authentication certificate.

Create a self-signed certificate: Select this to have the Zyxel Device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.

Create a certification request and save it locally for later manual enrollment: Select this to have the Zyxel Device generate and store a request for a certificate. Copy the certification request from the My Certificate Details screen (see Section 39.11.3.2 on page 810) and then send it to the certification authority.

OK: Click OK to begin certificate or certification request generation.

Cancel: Click Cancel to quit and return to the My Certificates screen.

If you configured the My Certificate Create screen to have the Zyxel Device enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the Zyxel Device to enroll a certificate online.
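The two outputs this screen can produce, a certification request for manual enrollment and a self-signed certificate, as an added example that is not the Zyxel Device's own code. It fills the Subject Information, identifier, Key Length, LifeTimes and Extended Key Usage fields the way the screen does, using Go's standard library; all subject values, host names and addresses are constructed. It also prints the SHA1 and SHA256 fingerprints of the resulting certificate, which are the values the Thumbprint field of Section 39.11.2 and the Fingerprint fields of the Edit screen show for the same file.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// subject mirrors the screen's Subject Information fields (constructed values).
var subject = pkix.Name{
	CommonName:         "vpn.example.com",
	OrganizationalUnit: []string{"IT"},
	Organization:       []string{"Example-Corp"},
	Locality:           []string{"Hsinchu"},
	Province:           []string{"Hsinchu"},
	Country:            []string{"TW"},
}

// The Host Domain Name, Host IP Address and E-Mail identifiers, carried as
// Subject Alternative Names (constructed values).
var hostName, hostIP, email = "vpn.example.com", net.ParseIP("203.0.113.10"), "admin@example.com"

// NewRequest is the "certification request ... for later manual enrollment"
// option: a PKCS#10 request in PEM form that you paste into the CA's web page.
func NewRequest(key *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:        subject,
		DNSNames:       []string{hostName},
		IPAddresses:    []net.IP{hostIP},
		EmailAddresses: []string{email},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// NewSelfSigned is the "Create a self-signed certificate" option: the key signs
// its own certificate for `years` (LifeTimes), with Server and Client
// Authentication selected under Extended Key Usage. Result is binary (DER) X.509.
func NewSelfSigned(key *rsa.PrivateKey, years int) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             now,
		NotAfter:              now.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:              []string{hostName},
		IPAddresses:           []net.IP{hostIP},
		EmailAddresses:        []string{email},
		BasicConstraintsValid: true, // Subject Type=End Entity, not a CA
	}
	// template == parent makes the certificate self-signed.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Fingerprints returns the SHA1 and SHA256 digests of the DER bytes in the
// colon-separated upper-case hex form that certificate viewers display as the
// Thumbprint. Two files with the same SHA1 fingerprint are the same certificate.
func Fingerprints(der []byte) (sha1Hex, sha256Hex string) {
	s1, s256 := sha1.Sum(der), sha256.Sum256(der)
	return colons(s1[:]), colons(s256[:])
}

func colons(b []byte) string {
	h := strings.ToUpper(hex.EncodeToString(b))
	parts := make([]string, 0, len(b))
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // Key Type RSA, Key Length 2048
	if err != nil {
		panic(err)
	}
	csr, _ := NewRequest(key)
	der, _ := NewSelfSigned(key, 2) // LifeTimes: 2 years
	// PEM (Base-64) is the printable form the Edit screen shows for the DER bytes.
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	fmt.Print(string(csr), string(certPEM))
	s1, s256 := Fingerprints(der)
	fmt.Println("SHA1:  ", s1)
	fmt.Println("SHA256:", s256)
}
```

The request carries only the public key; the private key stays on the host that generated it, which is why a CA-issued certificate can later be imported against the request without ever transmitting the key. The fingerprint is a digest of the DER bytes, so converting a binary file to PEM does not change it, but any edit to the certificate contents does.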

39.11.3.2 The My Certificates Edit Screen
Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate's name.

Figure 535 Configuration > Object > Certificate > My Certificates > Edit

The following table describes the labels in this screen.

Table 348 Configuration > Object > Certificate > My Certificates > Edit

Name: This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;`~!@#$%^&()_+[]{}',.=- characters.

Certification Path: This field displays for a certificate, not a certification request. Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The Zyxel Device does not trust the certificate and displays "Not trusted" in this field if any certificate on the path has expired or been revoked.

Refresh: Click Refresh to display the certification path.

Certificate Information: These read-only fields display detailed information about the certificate.

Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). "X.509" means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.

Version: This field displays the X.509 version number.

Serial Number: This field displays the certificate's identification number given by the certification authority or generated by the Zyxel Device.

Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O), State (ST), and Country (C).

Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. "none" displays for a certification request.

Signature Algorithm: This field displays the algorithm that was used to sign the certificate. The Zyxel Device uses rsa-pkcs1-sha1 (an RSA signature over a SHA1 hash). Some certification authorities may use rsa-pkcs1-md5 (an RSA signature over an MD5 hash). Both SHA1 and MD5 are considered weak for signatures; public CAs and current browsers and operating systems reject certificates signed with them, so use a SHA-256-based signature wherever the peer supports it.

Valid From: This field displays the date that the certificate becomes applicable. "none" displays for a certification request.

Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. "none" displays for a certification request.

Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the Zyxel Device uses RSA) and the length of the key in bits (1024 bits for example).

Subject Alternative Name: This field displays the certificate owner's IP address (IP), domain name (DNS) or email address (EMAIL).

Key Usage: This field displays the functions for which the certificate's key can be used. For example, "DigitalSignature" means that the key can be used to sign data such as IKE or TLS handshake messages, and "KeyEncipherment" means that the key can be used to encrypt (wrap) session keys. Signing other certificates requires the separate "KeyCertSign" usage found on CA certificates.

Extended Key Usage: This field displays the purposes the certificate may be used for: server authentication, client authentication, or IKE Intermediate, as selected when the certificate or request was generated.

Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority's certificate and "Path Length Constraint=1" means that at most one further certification authority may follow this one in a certification path. This field does not display for a certification request.

MD5 Fingerprint: This is the certificate's message digest that the Zyxel Device calculated using the MD5 algorithm.

SHA1 Fingerprint: This is the certificate's message digest that the Zyxel Device calculated using the SHA1 algorithm.

Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert a binary certificate into a printable form.
You can copy and paste a certification request into a certification authority's web page, an email that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment.
You can copy and paste a certificate into an email to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via external storage device for example).

Export Certificate Only: Use this button to save a copy of the certificate without its private key. Click this button and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.

Password: If you want to export the certificate with its private key, create a password and type it here. Make sure you keep this password in a safe place. You will need to use it if you import the certificate to another device. The password is the only protection on the exported private key, so choose a strong one.

Export Certificate with Private Key: Use this button to save a copy of the certificate with its private key. Type the certificate's password and click this button. Click Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.

OK: Click OK to save your changes back to the Zyxel Device. You can only change the name.

Cancel: Click Cancel to quit and return to the My Certificates screen.

39.11.3.3 The My Certificates Import Screen
Click Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the Zyxel Device.

Note: You can import a certificate that matches a corresponding certification request that was generated by the Zyxel Device. You can also import a certificate in PKCS#12 format, including the certificate's public and private keys.

The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate's filename before you can import it.
Figure 536 Configuration > Object > Certificate > My Certificates > Import

The following table describes the labels in this screen.

Table 349 Configuration > Object > Certificate > My Certificates > Import

File Path: Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the Zyxel Device.

Browse: Click Browse to find the certificate file you want to upload.

Password: This field only applies when you import a binary PKCS#12 format file. Type the file's password that was created when the PKCS #12 file was exported.

OK: Click OK to save the certificate on the Zyxel Device.

Cancel: Click Cancel to quit and return to the My Certificates screen.

39.11.4 The Trusted Certificates Screen
Click Configuration > Object > Certificate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you have set the Zyxel Device to accept as trusted. The Zyxel Device also accepts any valid certificate signed by a certificate on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certificates. For the same reason, import only CA certificates whose issuance you actually rely on, and verify each one's fingerprint first (Section 39.11.2).
Figure 537 Configuration > Object > Certificate > Trusted Certificates

The following table describes the labels in this screen.

Table 350 Configuration > Object > Certificate > Trusted Certificates

PKI Storage Space in Use: This bar displays the percentage of the Zyxel Device's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.

Edit: Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate.

Remove: The Zyxel Device keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action.

References: You cannot delete certificates that any of the Zyxel Device's features are configured to use. Select an entry and click References to open a screen that shows which settings use the entry.

#: This field displays the certificate index number. The certificates are listed in alphabetical order.

Name: This field displays the name used to identify this certificate.

Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.

Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.

Valid From: This field displays the date that the certificate becomes applicable.

Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.

Import: Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the Zyxel Device.

Refresh: Click this button to display the current validity status of the certificates.

39.11.4.1 The Trusted Certificates Edit Screen
Click Configuration > Object > Certificate > Trusted Certificates and then a certificate's Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate's name and set whether or not you want the Zyxel Device to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority.
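What the Certification Path and revocation settings on this screen decide, as an added example that is not the Zyxel Device's code. Using Go's standard library it builds a constructed two-level hierarchy (a CA certificate of the kind you import here and an end-entity certificate it issued), verifies the path, shows that an expired CA on the path makes the end-entity certificate untrusted even though that certificate is still within its own dates (the "Not trusted" case of Section 39.11.1), and performs the CRL check described in the table below by issuing a CA-signed CRL and looking the serial number up in it. All names and serial numbers are constructed, and the CRL is created locally where a real deployment would fetch it from the configured HTTP or LDAP location.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a 2048-bit RSA key for tmpl and has signer (the parent's
// key) sign it; a nil signer means self-signed. Returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPKI builds the constructed hierarchy: a CA (what you import on the Trusted
// Certificates screen) expiring at caNotAfter, and a two-year end-entity
// certificate it issued (what a remote peer presents). A past caNotAfter yields an expired CA.
func NewPKI(caNotAfter time.Time) (ca *x509.Certificate, caKey *rsa.PrivateKey, leaf *x509.Certificate, err error) {
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             caNotAfter.AddDate(-10, 0, 0),
		NotAfter:              caNotAfter,
		IsCA:                  true, // Basic Constraint: Subject Type=CA
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if ca, caKey, err = issue(caTmpl, nil, nil); err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), // constructed; a real CA assigns this
		Subject:      pkix.Name{CommonName: "vpn-peer.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(2, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"vpn-peer.example.com"},
	}
	leaf, _, err = issue(leafTmpl, ca, caKey)
	return
}

// CertificationPath makes the screen's trust decision: leaf is trusted only if
// it chains to a certificate in the trusted set and every certificate on the
// path is within its validity period now. A nil error means trusted.
func CertificationPath(leaf *x509.Certificate, trusted ...*x509.Certificate) ([]*x509.Certificate, error) {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// CRLRevoked models the CRL check: the CA publishes a CRL listing a revoked
// serial (created locally here; the device fetches it over HTTP or LDAP). The
// CRL's signature is checked against the CA before its contents are believed.
func CRLRevoked(ca *x509.Certificate, caKey *rsa.PrivateKey, leaf *x509.Certificate, revoked *big.Int) (bool, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: time.Now()}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return false, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // an unsigned or tampered CRL must not be trusted
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Verify evaluates the validity dates of every certificate on the chain, not just the end entity, which is exactly why the screen reports "Not trusted" for a leaf whose issuing CA has expired. The CRL step shows the check that must not be skipped when revocation data arrives over plain HTTP or LDAP: the CRL's own signature is verified with the CA certificate first, and a CRL that fails that check is an error, not "no revocations".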

Figure 538 Configuration > Object > Certificate > Trusted Certificates > Edit


The following table describes the labels in this screen.

Table 351 Configuration > Object > Certificate > Trusted Certificates > Edit

LA BEL Name Certification Path
Refresh Enable X.509v3 CRL Distribution Points and OCSP checking OCSP Server
URL ID
Password LDAP Server
Address Port ID
Password Certificate Information Type
Version Serial Number Subject Issuer

DESC RIPTIO N
This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;`~!@#$%^&()_+[]{}',.=- characters.
Click the Re fre sh button to have this read-only text box display the end entity's certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity's certificate. If the issuing certification authority is one that you have imported as a trusted certificate, it may be the only certification authority in the list (along with the end entity's own certificate). The Zyxel Device does not trust the end entity's certificate and displays "Not trusted" in this field if any certificate on the path has expired or been revoked.
Click Re fre sh to display the certification path.
Select this check box to turn on/off certificate revocation. When it is turned on, the Zyxel Device validates a certificate by getting Certificate Revocation List (CRL) through HTTP or LDAP (can be configured after selecting the LDAP Se rve r check box) and online responder (can be configured after selecting the O C SP Se rve r check box).
Select this check box if the directory server uses OCSP (Online Certificate Status Protocol).
Type the protocol, IP address and path name of the OCSP server.
The Zyxel Device may need to authenticate itself in order to assess the OCSP server. Type the login name (up to 31 ASCII characters) from the entity maintaining the server (usually a certification authority).
Type the password (up to 31 ASCII characters) from the entity maintaining the OCSP server (usually a certification authority).
Select this check box if the directory server uses LDAP (Lightweight Directory Access Protocol). LDAP is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates.
Type the IP address (in dotted decimal notation) of the directory server.
Use this field to specify the LDAP server port number. You must use the same server port number that the directory server uses. 389 is the default server port number for LDAP.
The Zyxel Device may need to authenticate itself in order to assess the CRL directory server. Type the login name (up to 31 ASCII characters) from the entity maintaining the server (usually a certification authority).
Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority).
These read-only fields display detailed information about the certificate.
This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
This field displays the X.509 version number.
This field displays the certificate's identification number given by the certification authority.
This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country.

With self-signed certificates, this is the same information as in the Subject Name field.

ZyWALL USG FLEX Series User's Guide
817

Chapter 39 Object

Table 351 Configuration > Object > Certificate > Trusted Certificates > Edit (continued)

LABEL

DESCRIPTION

Signature Algorithm

This field displays the algorithm that was used to sign the certificate, for example rsa-pkcs1-sha1 (RSA with the SHA-1 hash) or rsa-pkcs1-md5 (RSA with the MD5 hash). Collisions are practical for both MD5 and SHA-1, so neither is acceptable for certificate signatures any more; a current certification authority signs with SHA-256 or stronger (rsa-pkcs1-sha256, for example), and a certificate still signed with MD5 or SHA-1 should be replaced rather than trusted.

Valid From

This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.

Valid To

This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.

Key Algorithm

This field displays the type of algorithm that was used to generate the certificate's key pair (the Zyxel Device uses RSA encryption) and the length of the key in bits (1024 bits for example). A 1024-bit RSA key is below current minimum recommendations; prefer certificates with 2048-bit or longer keys.

Subject Alternative Name

This field displays the certificate owner's IP address (IP), domain name (DNS) or email address (EMAIL).

Key Usage

This field displays the purposes for which the certificate's key may be used, as set in the X.509 Key Usage extension. For example, "DigitalSignature" means that the key can be used to sign data (handshake messages, for instance), "KeyEncipherment" means that the key can be used to encrypt (wrap) a session key, and "KeyCertSign" means that the key can be used to sign other certificates; only a certificate whose key usage permits certificate signing should be relied on as an issuing CA.

Extended Key Usage

This field displays the purposes the certificate may be used for under the X.509 Extended Key Usage extension: server authentication, client authentication, or IKE Intermediate authentication.

Basic Constraint

This field displays the certificate's Basic Constraints extension. For example, Subject Type=CA means that this is a certification authority's certificate and "Path Length Constraint=1" means that at most one further intermediate certification authority certificate may appear below it in the certificate's path.

MD5 Fingerprint

This is the certificate's message digest that the Zyxel Device calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. MD5 collisions are practical, so do not rely on the MD5 value alone; compare the SHA1 fingerprint as well, and compare the whole value rather than just the first few characters.

SHA1 Fingerprint

This is the certificate's message digest that the Zyxel Device calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. SHA-1 collisions have also been demonstrated, so if the certification authority publishes a SHA-256 fingerprint, compare that one in addition.

Certificate

This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM wraps the binary (DER) certificate in Base64 text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines so that it can be pasted into any text field. A trusted certificate has no private key on the Zyxel Device, so the text contains only public data.

Export Certificate

You can copy and paste the certificate into an email to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via external storage device for example). Click this button and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.

OK

Click OK to save your changes back to the Zyxel Device. You can only change the name.

Cancel

Click Cancel to quit and return to the Trusted Certificates screen.
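Every field in the table above is read from the certificate's DER encoding, and the fingerprints are hashes of that same encoding. The following added example (written for this guide, not Zyxel code) parses those fields from a PEM certificate with only the Python standard library and flags the weak values called out above: MD5 or SHA-1 signatures and RSA keys shorter than 2048 bits. The certificate it parses is constructed inside the script with a filler signature so the parser can be exercised offline; the names (usg-flex-lab, Example Root CA) are made up.

```python
"""Parse the X.509 fields shown on the Trusted Certificates screen from a PEM certificate
with the standard library only.  Added example; the sample certificate is constructed
below with a filler signature, so it exercises the parser and nothing else."""
import base64
import hashlib

# DER bodies of the object identifiers the sample needs (tag 0x06 is added by tlv()).
OIDS = {"rsaEncryption": "2a864886f70d010101", "sha1WithRSA": "2a864886f70d010105",
        "sha256WithRSA": "2a864886f70d01010b", "commonName": "550403"}

# ---- minimal DER encoder, used only to build the constructed sample ----
def tlv(tag, body):                      # tag, DER length (short or long form), value
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):                          # unsigned INTEGER; the extra byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def alg_id(oid_name):                    # AlgorithmIdentifier with NULL parameters
    return seq(tlv(0x06, bytes.fromhex(OIDS[oid_name])), tlv(0x05, b""))

def name(cn):                            # Name ::= SEQUENCE OF SET OF {type, value}; CN only
    return seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex(OIDS["commonName"])), tlv(0x0C, cn.encode()))))

def build_sample_cert(subject_cn, issuer_cn, serial, sig_alg_name, key_bits, not_before, not_after):
    """Constructed sample: X.509 v3 layout, RSA key of the requested size, filler signature."""
    modulus = (1 << (key_bits - 1)) | 1  # any odd number with exactly key_bits bits will do
    rsa_key = seq(integer(modulus), integer(65537))
    spki = seq(alg_id("rsaEncryption"), tlv(0x03, b"\x00" + rsa_key))   # BIT STRING, 0 unused bits
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), alg_id(sig_alg_name), name(issuer_cn),
              seq(tlv(0x17, not_before.encode()), tlv(0x17, not_after.encode())),
              name(subject_cn), spki)
    der = seq(tbs, alg_id(sig_alg_name), tlv(0x03, b"\x00" * 17))        # filler signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# ---- DER decoder; single-byte tags are enough for X.509 ----
def read_tlv(buf, pos=0):
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                         # long form: the low 7 bits say how many length bytes follow
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def children(body):                      # the elements inside a SEQUENCE / SET / explicit tag
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

SIG_ALGS = {"1.2.840.113549.1.1.4": "rsa-pkcs1-md5", "1.2.840.113549.1.1.5": "rsa-pkcs1-sha1",
            "1.2.840.113549.1.1.11": "rsa-pkcs1-sha256"}
WEAK_SIG_ALGS = {"rsa-pkcs1-md5", "rsa-pkcs1-sha1"}

def common_name(name_body):              # first CN attribute found in the Name
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, attr_oid), (_, value) = children(atv)
            if decode_oid(attr_oid) == "2.5.4.3":
                return value.decode()

def parse_certificate(pem):
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tbs, alg, _signature = children(read_tlv(der)[1])
    fields = children(tbs[1])
    has_version = fields[0][0] == 0xA0   # [0] EXPLICIT version; stored value 2 means v3
    version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1 if has_version else 1
    serial, _tbs_alg, issuer, validity, subject, spki = fields[1:7] if has_version else fields[:6]
    sig_oid = decode_oid(children(alg[1])[0][1])
    sig_name = SIG_ALGS.get(sig_oid, sig_oid)
    not_before, not_after = (v.decode() for _, v in children(validity[1]))
    pk_alg, pk_bits = children(spki[1])
    key_bits = None
    if decode_oid(children(pk_alg[1])[0][1]) == "1.2.840.113549.1.1.1":   # rsaEncryption
        rsa_key = children(pk_bits[1][1:])[0][1]                          # skip unused-bits byte
        key_bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
    warnings = [w for w, bad in (("signed with a broken hash (MD5/SHA-1)", sig_name in WEAK_SIG_ALGS),
                                 ("RSA key shorter than 2048 bits", bool(key_bits) and key_bits < 2048)) if bad]
    return {"version": version, "serial": hex(int.from_bytes(serial[1], "big")),
            "signature_algorithm": sig_name, "issuer": common_name(issuer[1]),
            "subject": common_name(subject[1]), "self_signed": issuer[1] == subject[1],
            "valid_from": not_before, "valid_to": not_after, "key_bits": key_bits,
            "md5_fingerprint": hashlib.md5(der).hexdigest(),
            "sha1_fingerprint": hashlib.sha1(der).hexdigest(),
            "sha256_fingerprint": hashlib.sha256(der).hexdigest(), "warnings": warnings}
```

Running `parse_certificate(build_sample_cert("usg-flex-lab", "usg-flex-lab", 0x1001, "sha1WithRSA", 1024, "200101000000Z", "301231235959Z"))` yields a self-signed v3 certificate with both warnings set; the same call with "sha256WithRSA" and 2048 bits yields none. The fingerprints are computed over the whole DER blob, which is why the value you read off the screen must match the CA's published one exactly, not just its first bytes.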

39.11.4.2 The Trusted Certificates Import Screen
Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the Zyxel Device.

Note: You must remove any spaces from the certificate's filename before you can import the certificate.

Figure 539 Configuration > Object > Certificate > Trusted Certificates > Import

The following table describes the labels in this screen.

Table 352 Configuration > Object > Certificate > Trusted Certificates > Import

LABEL

DESCRIPTION

File Path

Type in the location of the file you want to upload in this field or click Browse to find it.

You cannot import a certificate with the same name as a certificate that is already in the Zyxel Device.

Browse

Click Browse to find the certificate file you want to upload.

OK

Click OK to save the certificate on the Zyxel Device.

Cancel

Click Cancel to quit and return to the previous screen.

39.11.5 Certificates Technical Reference

OCSP

OCSP (Online Certificate Status Protocol) allows an application or device to check whether a certificate is valid. With OCSP the Zyxel Device checks the status of individual certificates instead of downloading a Certificate Revocation List (CRL). OCSP has two main advantages over a CRL. The first is real-time status information. The second is a reduction in network traffic since the Zyxel Device only gets information on the certificates that it needs to verify, not a huge list. When the Zyxel Device requests certificate status information, the OCSP responder returns a signed response whose status is "good", "revoked" or "unknown" (RFC 6960). An "unknown" status, or no response at all because the responder cannot be reached, is not the same as "good"; treat such a certificate as unverified.

39.12 ISP Account Overview
Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP/L2TP interfaces. An ISP account is a profile of settings for Internet access using PPPoE, PPTP or L2TP. Use the Object > ISP Account screens (Section 39.12.1 on page 819) to create and manage ISP accounts in the Zyxel Device.
39.12.1 ISP Account Summary
This screen provides a summary of ISP accounts in the Zyxel Device. To access this screen, click Configuration > Object > ISP Account.

Figure 540 Configuration > Object > ISP Account

The following table describes the labels in this screen. See the ISP Account Add/Edit section below for more information as well.

Table 353 Configuration > Object > ISP Account

LABEL

DESCRIPTION

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific entry.

Profile Name

This field displays the profile name of the ISP account. This name is used to identify the ISP account.

Protocol

This field displays the protocol used by the ISP account.

Authentication Type

This field displays the authentication type used by the ISP account.

User Name

This field displays the user name of the ISP account.

39.12.1.1 ISP Account Add/Edit
The ISP Account Add/Edit screen lets you add information about new accounts and edit information about existing accounts. To open this window, open the ISP Account screen. (See Section 39.12.1 on page 819.) Then, click on an Add icon or Edit icon to open the ISP Account Edit screen below.

Figure 541 Configuration > Object > ISP Account > Edit

The following table describes the labels in this screen.

Table 354 Configuration > Object > ISP Account > Edit

LABEL

DESCRIPTION

Profile Name

This field is read-only if you are editing an existing account. Type in the profile name of the ISP account. The profile name is used to refer to the ISP account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Protocol

This field is read-only if you are editing an existing account. Select the protocol used by the ISP account. Your ISP will provide you with a related username, password and IP (server) information. Options are:

pppoe - This ISP account uses the PPPoE protocol.

pptp - This ISP account uses the PPTP protocol.

l2tp - This ISP account uses the L2TP protocol.

Authentication Type

Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:

CHAP/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by this remote node.

Chap - Your Zyxel Device accepts CHAP only.

PAP - Your Zyxel Device accepts PAP only.

MSCHAP - Your Zyxel Device accepts MSCHAP only.

MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only.

Note: PAP sends the user name and password in cleartext over the link. Select Chap or MSCHAP-V2 if the ISP supports them; CHAP/PAP lets the remote side choose PAP.

Encryption Method

This field is available if this ISP account uses the PPTP protocol. Use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE). Options are:

nomppe - This ISP account does not use MPPE.

mppe-40 - This ISP account uses 40-bit MPPE. A 40-bit RC4 key is short enough to be brute-forced; use it only if the server offers nothing stronger.

mppe-128 - This ISP account uses 128-bit MPPE.

User Name

Type the user name given to you by your ISP.


Table 354 Configuration > Object > ISP Account > Edit (continued)

LABEL

DESCRIPTION

Password

Type the password associated with the user name above. The password can only consist of alphanumeric characters (A-Z, a-z, 0-9). This field can be blank.

Retype to Confirm

Type your password again to make sure that you have entered it correctly.

IP Address/FQDN

Enter the IP address or Fully-Qualified Domain Name (FQDN) of the PPTP or L2TP server.

Connection ID

This field is available if this ISP account uses the PPTP protocol. Type your identification name for the PPTP server. This field can be blank.

Service Name

If this ISP account uses the PPPoE protocol, type the PPPoE service name to access. PPPoE uses the specified service name to identify and reach the PPPoE server. This field can be blank.

Compression

If this ISP account uses the PPTP protocol, this field is not displayed. Select On to turn on Stac compression, and select Off to turn off Stac compression. Stac compression is a data compression technique capable of compressing data by a factor of about four.

Idle Timeout

This value specifies the number of seconds that must elapse without outbound traffic before the Zyxel Device automatically disconnects from the PPPoE/PPTP server. This value must be an integer between 0 and 360. If this value is zero, this timeout is disabled.

OK

Click OK to save your changes back to the Zyxel Device. If there are no errors, the program returns to the ISP Account screen. If there are errors, a message box explains the error, and the program stays in the ISP Account Edit screen.

Cancel

Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists).
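The Authentication Type options differ mainly in what crosses the link. The following added example (written for this guide, not Zyxel code; the user database, account name and secret are made up) shows a PAP request next to a complete CHAP exchange as RFC 1994 defines it, with the authenticator's verification and a replay check. MSCHAP and MSCHAP-V2 follow the same challenge/response pattern with a different response computation and are not implemented here.

```python
"""PAP and CHAP on a PPP link.  Added example for this guide, not Zyxel code; the user
database and credentials are constructed.  PAP is RFC 1334, CHAP is RFC 1994."""
import hashlib
import hmac
import os

# --- PAP: the peer sends its ID and password as they are ---
def pap_request(peer_id, password):
    return {"peer_id": peer_id, "password": password}   # both fields readable by anyone on the path

def pap_verify(request, user_db):
    stored = user_db.get(request["peer_id"])
    return stored is not None and hmac.compare_digest(stored.encode(), request["password"].encode())

# --- CHAP: the authenticator sends a Challenge, the peer answers with a hash; the secret is never sent ---
def chap_challenge(identifier, size=16):
    return {"id": identifier & 0xFF, "value": os.urandom(size)}   # fresh random value each time

def _chap_digest(identifier, secret, value):
    # Response Value = MD5(Identifier || secret || Challenge Value), RFC 1994 section 4.1
    return hashlib.md5(bytes([identifier]) + secret.encode() + value).digest()

def chap_response(challenge, secret, name):
    return {"id": challenge["id"], "name": name,
            "value": _chap_digest(challenge["id"], secret, challenge["value"])}

def chap_verify(challenge, response, user_db):
    """Authenticator side: recompute the digest from its own copy of the secret and compare."""
    secret = user_db.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = _chap_digest(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])

def chap_exchange(user_db, name, secret, identifier=1):
    """One Challenge -> Response -> Success/Failure round, both sides in one place."""
    challenge = chap_challenge(identifier)                 # authenticator -> peer
    response = chap_response(challenge, secret, name)      # peer -> authenticator
    return chap_verify(challenge, response, user_db)       # authenticator's verdict
```

With PAP, `pap_request()` is the whole secret on the wire. With CHAP, an observer sees only the challenge and a 16-byte digest, and because the challenge changes every time, replaying a captured response to a new challenge fails. CHAP's digest still allows an offline dictionary attack on a weak secret from a captured challenge/response pair, so the account password should be long and random even when CHAP is selected.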

39.13 DHCPv6 Overview
This section describes how to configure DHCPv6 request type and lease type objects.
· The Request screen (see Section 39.13.1 on page 822) allows you to configure DHCPv6 request type objects.
· The Lease screen (see Section 39.13.2 on page 824) allows you to configure DHCPv6 lease type objects.
39.13.1 The DHCPv6 Request Screen
The Request screen allows you to add, edit, and remove DHCPv6 request type objects. To access this screen, login to the Web Configurator, and click Configuration > Object > DHCPv6 > Request.
Figure 542 Configuration > Object > DHCPv6 > Request


The following table describes the labels in this screen.

Table 355 Configuration > Object > DHCPv6 > Request

LABEL

DESCRIPTION

Configuration

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific object.

Name

This field displays the name of each request object.

Type

This field displays the request type of each request object.

Interface

This field displays the interface used for each request object.

Value

This field displays the value for each request object.

39.13.1.1 DHCPv6 Request Add/Edit Screen
The Request Add/Edit screen allows you to create a new request object or edit an existing one.
To access this screen, go to the Request screen (see Section 39.13.1 on page 822), and click either the Add icon or an Edit icon.
Figure 543 Configuration > DHCPv6 > Request > Add

The following table describes the labels in this screen.

Table 356 Configuration > DHCPv6 > Request > Add

LABEL

DESCRIPTION

Name

Type the name for this request object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Request Type

Select the request type for this request object. You can choose from Prefix Delegation, DNS Server, NTP Server, or SIP Server.

Interface

Select the interface for this request object.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.

39.13.2 The DHCPv6 Lease Screen
The Lease screen allows you to add, edit, and remove DHCPv6 lease type objects. To access this screen, login to the Web Configurator, and click Configuration > Object > DHCPv6 > Lease.
Figure 544 Configuration > Object > DHCPv6 > Lease

The following table describes the labels in this screen.

Table 357 Configuration > Object > DHCPv6 > Lease

LABEL

DESCRIPTION

Configuration

Add

Click this to create a new entry.

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove

To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

References

Select an entry and click References to open a screen that shows which settings use the entry.

#

This field is a sequential value, and it is not associated with a specific object.

Name

This field displays the name of each lease object.

Type

This field displays the request type of each lease object.

Interface

This field displays the interface used for each lease object.

Value

This field displays the value for each lease object.

39.13.2.1 DHCPv6 Lease Add/Edit Screen
The Lease Add/Edit screen allows you to create a new lease object or edit an existing one.
To access this screen, go to the Lease screen (see Section 39.13.2 on page 824), and click either the Add icon or an Edit icon.
Figure 545 Configuration > DHCPv6 > Lease > Add


The following table describes the labels in this screen.

Table 358 Configuration > DHCPv6 > Lease > Add/Edit

LABEL

DESCRIPTION

Name

Type the name for this lease object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Lease Type

Select the lease type for this lease object. You can choose from Prefix Delegation, DNS Server, Address, Address Pool, NTP Server, or SIP Server.

Interface

Select the interface for this lease object.

DUID

If you select Prefix Delegation or Address in the Lease Type field, enter the DUID of the interface.

Address

If you select Address in the Lease Type field, enter the IP address of the DHCPv6 server.

Prefix

If you select Prefix Delegation or Address in the Lease Type field, enter the IPv6 prefix of the interface.

DNS Server

If you select DNS Server in the Lease Type field, select a request object or User Defined in the DNS Server field and enter the IP address of the DNS server in the User Defined Address field below.

Starting IP Address

If you select Address Pool in the Lease Type field, enter the first of the contiguous addresses in the IP address pool.

End IP Address

If you select Address Pool in the Lease Type field, enter the last of the contiguous addresses in the IP address pool.

NTP Server

If you select NTP Server in the Lease Type field, select a request object or User Defined in the NTP Server field and enter the IP address of the NTP server in the User Defined Address field below.

SIP Server

If you select SIP Server in the Lease Type field, select a request object or User Defined in the SIP field and enter the IP address of the SIP server in the User Defined Address field below.

User Defined Address

If you select DNS Server, NTP Server, or SIP Server as your lease type, you must enter the IP address of the server you selected.

OK

Click OK to save your changes back to the Zyxel Device.

Cancel

Click Cancel to exit this screen without saving your changes.
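The DUID field above ties a Prefix Delegation or Address lease to one client by its DHCP Unique Identifier. The following added example (written for this guide, not Zyxel code) decodes the four DUID forms defined in RFC 8415 section 11, so you can confirm that the value you are about to enter identifies the intended client, for instance by checking that a DUID-LLT or DUID-LL carries that client's MAC address. The sample DUIDs are constructed, and the colon- or dash-separated hex input form is an assumption about how the value is copied from the client.

```python
"""Decode a DHCPv6 DUID (RFC 8415 section 11).  Added example for this guide, not Zyxel
code; the sample values are constructed and the hex input form is an assumption."""
import uuid
from datetime import datetime, timedelta, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)     # DUID-LLT time base
HW_TYPES = {1: "Ethernet", 6: "IEEE 802", 27: "EUI-64"}    # IANA ARP hardware types (subset)

def parse_duid(text):
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if not 2 <= len(raw) <= 130:                           # RFC 8415: at most 130 octets
        raise ValueError("DUID must be 2 to 130 octets")
    duid_type, body = int.from_bytes(raw[:2], "big"), raw[2:]
    if duid_type == 1:                                     # DUID-LLT: hw type, time, link-layer address
        if len(body) < 7:
            raise ValueError("DUID-LLT needs hardware type, time and a link-layer address")
        hw, secs = int.from_bytes(body[:2], "big"), int.from_bytes(body[2:6], "big")
        return {"type": "DUID-LLT", "hw_type": HW_TYPES.get(hw, hw),
                "time": DUID_EPOCH + timedelta(seconds=secs), "link_layer": body[6:].hex(":")}
    if duid_type == 2:                                     # DUID-EN: enterprise number + vendor id
        if len(body) < 5:
            raise ValueError("DUID-EN needs an enterprise number and an identifier")
        return {"type": "DUID-EN", "enterprise": int.from_bytes(body[:4], "big"),
                "identifier": body[4:].hex()}
    if duid_type == 3:                                     # DUID-LL: hw type, link-layer address
        if len(body) < 3:
            raise ValueError("DUID-LL needs a hardware type and a link-layer address")
        hw = int.from_bytes(body[:2], "big")
        return {"type": "DUID-LL", "hw_type": HW_TYPES.get(hw, hw), "link_layer": body[2:].hex(":")}
    if duid_type == 4:                                     # DUID-UUID: exactly 128 bits
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry exactly 16 octets")
        return {"type": "DUID-UUID", "uuid": str(uuid.UUID(bytes=body))}
    return {"type": f"unknown({duid_type})", "payload": body.hex()}

def make_duid_llt(mac, when, hw_type=1):
    """Build the DUID-LLT a client derives from its MAC address and the time it was generated."""
    secs = int((when - DUID_EPOCH).total_seconds()) & 0xFFFFFFFF   # time field is modulo 2**32
    raw = (1).to_bytes(2, "big") + hw_type.to_bytes(2, "big") + secs.to_bytes(4, "big")
    return (raw + bytes.fromhex(mac.replace(":", "").replace("-", ""))).hex(":")

if __name__ == "__main__":
    # Constructed sample DUIDs, one per type, in the form a client's lease file might show.
    for sample in ("00:01:00:01:2a:1b:3c:4d:00:11:22:33:44:55",
                   "00:02:00:00:00:00:01:02:03:04",
                   "00:03:00:01:00:11:22:33:44:55",
                   "00:04:" + ":".join(["00"] * 16)):
        print(parse_duid(sample))
```

A DUID-LLT or DUID-LL that decodes to a different MAC address than the client you meant is the most common mistake when this field is filled by hand; a DUID-EN or DUID-UUID carries no MAC at all and has to be read from the client's own DHCPv6 configuration.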

CHAPTER 40 Device HA
40.1 Device HA Overview
Device HA lets a backup (or passive) Zyxel Device (B) automatically take over if the master (or active) Zyxel Device (A) fails.
Figure 546 Device HA Backup Taking Over for the Master
40.1.1 What You Can Do in These Screens
· Use the Device HA Status screen (Section 40.2 on page 826) to see the license status for Device HA Pro, and see the status of the active and passive devices.
· Use the Device HA Pro screen (Section 40.3 on page 828) to configure Device HA Pro global settings, monitored interfaces and synchronization settings.
· Use the View Log screen (Section 40.4 on page 831) to see logs of the active and passive devices.
40.2 Device HA Status
Use this screen to view Device HA Pro license status and details on the active and passive Zyxel Devices. Go to Configuration > Device HA > Device HA Status to view the following screen.
Figure 547 Configuration > Device HA > Device HA Status

The following table describes the labels in this screen.

Table 359 Configuration > Device HA > Device HA Status

LABEL

DESCRIPTION

Active Device Status

This section displays information on the active Zyxel Device with an activated Device HA Pro license.

Health Status

This displays Off or On depending on whether Device HA Pro is disabled or enabled on the active Zyxel Device.

S/N

This displays the serial number of the active Zyxel Device.

Virtual MAC

This displays the hardware MAC address of the active Zyxel Device with an activated Device HA Pro license.

Synch Status

This displays the synchronization progress, No Progress / Fail / Abort / Success / In Progress, between the active Zyxel Device with an activated Device HA Pro license and the passive Zyxel Device.

Passive Device Status

This section displays information on the passive Zyxel Device with an activated Device HA Pro license.

Health Status

This displays Off or On depending on whether Device HA Pro is disabled or enabled on the passive Zyxel Device.

S/N

This displays the serial number of the passive Zyxel Device.

Virtual MAC

This displays the hardware MAC address of the passive Zyxel Device.

Synch Status

This displays the synchronization progress, No Progress / Fail / Abort / Success / In Progress, between the passive Zyxel Device with an activated Device HA Pro license and the active Zyxel Device.

Device HA Pro License

These are the steps to activate a Device HA Pro license on your active and passive Zyxel Devices.

1. See your Device HA Pro iCard. The card contains two keys.

2. Register your active and passive Zyxel Devices at myZyxel.

3. Activate the license by entering one key on the active Zyxel Device and the other key on the passive Zyxel Device. It doesn't matter which Zyxel Device is actually active or passive as this is dynamic in Device HA Pro.


Table 359 Configuration > Device HA > Device HA Status (continued)

LABEL

DESCRIPTION

Service Status

This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn't a license to be activated for this service.

If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license. Then, click Activate to connect with the myZyxel server to activate the new license.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

40.3 Device HA Pro
You need a license to use Device HA Pro. Device HA Pro is easier to deploy than Device HA, is more reliable (no risk of overloading), and faster (Device HA causes a connection break of 10~30 seconds while Device HA Pro just has 1~2 seconds). In addition to the configuration file backup in Device HA, device time, TCP sessions (IPv4/IPv6), IPSec VPN sessions, login/logout information, DHCP table, IP/MAC binding table and license status can also be backed up using Device HA Pro.
Active and Passive Devices
Device HA Pro uses a dedicated heartbeat link between an active device ('master') and a passive device ('backup') for status syncing and backup to the passive device. On the passive device, all ports are disabled except for the port with the heartbeat link.
In the following example, Zyxel Device A is the active device that is connected to passive device Zyxel Device B via a dedicated link that is used for heartbeat control, configuration synchronization and troubleshooting. All links on Zyxel Device B are down except for the dedicated heartbeat link.
Note: The dedicated heartbeat link port must be the highest-numbered copper Ethernet port on each Zyxel Device for Device HA Pro to work.
Figure 548 Device HA Pro

Failover from the active Zyxel Device to the passive Zyxel Device is activated when: · A monitored interface is down. · A monitored service (daemon) is down. · The heartbeat link exceeds the failure tolerance.
After failover, the original active Zyxel Device becomes the passive Zyxel Device once it recovers.
40.3.1 Deploying Device HA Pro
1 Register either the active or passive Zyxel Device with a Device HA Pro license at myZyxel. Check that it's properly licensed in Licensing > Registration > Service in the active Zyxel Device.
2 Make sure the passive Zyxel Device is offline, then enable Device HA in Device HA > General in the passive Zyxel Device.
3 Make sure the FTP port in System > FTP (default 21) is the same on both Zyxel Devices. FTP is used for transferring files in the event of failover from active to passive Zyxel Device. FTP carries credentials and file contents in cleartext, so keep the heartbeat link a direct cable between the two devices rather than routing it through a shared network.
4 Connect the passive Zyxel Device to the active Zyxel Device using the highest-numbered copper Ethernet ports on both Zyxel Devices. This is the heartbeat interface. Make sure that this interface is not already configured for other features such as LAG, VLAN, Bridge.
5 If both Zyxel Devices are turned on at the same time with Device HA enabled, then they may send the heartbeat at the same time. In this case, the Zyxel Device with the bigger MAC address becomes the passive Zyxel Device.
6 When using Device HA Pro to synchronize firmware, the location of the running firmware must be the same in both active and passive Zyxel Devices. For example, if the running firmware is in partition 1 in the active Zyxel Device (standby firmware in partition 2), then the running firmware must also be in partition 1 in the passive Zyxel Device (standby firmware in partition 2).
40.3.2 Configuring Device HA Pro
Go to Configuration > Device HA > Device HA Pro and configure the following screen.
Figure 549 Configuration > Device HA > Device HA Pro

The following table describes the labels in this screen.

Table 360 Configuration > Device HA > Device HA Pro

LABEL

DESCRIPTION

Enable Device HA

Select this to turn the Zyxel Device's Device HA Pro feature on.

Enable Configuration Provisioning From Active Device.

Select this to have a passive Zyxel Device copy the active Zyxel Device's configuration, signatures (anti-malware, IDP/application patrol, URL Threat filter, and IP reputation), and certificates.

Serial Number of Licensed Device for License Synchronization

Type the serial number of the Zyxel Device (active or passive) with the Device HA Pro subscribed license.

Note: Only Zyxel Devices of the same model and firmware version can synchronize.

Active Device Management IP

Type the IPv4 address of the highest-numbered copper Ethernet port on the active Zyxel Device (the heartbeat dedicated link port).

Passive Device Management IP

Type the IPv4 address of the highest-numbered copper Ethernet port on the passive Zyxel Device (the heartbeat dedicated link port).

Note: The active and passive Zyxel Device Management IP addresses must be in the same subnet.

Subnet Mask

Type the subnet mask for the management IP addresses.


Table 360 Configuration > Device HA > Device HA Pro (continued)

LABEL

DESCRIPTION

Password

Type a synchronization password of between 1 and 32 single-byte printable characters. You will be prompted for the password before synchronization takes place.

Retype to Confirm

Type the exact same synchronization password as typed above.

Heartbeat Interval

Type the number of seconds (1-10) allowed for absence of a heartbeat signal before a failure of the active Zyxel Device is recorded.

Heartbeat Lost Tolerance

Type the number of heartbeat failures allowed before failover is activated on the passive Zyxel Device.

Monitor Interface Failover Detection

Select an interface in Available Interfaces and click the right-arrow button to move it to Monitor Interface to make it a Device HA Pro monitored interface. To remove a Device HA Pro monitored interface, select it in Monitor Interface and click the left-arrow button to move it back to Available Interfaces.

Enable Failover When Interface Failure (Option)

Select this to have the passive Zyxel Device take over when a monitored interface fails.

Enable Failover When Device Service Fails (Option)

Select this to have the passive Zyxel Device take over when a monitored service daemon on the active Zyxel Device fails.

Apply

Click Apply to save your Device HA Pro configurations back to the Zyxel Device but keep the Zyxel Device using Device HA (general).

Reset

Click Reset to return the screen to its last-saved settings.
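Heartbeat Interval, Heartbeat Lost Tolerance, the monitored interfaces and the two failover options together decide when the passive device takes over, and the deployment steps add the MAC tie-break for a simultaneous boot. The following added model (written for this guide, not Zyxel firmware; the interface, service and MAC values are made up) puts that decision in simulated time so you can check what a given interval and tolerance mean in seconds before committing them.

```python
"""Model of the Device HA Pro failover decision: heartbeat interval and lost tolerance,
monitored interfaces and services, and the MAC tie-break when both devices boot at once.
Added example for this guide, not Zyxel firmware; time is simulated in seconds."""
from dataclasses import dataclass, field


@dataclass
class PassiveDevice:
    heartbeat_interval: int                  # seconds without a heartbeat = one failure (1-10)
    lost_tolerance: int                      # failures allowed before failover
    monitored_interfaces: set = field(default_factory=set)
    failover_on_interface: bool = True       # "Enable Failover When Interface Failure"
    failover_on_service: bool = True         # "Enable Failover When Device Service Fails"
    last_heartbeat: float = 0.0
    missed: int = 0
    role: str = "passive"
    reason: str = ""

    def __post_init__(self):
        if not 1 <= self.heartbeat_interval <= 10:
            raise ValueError("Heartbeat Interval must be 1-10 seconds")

    def _take_over(self, reason):
        self.role, self.reason = "active", reason
        return reason

    def on_heartbeat(self, now, interfaces_down=(), services_down=()):
        """A heartbeat arrived from the active device, carrying its interface/service state."""
        if self.role == "active":
            return None
        self.last_heartbeat, self.missed = now, 0
        bad = self.monitored_interfaces & set(interfaces_down)
        if self.failover_on_interface and bad:
            return self._take_over(f"monitored interface down: {sorted(bad)}")
        if self.failover_on_service and services_down:
            return self._take_over(f"monitored service down: {sorted(services_down)}")
        return None

    def on_tick(self, now):
        """Periodic check: each full interval with no heartbeat counts as one failure."""
        if self.role == "active":
            return None
        self.missed = int((now - self.last_heartbeat) // self.heartbeat_interval)
        if self.missed > self.lost_tolerance:
            return self._take_over(f"heartbeat lost: {self.missed} misses > tolerance {self.lost_tolerance}")
        return None


def elect_roles(mac_a, mac_b):
    """Both devices booted together with Device HA enabled: the bigger MAC becomes passive."""
    a, b = (int(m.replace(":", "").replace("-", ""), 16) for m in (mac_a, mac_b))
    if a == b:
        raise ValueError("the two devices must have different MAC addresses")
    return ("passive", "active") if a > b else ("active", "passive")


def failover_time_after_silence(interval, tolerance, last_heartbeat=4, tick=1):
    """Heartbeats stop after `last_heartbeat`; return the tick at which failover fires.
    Shows what an interval/tolerance pair means in wall-clock seconds of outage."""
    dev = PassiveDevice(interval, tolerance)
    dev.on_heartbeat(last_heartbeat)
    t = last_heartbeat
    while True:
        t += tick
        if dev.on_tick(t):
            return t
```

`failover_time_after_silence(10, 5)` returns 64: with the maximum interval and a tolerance of 5, the passive device waits a full minute after the last heartbeat before taking over, while `(1, 0)` fails over one second after silence begins. Interface and service failures reported inside a heartbeat trigger failover immediately, but only for interfaces that are in the monitored set and only when the corresponding option is enabled.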

40.4 View Log
Use this screen to see Device HA Pro logs on the active and passive Zyxel Devices. Go to Configuration > Device HA > View Log to display the following screen.

Figure 550 Configuration > Device HA > View Log

The following table describes the labels in this screen.

Table 361 Configuration > Device HA > View Log

LABEL

DESCRIPTION

Logs

Active Device

This displays Device HA Pro logs on the active Zyxel Device.

Passive Device

This displays Device HA Pro logs on the passive Zyxel Device.

Refresh

Click Refresh to update information in this screen.

CHAPTER 41 Cloud CNM
41.1 Cloud CNM Overview
You need licenses to use Cloud CNM SecuManager and Cloud CNM SecuReporter. You need the SecuManager license to get a CNM ID with which you can access the SecuManager server. It is independent of the Zyxel Devices. The SecuReporter license must be activated on each Zyxel Device.
41.1.1 What You Can Do in this Chapter
· Use the Cloud CNM > SecuManager screen (Section 41.2 on page 833) to enable and configure management of the Zyxel Device by a Central Network Management system.
· Use the Cloud CNM > SecuReporter screen (Section 41.3 on page 836) to enable SecuReporter logging on your Zyxel Device, see license status, type, expiration date and access a link to the SecuReporter web portal. The SecuReporter web portal collects and analyzes logs from your Zyxel Device in order to identify anomalies, alert on potential internal / external threats, and report on network usage.
41.2 Cloud CNM SecuManager
Cloud CNM SecuManager is a Virtual Machine-based (VM) management system that uses the TR-069 protocol to encapsulate commands to ZyWALL/USG devices for management and monitoring; these devices must have firmware that supports the TR-069 protocol. In the following figure, SP is the management service provider, while A and B are sites with devices being managed by SP.
Figure 551 Cloud CNM SecuManager Example Network Topology
Cloud CNM SecuManager features include:
· Batch import of managed devices at one time using one CSV file
· See an overview of all managed devices and system information in one place
· Monitor and manage devices
· Install firmware to multiple devices of the same model at one time
· Backup and restore device configuration
· View the location of managed devices on a map
· Receive notification for events and alarms, such as when a device goes down
· Graphically monitor individual devices and see related statistics
· Directly access a device for remote configuration
· Create four types of administrators with different privileges
· Perform Site-to-Site, Hub & Spoke, Fully-meshed and Remote Access VPN provisioning.
To allow Cloud CNM SecuManager management of your Zyxel Device:
· You must have a Cloud CNM SecuManager license with CNM ID number or a Cloud CNM SecuManager server URL.
· The Zyxel Device must be able to communicate with the Cloud CNM SecuManager server. You must configure Configuration > Cloud CNM > SecuManager to allow the Zyxel Device to find the Cloud CNM SecuManager server.
Figure 552 Configuration > Cloud CNM > SecuManager

The following table describes the labels in this screen.

Table 362 Configuration > Cloud CNM > SecuManager

LABEL

DESCRIPTION

Show Advanced Settings / Hide Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

Enable

Select this to allow management of the Zyxel Device by Cloud CNM SecuManager.

Auto

Select this if your Cloud CNM SecuManager server can access myZyxel to automatically get the VM server URL from myZyxel. You also need the CNM ID from the Cloud CNM SecuManager license.

CNM URL

myZyxel associates the CNM ID with the CNM URL, which identifies the server on which Cloud CNM SecuManager is installed. Therefore you don't need to enter the CNM URL when you select Auto.

Custom

Select this if your Cloud CNM SecuManager server cannot access myZyxel.

Select this if your VM server or Zyxel Device is in a private network, or if the VM server is behind a NAT router. You then need to manually enter the VM server URL into the Zyxel Device.

CNM URL

Enter the IPv4 address of the Cloud CNM SecuManager server followed by the port number (default 7547 for HTTPS or 7549 for HTTP) followed by the CNM ID from the license. For example, if you installed Cloud CNM SecuManager on a server with IP address 1.1.1.1 and CNM ID V6ABQNTPYGD, then type 1.1.1.1:7547/V6ABQNTPYGD or 1.1.1.1:7549/V6ABQNTPYGD as the CNM URL.

Transfer Protocol

Choose the CNM URL protocol: HTTP or HTTPS. If you enter 1.1.1.1:7547 as the CNM URL, you must choose HTTPS as the Transfer Protocol, and then the whole CNM URL is https://1.1.1.1:7547. If you enter 1.1.1.1:7549 as the CNM URL, you must choose HTTP as the Transfer Protocol, and then the whole CNM URL is http://1.1.1.1:7549. Prefer HTTPS: over plain HTTP the TR-069 session, including the commands the Zyxel Device accepts from the server, travels unencrypted.

Periodic Inform

Enable this to have the Zyxel Device inform the Cloud CNM SecuManager server of its presence at regular intervals.

ZyWALL USG FLEX Series User's Guide
835

Chapter 41 Cloud CNM

Table 362 Configuration > Cloud CNM > SecuManager (continued)

LA BEL

DESC RIPTIO N

Interval

Type how often the Zyxel Device should inform Cloud CNM SecuManager server of its presence.

HTTPS Authentication Select the check box if you have a HTTPs server certificate.

Server Certificate

Select a certificate the HTTPS server (the Zyxel Device) uses to authenticate itself to the HTTPS client.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Re se t to return the screen to its last-saved settings.

Note: See the Cloud CNM SecuManager User's Guide for more information on Cloud CNM SecuManager.

41.3 Cloud CNM SecuReporter
Cloud CNM SecuReporter is a security analytics portal that collects and analyzes logs from SecuReporter-licensed Zyxel Devices in order to identify anomalies, alert on potential internal / external threats, and report on network usage. You need to buy a license for SecuReporter for your Zyxel Device and register it at myZyxel. You must be a registered user at myZyxel.
You can access the portal from a web browser and also get notifications sent to an app on your mobile phone.


Figure 553 Cloud CNM SecuReporter Application Scenario
How to activate and enable SecuReporter
1 Does Service Status display Activated in the Configuration > Cloud CNM > SecuReporter screen? If not, you have to log in to myZyxel.com and activate the SecuReporter license for this Zyxel Device. The Zyxel Device must be able to communicate with the myZyxel server. Your SecuReporter license displays in Configuration > Licensing > Registration > Service after you activate the SecuReporter license at myZyxel.

Figure 554 Configuration > Licensing > Registration > Service
2 After the SecuReporter license is activated, go back to the Configuration > Cloud CNM > SecuReporter screen, and select the categories of logs that you want this Zyxel Device to send to the SecuReporter portal.
3 Select Enable SecuReporter. Do not go to the SecuReporter portal until after you have enabled SecuReporter on this Zyxel Device and applied the settings. You can also see the license status, type and expiration date.
4 Click Apply and wait.
How to add this Zyxel Device to SecuReporter
1 Log in to the SecuReporter portal.
2 Go to Settings > Organization & Devices > Add to create an organization.
3 Add this Zyxel Device to an Organization using the hyperlink under Unclaimed Device.
SecuReporter Banner
The SecuReporter banner appears when:
1 SecuReporter hasn't been enabled before.
2 The Zyxel Device is not added to an organization yet.

Figure 555 SecuReporter Banner
Click the Continue button in the SecuReporter banner to configure the SecuReporter settings.
· Server Status: This is the connection status between the Zyxel Device and the SecuReporter server. This field shows Connected when the Zyxel Device can synchronize with the SecuReporter server. This field shows Timeout when the Zyxel Device can't synchronize with the SecuReporter server. This field shows Fail when the connection between the Zyxel Device and the SecuReporter server is down.
· Device Name: Enter the name of the Zyxel Device. This Zyxel Device will be added to a new or existing organization.
· Organization: This field appears if you haven't created an organization in the SecuReporter server. Type a name of up to 255 characters and a description to create a new organization.
· Select from existing organization: Select an existing organization from the drop-down list box to add the Zyxel Device to the selected organization.
· Create new organization: Type a name of up to 255 characters and a description to create a new organization.
· Partially Anonymous: Select this and personal data, such as user names, MAC addresses, email addresses, and host names, will be replaced with artificial identifiers in downloaded logs.
· Fully Anonymous: Select this and personal data, such as user names, MAC addresses, email addresses, and host names, will be replaced with anonymized information in downloaded logs.
· Non-Anonymous: Select this and personal data, such as user names, MAC addresses, email addresses, and host names, will be identifiable in downloaded logs.
Figure 556 SecuReporter Banner Settings
Click Configuration > Cloud CNM > SecuReporter to open the following screen.
Figure 557

Figure 558 Configuration > Cloud CNM > SecuReporter

The following table describes the labels in this screen.

Table 363 Configuration > Cloud CNM > SecuReporter

Enable SecuReporter
Security-related logs are sent to the SecuReporter portal. Click the General Data Protection Regulation (GDPR) privacy link below to see the Zyxel privacy policy. This must be selected to have SecuReporter collect and analyze logs from this Zyxel Device.
· It's selected by default if you have activated a SecuReporter Standard license.
· You need to select this if you have a SecuReporter Trial license.
· This field is not available if you do not have a SecuReporter license.

Categories
Select the categories of logs that you want this Zyxel Device to send to SecuReporter for analysis and trend spotting.

SecuReporter Service License Status

Service Status
This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn't a license to be activated for this service.

Service Type
This field displays whether you applied for a trial application (Trial) or registered this service with your iCard's PIN number (Standard). This field is blank when the service is not activated.

Expiration Date
This field displays the date your service expires.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.


CHAPTER 42
System
42.1 Overview
Use the system screens to configure general Zyxel Device settings.
42.1.1 What You Can Do in this Chapter
· Use the System > Host Name screen (see Section 42.2 on page 842) to configure a unique name for the Zyxel Device in your network.
· Use the System > USB Storage screen (see Section 42.3 on page 842) to configure the settings for the connected USB devices.
· Use the System > Date/Time screen (see Section 42.4 on page 843) to configure the date and time for the Zyxel Device.
· Use the System > Console Speed screen (see Section 42.5 on page 847) to configure the console port speed when you connect to the Zyxel Device via the console port using a terminal emulation program.
· Use the System > DNS screen (see Section 42.6 on page 848) to configure the DNS (Domain Name System) server used for mapping a domain name to its corresponding IP address and vice versa.
· Use the System > WWW screens (see Section 42.7 on page 858) to configure settings for HTTP or HTTPS access to the Zyxel Device and how the login and access user screens look.
· Use the System > SSH screen (see Section 42.8 on page 875) to configure SSH (Secure SHell) used to securely access the Zyxel Device's command line interface. You can specify which zones allow SSH access and from which IP address the access can come.
· Use the System > TELNET screen (see Section 42.9 on page 879) to configure Telnet to access the Zyxel Device's command line interface. Specify which zones allow Telnet access and from which IP address the access can come.
· Use the System > FTP screen (see Section 42.10 on page 881) to specify from which zones FTP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come. You can upload and download the Zyxel Device's firmware and configuration files using FTP.
· Your Zyxel Device can act as an SNMP agent, which allows a manager station to manage and monitor the Zyxel Device through the network. Use the System > SNMP screen (see Section 42.11 on page 883) to configure SNMP settings, including from which zones SNMP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come.
· Use the Auth. Server screen (Section 42.12 on page 889) to configure the Zyxel Device to operate as a RADIUS server.
· Use the Notification > Mail Server screen (Section 42.13 on page 891) to configure the Zyxel Device to operate as a RADIUS server.
· Use the Notification > SMS screen (Section 42.14 on page 892) to turn on the SMS service on the Zyxel Device in order to send dynamic guest account information in text messages and authorization for VPN tunnel access to a secured network.
· Use the Notification > Response Message screen (Section 42.15 on page 894) to create a web page when access to a website is restricted due to a security service.
· Use the System > Language screen (see Section 42.16 on page 895) to set a language for the Zyxel Device's Web Configurator screens.
· Use the System > IPv6 screen (see Section 42.17 on page 896) to enable or disable IPv6 support on the Zyxel Device.
· Use the System > ZON screen (see Section 42.18 on page 896) to enable or disable the Zyxel One Network (ZON) utility that uses Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices in the same network as the computer on which ZON is installed.
Note: See each section for related background information and term definitions.
42.2 Host Name
A host name is the unique name by which a device is known on a network. Click Configuration > System > Host Name to open the Host Name screen.
Figure 559 Configuration > System > Host Name

The following table describes the labels in this screen.

Table 364 Configuration > System > Host Name

System Name
Enter a descriptive name to identify your Zyxel Device. This name can be up to 64 alphanumeric characters long. Spaces are not allowed, but dashes (-), underscores (_) and periods (.) are accepted.

Domain Name
Enter the domain name (if you know it) here. This name is propagated to DHCP clients connected to interfaces with the DHCP server enabled. This name can be up to 254 alphanumeric characters long. Spaces are not allowed, but dashes "-" are accepted.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.

42.3 USB Storage
The Zyxel Device can use a connected USB device to store the system log and other diagnostic information. Use this screen to turn on this feature and set a disk full warning limit.

Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system.
Click Configuration > System > USB Storage to open the screen as shown next.
Figure 560 Configuration > System > USB Storage

The following table describes the labels in this screen.

Table 365 Configuration > System > USB Storage

Activate USB storage service
Select this if you want to use the connected USB device(s).

Disk full warning when remaining space is less than
Set a number and select a unit (MB or %) to have the Zyxel Device send a warning message when the remaining USB storage space is less than the value you set here.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.

42.4 Date and Time
For effective scheduling and logging, the Zyxel Device system time must be accurate. The Zyxel Device's Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.
To change your Zyxel Device's time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the Zyxel Device's time and date or have the Zyxel Device get the date and time from a time server.


Figure 561 Configuration > System > Date and Time

The following table describes the labels in this screen.

Table 366 Configuration > System > Date and Time

Current Time and Date

Current Time
This field displays the present time of your Zyxel Device.

Current Date
This field displays the present date of your Zyxel Device.

Time and Date Setup

Manual
Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered. When you enter the time settings manually, the Zyxel Device uses the new setting once you click Apply.

New Time (hh-mm-ss)
This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.

New Date (yyyy-mm-dd)
This field displays the last updated date from the time server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.

Get from Time Server
Select this radio button to have the Zyxel Device get the time and date from the time server you specify below. The Zyxel Device requests time and date settings from the time server under the following circumstances.
· When the Zyxel Device starts up.
· When you click Apply or Synchronize Now in this screen.
· At 24-hour intervals after starting up.

Time Server Address
Enter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information.

Sync. Now
Click this button to have the Zyxel Device get the time and date from a time server (see the Time Server Address field). This also saves your changes (except the daylight saving settings).

Time Zone Setup

Time Zone
Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).

Automatically Sync Time Zone
Select this for the Zyxel Device to automatically get its time zone.

Daylight Saving
Daylight savings is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.

Enable Daylight Savings
Select this option if you use Daylight Saving Time.

Automatically adjust clock for Daylight Saving Time
Select this for the Zyxel Device to automatically adjust the time if daylight savings is implemented in its time zone.

Start Date
Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The at field uses the 24 hour format. Here are a couple of examples:
Daylight Saving Time starts in most parts of the United States on the second Sunday of March. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Second, Sunday, March and type 2 in the at field.
Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).

End Date
Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The at field uses the 24 hour format. Here are a couple of examples:
Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, November and type 2 in the at field.
Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, October. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).

Offset
Specify how much the clock changes when daylight saving begins and ends. Enter a number from 1 to 5.5 (by 0.5 increments). For example, if you set this field to 3.5, a log that occurred at 6 P.M. in local official time will appear as if it had occurred at 10:30 P.M.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.

42.4.1 Pre-defined NTP Time Servers List
When you turn on the Zyxel Device for the first time, the date and time start at 2003-01-01 00:00:00. The Zyxel Device then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers.
The Zyxel Device continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.
Table 367 Default Time Servers
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
When the Zyxel Device uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the Zyxel Device goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.
42.4.2 Time Server Synchronization
Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field.
When the Loading screen appears, you may have to wait up to one minute.
Figure 562 Synchronization in Process

The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful. If the synchronization was not successful, a log displays in the View Log screen. Try re-configuring the Date/Time screen.
To manually set the Zyxel Device date and time:
1 Click System > Date/Time.
2 Select Manual under Time and Date Setup.
3 Enter the Zyxel Device's time in the New Time field.
4 Enter the Zyxel Device's date in the New Date field.
5 Under Time Zone Setup, select your Time Zone from the list.
6 As an option you can select the Enable Daylight Saving check box to adjust the Zyxel Device clock for daylight savings.
7 Click Apply.
To get the Zyxel Device date and time from a time server:
1 Click System > Date/Time.
2 Select Get from Time Server under Time and Date Setup.
3 Under Time Zone Setup, select your Time Zone from the list.
4 As an option you can select the Enable Daylight Saving check box to adjust the Zyxel Device clock for daylight savings.
5 Under Time and Date Setup, enter a Time Server Address (Table 367 on page 846).
6 Click Apply.
42.5 Console Port Speed
This section shows you how to set the console port speed when you connect to the Zyxel Device via the console port using a terminal emulation program. Click Configuration > System > Console Speed to open the Console Speed screen.
Figure 563 Configuration > System > Console Speed

The following table describes the labels in this screen.

Table 368 Configuration > System > Console Speed

Console Port Speed
Use the drop-down list box to change the speed of the console port. Your Zyxel Device supports 9600, 19200, 38400, 57600, and 115200 bps (default) for the console port. The Console Port Speed applies to a console port connection using terminal emulation software and NOT the Console in the Zyxel Device Web Configurator Status screen.

Apply
Click Apply to save your changes back to the Zyxel Device.

Reset
Click Reset to return the screen to its last-saved settings.

42.6 DNS Overview
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
42.6.1 DNS Server Address Assignment
The Zyxel Device can get the DNS server addresses in the following ways.
· The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
· If your ISP dynamically assigns the DNS server IP addresses (along with the Zyxel Device's WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
· You can manually enter the IP addresses of other DNS servers.
42.6.2 Configuring the DNS Screen
Click Configuration > System > DNS to change your Zyxel Device's DNS settings. Use the DNS screen to configure the Zyxel Device to use a DNS server to resolve domain names for Zyxel Device system features like VPN, DDNS and the time server. You can also configure the Zyxel Device to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the Zyxel Device sends to the specified DHCP client devices.
A name query begins at a client computer and is passed to a resolver, a DNS client service, for resolution. The Zyxel Device can be a DNS client service. The Zyxel Device can resolve a DNS query locally using cached Resource Records (RR) obtained from a previous query (and kept for a period of time). If the Zyxel Device does not have the requested information, it can forward the request to DNS servers. This is known as recursion.
The Zyxel Device can ask a DNS server to use recursion to resolve its DNS client requests. If recursion on the Zyxel Device or a DNS server is disabled, they cannot forward DNS requests for resolution.
A DNS amplification attack is a kind of Distributed Denial of Service (DDoS) attack that uses publicly accessible open DNS servers to flood a victim with DNS response traffic. An open DNS server is a DNS server which is willing to resolve recursive DNS queries from anyone on the Internet.
In a DNS amplification attack, an attacker sends a DNS name lookup request to an open DNS server with the source address spoofed as the victim's address. When the DNS server sends the DNS record response, it is sent to the victim. Attackers can request as much information as possible to maximize the amplification effect. Configure the Security Option Control section in the Configuration > System > DNS screen (click Show Advanced Settings to display it) if you suspect the Zyxel Device is being used (either by hackers or by a corrupted open DNS server) in a DNS amplification attack.
Figure 564 Configuration > System > DNS

The following table describes the labels in this screen.

Table 369 Configuration > System > DNS

Address/PTR Record
This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host, "zyxel" is the third-level domain, "com" is the second-level domain, and "tw" is the top level domain.

Add
Click this to create a new entry.

Edit
Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.

#
This is the index number of the address/PTR record.

FQDN
This is a host's fully qualified domain name.

IP Address
This is the IP address of a host.

CNAME Record
This record specifies an alias for an FQDN. Use this record to bind all subdomains with the same IP address as the FQDN without having to update each one individually, which increases the chance for errors. See CNAME Record (Section 42.6.6 on page 853) for more details.

Add
Click this to create a new entry.

Edit
Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.

#
This is the index number of the domain zone forwarder record. The ordering of your rules is important as rules are applied in sequence. A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The Zyxel Device uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.

Alias Name
Enter an Alias name. Use "*." as prefix for a wildcard domain name. For example, *.example.com.

FQDN
Enter the Fully Qualified Domain Name (FQDN).

Domain Zone Forwarder
This specifies a DNS server's IP address. The Zyxel Device can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. When the Zyxel Device needs to resolve a domain zone, it checks it against the domain zone forwarder entries in the order that they appear in this list.

Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit
Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.

Move
To change an entry's position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.

#
This is the index number of the domain zone forwarder record. The ordering of your rules is important as rules are applied in sequence. A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The Zyxel Device uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.

Domain Zone
A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. A "*" means all domain zones.

Type
This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-Defined).

DNS Server
This is the IP address of a DNS server. This field displays N/A if you have the Zyxel Device get a DNS server IP address from the ISP dynamically but the specified interface is not active.

Query Via
This is the interface through which the Zyxel Device sends DNS queries to the entry's DNS server. If the Zyxel Device connects through a VPN tunnel, tunnel displays.

MX Record (for My FQDN)
An MX (Mail eXchange) record identifies a mail server that handles the mail for a particular domain.

Add
Click this to create a new entry.

Edit
Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.

#
This is the index number of the MX record.

Domain Name
This is the domain name where the mail is destined for.

IP/FQDN
This is the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.

Security Option Control
Click Show Advanced Settings to display this part of the screen. There are two control policies: Default and Customize.

Edit
Click either control policy and then click this button to change allow or deny actions for Query Recursion and Additional Info from Cache.

Priority
The Customize control policy is checked first and if an address object match is not found, the Default control policy is checked.

Name
You may change the name of the Customize control policy.

Address
These are the object addresses used in the control policy. RFC1918 refers to private IP address ranges. It can be modified in Object > Address.

Additional Info from Cache
This displays if the Zyxel Device is allowed or denied to cache Resource Records (RR) obtained from previous DNS queries.

Query Recursion
This displays if the Zyxel Device is allowed or denied to forward DNS client requests to DNS servers for resolution.

Service Control
This specifies from which computers and zones you can send DNS queries to the Zyxel Device.

Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit
Double-click an entry or select it and click Edit to be able to modify the entry's settings.

Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.

Move
To change an entry's position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.

#
This is the index number of the service control rule. The ordering of your rules is important as rules are applied in sequence. The entry with a hyphen (-) instead of a number is the Zyxel Device's (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the Zyxel Device will not have to use the default policy.

Zone
This is the zone on the Zyxel Device the user is allowed or denied to access.

Address
This is the object name of the IP address(es) with which the computer is allowed or denied to send DNS queries.

Action
This displays whether the Zyxel Device accepts DNS queries from the computer with the IP address specified above through the specified zone (Accept) or discards them (Deny).

42.6.3 (IPv6) Address Record
An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address.
The Zyxel Device allows you to configure address records about the Zyxel Device itself or another device. This way you can keep a record of DNS names and addresses that people on your network may use frequently. If the Zyxel Device receives a DNS query for an FQDN for which the Zyxel Device has an address record, the Zyxel Device can send the IP address in a DNS response without having to query a DNS name server.
42.6.4 PTR Record
A PTR (pointer) record is also called a reverse record or a reverse lookup record. It is a mapping of an IP address to a domain name.
42.6.5 Adding an (IPv6) Address/PTR Record
Click the Add icon in the Address/PTR Record or IPv6 Address/PTR Record table to add an IPv4 or IPv6 address/PTR record.
Figure 565 Configuration > System > DNS > Address/PTR Record Edit


The following table describes the labels in this screen.

Table 370 Configuration > System > DNS > (IPv6) Address/PTR Record Edit

LABEL: DESCRIPTION
FQDN: Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host, "zyxel" is the third-level domain, "com" is the second-level domain, and "tw" is the top level domain. Underscores are not allowed. Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
IP Address: Enter the IP address of the host in dotted decimal notation.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

42.6.6 CNAME Record
A Canonical Name Record or CNAME record is a type of resource record in the Domain Name System (DNS) that specifies that the domain name is an alias of another, canonical domain name. This lets you set up one record for a domain name that translates to an IP address and make other domain names aliases of it. The record also binds all the subdomains to the same IP address without having to create a record for each, so when the IP address changes, the IP addresses of all subdomains are updated as well with one edit to the record.
For example, the domain name zyxel.com is hooked up to a record named A which translates it to 11.22.33.44. You also have several subdomains, like mail.zyxel.com and ftp.zyxel.com, and you want these subdomains to point to your main domain zyxel.com. Edit the IP Address in record A and all subdomains follow automatically. This eliminates chances for errors and increases efficiency in DNS management.

42.6.7 Adding a CNAME Record
Click the Add icon in the CNAME Record table to add a record. Use "*." as a prefix for a wildcard domain name, for example *.zyxel.com.
Figure 566 Configuration > System > DNS > CNAME Record > Add


The following table describes the labels in this screen.

Table 371 Configuration > System > DNS > CNAME Record > Add

LABEL: DESCRIPTION
Alias name: Enter an Alias Name. Use "*." as a prefix in the Alias name for a wildcard domain name (for example, *.example.com).
FQDN: Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host, "zyxel" is the third-level domain, "com" is the second-level domain, and "tw" is the top level domain. Underscores are not allowed. Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

42.6.8 Domain Zone Forwarder
A domain zone forwarder contains a DNS server's IP address. The Zyxel Device can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
42.6.9 Adding a Domain Zone Forwarder
Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record.
Figure 567 Configuration > System > DNS > Domain Zone Forwarder Add


The following table describes the labels in this screen.

Table 372 Configuration > System > DNS > Domain Zone Forwarder Add

LABEL: DESCRIPTION
Domain Zone: A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the Zyxel Device needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Enter * if all domain zones are served by the specified DNS server(s).
DNS Server: Select DNS Server(s) from ISP if your ISP dynamically assigns DNS server information. You also need to select an interface through which the ISP provides the DNS server IP address(es). The interface should be activated and set to be a DHCP client. The fields below display the (read-only) DNS server IP address(es) that the ISP assigns. N/A displays for any DNS server IP address fields for which the ISP does not assign an IP address.
Select Public DNS Server if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. The Zyxel Device must be able to connect to the DNS server without using a VPN tunnel. The DNS server could be on the Internet or one of the Zyxel Device's local networks. You cannot use 0.0.0.0. Use the Query via field to select the interface through which the Zyxel Device sends DNS queries to a DNS server.
Select Private DNS Server if you have the IP address of a DNS server to which the Zyxel Device connects through a VPN tunnel. Enter the DNS server's IP address in the field to the right. You cannot use 0.0.0.0.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
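The following script is an added illustration (not Zyxel's code) of how the Address/PTR, CNAME and Domain Zone Forwarder tables described in Sections 42.6.3 to 42.6.9 fit together: a query is first answered from the device's own address records (following CNAME aliases and "*." wildcards), and only otherwise forwarded to the DNS server whose domain zone covers the name, with "*" as the catch-all. All names and addresses in it are constructed sample data.

```python
"""Local DNS records and domain zone forwarder selection.

Added illustration of the behaviour described for the Address/PTR, CNAME and
Domain Zone Forwarder tables; this is not Zyxel's code, and all names and
addresses below are constructed sample data (documentation ranges).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _matches(pattern: str, name: str) -> bool:
    """Exact match, or wildcard match when the pattern starts with "*.".

    "*.example.com" matches "www.example.com" but not "example.com" itself.
    """
    pattern, name = _norm(pattern), _norm(name)
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".example.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return pattern == name


def _lookup(table: Dict[str, str], name: str) -> Optional[str]:
    """Exact entries take precedence over wildcard entries."""
    exact = table.get(_norm(name))
    if exact is not None:
        return exact
    for pattern, value in table.items():
        if pattern.startswith("*.") and _matches(pattern, name):
            return value
    return None


@dataclass
class DnsTables:
    address: Dict[str, str] = field(default_factory=dict)     # FQDN (or *.zone) -> IP
    cname: Dict[str, str] = field(default_factory=dict)       # alias (or *.zone) -> canonical FQDN
    forwarders: Dict[str, str] = field(default_factory=dict)  # domain zone ("*" = any) -> DNS server IP


def resolve_local(name: str, tables: DnsTables, max_alias_hops: int = 8) -> Optional[str]:
    """Answer a query from the device's own records, following CNAME aliases.

    Returns the IP address, or None when no local record applies and the
    query has to be forwarded to a DNS server.
    """
    for _ in range(max_alias_hops):
        ip = _lookup(tables.address, name)
        if ip is not None:
            return ip
        canonical = _lookup(tables.cname, name)
        if canonical is None:
            return None
        name = canonical
    return None   # alias chain too long or looping: not resolvable locally


def domain_zone(fqdn: str) -> str:
    """A domain zone is the FQDN without its host label (Section 42.6.8)."""
    labels = _norm(fqdn).split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else labels[0]


def select_forwarder(name: str, tables: DnsTables) -> Optional[str]:
    """Pick the forwarder whose domain zone most specifically covers the name.

    A forwarder entered as "*" serves every zone and is used only when no
    more specific zone matches.
    """
    n = _norm(name)
    best_zone, best_ip = None, None
    for zone, server in tables.forwarders.items():
        z = _norm(zone)
        if z == "*":
            if best_zone is None:
                best_zone, best_ip = "", server
            continue
        if (n == z or n.endswith("." + z)) and len(z) > len(best_zone or ""):
            best_zone, best_ip = z, server
    return best_ip


# Constructed sample tables (documentation ranges, not real hosts).
SAMPLE = DnsTables(
    address={"www.example.com": "192.0.2.10", "*.lab.example.com": "192.0.2.20"},
    cname={"mail.example.com": "www.example.com", "*.apps.example.com": "www.example.com"},
    forwarders={"*": "198.51.100.53", "corp.example.net": "10.0.0.53"},
)

if __name__ == "__main__":
    for q in ("www.example.com", "portal.apps.example.com",
              "host7.lab.example.com", "fs.corp.example.net"):
        local = resolve_local(q, SAMPLE)
        print(q, "->", local if local else f"forward to {select_forwarder(q, SAMPLE)}")
```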

42.6.10 MX Record
An MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, it controls where mail is sent for that domain. If you do not configure proper MX records for your domain or other domain, external email from other mail servers will not be able to be delivered to your mail server and vice versa. Each host or domain can have only one MX record, that is, one domain maps to one host.
42.6.11 Adding an MX Record
Click the Add icon in the MX Record table to add an MX record.
Figure 568 Configuration > System > DNS > MX Record Add


The following table describes the labels in this screen.

Table 373 Configuration > System > DNS > MX Record Add

LABEL: DESCRIPTION
Domain Name: Enter the domain name where the mail is destined for.
IP Address/FQDN: Enter the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

42.6.12 Security Option Control
Configure the Security Option Control section in the Configuration > System > DNS screen (click Show Advanced Settings to display it) if you suspect the Zyxel Device is being used by hackers in a DNS amplification attack.
One possible strategy would be to deny Query Recursion and Additional Info from Cache in the default policy and allow Query Recursion and Additional Info from Cache only from trusted DNS servers identified by address objects and added as members in the customized policy.
42.6.13 Editing a Security Option Control
Click a control policy and then click Edit to change allow or deny actions for Query Recursion and Additional Info from Cache.
Figure 569 Configuration > System > DNS > Security Option Control Edit (Customize)


The following table describes the labels in this screen.

Table 374 Configuration > System > DNS > Security Option Control Edit (Customize)

LABEL: DESCRIPTION
Name: You may change the name for the customized security option control policy. The customized security option control policy is checked first and if an address object match is not found, the Default control policy is checked.
Query Recursion: Choose if the ZyWALL/USG is allowed or denied to forward DNS client requests to DNS servers for resolution. This can apply to specific open DNS servers using the address objects in a customized rule.
Additional Info from Cache: Choose if the ZyWALL/USG is allowed or denied to cache Resource Records (RR) obtained from previous DNS queries.
Address List: Specifying address objects is not available in the default policy as all addresses are included.
Available: This box displays address objects created in Object > Address. Select one (or more), and click the > arrow to have it (them) join the Member list of address objects that will apply to this rule. For example, you could specify an open DNS server suspected of sending compromised resource records by adding an address object for that server to the member list.
Member: This box displays address objects that will apply to this rule.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
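As an added example (not Zyxel's code) of the lookup order described in Sections 42.6.12 and 42.6.13, the script below models the Customize and Default control policies with address objects as IP networks and classifies how each incoming query would be served under the anti-amplification strategy of 42.6.12 (deny both options by default, allow them only for trusted DNS servers). The networks and names are constructed sample values, and "Additional Info from Cache" is modelled as whether cached resource records may be used for that source.

```python
"""DNS Security Option Control evaluation (Sections 42.6.12 and 42.6.13).

Added example, not Zyxel code. Address objects are modelled as IP networks.
The Customize policy is consulted first; the Default policy applies to every
source that matches none of the Customize members.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Set


def address_object(*cidrs: str) -> list:
    """Build an address object (Object > Address) from one or more CIDRs or hosts."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


@dataclass
class ControlPolicy:
    name: str
    query_recursion: str             # "allow" or "deny"
    additional_info_from_cache: str  # "allow" or "deny"
    members: list = field(default_factory=list)  # address objects; empty for Default (all addresses)

    def __post_init__(self):
        for value in (self.query_recursion, self.additional_info_from_cache):
            if value not in ("allow", "deny"):
                raise ValueError(f"{self.name}: action must be allow or deny, got {value!r}")

    def covers(self, ip) -> bool:
        return any(ip in net for net in self.members)


@dataclass
class SecurityOptionControl:
    customize: ControlPolicy
    default: ControlPolicy

    def policy_for(self, src_ip: str) -> ControlPolicy:
        """Customize is checked first; Default is used when no member matches."""
        ip = ipaddress.ip_address(src_ip)
        return self.customize if self.customize.covers(ip) else self.default

    def handle_query(self, src_ip: str, qname: str,
                     local_records: Set[str], cache: Set[str]) -> str:
        """Classify how the device would serve one query from src_ip.

        Returns one of:
          "answer-local"  an address record exists, no recursion needed
          "answer-cache"  answered from cached RRs (policy allows cache use)
          "recurse"       forwarded to an upstream DNS server
          "refused"       recursion denied for this source
        """
        policy = self.policy_for(src_ip)
        name = qname.rstrip(".").lower()
        if name in local_records:
            return "answer-local"
        if name in cache and policy.additional_info_from_cache == "allow":
            return "answer-cache"
        if policy.query_recursion == "allow":
            cache.add(name)   # RRs from the recursive answer become cacheable
            return "recurse"
        return "refused"


# Constructed example following the strategy in 42.6.12 (documentation ranges).
SOC = SecurityOptionControl(
    customize=ControlPolicy("TrustedResolvers", "allow", "allow",
                            members=address_object("192.0.2.53/32", "10.0.0.0/8")),
    default=ControlPolicy("Default", "deny", "deny"),
)
LOCAL_RECORDS = {"www.example.com"}   # address records configured on the device

if __name__ == "__main__":
    cache: Set[str] = set()
    for src, q in (("203.0.113.7", "www.example.com"), ("203.0.113.7", "isc.example.org"),
                   ("192.0.2.53", "isc.example.org"), ("192.0.2.53", "isc.example.org")):
        print(f"{src:>12} {q:<18} {SOC.policy_for(src).name:<16} "
              f"{SOC.handle_query(src, q, LOCAL_RECORDS, cache)}")
```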

42.6.14 Adding a DNS Service Control Rule
Click the Add icon in the Service Control table to add a service control rule.
Figure 570 Configuration > System > DNS > Service Control Rule Add

The following table describes the labels in this screen.

Table 375 Configuration > System > DNS > Service Control Rule Add

LABEL: DESCRIPTION
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Address Object: Select ALL to allow or deny any computer to send DNS queries to the Zyxel Device. Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the Zyxel Device.
Zone: Select ALL to allow or prevent DNS queries through any zones. Select a predefined zone on which a DNS query to the Zyxel Device is allowed or denied.
Action: Select Accept to have the Zyxel Device allow the DNS queries from the specified computer. Select Deny to have the Zyxel Device reject the DNS queries from the specified computer.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

42.7 WWW Overview
The following figure shows secure and insecure management of the Zyxel Device coming in from the WAN. HTTPS and SSH access are secure. HTTP and Telnet access are not secure.
Note: To allow the Zyxel Device to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-Zyxel Device security policy rule to block that traffic.
To stop a service from accessing the Zyxel Device, clear Enable in the corresponding service screen.
42.7.1 Service Access Limitations
A service cannot be used to access the Zyxel Device when:
1 You have disabled that service in the corresponding screen.
2 The allowed IP address (address object) in the Service Control table does not match the client IP address (the Zyxel Device disallows the session).
3 The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny.
4 There is a security policy rule that blocks it.
42.7.2 System Timeout
There is a lease timeout for administrators. The Zyxel Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. Each user is also forced to log in to the Zyxel Device for authentication again when the reauthentication time expires. You can change the timeout settings in the User/Group screens.
42.7.3 HTTPS
You can set the Zyxel Device to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions. Specify which zones allow Web Configurator access and from which IP address the access can come.
HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys. HTTPS on the Zyxel Device is used so that you can securely access the Zyxel Device using the Web Configurator. The SSL protocol specifies that the HTTPS server (the Zyxel Device) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the Zyxel Device), whereas the HTTPS client should only authenticate itself when the HTTPS server requires it to do so (select Authenticate Client Certificates in the WWW screen). Authenticate Client Certificates is optional and if selected means the HTTPS client must send the Zyxel Device a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the Zyxel Device. Please refer to the following figure.
1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the Zyxel Device's web server.
2 HTTP connection requests from a web browser go to port 80 (by default) on the Zyxel Device's web server.
Figure 571 HTTP/HTTPS Implementation
Note: If you disable HTTP in the WWW screen, then the Zyxel Device blocks all HTTP connection attempts.
42.7.4 Configuring WWW Service Control
Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the Zyxel Device using HTTP or HTTPS. You can also specify which IP addresses the access can come from.
Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the Zyxel Device (logging into SSL VPN for example).
Figure 572 Configuration > System > WWW > Service Control

The following table describes the labels in this screen.

Table 376 Configuration > System > WWW > Service Control

LABEL: DESCRIPTION
HTTPS
Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device Web Configurator using secure HTTPS connections.
Server Port: The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the Zyxel Device, for example 8443, then you must notify people who need to access the Zyxel Device Web Configurator to use "https://Zyxel Device IP Address:8443" as the URL.
Authenticate Client Certificates: Select Authenticate Client Certificates (optional) to require the SSL client to authenticate itself to the Zyxel Device by sending the Zyxel Device a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the Zyxel Device (see Section 42.7.7.5 on page 870 on importing certificates for details).
Server Certificate: Select a certificate the HTTPS server (the Zyxel Device) uses to authenticate itself to the HTTPS client. You must have certificates already configured in the My Certificates screen.
Redirect HTTP to HTTPS: To allow only secure Web Configurator access, select this to redirect all HTTP connection requests to the HTTPS server.
Admin/User Service Control: Admin Service Control specifies from which zones an administrator can use HTTPS to manage the Zyxel Device (using the Web Configurator). You can also specify the IP addresses from which the administrators can manage the Zyxel Device. User Service Control specifies from which zones a user can use HTTPS to log into the Zyxel Device (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the Zyxel Device.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move: To change an entry's position in the numbered list, select the entry and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
#: This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the Zyxel Device's (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the Zyxel Device will not have to use the default policy.
Zone: This is the zone on the Zyxel Device the user is allowed or denied to access.
Address: This is the object name of the IP address(es) with which the computer is allowed or denied to access.
Action: This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
HTTP
Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device Web Configurator using HTTP connections.
Server Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service to access the Zyxel Device.
Admin/User Service Control: Admin Service Control specifies from which zones an administrator can use HTTP to manage the Zyxel Device (using the Web Configurator). You can also specify the IP addresses from which the administrators can manage the Zyxel Device. User Service Control specifies from which zones a user can use HTTP to log into the Zyxel Device (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the Zyxel Device.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move: To change an entry's position in the numbered list, select the entry and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
#: This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the Zyxel Device's (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the Zyxel Device will not have to use the default policy.
Zone: This is the zone on the Zyxel Device the user is allowed or denied to access.
Address: This is the object name of the IP address(es) with which the computer is allowed or denied to access.
Action: This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
Authentication
Client Authentication Method: Select a method the HTTPS or HTTP server uses to authenticate a client. You must have configured the authentication methods in the Object > Auth. method screen.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

42.7.5 Service Control Rules
Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.
Figure 573 Configuration > System > Service Control Rule > Edit


The following table describes the labels in this screen.

Table 377 Configuration > System > Service Control Rule > Edit

LABEL: DESCRIPTION
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Address Object: Select ALL to allow or deny any computer to communicate with the Zyxel Device using this service. Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the Zyxel Device using this service.
Zone: Select ALL to allow or prevent any Zyxel Device zones from being accessed using this service. Select a predefined Zyxel Device zone on which an incoming service is allowed or denied.
Action: Select Accept to allow the user to access the Zyxel Device from the specified computers. Select Deny to block the user's access to the Zyxel Device from the specified computers.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
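The script below is an added example (not Zyxel's code) that ties the service control rule shape of Tables 375 and 377 to the four access limitations listed in Section 42.7.1: rules are applied in order, the first matching zone and address object decides, the non-configurable default policy catches everything else, and a to-Device security policy can still block an accepted session. The page does not state which action the default policy takes, so that is a parameter here; zone names, networks and the rule set are constructed sample values.

```python
"""Service control rule evaluation for management services.

Added example, not Zyxel code, modelling the checks listed in 42.7.1 and the
rule shape of the Service Control Rule screens (Tables 375 and 377). The
action of the non-configurable default policy is not stated on the page, so
it is a parameter here (assumption).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

ALL = "ALL"


def address_object(*cidrs: str) -> list:
    """Build an address object (Object > Address) from one or more CIDRs or hosts."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


@dataclass
class ServiceControlRule:
    zone: str          # zone name, or ALL
    address: object    # address object (list of networks), or ALL
    action: str        # "accept" or "deny"

    def matches(self, zone: str, ip) -> bool:
        zone_ok = self.zone == ALL or self.zone == zone
        addr_ok = self.address == ALL or any(ip in net for net in self.address)
        return zone_ok and addr_ok


@dataclass
class ServiceConfig:
    name: str                                  # e.g. "HTTPS", "SSH", "DNS"
    enabled: bool = True
    rules: List[ServiceControlRule] = field(default_factory=list)
    default_action: str = "deny"               # assumption, see module docstring
    blocked_by_security_policy: bool = False   # a to-Device security policy rule blocks it


def service_access(cfg: ServiceConfig, zone: str, client_ip: str) -> Tuple[bool, str]:
    """Decide whether a client in `zone` may reach the service; the reason maps to 42.7.1."""
    if not cfg.enabled:
        return False, "service disabled"                        # limitation 1
    ip = ipaddress.ip_address(client_ip)
    decided_by, action = "default policy", cfg.default_action
    for index, rule in enumerate(cfg.rules, start=1):
        if rule.matches(zone, ip):
            decided_by, action = f"rule {index}", rule.action   # first match wins
            break
    if action != "accept":
        return False, f"{decided_by}: deny"                    # limitations 2 and 3
    if cfg.blocked_by_security_policy:
        return False, "security policy blocks"                 # limitation 4
    return True, f"{decided_by}: accept"


def move_rule(cfg: ServiceConfig, from_index: int, to_index: int) -> None:
    """Emulate the Move button: indexes are 1-based as in the table."""
    rule = cfg.rules.pop(from_index - 1)
    cfg.rules.insert(to_index - 1, rule)


# Constructed sample: HTTPS management open from LAN1 and from one office network on WAN.
HTTPS = ServiceConfig("HTTPS", rules=[
    ServiceControlRule("LAN1", ALL, "accept"),
    ServiceControlRule("WAN", address_object("203.0.113.0/24"), "accept"),
    ServiceControlRule("WAN", ALL, "deny"),
])

if __name__ == "__main__":
    for zone, ip in (("LAN1", "192.168.1.50"), ("WAN", "203.0.113.9"), ("WAN", "198.51.100.1")):
        print(f"{zone:<5} {ip:<15} {service_access(HTTPS, zone, ip)}")
    move_rule(HTTPS, 3, 2)   # the broad WAN deny now shadows the office allow
    print("after move:", service_access(HTTPS, "WAN", "203.0.113.9"))
```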

42.7.6 Customizing the WWW Login Page
Click Configuration > System > WWW > Login Page to open the Login Page screen. Use this screen to customize the Web Configurator login screen. You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet.

Figure 574 Configuration > System > WWW > Login Page (Desktop View)
Figure 575 Configuration > System > WWW > Login Page (Mobile View)
The following figures identify the parts you can customize in the login and access pages.

Figure 576 Login Page Customization (callouts: Logo, Title, Message (color of all text), Note Message (last line of text), Background)

Figure 577 Access Page Customization (callouts: Logo, Title, Message (color of all text), Note Message (last line of text), Window Background)

You can specify colors in one of the following ways:
· Click Color to display a screen of web-safe colors from which to choose.
· Enter the name of the desired color.
· Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use "#000000" for black.
· Enter "rgb" followed by red, green, and blue values in parentheses, separated by commas. For example, use "rgb(0,0,0)" for black.

Your desired color should display in the preview screen on the right after you click in another field, click Apply, or press [ENTER]. If your desired color does not display, your browser may not support it. Try selecting another color.

The following table describes the labels on the screen.

Table 378 Configuration > System > WWW > Login Page

LABEL: DESCRIPTION
Select Type: Select whether the Web Configurator uses the default login screen or one that you customize in the rest of this screen.
Logo File: You can upload a graphic logo to be displayed on the upper left corner of the Web Configurator login screen and access page. Specify the location and file name of the logo graphic or click Browse to locate it. Note: Use a GIF, JPG, or PNG of 100 kilobytes or less. Click Upload to transfer the specified graphic file from your computer to the Zyxel Device.
Customized Login Page: Use this section to set how the Web Configurator login screen looks.
Title: Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed.
Title Color: Specify the color of the screen's title text.
Message Color: Specify the color of the screen's text.
Note Message: Enter a note to display at the bottom of the screen. Use up to 64 printable ASCII characters. Spaces are allowed.
Background: Set how the screen background looks. To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it. The picture's size cannot be over 438 x 337 pixels. Note: Use a GIF, JPG, or PNG of 100 kilobytes or less. To use a color, select Color and specify the color.
Customized Access Page: Use this section to customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet.
Title: Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed.
Message Color: Specify the color of the screen's text.
Note Message: Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are allowed.
Background: Set how the window's background looks. To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it. The picture's size cannot be over 438 x 337 pixels. Note: Use a GIF, JPG, or PNG of 100 kilobytes or less. To use a color, select Color and specify the color.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

42.7.7 HTTPS Example
If you haven't changed the default HTTPS port on the Zyxel Device, then in your browser enter "https://Zyxel Device IP Address/" as the web site address where "Zyxel Device IP Address" is the IP address or domain name of the Zyxel Device you wish to access.
42.7.7.1 Internet Explorer Warning Messages
When you attempt to access the Zyxel Device HTTPS server, you will see the error message shown in the following screen.
Figure 578 Security Alert Dialog Box (Internet Explorer)

Select Continue to this web site to proceed to the Web Configurator login screen. Otherwise, select Click here to close this web page to block the access.
42.7.7.2 Mozilla Firefox Warning Messages
When you attempt to access the Zyxel Device HTTPS server, a screen titled The Connection is Untrusted appears as shown in the following screen. Click Technical Details if you want to verify more information about the certificate from the Zyxel Device. Select I Understand the Risks and then click Add Exception to add the Zyxel Device to the security exception list. Click Confirm Security Exception.
Figure 579 Security Certificate 1 (Firefox)
Figure 580 Security Certificate 2 (Firefox)
42.7.7.3 Avoiding Browser Warning Messages
Here are the main reasons your browser displays warnings about the Zyxel Device's HTTPS server certificate and what you can do to avoid seeing the warnings:
· The issuing certificate authority of the Zyxel Device's HTTPS server certificate is not one of the browser's trusted certificate authorities. The issuing certificate authority of the Zyxel Device's factory default certificate is the Zyxel Device itself since the certificate is a self-signed certificate.
· For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.
· To have the browser trust the certificates issued by a certificate authority, import the certificate authority's certificate into your operating system as a trusted certificate.
42.7.7.4 Login Screen
After you accept the certificate, the Zyxel Device login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection.
Figure 581 Login Screen (Internet Explorer)
42.7.7.5 Enrolling and Importing SSL Client Certificates
The SSL client needs a certificate if Authenticate Client Certificates is selected on the Zyxel Device. You must have imported at least one trusted CA to the Zyxel Device in order for Authenticate Client Certificates to be active (see the Certificates chapter for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the Zyxel Device (see the Zyxel Device's Trusted CA Web Configurator screen).
Figure 582 Zyxel Device Trusted CA Screen
The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
42.7.7.5.1 Installing the CA's Certificate
1 Double-click the CA's trusted certificate to produce a screen similar to the one shown next.
Figure 583 CA Certificate Example
2 Click Install Certificate and follow the wizard as shown earlier in this appendix.
42.7.7.5.2 Installing Your Personal Certificate(s)
You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.
1 Click Next to begin the wizard.
Figure 584 Personal Certificate Import Wizard 1
2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Figure 585 Personal Certificate Import Wizard 2
3 Enter the password given to you by the CA.
Figure 586 Personal Certificate Import Wizard 3
4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
Figure 587 Personal Certificate Import Wizard 4
5 Click Finish to complete the wizard and begin the import process.
Figure 588 Personal Certificate Import Wizard 5
6 You should see the following screen when the certificate is correctly installed on your computer.
Figure 589 Personal Certificate Import Wizard 6
42.7.7.6 Using a Certificate When Accessing the Zyxel Device Example
Use the following procedure to access the Zyxel Device via HTTPS.
1 Enter https://Zyxel Device IP Address/ in your browser's web address field.
Figure 590 Access the Zyxel Device Via HTTPS
2 When Authenticate Client Certificates is selected on the Zyxel Device, the following screen asks you to select a personal certificate to send to the Zyxel Device. This screen displays even if you only have a single certificate, as in the example.
Figure 591 SSL Client Authentication
3 You next see the Web Configurator login screen.
Figure 592 Secure Web Configurator Login Screen
42.8 SSH
You can use SSH (Secure SHell) to securely access the Zyxel Device's command line interface. Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the Zyxel Device for a management session.
Note: To allow an SSH connection to the Zyxel Device, add SSH to the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group, which defines the default services allowed in the WAN_to_Device security policy.
Figure 593 SSH Communication Over the WAN Example
42.8.1 SSH Implementation on the Zyxel Device
Your Zyxel Device supports SSH version 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish). The SSH server is implemented on the Zyxel Device for management using port 22 (by default). Of the four ciphers, only AES is still considered strong: 3DES, Arcfour (RC4) and Blowfish are legacy algorithms that current OpenSSH releases have removed or no longer offer by default, so make sure your client negotiates AES rather than falling back to one of them.
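The following is an added example, not code from this guide or from Zyxel, that checks which of the four cipher families above an SSH server actually offers and builds the client-side restriction that keeps a session on AES. It parses the algorithm list in the layout printed by nmap's ssh2-enum-algos script; the SAMPLE_SCAN text is constructed for the demo and was not captured from a real Zyxel Device.

```python
"""Added example, not from the Zyxel guide: audit the ciphers an SSH server offers
and build a client-side restriction so a session never falls back to the legacy
ones the guide lists (3DES, Arcfour, Blowfish).

Input is the algorithm list a client sees during key exchange, in the layout of
nmap's ssh2-enum-algos script. SAMPLE_SCAN below is constructed for this demo;
it is not output captured from a real Zyxel Device.
"""
import re
from typing import Dict, List

# Why each family is flagged. These are properties of the algorithms themselves.
LEGACY: Dict[str, str] = {
    "3des":     "3DES: 64-bit block cipher, birthday-bound attacks on long sessions",
    "arcfour":  "Arcfour (RC4): biased keystream, use in SSH deprecated by RFC 8758",
    "blowfish": "Blowfish: 64-bit block cipher",
    "cast128":  "CAST-128: 64-bit block cipher",
}

SAMPLE_SCAN = """\
| ssh2-enum-algos:
|   encryption_algorithms: (7)
|       aes128-ctr
|       aes256-ctr
|       aes256-cbc
|       3des-cbc
|       arcfour
|       arcfour256
|       blowfish-cbc
|   mac_algorithms: (2)
|       hmac-sha2-256
|       hmac-sha1
"""


def parse_enum_algos(text: str, section: str = "encryption_algorithms") -> List[str]:
    """Return the names listed under one *_algorithms section of ssh2-enum-algos output."""
    names: List[str] = []
    inside = False
    for raw in text.splitlines():
        line = raw.lstrip("| ").rstrip()          # drop nmap's "|   " gutter
        if not line:
            continue
        if line.startswith(section + ":"):
            inside = True
            continue
        if inside:
            if re.match(r"\w+_algorithms:", line):  # next section starts
                break
            names.append(line)
    return names


def audit_ciphers(offered: List[str]) -> Dict[str, List[str]]:
    """Sort offered ciphers into 'legacy' (disable), 'cbc' (prefer CTR/GCM) and 'ok'."""
    result: Dict[str, List[str]] = {"legacy": [], "cbc": [], "ok": []}
    for name in offered:
        lower = name.lower()
        family = next((k for k in LEGACY if lower.startswith(k)), None)
        if family is not None:
            result["legacy"].append(f"{name}: {LEGACY[family]}")
        elif lower.endswith("-cbc"):
            result["cbc"].append(name)
        else:
            result["ok"].append(name)
    return result


def client_cipher_option(offered: List[str]) -> str:
    """OpenSSH '-o Ciphers=...' value that pins the session to the acceptable ciphers,
    so the client refuses the legacy ones even while the server still offers them."""
    ok = audit_ciphers(offered)["ok"]
    return "Ciphers=" + ",".join(ok) if ok else ""


if __name__ == "__main__":
    ciphers = parse_enum_algos(SAMPLE_SCAN)
    for bucket, items in audit_ciphers(ciphers).items():
        print(bucket, items)
    print("ssh -o", client_cipher_option(ciphers), "-p 22 admin@<device-ip>")
```

The scan input is the only device-specific part: run nmap with `--script ssh2-enum-algos` (or read the "ciphers" line of `ssh -vv`) against the management address and feed that text to parse_enum_algos. An empty Ciphers option means nothing acceptable was offered, which is the case to raise with the device owner rather than to work around on the client.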
42.8.2 Requirements for Using SSH
You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the Zyxel Device over SSH.
42.8.3 Configuring SSH
Click Configuration > System > SSH to change your Zyxel Device's Secure Shell settings. Use this screen to specify from which zones SSH can be used to manage the Zyxel Device. You can also specify from which IP addresses the access can come.
Figure 594 Configuration > System > SSH
The following table describes the labels in this screen.

Table 379 Configuration > System > SSH

LABEL: DESCRIPTION
Enable: Select the check box to allow the computers whose IP addresses match the entries in the Service Control table to access the Zyxel Device CLI using this service. Clear it to disable SSH access entirely.
Server Port: You may change the server port number for a service if needed; however, you must use the same port number on the client in order to use that service for remote management.
Server Certificate: Select the certificate whose corresponding private key is to be used to identify the Zyxel Device for SSH connections. You must have certificates already configured in the My Certificates screen. Because this private key is the SSH host key, changing the certificate changes the fingerprint that SSH clients have saved, so expect host-key warnings on the client afterwards.
Service Control: This specifies from which computers you can access which Zyxel Device zones.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 377 on page 863 for details on the screen that opens.
Edit: Double-click an entry or select it and click Edit to modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move: To change an entry's position in the numbered list, select the entry and click Move to display a field; type the number for where you want to put it and press [ENTER] to move the rule to that position. Rules are matched in numbered order, so a rule placed after a broader one that matches the same traffic is never reached.
#: This is the index number of the service control rule.
Zone: This is the zone on the Zyxel Device the user is allowed or denied to access.
Address: This is the object name of the IP address(es) from which the computer is allowed or denied access.
Action: This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

42.8.4 Service Control Rules
Click the Add or Edit icon in the Service Control table to add a service control rule.
Figure 595 Configuration > System > SSH > Service Control Rule Add/Edit


The following table describes the labels in this screen.

Table 380 Configuration > System > SSH > Service Control Rule Add/Edit

LABEL: DESCRIPTION
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Address Object: Select ALL to allow or deny any computer to communicate with the Zyxel Device using SSH. Select a predefined address object to allow or deny only the computers with the IP addresses it contains to access the Zyxel Device using SSH.
Zone: Select ALL to allow or prevent any Zyxel Device zone from being accessed using SSH. Select a predefined Zyxel Device zone on which an incoming service is allowed or denied.
Action: Select Accept to allow the user to access the Zyxel Device from the specified computers. Select Deny to block the user's access to the Zyxel Device from the specified computers.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

42.8.5 SSH Example
This section shows how to use the PuTTY SSH client to remotely access the Zyxel Device. The configuration and connection steps are similar for most SSH client programs; refer to your SSH client program's user guide.
1 Launch the SSH client and configure the SSH client to use SSH version 2.

2 Specify the connection information (IP address, port number) for the Zyxel Device.
3 A command window displays. On the first connection the client shows the Zyxel Device's host key fingerprint and asks you to accept it; treat an unexpected change of that fingerprint on a later connection as a warning rather than accepting it. Enter the password to log in to the Zyxel Device.

    login as: admin
    Using keyboard-interactive authentication.
    Password:
    % session is not found
    Bad terminal type: "xterm". Will assume vt100.
    Router> enable
    Router#
42.9 Telnet
You can use Telnet to access the Zyxel Device's command line interface. Specify which zones allow Telnet access and from which IP address the access can come. Telnet sends the login password and the whole management session in cleartext, so use SSH (Section 42.8) instead wherever possible; if Telnet must stay enabled, restrict it to trusted zones and addresses with the Service Control table.
42.9.1 Configuring Telnet
Click Configuration > System > TELNET to configure your Zyxel Device for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the Zyxel Device. You can also specify from which IP addresses the access can come.
Note: To allow a Telnet connection to the Zyxel Device, add Telnet to the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group, which defines the default services allowed in the WAN_to_Device security policy.
Figure 596 Configuration > System > TELNET

The following table describes the labels in this screen.

Table 381 Configuration > System > TELNET

LABEL: DESCRIPTION
Enable: Select the check box to allow the computers whose IP addresses match the entries in the Service Control table to access the Zyxel Device CLI using this service. Clear it to disable Telnet access entirely.
Server Port: You may change the server port number for a service if needed; however, you must use the same port number on the client in order to use that service for remote management.
Service Control: This specifies from which computers you can access which Zyxel Device zones.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 377 on page 863 for details on the screen that opens.
Edit: Double-click an entry or select it and click Edit to modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move: To change an entry's position in the numbered list, select the entry and click Move to display a field; type the number for where you want to put it and press [ENTER] to move the rule to that position.
#: This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the Zyxel Device's (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that the traffic will match so the Zyxel Device does not fall through to the default policy.
Zone: This is the zone on the Zyxel Device the user is allowed or denied to access.
Address: This is the object name of the IP address(es) from which the computer is allowed or denied access.
Action: This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

42.9.2 Service Control Rules
Click the Add or Edit icon in the Service Control table to add a service control rule.
Figure 597 Configuration > System > TELNET > Service Control Rule Add/Edit

The following table describes the labels in this screen.

Table 382 Configuration > System > TELNET > Service Control Rule Add/Edit

LABEL: DESCRIPTION
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Address Object: Select ALL to allow or deny any computer to communicate with the Zyxel Device using Telnet. Select a predefined address object to allow or deny only the computers with the IP addresses it contains to access the Zyxel Device using Telnet.
Zone: Select ALL to allow or prevent any Zyxel Device zone from being accessed using Telnet. Select a predefined Zyxel Device zone on which an incoming service is allowed or denied.
Action: Select Accept to allow the user to access the Zyxel Device from the specified computers. Select Deny to block the user's access to the Zyxel Device from the specified computers.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

42.10 FTP
You can upload and download the Zyxel Device's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. Because the configuration file is sensitive, restrict FTP access to trusted zones and addresses and select TLS required so that the transfer is encrypted.
42.10.1 Configuring FTP
To change your Zyxel Device's FTP settings, click the Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come.

Figure 598 Configuration > System > FTP

The following table describes the labels in this screen.

Table 383 Configuration > System > FTP

LABEL: DESCRIPTION
Enable: Select the check box to allow the computers whose IP addresses match the entries in the Service Control table to access the Zyxel Device using this service. Clear it to disable FTP access entirely.
TLS required: Select the check box to require FTP over TLS (Transport Layer Security), which encrypts the FTP session between the client and the Zyxel Device. Without it, the FTP login password and the firmware or configuration file being transferred cross the network in cleartext.
Server Port: You may change the server port number for a service if needed; however, you must use the same port number on the client in order to use that service for remote management.
Server Certificate: Select the certificate whose corresponding private key is to be used to identify the Zyxel Device for FTP connections. You must have certificates already configured in the My Certificates screen.
Service Control: This specifies from which computers you can access which Zyxel Device zones.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 377 on page 863 for details on the screen that opens.
Edit: Double-click an entry or select it and click Edit to modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move: To change an entry's position in the numbered list, select the entry and click Move to display a field; type the number for where you want to put it and press [ENTER] to move the rule to that position.
#: This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the Zyxel Device's (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that the traffic will match so the Zyxel Device does not fall through to the default policy.
Zone: This is the zone on the Zyxel Device the user is allowed or denied to access.
Address: This is the object name of the IP address(es) from which the computer is allowed or denied access.
Action: This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

42.10.2 Service Control Rules
Click the Add or Edit icon in the Service Control table to add a service control rule.
Figure 599 Configuration > System > FTP > Service Control Rule Add/Edit

The following table describes the labels in this screen.

Table 384 Configuration > System > FTP > Service Control Rule Add/Edit

LABEL: DESCRIPTION
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Address Object: Select ALL to allow or deny any computer to communicate with the Zyxel Device using FTP. Select a predefined address object to allow or deny only the computers with the IP addresses it contains to access the Zyxel Device using FTP.
Zone: Select ALL to allow or prevent any Zyxel Device zone from being accessed using FTP. Select a predefined Zyxel Device zone on which an incoming service is allowed or denied.
Action: Select Accept to allow the user to access the Zyxel Device from the specified computers. Select Deny to block the user's access to the Zyxel Device from the specified computers.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

42.11 SNMP
Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. Your Zyxel Device supports SNMP agent functionality, which allows a manager station to manage and monitor the Zyxel Device through the network. The Zyxel Device supports SNMP version one (SNMPv1), version two (SNMPv2c) and version three (SNMPv3). The next figure illustrates an SNMP management operation.

Figure 600 SNMP Management Model
An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Zyxel Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status and so on. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.
SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
· Get - Allows the manager to retrieve an object variable from the agent.
· GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
· Set - Allows the manager to set values for object variables within an agent.
· Trap - Used by the agent to inform the manager of some events.
42.11.1 SNMPv3 and Security
SNMPv3 enhances security for SNMP management using authentication and encryption. SNMP managers can be required to authenticate with agents before conducting SNMP management sessions.

Security can be further enhanced by encrypting the SNMP messages sent from the managers. Encryption protects the contents of the SNMP messages. When the contents of the SNMP messages are encrypted, only the intended recipients can read them.

42.11.2 Supported MIBs
The Zyxel Device supports MIB II that is defined in RFC-1213 and RFC-1215. The Zyxel Device also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the Zyxel Device's MIBs from www.zyxel.com.

42.11.3 SNMP Traps

The Zyxel Device will send traps to the SNMP manager when any one of the following events occurs.

Table 385 SNMP Traps
OBJECT LABEL, OBJECT ID: DESCRIPTION
Cold Start, 1.3.6.1.6.3.1.1.5.1: This trap is sent when the Zyxel Device is turned on or an agent restarts.
linkDown, 1.3.6.1.6.3.1.1.5.3: This trap is sent when the Ethernet link is down.
linkUp, 1.3.6.1.6.3.1.1.5.4: This trap is sent when the Ethernet link is up.
authenticationFailure, 1.3.6.1.6.3.1.1.5.5: This trap is sent when an SNMP request comes from a non-authenticated host, that is, one presenting a wrong community string or SNMPv3 credentials. A burst of these is worth alerting on, since it usually means someone is guessing community strings.
vpnTunnelDisconnected, 1.3.6.1.4.1.890.1.6.22.2.3: This trap is sent when an IPSec VPN tunnel is disconnected.
vpnTunnelName, 1.3.6.1.4.1.890.1.6.22.2.2.1.1: This object is sent along with the vpnTunnelDisconnected trap and carries the disconnected tunnel's IPSec SA name.
vpnIKEName, 1.3.6.1.4.1.890.1.6.22.2.2.1.2: This object is sent along with the vpnTunnelDisconnected trap and carries the disconnected tunnel's IKE SA name.
vpnTunnelSPI, 1.3.6.1.4.1.890.1.6.22.2.2.1.3: This object is sent along with the vpnTunnelDisconnected trap and carries the security parameter index (SPI) of the disconnected VPN tunnel.

42.11.4 Configuring SNMP
To change your Zyxel Device's SNMP settings, click the Configuration > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come.

Figure 601 Configuration > System > SNMP

The following table describes the labels in this screen.

Table 386 Configuration > System > SNMP

LABEL: DESCRIPTION
Enable: Select the check box to allow the computers whose IP addresses match the entries in the Service Control table to access the Zyxel Device using this service. Clear it to disable SNMP entirely.
Server Port: You may change the server port number for a service if needed; however, you must use the same port number on the manager in order to use that service for remote management.
Trap
Community: Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public. Change it: the community string is sent in cleartext with every trap.
Destination: Type the IP address of the station to send your SNMP traps to.
Trap CAPWAP Event: Select this option to have the Zyxel Device send a trap to the SNMP manager when a managed AP is connected to or disconnected from the Zyxel Device.
SNMPv2c: Select the SNMP version for the Zyxel Device. The SNMP version on the Zyxel Device must match the version on the SNMP manager. With SNMPv1 and SNMPv2c the community strings below are the only credential and travel in cleartext, so use SNMPv3 wherever the manager supports it.
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests; change it from the default.
Set Community: Enter the Set Community, which is the password for incoming Set requests from the management station. The default is private and allows all requests; change it from the default, since anyone who knows it can write to the Zyxel Device's MIBs.
SNMPv3: Select the SNMP version for the Zyxel Device. The SNMP version on the Zyxel Device must match the version on the SNMP manager. SNMPv3 (RFCs 3413 to 3415) provides secure access by authenticating and encrypting data packets over the network. The Zyxel Device uses your login password as the SNMPv3 authentication and encryption passphrase.
Note: Your login password must consist of at least 8 printable characters for SNMPv3. An error message will display if your login password has fewer characters.
Add: Click this to create a new SNMPv3 user entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Double-click an entry or select it and click Edit to modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
#: This is the index number of the entry.
User: This displays the name of the user object to be sent to the SNMP manager along with the SNMPv3 trap.
Authentication: This displays the authentication algorithm used for this entry. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower.
Privacy: This displays the encryption method for SNMP communication from this user. Methods available are:
· DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
· AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
Prefer SHA with AES; keep MD5 and DES only for a manager that supports nothing newer.
Privilege: This displays the access rights to MIBs.
· Read-Write - The associated user can create and edit the MIBs on the Zyxel Device, except the user account.
· Read-Only - The associated user can only collect information from the Zyxel Device MIBs.
Service Control: This specifies from which computers you can access which Zyxel Device zones.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 377 on page 863 for details on the screen that opens.
Edit: Double-click an entry or select it and click Edit to modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move: To change an entry's position in the numbered list, select the entry and click Move to display a field; type the number for where you want to put it and press [ENTER] to move the rule to that position.
#: This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the Zyxel Device's (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that the traffic will match so the Zyxel Device does not fall through to the default policy.
Zone: This is the zone on the Zyxel Device the user is allowed or denied to access.
Address: This is the object name of the IP address(es) from which the computer is allowed or denied access.
Action: This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

42.11.5 Add SNMPv3 User
Click Add under SNMPv3 in Configuration > System > SNMP to create an SNMPv3 user for authentication with managers using SNMPv3. Use the username and password of the login accounts you specify in this screen to create the matching accounts on the SNMPv3 manager.
Figure 602 Configuration > System > SNMP(v3) > Add

The following table describes the labels in this screen.

Table 387 Configuration > System > SNMP(v3) > Add

LABEL: DESCRIPTION
User: Specify the username of a login account on the Zyxel Device. The associated password is used in the authentication algorithm and the encryption method.
Authentication: Select an authentication algorithm. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower.
Privacy: Specify the encryption method for SNMP communication from this user. You can choose one of the following:
· DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
· AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
Privilege: Select the access rights to MIBs.
· Read-Write - The associated user can create and edit the MIBs on the Zyxel Device, except the user account.
· Read-Only - The associated user can only collect information from the Zyxel Device MIBs.
OK: Click OK to save the changes.
Cancel: Click Cancel to begin configuring this screen afresh.
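The following is an added example, not code from this guide or from Zyxel, showing what the SNMP manager does with the username and password you configure here: it turns the password into the SNMPv3 USM authentication and privacy keys (RFC 3414, sections A.2 and A.3). It makes concrete why the guide insists on an 8-character minimum and why MD5/DES and SHA/AES yield keys of different sizes. The password "maplesyrup" and the 12-byte engine ID are RFC 3414's published test vectors, not values from any real device; a manager learns the Zyxel Device's real engine ID at discovery time.

```python
"""Added example, not from the Zyxel guide: how the username/password you configure
in this screen turns into SNMPv3 USM keys on the manager side (RFC 3414, A.2 and
A.3). The password "maplesyrup" and the 12-byte engine ID are RFC 3414's published
test vectors, not values from any real device.
"""
import hashlib
from typing import Dict

_HASH = {"MD5": "md5", "SHA": "sha1"}   # the two auth protocols the screen offers


def password_to_key(password: str, engine_id: bytes, auth: str) -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the repeated password, then localize to the engine."""
    if len(password) < 8:
        # Same limit the guide's note states for the SNMPv3 passphrase.
        raise ValueError("SNMPv3 passphrase must be at least 8 characters")
    name = _HASH[auth.upper()]
    pw = password.encode()
    stream = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    ku = hashlib.new(name, stream).digest()                 # user key, engine-independent
    return hashlib.new(name, ku + engine_id + ku).digest()  # localized key Kul


def usm_keys(password: str, engine_id: bytes, auth: str = "SHA", priv: str = "AES") -> Dict[str, bytes]:
    """Derive the authentication key and the privacy key material for one user.

    The privacy key is derived with the *authentication* hash from the same
    password, which is what happens on the Zyxel Device when the login password
    serves as both passphrases.
    DES (RFC 3414 8.1.1.1): first 8 bytes of the localized key are the DES key,
    the next 8 are the pre-IV. AES-128 (RFC 3826 3.1.2.1): the first 16 bytes are
    the key; the IV comes from the message's engine boots/time, not from the key.
    """
    kul = password_to_key(password, engine_id, auth)
    out = {"auth_key": kul}
    if priv.upper() == "DES":
        out["priv_key"], out["priv_pre_iv"] = kul[:8], kul[8:16]
    elif priv.upper() == "AES":
        out["priv_key"] = kul[:16]
    else:
        raise ValueError("priv must be DES or AES")
    return out


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 test vector
    for a in ("MD5", "SHA"):
        print(a, password_to_key("maplesyrup", engine, a).hex())
    print(usm_keys("maplesyrup", engine, "SHA", "DES"))
```

Two things follow from the derivation. The localized key depends on the engine ID, so the same password gives a different key on every device, and a key captured from one agent does not work against another. The 1 MiB expansion slows brute force by a constant factor only; the 8-character minimum is a floor, not a target, and the password should be as long as the manager accepts.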

42.11.6 Service Control Rules
Click the Add or Edit icon in the Service Control table to add a service control rule.
Figure 603 Configuration > System > SNMP > Service Control Rule Add/Edit


The following table describes the labels in this screen.

Table 388 Configuration > System > SNMP > Service Control Rule Add/Edit

LABEL: DESCRIPTION
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Address Object: Select ALL to allow or deny any computer to communicate with the Zyxel Device using SNMP. Select a predefined address object to allow or deny only the computers with the IP addresses it contains to access the Zyxel Device using SNMP.
Zone: Select ALL to allow or prevent any Zyxel Device zone from being accessed using SNMP. Select a predefined Zyxel Device zone on which an incoming service is allowed or denied.
Action: Select Accept to allow the user to access the Zyxel Device from the specified computers. Select Deny to block the user's access to the Zyxel Device from the specified computers.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
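The Service Control tables in the SSH (42.8.4), TELNET (42.9.2), FTP (42.10.2) and SNMP (42.11.6) screens all work the same way: numbered rules are tried in order, the first rule whose Zone and Address both match decides Accept or Deny, and the unnumbered "-" row is the default policy for everything else. The following is an added example, not code from this guide or from Zyxel, that models that evaluation and flags rules an earlier, broader rule makes unreachable. The zone names, address objects and rules are constructed for the demo; the default action is a parameter because the guide does not state what the "-" row does on your model, so read it from the screen.

```python
"""Added example, not from the Zyxel guide: first-match evaluation of a Service
Control table and detection of rules that can never match. Zones, address
objects and rules below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    zone: str      # "ALL" or a zone name, e.g. "LAN1", "WAN"
    address: str   # "ALL" or the name of an address object
    action: str    # "Accept" or "Deny"


# Constructed stand-ins for Object > Address entries.
ADDRESS_OBJECTS: Dict[str, List[str]] = {
    "ADMIN_NET": ["192.168.1.0/24"],
    "JUMP_HOST": ["203.0.113.10/32"],
}


def _address_matches(obj: str, ip: str) -> bool:
    if obj == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ADDRESS_OBJECTS.get(obj, []))


def evaluate(rules: List[Rule], zone: str, ip: str, default: str) -> str:
    """Action for a management connection arriving on `zone` from `ip`:
    the first matching numbered rule wins, otherwise the "-" default policy."""
    for rule in rules:
        if rule.zone in ("ALL", zone) and _address_matches(rule.address, ip):
            return rule.action
    return default


def shadowed(rules: List[Rule]) -> List[int]:
    """1-based numbers of rules that an earlier, broader rule always pre-empts.
    A rule is shadowed when an earlier rule covers its zone (same or ALL) and its
    address object (same or ALL); such a rule is dead whatever its action."""
    dead: List[int] = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.zone in ("ALL", later.zone) and earlier.address in ("ALL", later.address):
                dead.append(i + 1)
                break
    return dead


# A conventional allow-list: admin subnet on LAN1, one jump host on WAN, deny the rest.
GOOD = [Rule("LAN1", "ADMIN_NET", "Accept"),
        Rule("WAN", "JUMP_HOST", "Accept"),
        Rule("ALL", "ALL", "Deny")]

# Same intent, wrong order: the catch-all Deny is first, so rule 2 never fires.
BAD = [Rule("ALL", "ALL", "Deny"),
       Rule("LAN1", "ADMIN_NET", "Accept")]


if __name__ == "__main__":
    print(evaluate(GOOD, "LAN1", "192.168.1.20", default="Deny"))   # Accept
    print(evaluate(BAD, "LAN1", "192.168.1.20", default="Deny"))    # Deny
    print("shadowed rules in BAD:", shadowed(BAD))                   # [2]
```

The GOOD list is the shape to aim for on every one of the four screens: specific Accept rules first, an explicit ALL/ALL Deny last so that the behaviour does not depend on the non-editable default row. Run shadowed() over a transcribed table after using Move; a non-empty result means a rule was placed below the catch-all that swallows it.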

42.12 Authentication Server
You can set the Zyxel Device to work as a RADIUS server to exchange messages with a RADIUS client, such as an AP, for user authentication and authorization. Click the Configuration > System > Auth. Server tab. The screen appears as shown. Use this screen to enable the authentication server feature of the Zyxel Device and specify the RADIUS client's IP address.
Figure 604 Configuration > System > Auth. Server


The following table describes the labels in this screen.

Table 389 Configuration > System > Auth. Server

LABEL: DESCRIPTION
Enable Authentication Server: Select the check box to have the Zyxel Device act as a RADIUS server.
Authentication Server Certificate: Select the certificate whose corresponding private key is to be used to identify the Zyxel Device to the RADIUS client. You must have certificates already configured in the My Certificates screen.
Authentication Method: Select an authentication method if you have created any in the Configuration > Object > Auth. Method screen.
Trusted Client: Use this section to configure trusted clients in the Zyxel Device RADIUS server database. Only the clients listed here, each with its own shared secret, can exchange RADIUS messages with the Zyxel Device.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Double-click an entry or select it and click Edit to modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
#: This is the index number of the entry.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Profile Name: This field indicates the name assigned to the profile.
IP Address: This is the IP address of the RADIUS client that is allowed to exchange messages with the Zyxel Device.
Mask: This is the subnet mask of the RADIUS client.
Description: This is the description of the RADIUS client.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

42.12.1 Add/Edit Trusted RADIUS Client
Click Configuration > System > Auth. Server to display the Auth. Server screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new entry or edit an existing one.
Figure 605 Configuration > System > Auth. Server > Add/Edit


The following table describes the labels in this screen.

Table 390 Configuration > System > Auth. Server > Add/Edit

LABEL: DESCRIPTION
Activate: Select this check box to make this profile active.
Profile Name: Enter a descriptive name (up to 31 alphanumeric characters) for identification purposes.
IP Address: Enter the IP address of the RADIUS client that is allowed to exchange messages with the Zyxel Device.
Netmask: Enter the subnet mask of the RADIUS client. A mask shorter than a single host extends this profile, and its secret, to every address in that range, so keep it to the client's own address unless a whole block of clients genuinely shares the secret.
Secret: Enter a password (up to 64 alphanumeric characters) as the key to be shared between the Zyxel Device and the RADIUS client. The key is not sent over the network; it is only used on each side to protect and verify the RADIUS messages. This key must be the same on the RADIUS client and the Zyxel Device. Use a different secret for each client so that one compromised client cannot impersonate another.
Description: Enter a description of the client, if any. You can use up to 60 printable ASCII characters.
OK: Click OK to save the changes.
Cancel: Click Cancel to discard the changes.
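The following is an added example, not code from this guide or from Zyxel, showing what "the key is not sent over the network" means in RADIUS terms (RFC 2865). The client (an AP, say) and the Zyxel Device acting as RADIUS server both hold the shared secret; the client uses it to hide the User-Password attribute in the Access-Request, and the server uses it to compute the Response Authenticator that the client checks. Neither side ever transmits the secret. The secret, password and 16-byte Request Authenticator below are constructed for the demo.

```python
"""Added example, not from the Zyxel guide: the two places the RADIUS shared secret
is used (RFC 2865 sections 3 and 5.2). All values below are constructed for the demo.
"""
import hashlib
import hmac
import os


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR block i with
    MD5(secret + previous block), the first "previous block" being the
    Request Authenticator the client chose for this packet."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server runs it. Trailing NULs are the
    padding and are stripped (a password ending in NUL is therefore not representable)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The server puts this in the reply; the secret never appears on the wire."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()


def verify_response(code: int, ident: int, attrs: bytes, request_auth: bytes,
                    secret: bytes, received_auth: bytes) -> bool:
    """Client-side check; a wrong secret on either end makes this fail."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)


ACCESS_ACCEPT = 2


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)                   # client picks a fresh 16-byte nonce
    hidden = hide_password(b"correct horse battery", secret, req_auth)
    print(len(hidden), reveal_password(hidden, secret, req_auth))
    auth = response_authenticator(ACCESS_ACCEPT, 7, b"", req_auth, secret)
    print(verify_response(ACCESS_ACCEPT, 7, b"", req_auth, secret, auth),
          verify_response(ACCESS_ACCEPT, 7, b"", req_auth, b"wrong", auth))
```

Note what the construction does and does not give you. The hidden password is only as strong as the secret and the MD5 mask, and a Request Authenticator that repeats lets an observer XOR two hidden passwords together, which is why a client must pick it fresh per packet. This is also why a short secret, or one reused across the trusted clients above, is a real weakness even though it never crosses the wire.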

42.13 Notification > Mail Server
Use this screen to configure a mail server so you can receive reports and notification emails, such as when your password is about to expire. After you configure the screen, you can test the settings in Maintenance > Diagnostics > Network Tool by selecting Test Email Server. See Configuration > Log & Report > Email Daily Report to configure what reports to send and to whom.
Click Configuration > System > Notification to display the Mail Server screen.
Figure 606 Configuration > System > Notification


The following table describes the labels in this screen.

Table 391 Configuration > System > Notification

LABEL

DESCRIPTION

Mail Server

Type the name or IP address of the outgoing SMTP server.

Mail Subject

Go to Configuration > Log & Report > Email Daily Report to type a subject line for outgoing email from the Zyxel Device.

Append system name

Select Append system name to add the Zyxel Device's system name to the subject.

Append date time

Select Append date time to add the Zyxel Device's system date and time to the subject.

Mail Server Port

Enter the same port number here as is on the mail server for mail traffic.

TLS Security

Select this option if the mail server uses Transport Layer Security (TLS) for encrypted communications between the mail server and the Zyxel Device. If neither TLS Security nor STARTTLS is selected, the whole session, including any SMTP Authentication user name and password, is sent in clear text.

STARTTLS

Select this option if the mail server starts the session as plain SMTP and upgrades it to TLS with the STARTTLS command (commonly port 587), rather than using TLS from the first byte of the connection (commonly port 465).

Authenticate Server

Select this to have the Zyxel Device verify the mail server's certificate in the TLS handshake. Without it, TLS still encrypts the session but does not prove that the Zyxel Device is talking to the intended server.

Mail From

Type the email address from which the outgoing email is delivered. This address is used in replies.

SMTP Authentication

Select this check box if it is necessary to provide a user name and password to the SMTP server.

User Name

This box is effective when you select the SMTP Authentication check box. Type the user name to provide to the SMTP server when the log is emailed.

Password

This box is effective when you select the SMTP Authentication check box. Type a password of up to 63 characters to provide to the SMTP server when the log is emailed.

Retype to Confirm

Type the password again to make sure that you have entered it correctly.

Time for sending report

Select the time of day (hours and minutes) when the log is emailed. Use 24-hour notation.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

42.14 Notification > SMS

The Zyxel Device supports Short Message Service (SMS) to send short text messages to mobile phone devices.

Click Configuration > System > Notification > SMS to open the following screen.

Figure 607 Configuration > System > Notification > SMS

The following table describes the labels in this screen.

Table 392 Configuration > System > Notification > SMS

LABEL

DESCRIPTION

General Settings

Enable SMS

Select the check box to turn on the SMS service.

Default country code for phone number

Enter the default country code for the mobile phone number to which you want to send SMS messages.

SMS Provider

The Zyxel Device uses Email-to-SMS Provider to forward SMS messages.

Note: Go to the Configuration > System > Notification > Mail Server screen to configure a mail server to allow the Zyxel Device to send SMS messages to the SMS service provider using emails.

Provider Domain

Enter the domain name of your SMS service provider. The domain name can be up to 252 characters.

Select auto append to "Mail to" to add the domain name of your SMS service provider after the mobile phone number in the Mail To field.

Mail Subject

Type the subject line of up to 128 characters for outgoing e-mail from the Zyxel Device.

Mail From

Enter the sender's email address of up to 64 characters. This email address needs to be in your SMS provider's allowed sender address list.

If you leave this field blank, the Zyxel Device will use the IP address or domain name of the Mail Server field in the Configuration > System > Notification > Mail Server screen.

Mail To

Enter the mobile phone number of up to 80 characters. You can only have one receiver.

Use the variable [$mobile_number$] and the Zyxel Device will use the mobile phone number of the user logging in. Go to the Configuration > Object > User/Group > User screen to add a valid mobile telephone number for a user.

Apply

Click this button to save your changes to the Zyxel Device.

Reset

Click this button to return the screen to its last-saved settings.

42.15 Notification > Response Message

Use this screen to create a web page that is shown when access to a website is restricted due to a security service. Click Configuration > System > Notification > Response Message to open the following screen.

Figure 608 Configuration > System > Notification > Response Message

The following table describes the labels in this screen.

Table 393 Configuration > System > Notification > Response Message

LABEL

DESCRIPTION

Message

Use this part of the screen to create a message to display when access to a website is blocked due to a security service.

Edit

Double-click an entry or select it and click Edit to be able to modify the entry's settings.

#

This is the index number of the entry.

Service

This is the security service that may restrict access to a website.

Denied Access Message

Type a message to display when access to a website is blocked due to this security service. You may type up to 127 characters.

Page Layout

Use this part of the screen to create a web page to display when access to a website is blocked due to a security service.

Use Customized

Select this if you want to specify a logo and colors in the access blocked web page. You cannot change the banner message.

Preview Web Page

Use this to see how the colors look in your customized access blocked web page. The below example also shows the location of the access blocked message, the logo and banner.

File Path

Type the path to the access blocked web page file or use Browse to find it on your computer. Then click Upload to send the file to the Zyxel Device.

Table 393 Configuration > System > Notification > Response Message (continued)

LABEL

DESCRIPTION

Message Color

Specify the font color of the message. You can use the Color palette chooser, or enter a CSS hex color code. For example, the CSS hex color code for blue is #0000FF.

Background Color

Specify the color of the access blocked web page background. You can use the Color palette chooser, or enter a CSS hex color code. For example, the CSS hex color code for blue is #0000FF.

Banner Color

Specify the color of the access blocked web page banner. You can use the Color palette chooser, or enter a CSS hex color code. For example, the CSS hex color code for blue is #0000FF.

Banner Message Color

Specify the color of the access blocked web page banner text. You can use the Color palette chooser, or enter a CSS hex color code. For example, the CSS hex color code for blue is #0000FF.

Apply

Click this button to save your changes to the Zyxel Device.

Reset

Click this button to return the screen to its last-saved settings.

42.16 Language Screen

Click Configuration > System > Language to open the following screen. Use this screen to select a display language for the Zyxel Device's Web Configurator screens.

Figure 609 Configuration > System > Language

The following table describes the labels in this screen.

Table 394 Configuration > System > Language

LABEL

DESCRIPTION

Language Setting

Select a display language for the Zyxel Device's Web Configurator screens. You also need to open a new browser session to display the screens in the new language.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

42.17 IPv6 Screen

Click Configuration > System > IPv6 to open the following screen. Use this screen to enable IPv6 support on the Zyxel Device; the IPv6 settings then become available on the Web Configurator screens that support them.

Figure 610 Configuration > System > IPv6

The following table describes the labels in this screen.

Table 395 Configuration > System > IPv6

LABEL

DESCRIPTION

Enable IPv6

Select this to have the Zyxel Device support IPv6 and make the IPv6 settings available on the screens that support them, such as the Configuration > Network > Interface > Ethernet, VLAN, and Bridge screens. The Zyxel Device discards all IPv6 packets if you clear this check box.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

42.18 Zyxel One Network (ZON) Utility

The Zyxel One Network (ZON) utility uses the Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices in the same broadcast domain as the computer on which ZON is installed.

The ZON Utility issues requests via ZDP and, in response to the query, the Zyxel device responds with basic information including IP address, firmware version, location, system name and model name. The information is then displayed in the ZON Utility screen, where you can perform tasks such as basic configuration of the devices and batch firmware upgrades. You can download the ZON Utility at www.zyxel.com and install it on a computer.

42.18.1 Requirements
Before installing the ZON Utility on your computer, please make sure it meets the requirements listed below.

Operating System

At the time of writing, the ZON Utility is compatible with:

· Windows 7 (both 32-bit / 64-bit versions)
· Windows 8 (both 32-bit / 64-bit versions)
· Windows 8.1 (both 32-bit / 64-bit versions)
· Windows 10 (both 32-bit / 64-bit versions)

Note: To check your Windows operating system version, right-click My Computer > Properties. You should see this information in the General tab.

Hardware

Here are the minimum hardware requirements to use the ZON Utility on your computer.

· Core i3 processor
· 2GB RAM
· 100MB free hard disk
· WXGA (Wide XGA 1280x800)

42.18.2 Run the ZON Utility

1 Double-click the ZON Utility to run it.

2 The first time you run the ZON Utility you will see whether your Zyxel Device and firmware version support the ZON Utility. Click the OK button to close this screen.
Figure 611 Supported Devices and Versions

If you want to check the supported models and firmware versions later, you can click the Show information about ZON icon in the upper right hand corner of the screen. Then select the Supported model and firmware version link. If your device is not listed here, see the device release notes for ZON utility support. The release notes are in the firmware zip file on the Zyxel web site.

Figure 612 ZON Utility Screen
3 Select a network adapter to which your supported devices are connected.
Figure 613 Network Adapter

4 Click the Go button for the ZON Utility to discover all supported devices in your network.

Figure 614 Discovery

5 The ZON Utility screen shows the devices discovered.

Figure 615 ZON Utility Screen


6 Select a device and then use the icons to perform actions. Some functions may not be available for your devices.

The following table describes the icons numbered from left to right in the ZON Utility screen.

Table 396 ZON Utility Icons

ICON

DESC RIPTIO N

1 IP configuration

Change the selected device's IP address.

2 Renew IP Address

Update a DHCP-assigned dynamic IP address.

Table 396 ZON Utility Icons (continued)

ICON

DESCRIPTION

3 Reboot Device

Use this icon to restart the selected device(s). This may be useful when troubleshooting or upgrading new firmware.

4 Reset Configuration to Default

If you forget your password or cannot access the Web Configurator, you can use this icon to reload the factory-default configuration file. This means that you will lose all configurations that you had previously.

5 Locator LED

Use this icon to locate the selected device by causing its Locator LED to blink.

6 Web GUI

Use this to access the selected device's web configurator from your browser. You will need a username and password to log in.

7 Firmware Upgrade

Use this icon to upgrade new firmware to selected device(s) of the same model. Make sure you have downloaded the firmware from the Zyxel website to your computer and unzipped it in advance.

If your Zyxel Device supports dual firmware images, the standby image will be upgraded. After the new firmware is uploaded, your Zyxel Device will reboot, and the new firmware will be the running firmware.

8 Change Password

Use this icon to change the admin password of the selected device. You must know the current admin password before changing to a new one.

9 Configure NCC Discovery

You must have Internet access to use this feature. Use this icon to enable or disable the Nebula Control Center (NCC) discovery feature on the selected device. If it is enabled, the selected device will try to connect to the NCC. Once the selected device is connected to and has registered in the NCC, it will go into the cloud management mode.

10 ZAC

Use this icon to run the Zyxel AP Configurator on the selected AP.

11 Clear and Rescan

Use this icon to clear the list and discover all devices on the connected network again.

12 Save Configuration

Use this icon to save configuration changes to permanent memory on a selected device.

13 Settings

Use this icon to select a network adapter for the computer on which the ZON utility is installed, and the utility language.

The following table describes the fields in the ZON Utility main screen.

Table 397 ZON Utility Fields

LABEL

DESCRIPTION

Type

This field displays an icon of the kind of device discovered.

Model

This field displays the model name of the discovered device.

Firmware Version

This field displays the firmware version of the discovered device.

MAC Address

This field displays the MAC address of the discovered device.

IP Address

This field displays the IP address of the internal interface on the discovered device that first received a ZDP discovery request from the ZON utility.

System Name

This field displays the system name of the discovered device.

Location

This field displays where the discovered device is.

Status

This field displays whether changes to the discovered device have been done successfully. As the Zyxel Device does not support IP Configuration, Renew IP address and Flash Locator LED, this field displays "Update failed", "Not support Renew IP address" and "Not support Flash Locator LED" respectively.

NCC Discovery

This field displays if the discovered device supports the Nebula Control Center (NCC) discovery feature. If it's enabled, the selected device will try to connect to the NCC. Once the selected device is connected to and has registered in the NCC, it'll go into the cloud management mode.

Table 397 ZON Utility Fields (continued)

LABEL

DESCRIPTION

Serial Number

Enter the admin password of the discovered device to display its serial number.

Hardware Version

This field displays the hardware version of the discovered device.

42.18.3 Zyxel One Network (ZON) System Screen

Enable ZDP (ZON) and Smart Connect (Ethernet Neighbor) in the System > ZON screen.

See Monitor > System Status > Ethernet Neighbor for information on using Smart Connect (Link Layer Discovery Protocol (LLDP)) for discovering and configuring LLDP-aware devices in the same broadcast domain as the Zyxel Device that you're logged into using the web configurator.

The following figure shows the System > ZON screen.

Figure 616 Configuration > System > ZON

The following table describes the labels in this screen.

Table 398 Configuration > System > ZON

LABEL

DESCRIPTION

ZDP

Zyxel Discovery Protocol (ZDP) is the protocol that the Zyxel One Network (ZON) utility uses for discovering and configuring ZDP-aware Zyxel devices in the same broadcast domain as the computer on which ZON is installed.

Enable

Select to activate ZDP discovery on the Zyxel Device. ZDP answers queries from any computer in the same broadcast domain with the Zyxel Device's model, firmware version and IP address (see Section 42.18), so enable it only while you are actually using the ZON Utility.

Smart Connect

Smart Connect uses Link Layer Discovery Protocol (LLDP) for discovering and configuring LLDP-aware devices in the same broadcast domain as the Zyxel Device that you're logged into using the web configurator.

Enable

Select to activate LLDP discovery on the Zyxel Device. See also Monitor > System Status > Ethernet Neighbor.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

CHAPTER 43 Log and Report

43.1 Overview

Use these screens to configure daily reporting and log settings.

43.1.1 What You Can Do In this Chapter

· Use the Email Daily Report screen (Section 43.2 on page 902) to configure where and how to send daily reports and what reports to send.

· Use the Log Setting screens (Section 43.3 on page 904) to specify settings for recording log messages and alerts, e-mailing them, storing them on a connected USB storage device, and sending them to remote syslog servers.

43.2 Email Daily Report

Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your Zyxel Device. See Configuration > System > Notification to set up the mail server.

Note: Data collection may decrease the Zyxel Device's traffic throughput rate.

Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the Zyxel Device email you system statistics every day.
Figure 617 Configuration > Log & Report > Email Daily Report

The following table describes the labels in this screen.

Table 399 Configuration > Log & Report > Email Daily Report

LABEL

DESCRIPTION

Enable Email Daily Report

Select this to send reports by email every day.

Mail Subject

Type the subject line for outgoing email from the Zyxel Device.

Table 399 Configuration > Log & Report > Email Daily Report (continued)

LABEL

DESCRIPTION

Mail To

Type the email address (or addresses) to which the outgoing email is delivered.

Send Report Now

Click this button to have the Zyxel Device send the daily email report immediately.

Report Items

Select the information to include in the report. Types of information include System Resource Usage, Wireless Report, Security Service, Interface Traffic Statistics and DHCP Table.

Reset All Counters

Select Reset counters after sending report successfully if you only want to see statistics for a 24 hour period.

Click this to discard all report data and start all of the counters over at zero.

Apply

Click Apply to save your changes back to the Zyxel Device.

Reset

Click Reset to return the screen to its last-saved settings.

43.3 Log Setting Screens

The Log Setting screens control log messages and alerts. A log message stores the information for viewing or regular emailing later, and an alert is emailed immediately. Usually, alerts are used for events that require more serious attention, such as system errors and attacks.

The Zyxel Device provides a system log and supports email profiles and remote syslog servers. View the system log in the MONITOR > Log screen. Use the email profiles to mail log messages to specific destinations. You can also have the Zyxel Device store system logs on a connected USB storage device. The other four logs are stored on specified syslog servers.

The Log Setting screens control what information the Zyxel Device saves in each log. You can also specify which log messages to email for the system log, and where and how often to email them. These screens also set for which events to generate alerts and where to email the alerts.

The first Log Setting screen provides a settings summary. Use the Edit screens to configure settings such as log categories, email addresses, and server names for any log. Use the Log Category Settings screen to edit what information is included in the system log, USB storage, email profiles, and remote servers.

43.3.1 Log Setting Summary

To access this screen, click Configuration > Log & Report > Log Setting.

Figure 618 Configuration > Log & Report > Log Setting

The following table describes the labels in this screen.

Table 400 Configuration > Log & Report > Log Setting

LABEL

DESCRIPTION

Edit

Double-click an entry or select it and click Edit to open a screen where you can modify it.

Activate

To turn on an entry, select it and click Activate.

Inactivate

To turn off an entry, select it and click Inactivate.

#

This field is a sequential value, and it is not associated with a specific log.

Status

The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

Name

This field displays the type of log setting entry (system log, logs stored on a USB storage device connected to the Zyxel Device, or one of the remote servers).

Log Format

This field displays the format of the log.

Internal - system log; you can view the log on the View Log tab.

VRPT/Syslog - Zyxel's Vantage Report, syslog-compatible format.

CEF/Syslog - Common Event Format, syslog-compatible format.

Summary

This field is a summary of the settings for each log. Please see Section 43.3.2 on page 905 for more information.

Log Category Settings

Click this button to open the Log Category Settings Edit screen.

Apply

Click this button to save your changes (activate and deactivate logs) and make them take effect.

43.3.2 Edit System Log Settings

The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the email profiles). Go to the Log Settings Summary screen (see Section 43.3.1 on page 904), and click the system log Edit icon.

Figure 619 Configuration > Log & Report > Log Setting > Edit (System Log - E-mail Servers)

Figure 620 Configuration > Log & Report > Log Setting > Edit (System Log)

Figure 621 Configuration > Log & Report > Log Setting > Edit (System Log - AP)

The following table describes the labels in this screen.

Table 401 Configuration > Log & Report > Log Setting > Edit (System Log)

LABEL

DESCRIPTION

E-Mail Server 1/2

Active

Select this to send log messages and alerts according to the information in this section. You specify what kinds of log messages are included in log information and what kinds of log messages are included in alerts in the Active Log and Alert section.

Mail Server

Type the name or IP address of the outgoing SMTP server.

Mail Server Port

Enter the same port number here as is on the mail server for mail traffic.

Mail Subject

Type the subject line for the outgoing email.

Send From

Type the email address from which the outgoing email is delivered. This address is used in replies.

Send Log To

Type the email address to which the outgoing email is delivered.

Send Alerts To

Type the email address to which alerts are delivered.

Sending Log

Select how often log information is emailed. Choices are: When Full, Hourly and When Full, Daily and When Full, and Weekly and When Full.

Day for Sending Log

This field is available if the log is emailed weekly. Select the day of the week the log is emailed.

Time for Sending Log

This field is available if the log is emailed weekly or daily. Select the time of day (hours and minutes) when the log is emailed. Use 24-hour notation.

SMTP Authentication

Select this check box if it is necessary to provide a user name and password to the SMTP server.

User Name

This box is effective when you select the SMTP Authentication check box. Type the user name to provide to the SMTP server when the log is emailed.

Password

This box is effective when you select the SMTP Authentication check box. Type the password of up to 63 characters to provide to the SMTP server when the log is emailed.

Retype to Confirm

Type the password again to make sure that you have entered it correctly.

Active Log and Alert

System Log

Use the System Log drop-down list to change the log settings for all of the log categories.

disable all logs (red X) - do not log any information for any category for the system log or email any logs to email server 1 or 2.

enable normal logs (green check mark) - create log messages and alerts for all categories for the system log. If email server 1 or 2 also has normal logs enabled, the Zyxel Device will email logs to them.

enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories. The Zyxel Device does not email debugging information, even if this setting is selected.

Table 401 Configuration > Log & Report > Log Setting > Edit (System Log) (continued)

LABEL

DESCRIPTION

E-mail Server 1

Use the E-Mail Server 1 drop-down list to change the settings for emailing logs to email server 1 for all log categories.

Using the System Log drop-down list to disable all logs overrides your email server 1 settings.

enable normal logs (green check mark) - email log messages for all categories to email server 1.

enable alert logs (red exclamation point) - email alerts for all categories to email server 1.

E-mail Server 2

Use the E-Mail Server 2 drop-down list to change the settings for emailing logs to email server 2 for all log categories.

Using the System Log drop-down list to disable all logs overrides your email server 2 settings.

enable normal logs (green check mark) - email log messages for all categories to email server 2.

enable alert logs (red exclamation point) - email alerts for all categories to email server 2.

Log Category

This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software.

System log

Select which events you want to log by Log Category. There are three choices:

disable all logs (red X) - do not log any information from this category

enable normal logs (green check mark) - create log messages and alerts from this category

enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information from this category; the Zyxel Device does not email debugging information, however, even if this setting is selected.

E-mail Server 1

Select whether each category of events should be included in the log messages when it is emailed (green check mark) and/or in alerts (red exclamation point) for the email settings specified in E-Mail Server 1. The Zyxel Device does not email debugging information, even if it is recorded in the System log.

E-mail Server 2

Select whether each category of events should be included in log messages when it is emailed (green check mark) and/or in alerts (red exclamation point) for the email settings specified in E-Mail Server 2. The Zyxel Device does not email debugging information, even if it is recorded in the System log.

Log Consolidation Active

Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text "[count=x]", where x is the number of original log messages, is appended at the end of the Message field when multiple log messages were aggregated.

Log Consolidation Interval

Type how often, in seconds, to consolidate log information. If the same log message appears multiple times, it is aggregated into one log message with the text "[count=x]", where x is the number of original log messages, appended at the end of the Message field.

OK

Click this to save your changes and return to the previous screen.

Cancel

Click this to return to the previous screen without saving your changes.
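The CEF/Syslog format listed in the Log Setting summary and the "[count=x]" suffix that log consolidation appends to the Message field both have to be handled by whatever collects the logs, or a detection rule will count one consolidated line as one event. The following Python is an added example (not code from this guide or from Zyxel) that parses syslog-wrapped CEF lines, honours the CEF escaping rules for "|", "=" and "\", and pulls the consolidation count back out of the message text. The CEF header layout (CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extensions) is the published format; the sample lines, vendor and product strings and extension keys are constructed for illustration, since this page does not show the exact fields the Zyxel Device emits.

```python
"""Added example: parse syslog-wrapped CEF events and recover the consolidation count.

The CEF header layout is the published format; the sample lines and extension
keys below are constructed for illustration, not captured Zyxel output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample syslog lines (assumed vendor/product strings and field names).
SAMPLE_LINES = [
    "<134>Oct 12 10:00:01 fw01 CEF:0|Zyxel|USG FLEX|4.60|100|Firewall deny|5|"
    "src=10.1.2.3 dst=198.51.100.7 dpt=445 proto=TCP msg=deny [count=12]",
    "<132>Oct 12 10:00:02 fw01 CEF:0|Zyxel|USG FLEX|4.60|200|Login failed|8|"
    "suser=admin src=203.0.113.9 msg=Login attempt failed\\=bad password",
    "<134>Oct 12 10:00:03 fw01 CEF:0|Vendor\\|Inc|Prod|1.0|1|Pipe\\|in name|3|msg=ok",
]

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_KV_RE = re.compile(r"(?:^|\s)(\w+)=")              # extension keys; an escaped \= never matches
_COUNT_RE = re.compile(r"\s*\[count=(\d+)\]\s*$")   # suffix added by log consolidation


@dataclass
class CefEvent:
    facility: int
    syslog_severity: int
    vendor: str
    product: str
    version: str
    signature_id: str
    name: str
    severity: str
    extensions: dict[str, str] = field(default_factory=dict)
    count: int = 1  # number of original messages this line stands for


def _split_header(body: str) -> list[str]:
    """Split the 7 pipe-delimited header fields, honouring '\\|' and '\\\\' escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header")
    fields.append(body[i:])  # remainder is the raw extension string
    return fields


def _parse_extensions(ext: str) -> dict[str, str]:
    """Split 'key=value key=value'; values may contain spaces and '\\=' / '\\\\' escapes."""
    out: dict[str, str] = {}
    keys = list(_KV_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)  # drop the escaping backslashes
    return out


def parse_cef_line(line: str) -> CefEvent:
    """Parse one '<PRI>timestamp host CEF:0|...' line into a CefEvent."""
    pri = _PRI_RE.match(line)
    start = line.find("CEF:")
    if not pri or start < 0:
        raise ValueError("not a syslog-wrapped CEF line")
    prival = int(pri.group(1))
    hdr = _split_header(line[start:])
    ext = _parse_extensions(hdr[7])
    count = 1
    if "msg" in ext:
        m = _COUNT_RE.search(ext["msg"])
        if m:  # consolidated line: keep the real count, drop the suffix from the text
            count = int(m.group(1))
            ext["msg"] = ext["msg"][:m.start()].rstrip()
    return CefEvent(prival // 8, prival % 8, hdr[1], hdr[2], hdr[3],
                    hdr[4], hdr[5], hdr[6], ext, count)


def total_events(lines: list[str]) -> int:
    """Count what actually happened, not how many lines arrived."""
    return sum(parse_cef_line(l).count for l in lines)
```

With the sample input, a threshold rule that counts lines sees one firewall deny where twelve occurred; summing CefEvent.count instead reports fourteen events for three lines. The same consideration applies to the Log Consolidation Interval: a longer interval means fewer lines but a larger gap between an event and the line that finally reports it.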

43.3.3 Edit Log on USB Storage Setting

The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Setting Summary screen (see Section 43.3.1 on page 904), and click the USB storage Edit icon.

Figure 622 Configuration > Log & Report > Log Setting > Edit (USB Storage)

The following table describes the labels in this screen.

Table 402 Configuration > Log & Report > Log Setting > Edit (USB Storage)

LABEL

DESCRIPTION

Duplicate logs to USB storage (if ready)

Select this to have the Zyxel Device save a copy of its system logs to a connected USB storage device. Use the Active Log section to specify what kinds of messages to include.

Enable log keep duration

Select this check box to enter a value in the Keep Duration field.

Keep Duration

Enter the number of days that the Zyxel Device keeps this log on the USB storage device.

Active Log

Selection

Use the Selection drop-down list to change the log settings for all of the log categories.

disable all logs (red X) - do not save logs for any log category to the USB storage device.

enable normal logs (green check mark) - save log messages and alerts for all log categories to the USB storage device.

enable normal logs and debug logs (yellow check mark) - save log messages, alerts, and debugging information for all log categories to the USB storage device.

Table 402 Configuration > Log & Report > Log Setting > Edit (USB Storage) (continued)

LABEL

DESCRIPTION

Log Category

This field displays each category of messages. The Default category includes debugging messages generated by open source software.

Selection

Select what information you want to log from each Log Category (except All Logs; see below). Choices are:

disable all logs (red X) - do not log any information from this category

enable normal logs (green check mark) - log regular information and alerts from this category

enable normal logs and debug logs (yellow check mark) - log regular information, alerts, and debugging information from this category

OK

Click this to save your changes and return to the previous screen.

Cancel

Click this to return to the previous screen without saving your changes.

43.3.4 Edit Re m o te Se rve r Lo g Se tting s
The Lo g Se tting s Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Lo g Se tting s Sum m a ry screen (see Section 43.3.1 on page 904), and click a remote server Edit icon.
Fig ure 623 Configuration > Log & Report > Log Setting > Edit (Remote Server - AC)

Configuration > Log & Report > Log Setting > Edit (Remote Server - AP)

The following table describes the labels in this screen.

Table 403 Configuration > Log & Report > Log Setting > Edit (Remote Server)

LABEL: DESCRIPTION
Log Settings for Remote Server
Active: Select this check box to send log information according to the information in this section. You specify what kinds of messages are included in log information in the Active Log section.
Log Format: This field displays the format of the log information. It is read-only.
· VRPT/Syslog - Zyxel's Vantage Report, syslog-compatible format.
· CEF/Syslog - Common Event Format, syslog-compatible format.
Server Address: Type the server name or the IP address of the syslog server to which to send log information.
Server Port: Type the service port number used by the remote server.
Log Facility: Select a log facility. The log facility allows you to log the messages to different files in the syslog server. Please see the documentation for your syslog program for more information.
Active Log
Selection: Use the Selection drop-down list to change the log settings for all of the log categories.
· disable all logs (red X) - do not send the remote server logs for any log category.
· enable normal logs (green check mark) - send the remote server log messages and alerts for all log categories.
· enable normal logs and debug logs (yellow check mark) - send the remote server log messages, alerts, and debugging information for all log categories.
Log Category: This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software.
Selection: Select what information you want to log from each Log Category (except All Logs; see below). Choices are:
· disable all logs (red X) - do not log any information from this category
· enable normal logs (green check mark) - log regular information and alerts from this category
· enable normal logs and debug logs (yellow check mark) - log regular information, alerts, and debugging information from this category
OK: Click this to save your changes and return to the previous screen.
Cancel: Click this to return to the previous screen without saving your changes.
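A remote syslog server that receives the CEF/Syslog format described in Table 403 stores each event as a syslog line with a CEF message. The following parser is an added example, not Zyxel code: it splits the syslog PRI into the facility (what Log Facility selects) and severity, parses the CEF header and extension with their escape rules, and filters high-severity events. The vendor, product, signature IDs and sample lines are constructed.

```python
"""Parser for CEF/Syslog lines as a remote syslog server would store them.
Added example, not Zyxel code; the sample lines below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Optional BSD-syslog header (<PRI>, timestamp, host) in front of the CEF message.
_SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"(?P<msg>CEF:.*)$")
# An extension key starts at the beginning or after whitespace; '=' inside a
# value must be escaped as '\=' and so never starts a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_WORD_SEVERITY = {"low": 3, "medium": 5, "high": 8, "very-high": 10}

@dataclass
class CefEvent:
    pri: Optional[int]
    timestamp: Optional[str]
    host: Optional[str]
    cef_version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: Dict[str, str] = field(default_factory=dict)

def _split_header(msg: str):
    """Split the seven '|'-delimited header fields, honouring \\| and \\\\ escapes."""
    fields, buf, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg) and msg[i + 1] in "|\\":
            buf.append(msg[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) == 6:  # severity was the last field: the event has no extension
        fields.append("".join(buf))
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 '|'-separated fields")
    return fields, msg[i:]

def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(ext: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out

def parse_cef_syslog(line: str) -> CefEvent:
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a CEF/Syslog line: %r" % line)
    fields, ext = _split_header(m.group("msg"))
    sev = fields[6].strip()
    return CefEvent(
        pri=int(m.group("pri")) if m.group("pri") else None,
        timestamp=m.group("ts"), host=m.group("host"),
        cef_version=fields[0][len("CEF:"):], vendor=fields[1], product=fields[2],
        device_version=fields[3], signature_id=fields[4], name=fields[5],
        severity=int(sev) if sev.isdigit() else _WORD_SEVERITY[sev.lower()],
        extension=_parse_extension(ext))

def syslog_pri_split(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity; the facility is what Log Facility selects."""
    return pri // 8, pri % 8

def high_severity(events: List[CefEvent], threshold: int = 7) -> List[CefEvent]:
    """Events at or above the CEF severity threshold (0-10 scale)."""
    return [e for e in events if e.severity >= threshold]

# Constructed sample lines (not real device output); PRI 134 = local0.info, 132 = local0.warning.
SAMPLE_LINES = [
    "<134>Oct 12 10:15:02 usgflex CEF:0|Zyxel|USG FLEX|4.60|FW-DENY|Firewall deny \\| WAN to ZyWALL|5|"
    "src=203.0.113.7 dst=192.168.1.1 spt=51234 dpt=23 proto=TCP msg=Telnet from WAN blocked",
    "<132>Oct 12 10:15:09 usgflex CEF:0|Zyxel|USG FLEX|4.60|LOGIN-FAIL|Admin login failure|8|"
    "src=203.0.113.7 suser=admin msg=Bad password \\(3rd try\\) cs1=a\\=b cs1Label=Note",
]

def parse_samples() -> List[CefEvent]:
    return [parse_cef_syslog(line) for line in SAMPLE_LINES]
```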

43.3.5 Log Category Settings Screen
The Log Category Settings screen allows you to view and to edit what information is included in the system log, USB storage, email profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is emailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 43.3.1 on page 904), and click the Log Category Settings button.
Figure 624 Log Category Settings AC
Figure 625 Log Category Settings AP
This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 43.3.2 on page 905, where this process is discussed. (The Default category includes debugging messages generated by open source software.)

The following table describes the fields in this screen.

Table 404 Configuration > Log & Report > Log Setting > Log Category Settings

LABEL: DESCRIPTION
System Log: Use the System Log drop-down list to change the log settings for all of the log categories.
· disable all logs (red X) - do not log any information for any category for the system log or email any logs to email server 1 or 2.
· enable normal logs (green check mark) - create log messages and alerts for all categories for the system log. If email server 1 or 2 also has normal logs enabled, the Zyxel Device will email logs to them.
· enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories. The Zyxel Device does not email debugging information, even if this setting is selected.
USB Storage: Use the USB Storage drop-down list to change the log settings for saving logs to a connected USB storage device.
· disable all logs (red X) - do not log any information for any category to a connected USB storage device.
· enable normal logs (green check mark) - create log messages and alerts for all categories and save them to a connected USB storage device.
· enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories and save them to a connected USB storage device.
E-mail Server 1 E-mail: Use the E-Mail Server 1 drop-down list to change the settings for emailing logs to email server 1 for all log categories.
Using the System Log drop-down list to disable all logs overrides your email server 1 settings.
· enable normal logs (green check mark) - email log messages for all categories to email server 1.
· enable alert logs (red exclamation point) - email alerts for all categories to email server 1.
E-mail Server 2 E-mail: Use the E-Mail Server 2 drop-down list to change the settings for emailing logs to email server 2 for all log categories.
Using the System Log drop-down list to disable all logs overrides your email server 2 settings.
· enable normal logs (green check mark) - email log messages for all categories to email server 2.
· enable alert logs (red exclamation point) - email alerts for all categories to email server 2.
Remote Server 1~4 Syslog: For each remote server, use the Selection drop-down list to change the log settings for all of the log categories.
· disable all logs (red X) - do not send the remote server logs for any log category.
· enable normal logs (green check mark) - send the remote server log messages and alerts for all log categories.
· enable normal logs and debug logs (yellow check mark) - send the remote server log messages, alerts, and debugging information for all log categories.
Log Category: This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software.
System Log: Select which events you want to log by Log Category. There are three choices:
· disable all logs (red X) - do not log any information from this category
· enable normal logs (green check mark) - create log messages and alerts from this category
· enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information from this category; the Zyxel Device does not email debugging information, however, even if this setting is selected.


Table 404 Configuration > Log & Report > Log Setting > Log Category Settings (continued)

LABEL: DESCRIPTION
USB Storage: Select which event log categories to save to a connected USB storage device. There are three choices:
· disable all logs (red X) - do not log any information from this category
· enable normal logs (green check mark) - save log messages and alerts from this category
· enable normal logs and debug logs (yellow check mark) - save log messages, alerts, and debugging information from this category.
E-mail Server 1 E-mail: Select whether each category of events should be included in the log messages when it is emailed (green check mark) and/or in alerts (red exclamation point) for the email settings specified in E-Mail Server 1. The Zyxel Device does not email debugging information, even if it is recorded in the System log.
E-mail Server 2 E-mail: Select whether each category of events should be included in log messages when it is emailed (green check mark) and/or in alerts (red exclamation point) for the email settings specified in E-Mail Server 2. The Zyxel Device does not email debugging information, even if it is recorded in the System log.
Remote Server 1~4 Syslog: For each remote server, select what information you want to log from each Log Category (except All Logs; see below). Choices are:
· disable all logs (red X) - do not log any information from this category
· enable normal logs (green check mark) - log regular information and alerts from this category
· enable normal logs and debug logs (yellow check mark) - log regular information, alerts, and debugging information from this category
OK: Click this to save your changes and return to the previous screen.
Cancel: Click this to return to the previous screen without saving your changes.


CHAPTER 44 File Manager
44.1 Overview
Configuration files define the Zyxel Device's settings. Shell scripts are files of commands that you can store on the Zyxel Device and run when you need them. You can apply a configuration file or run a shell script without the Zyxel Device restarting. You can store multiple configuration files and shell script files on the Zyxel Device. You can edit configuration files or shell scripts in a text editor and upload them to the Zyxel Device. Configuration files use a .conf extension and shell scripts use a .zysh extension.
44.1.1 What You Can Do in this Chapter
· Use the Configuration File screen (see Section 44.2 on page 917) to store and name configuration files. You can also download configuration files from the Zyxel Device to your computer and upload configuration files from your computer to the Zyxel Device.
· Use the Firmware Package screen (see Section 44.3 on page 922) to check your current firmware version and upload firmware to the Zyxel Device.
· Use the Shell Script screen (see Section 44.4 on page 928) to store, name, download, upload and run shell script files.
44.1.2 What You Need to Know
Configuration Files and Shell Scripts
When you apply a configuration file, the Zyxel Device uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the Zyxel Device only applies the commands that it contains. Other settings do not change.

Chapter 44 File Manager

These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 626 Configuration File / Shell Script: Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
interface ge3
ip address 172.23.37.240 255.255.255.0
ip gateway 172.23.37.254 metric 1
exit
# create address objects for remote management / to-ZyWALL firewall rules
# use the address group in case we want to open up remote management later
address-object TW_SUBNET 172.23.37.0/24
object-group address TW_TEAM
address-object TW_SUBNET
exit
# enable Telnet access (not enabled by default, unlike other services)
ip telnet server
# open WAN-to-ZyWALL firewall for TW_TEAM for remote management
firewall WAN ZyWALL insert 4
sourceip TW_TEAM
service TELNET
action allow
exit
write

While configuration files and shell scripts have the same syntax, the Zyxel Device applies configuration files differently than it runs shell scripts. This is explained below.

Table 405 Configuration Files and Shell Scripts in the Zyxel Device

Configuration Files (.conf)
· Resets to default configuration.
· Goes into CLI Configuration mode.
· Runs the commands in the configuration file.

Shell Scripts (.zysh)
· Goes into CLI Privilege mode.
· Runs the commands in the shell script.

You have to run the example in Figure 626 on page 916 as a shell script because the first command is run in Privilege mode. If you remove the first command, you have to run the example as a configuration file because the rest of the commands are executed in Configuration mode.

Comments in Configuration Files or Shell Scripts
In a configuration file or shell script, use "#" or "!" as the first character of a command line to have the Zyxel Device treat the line as a comment.
Your configuration files or shell scripts can use "exit" or a command line consisting of a single "!" to have the Zyxel Device exit sub command mode.
Note: "exit" or "!" must follow sub commands if it is to make the Zyxel Device exit sub command mode.

Line 3 in the following example exits sub command mode.
interface ge1
ip address dhcp
!
Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
!
interface ge1
# this interface is a DHCP client
!
Lines 1 and 2 are comments. Line 5 exits sub command mode.
! this is from Joe
# on 2008/04/05
interface ge1
ip address dhcp
!
Errors in Configuration Files or Shell Scripts
When you apply a configuration file or run a shell script, the Zyxel Device processes the file line-by-line. The Zyxel Device checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the Zyxel Device finds an error, it stops applying the configuration file or shell script and generates a log.
You can change the way a configuration file or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The Zyxel Device ignores any errors in the configuration file or shell script and applies all of the valid commands. The Zyxel Device still generates a log for any errors.
44.2 The Configuration Screen
Click Maintenance > File Manager > Configuration File > Configuration to open the Configuration screen. Use the Configuration screen to store, run, and name configuration files. You can also download configuration files from the Zyxel Device to your computer and upload configuration files from your computer to the Zyxel Device.
Once your Zyxel Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.
Filenames beginning with autoback are automatic configuration files created when new firmware is uploaded. backup-yyyy-mm-dd-hh-mm-ss.conf is the name of the automatic backup when a secure policy is added or changed. Select a configuration file, then click Apply to apply the file to the Zyxel Device.
Configuration File Flow at Restart
· If there is not a startup-config.conf when you restart the Zyxel Device (whether through a management interface or by physically turning the power off and back on), the Zyxel Device uses the system-default.conf configuration file with the Zyxel Device's default settings.
· If there is a startup-config.conf, the Zyxel Device checks it for errors and applies it. If there are no errors, the Zyxel Device uses it and copies it to the lastgood.conf configuration file as a backup file. If there is an error, the Zyxel Device generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. If there isn't a lastgood.conf configuration file or it also has an error, the Zyxel Device applies the system-default.conf configuration file.
· You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The Zyxel Device ignores any errors in the startup-config.conf file and applies all of the valid commands. The Zyxel Device still generates a log for any errors.
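The rules in the last three subsections (comment lines, leaving sub command mode with exit or a lone !, Privilege versus Configuration mode, stop-on-error, and the startup-config.conf / lastgood.conf / system-default.conf fallback at restart) are easier to check against a model. The following Python is an added example and not Zyxel's implementation: it knows only a hypothetical command subset taken from Figure 626, does not model the reset to defaults, and treats setenv stop-on-error off and setenv-startup stop-on-error off alike, which is an assumption.

```python
"""Toy model of how the guide says the Zyxel Device runs a .conf or .zysh file
line by line and chooses its configuration at restart. Constructed example, not
Zyxel's implementation; only a subset of commands from Figure 626 is known."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical command subset, matched by prefix: valid in Configuration mode,
# valid in sub command mode, and the ones that open a sub command mode.
CONFIG_CMDS = ("username ", "interface ", "address-object ", "object-group ",
               "ip telnet server", "firewall ")
SUB_CMDS = ("ip address ", "ip gateway ", "address-object ", "sourceip ",
            "service ", "action ")
ENTERS_SUB_MODE = ("interface ", "object-group ", "firewall ")
# Assumption: both forms switch stop-on-error off in this model.
IGNORE_ERRORS_CMDS = ("setenv stop-on-error off", "setenv-startup stop-on-error off")

@dataclass
class Result:
    applied: List[int] = field(default_factory=list)             # line numbers applied
    errors: List[Tuple[int, str]] = field(default_factory=list)  # (line number, text) logged
    stopped_at: Optional[int] = None   # line at which processing stopped, if it did
    ignore_errors: bool = False        # a stop-on-error off command was seen

def apply_file(lines: List[str], as_shell_script: bool) -> Result:
    """A shell script starts in Privilege mode; a configuration file starts in
    Configuration mode (the reset to defaults is not modelled). The first error
    stops processing unless stop-on-error is off; every error is logged."""
    res = Result()
    mode = "privilege" if as_shell_script else "configuration"
    depth = 0  # number of open sub command modes
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if line == "!" and depth:        # a lone '!' after sub commands leaves sub command mode
            depth -= 1
            continue
        if not line or line[0] in "#!":  # '#' or '!' as first character marks a comment
            continue
        if line == "exit":
            if depth:
                depth -= 1
            elif mode == "configuration":
                mode = "privilege"
            continue
        if line in IGNORE_ERRORS_CMDS:
            res.ignore_errors = True
            res.applied.append(n)
            continue
        if depth:
            ok = line.startswith(SUB_CMDS)
        elif line == "write":            # save the configuration; accepted in either mode
            ok = True
        elif mode == "privilege":
            ok = line == "configure terminal"
            if ok:
                mode = "configuration"
        else:
            ok = line.startswith(CONFIG_CMDS)
            if ok and line.startswith(ENTERS_SUB_MODE):
                depth += 1
        if not ok:
            res.errors.append((n, line))  # the device generates a log for each error
            if not res.ignore_errors:
                res.stopped_at = n
                break
            continue
        res.applied.append(n)
    return res

def boot(files: Dict[str, List[str]]) -> Tuple[str, Dict[str, List[str]]]:
    """Configuration File Flow at Restart: return the file the device ends up
    using and the file set afterwards. files maps a file name to its lines."""
    files = dict(files)
    startup = files.get("startup-config.conf")
    if startup is None:
        return "system-default.conf", files
    res = apply_file(startup, as_shell_script=False)
    if not res.errors or res.ignore_errors:
        files["lastgood.conf"] = list(startup)        # good: copied as the backup file
        return "startup-config.conf", files
    files["startup-config-bad.conf"] = list(startup)  # bad: kept under a new name
    lastgood = files.get("lastgood.conf")
    if lastgood is not None and not apply_file(lastgood, as_shell_script=False).errors:
        return "lastgood.conf", files
    return "system-default.conf", files

# The guide's Figure 626 example, comments shortened (line 2 is the Privilege mode command).
GUIDE_EXAMPLE = [
    "# enter configuration mode", "configure terminal",
    "username admin password 4321 user-type admin",
    "interface ge3", "ip address 172.23.37.240 255.255.255.0",
    "ip gateway 172.23.37.254 metric 1", "exit",
    "address-object TW_SUBNET 172.23.37.0/24",
    "object-group address TW_TEAM", "address-object TW_SUBNET", "exit",
    "ip telnet server", "firewall WAN ZyWALL insert 4", "sourceip TW_TEAM",
    "service TELNET", "action allow", "exit", "write",
]
```

Running GUIDE_EXAMPLE with as_shell_script=False fails at line 2, and dropping the first two entries makes it a valid configuration file, which is the point made under Table 405.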
Figure 627 Maintenance > File Manager > Configuration File
Do not turn off the Zyxel Device while configuration file upload is in progress.

The following table describes the labels in this screen.

Table 406 Maintenance > File Manager > Configuration File

LABEL: DESCRIPTION
Rename: Use this button to change the label of a configuration file on the Zyxel Device. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files.
You cannot rename a configuration file to the name of another configuration file in the Zyxel Device.
Click a configuration file's row to select it and click Rename to open the Rename File screen.
Figure 628 Maintenance > File Manager > Configuration File > Rename
Specify the new name for the configuration file. Use up to 63 characters (including a-zA-Z0-9;`~!@#$%^&()_+[]{}',.=-).
Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
Remove: Click a configuration file's row to select it and click Remove to delete it from the Zyxel Device. You can only delete manually saved configuration files. You cannot delete the system-default.conf, startup-config.conf and lastgood.conf files.
A pop-up window asks you to confirm that you want to delete the configuration file. Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file.
Download: Click a configuration file's row to select it and click Download to save the configuration to your computer.
Copy: Use this button to save a duplicate of a configuration file on the Zyxel Device.
Click a configuration file's row to select it and click Copy to open the Copy File screen.
Figure 629 Maintenance > File Manager > Configuration File > Copy
Specify a name for the duplicate configuration file. Use up to 63 characters (including a-zA-Z0-9;`~!@#$%^&()_+[]{}',.=-).
Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.


Table 406 Maintenance > File Manager > Configuration File (continued)

LABEL: DESCRIPTION
Apply: Use this button to have the Zyxel Device use a specific configuration file.
Click a configuration file's row to select it and click Apply to have the Zyxel Device use that configuration file. The Zyxel Device does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.
The following screen gives you options for what the Zyxel Device is to do if it encounters an error in the configuration file.
Figure 630 Maintenance > File Manager > Configuration File > Apply
· Immediately stop applying the configuration file - this is not recommended because it would leave the rest of the configuration blank. If the interfaces were not configured before the first error, the console port may be the only way to access the device.
· Immediately stop applying the configuration file and roll back to the previous configuration - this gets the Zyxel Device started with a fully valid configuration file as quickly as possible.
· Ignore errors and finish applying the configuration file - this applies the valid parts of the configuration file and generates error logs for all of the configuration file's errors. This lets the Zyxel Device apply most of your configuration and you can refer to the logs for what to fix.
· Ignore errors and finish applying the configuration file and then roll back to the previous configuration - this applies the valid parts of the configuration file, generates error logs for all of the configuration file's errors, and starts the Zyxel Device with a fully valid configuration file.
Click OK to have the Zyxel Device start applying the configuration file or click Cancel to close the screen.
#: This column displays the number for each configuration file entry. This field is a sequential value, and it is not associated with a specific address. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space.
File Name: This column displays the label that identifies a configuration file.
You cannot delete the following configuration files or change their file names.
The system-default.conf file contains the Zyxel Device's default settings. Select this file and click Apply to reset all of the Zyxel Device settings to the factory defaults. This configuration file is included when you upload a firmware package.
The startup-config.conf file is the configuration file that the Zyxel Device is currently using. If you make and save changes during your management session, the changes are applied to this configuration file. The Zyxel Device applies configuration changes made in the Web Configurator to the configuration file when you click Apply or OK. It applies configuration changes made via commands when you use the write command.
The lastgood.conf is the most recently used (valid) configuration file that was saved when the device last restarted. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.

Table 406 Maintenance > File Manager > Configuration File (continued)

LABEL: DESCRIPTION
Size: This column displays the size (in KB) of a configuration file.
Last Modified: This column displays the date and time that the individual configuration files were last changed or saved.
Upload Configuration File: The bottom part of the screen allows you to upload a new or previously saved configuration file from your computer to your Zyxel Device.
You cannot upload a configuration file named system-default.conf or lastgood.conf.
If you upload startup-config.conf, it will replace the current configuration and immediately apply the new settings.
File Path: Type in the location of the file you want to upload in this field or click Browse... to find it.
Browse...: Click Browse... to find the .conf file you want to upload. The configuration file must use a ".conf" filename extension. You will receive an error message if you try to upload a file of a different format. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload: Click Upload to begin the upload process. This process may take up to two minutes.

44.2.1 The Configuration Schedule Backup Screen
Use the Schedule Backup screen to automatically back up the current Zyxel Device configuration file according to a schedule, and then send it to the configured email addresses.
Figure 631 Maintenance > File Manager > Configuration File > Schedule Backup


The following table describes the labels in this screen.

Table 407 Maintenance > File Manager > Configuration File > Schedule Backup

LABEL: DESCRIPTION
Configure Backup Schedule
Mail Subject: Enter an email subject of 1-60 characters. It may consist of letters, numbers, and the following special characters: `()+,./:=?;!*#@$%-
Mail To: Enter the receiving email address. You can send the configuration file to a maximum of five email addresses.
E-mail Content: Enter the backup email body text, consisting of 1-250 ASCII characters.
Enable Auto Backup: Select the check box to back up the configuration file at a user defined schedule.
Note: After the first backup, the backup only occurs if the configuration file is different from the previously backed up configuration file.
Daily: Set the Zyxel Device to back up its configuration file once a day at the specified hour and minute.
Weekly: Set the Zyxel Device to back up its configuration file once a week on the specified day, at the specified hour and minute.
Monthly: Set the Zyxel Device to back up its configuration file once a month on the specified day, at the specified hour and minute.
Note: If the date you select is greater than the number of days in a month, the Zyxel Device automatically backs up its configuration file on the last day of the month. For example, if you select 31 and the month is February, the Zyxel Device backs up its configuration file on day 28 or 29.
Send Email: Select the check box to have the Zyxel Device send the current configuration file to the configured email addresses.
Encryption password: Enter a password consisting of 1-31 ASCII characters to add an encryption password to the configuration file in the email.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

44.3 Firmware Management
Use the Firmware Management screen to check your current firmware version and upload firmware to the Zyxel Device. You can upload firmware to be the Running firmware or Standby firmware.
Note: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.
Find the firmware file in a folder that (usually) uses the system model name with the model code and a bin extension. For example, a firmware for ZyWALL VPN100 is "430ABFV0b2s1.bin".
The Zyxel Device's firmware package cannot go through the Zyxel Device when you enable the anti-malware Destroy compressed files that could not be decompressed option. The Zyxel Device classifies the firmware package as not being able to be decompressed and deletes it. You can upload the firmware package to the Zyxel Device with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package.
See Section 33.2 on page 625 for more on the anti-malware Destroy compressed files that could not be decompressed option.
The firmware update can take up to five minutes. Do not turn off or reset the Zyxel Device while the firmware update is in progress!
If your Zyxel Device has two firmware images installed, and one fails to boot (kernel crash, kernel panic, out-of-memory etc.), then the Zyxel Device will automatically use the (good) backup image to boot.
44.3.1 Cloud Helper
Cloud Helper lets you know if there is a later firmware available on the Cloud Helper server and lets you download it if there is.
Note: Go to myZyxel, create an account and register your Zyxel Device first. Then you will be able to see links to and get notifications on new firmware available. At the time of writing, the Firmware Upgrade license providing Cloud Helper new firmware notifications is free when you register your Zyxel Device. The license does not expire if you have firmware version 4.32 patch 1 and later.

The following table explains the Upgrade icons in the web configurator.

Table 408 Cloud Helper Firmware Icons

Cloud Helper New: A later firmware is available on the Cloud Helper Server. Click this icon to display a What's New pop-up screen. You need a Firmware Upgrade license to upgrade the firmware. If you do not have a license, Upgrade Now is grayed out. If you have a license, click Upgrade Now to directly upgrade firmware to the standby partition and have the Zyxel Device reboot automatically so that the new standby firmware becomes the running firmware. The previous running firmware becomes the standby firmware.
If you haven't registered the Zyxel Device, a message will appear and remind you to register it. Also, Upgrade Now is grayed out.


Table 408 Cloud Helper Firmware Icons (continued)

Cloud Helper Downloading: Cloud firmware is being downloaded from the Cloud Helper Server. If you select another partition or the local firmware upgrade icon, you will see the following warning message.
When firmware is downloading, you can pause, resume, stop or retry the firmware download.
Local Firmware: Use this if you have already downloaded the latest firmware from the Zyxel website to your computer and unzipped it.
Click the icon and then browse to the location of the unzipped files.
If you upload the latest firmware to the running partition, the Zyxel Device will reboot automatically when it finishes uploading.
If you upload the latest firmware to the standby partition, a message will appear to ask if you want to reboot the Zyxel Device.

44.3.2 The Firmware Management Screen
Click Maintenance > File Manager > Firmware Management to open the Firmware Management screen.
Figure 632 Maintenance > File Manager > Firmware Management

The following table describes the labels in this screen.

Table 409 Maintenance > File Manager > Firmware Management

LABEL: DESCRIPTION
Firmware Status
Reboot: Click the Reboot icon to restart the Zyxel Device. If you applied changes in the Web Configurator, these were saved automatically and do not change when you reboot. If you made changes in the CLI, however, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot.
If you want the Standby firmware to be the Running firmware, then select the Standby firmware row and click Reboot. Wait a few minutes until the login screen appears. If the login screen does not appear, clear your browser cache and refresh the screen or type the IP address of the Zyxel Device in your Web browser again.
You can also use the CLI command reboot to restart the Zyxel Device.
#: This displays the system space (partition) index number where the firmware is located. The firmware can be either Standby or Running; only one firmware can be running at any one time.
Status: This indicates whether the firmware is Running, or not running but already uploaded to the Zyxel Device and is on Standby. It displays N/A if there is no firmware uploaded to that system space.
Model: This is the model name of the device which the firmware is running on.
Version: This is the firmware version and the date created.
Released Date: This is the date that the version of the firmware was created.


Table 409 Maintenance > File Manager > Firmware Management (continued)

LABEL: DESCRIPTION
Upgrade: A cloud helper icon displays if there is a later firmware on the Cloud Server than the firmware in the partition. Click the cloud helper icon to download a later firmware from the Cloud Helper Server.
Use the local firmware icon if you have already downloaded the latest firmware from the Zyxel website to your computer and unzipped it. You must register your Zyxel Device at myZyxel first to use cloud firmware.
Cloud Firmware Information
Latest Version: This displays the latest firmware version at the Cloud Helper Server. Click Check Now to see if there is a later firmware at the Cloud Server.
Release Date: This displays the date the latest firmware version was made available.
Release Note: The release note contains details of the latest firmware version such as new features and bug fixes.
Auto Update: Select this check box to have the Zyxel Device automatically check for and download new firmware to the standby partition at the time and day specified.
You should select a time when your network is not busy for minimal interruption.
Note: You cannot enable Auto Update in File Manager > Firmware Management and Schedule Reboot in Maintenance > Shutdown-Reboot at the same time.
Daily: Select this option to have the Zyxel Device check for new firmware every day at the specified time. The time format is the 24 hour clock, so `0' means midnight for example.
Weekly: Select this option to have the Zyxel Device check for new firmware once a week on the day and at the time specified.
Auto Reboot: Select this to have the newly downloaded firmware in the standby partition become the running firmware after the Zyxel Device automatically restarts.
Firmware Upgrade Service Status
Service Status: This field displays whether the firmware license service is activated at myZyxel (Activated) or not (Not Activated).

After you see the Firmware Upload in Process screen, wait a few minutes before logging into the Zyxel Device again.

Figure 633 Firmware Upload In Process

Note: The Zyxel Device automatically reboots after a successful upload.
The Zyxel Device automatically restarts, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 634 Network

After five minutes, log in again and check your new firmware version in the Dashboard screen.
If the upload was not successful, the following message appears in the status bar at the bottom of the screen.

Figure 635 Firmware Upload Error
44.3.3 Firmware Upgrade via USB Stick
In addition to uploading firmware via the web configurator or console port (see the CLI Reference Guide), you can also upload firmware directly from a USB stick connected to the Zyxel Device.
1 Create a folder on the USB stick called '/[ProductName_dir]/firmware'. For example, if your Zyxel Device is USG110, then create a '/usg110_dir/firmware/' folder on the stick.
2 Put one firmware 'bin' file into the firmware folder. Make sure the firmware ID and version number are correct for your model (the firmware ID is in brackets after the firmware version number; for USG100 it is AAPH).
Note: Do not put more than one firmware 'bin' file into the firmware folder.
The firmware version on the USB stick must be different from the currently running firmware. If the firmware on the USB stick is older, then the Zyxel Device will 'upgrade' to the older version. It is recommended that the firmware on the USB stick be the latest firmware version.
3 Insert the USB stick into the Zyxel Device. The firmware uploads to the standby system space.
4 The SYS LED blinks when the Zyxel Device automatically reboots, making the upgraded firmware in standby become the running firmware.
Note: If the startup-config.conf configuration file has problems and you are upgrading to 4.25 or later firmware, then the Zyxel Device will revert (failover) to the previously running firmware.
If the startup-config.conf configuration file has problems and you are upgrading to firmware earlier than 4.25, then the Zyxel Device uses the new earlier firmware, but generates a log and tries the existing lastgood.conf configuration file. If there isn't a lastgood.conf configuration file or it also has an error, the Zyxel Device applies the system-default.conf configuration file.
44.4 The Shell Script Screen
Use shell script files to have the Zyxel Device execute commands that you specify. Use a text editor to create the shell script files. They must use a ".zysh" filename extension.
Click Maintenance > File Manager > Shell Script to open the Shell Script screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the Zyxel Device at the same time.
Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the Zyxel Device restarts. You can use multiple write commands in a long script. See Section 45.2.1 on page 931 for more information on scripts.

Figure 636 Maintenance > File Manager > Shell Script

Each field is described in the following table.

Table 410 Maintenance > File Manager > Shell Script

Rename
Use this button to change the label of a shell script file on the Zyxel Device.
You cannot rename a shell script to the name of another shell script in the Zyxel Device.
Click a shell script's row to select it and click Rename to open the Rename File screen.

Figure 637 Maintenance > File Manager > Shell Script > Rename

Specify the new name for the shell script file. Use up to 63 characters (including a-zA-Z0-9;`~!@#$%^&()_+[]{}',.=-).
Click OK to save the new name or click Cancel to close the screen without renaming the shell script file.

Remove
Click a shell script file's row to select it and click Remove to delete the shell script file from the Zyxel Device.
A pop-up window asks you to confirm that you want to delete the shell script file. Click OK to delete the shell script file or click Cancel to close the screen without deleting the shell script file.

Download
Click a shell script file's row to select it and click Download to save the shell script file to your computer.

Copy
Use this button to save a duplicate of a shell script file on the Zyxel Device.
Click a shell script file's row to select it and click Copy to open the Copy File screen.

Figure 638 Maintenance > File Manager > Shell Script > Copy

Specify a name for the duplicate file. Use up to 63 characters (including a-zA-Z0-9;`~!@#$%^&()_+[]{}',.=-).
Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the shell script file.

Apply
Use this button to have the Zyxel Device use a specific shell script file.
Click a shell script file's row to select it and click Apply to have the Zyxel Device use that shell script file. You may need to wait a while for the Zyxel Device to finish applying the commands.

File Name
This column displays the label that identifies a shell script file.

Size
This column displays the size (in KB) of a shell script file.

Last Modified
This column displays the date and time that the individual shell script files were last changed or saved.

Upload Shell Script
The bottom part of the screen allows you to upload a new or previously saved shell script file from your computer to your Zyxel Device.

File Path
Type in the location of the file you want to upload in this field or click Browse... to find it.

Browse...
Click Browse... to find the .zysh file you want to upload.

Upload
Click Upload to begin the upload process. This process may take up to several minutes.

CHAPTER 45 Diagnostics
45.1 Overview
Use the diagnostics screens for troubleshooting.
45.1.1 What You Can Do in this Chapter
· Use the Diagnostics screens (see Section 45.2 on page 931) to generate a file containing the Zyxel Device's configuration and diagnostic information if you need to provide it to customer support during troubleshooting.
· Use the Packet Capture screens (see Section 45.3 on page 937) to capture packets going through the Zyxel Device.
· Use the CPU / Memory Status screens (see Section 45.4 on page 944) to view the CPU and memory performance of various applications on the Zyxel Device.
· Use the System Logs screen (see Section 45.5 on page 946) to see system logs stored on a connected USB storage device on the Zyxel Device.
· Use the Network Tool screen (see Section 45.6 on page 946) to ping an IP address or trace the route packets take to a host.
· Use the Routing Traces screens (see Section 45.7 on page 949) to configure traceroute to identify where packets are dropped for troubleshooting.
· Use the Wireless Frame Capture screens (see Section 45.8 on page 950) to capture network traffic going through the AP interfaces connected to your Zyxel Device.
45.2 The Diagnostics Screens
The Diagnostics screens provide an easy way for you to generate a file containing the Zyxel Device's configuration and diagnostic information. You may need to send this file to customer support for troubleshooting.
45.2.1 Scripts
Use scripts to gather information on the Zyxel Device or on external APs connected to the Zyxel Device. Use a text editor that supports Unicode, such as Notepad, to create a script. Each command in a script must be on its own line and the file must end with an empty line. The script must be saved in Unicode format (UTF-8).
This is an example of a script to display information about the Zyxel Device.

show service-register status all
show myzyxel-service get-cloud-timezone
show cloud-helper firmware
show cloud-helper remind

This is an example of a default script with interface diagnostic commands.

debug interface ifconfig
debug interface show event_sink
debug interface show interface_obj
debug switch table
debug switch port_groupping
show ping-check status
debug system netstat interface
show interface all
show port status
Script Name
The script name must use a ".zysh" filename extension with a file name of up to 25 characters (including a-z, A-Z, 0-9 and ;`~!@#$%^&()_+[]{}',.=-). Spaces are allowed.
Script Uploads to the Zyxel Device
You can upload scripts in File Manager > Shell Script to run commands on the Zyxel Device. You can also copy and download scripts there. Upload a script in Diagnostics > Controller to generate information about the Zyxel Device's own configuration and diagnostics. Upload a script in Diagnostics > AP to generate information about the selected managed AP in Diagnostics > AP.
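As an added example that is not part of this guide or of Zyxel's own tooling, the following Python applies the rules above (and the note in Section 44.4 about write commands) to a script file before it is uploaded: the .zysh extension, the 25-character name and its allowed characters, strict UTF-8 decoding, a terminating empty line, and optionally the presence of a write command. The function names are mine; treating the 25-character limit as covering the full file name including the extension, and reporting a byte order mark, are assumptions noted in the comments. The sample script is the device-information script shown above.

```python
import re

# Character set the guide allows in script file names (Section 45.2.1).
# '^' and '-' are placed so the regex reads them literally.
ALLOWED_NAME_CHARS = re.compile(r"^[A-Za-z0-9 ;`~!@#$%^&()_+\[\]{}',.=-]+$")
MAX_NAME_LEN = 25  # limit the guide states for script file names


def check_script_name(name):
    """Return the problems with a script file name; an empty list means it is acceptable.

    Assumption: the 25-character limit is applied to the full name including ".zysh".
    """
    problems = []
    if not name.endswith(".zysh"):
        problems.append("file name must end with .zysh")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"file name is longer than {MAX_NAME_LEN} characters")
    if not ALLOWED_NAME_CHARS.match(name):
        problems.append("file name contains a character outside the allowed set")
    return problems


def check_script_body(raw, require_write=False):
    """Check the raw bytes of a script: UTF-8, non-empty, ending with an empty line.

    require_write=True applies the Shell Script screen's note that a script should
    contain a 'write' command so the changes survive a restart.
    """
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        # Assumption: a byte order mark is reported because some Windows editors add
        # one when saving as "UTF-8"; the guide only says plain UTF-8.
        problems.append("file starts with a UTF-8 byte order mark; save as plain UTF-8")
        raw = raw[3:]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["file is not valid UTF-8 (check the editor's encoding setting)"]
    # "The file must end with an empty line": the last command must be newline-terminated.
    if not text.endswith("\n"):
        problems.append("file does not end with an empty line")
    # Editors on Windows write CRLF; strip the CR so commands compare cleanly.
    lines = [line.rstrip("\r") for line in text.split("\n")]
    commands = [line.strip() for line in lines if line.strip()]
    if not commands:
        problems.append("script contains no commands")
    if require_write and not any(cmd.split()[0] == "write" for cmd in commands):
        problems.append("no 'write' command: changes would be lost when the Zyxel Device restarts")
    return problems


def check_script(name, raw, require_write=False):
    """Combine the name and body checks for one script file."""
    return check_script_name(name) + check_script_body(raw, require_write)


# Constructed sample: the device-information script shown above, saved as UTF-8 text.
DEVICE_INFO_SCRIPT = (
    "show service-register status all\n"
    "show myzyxel-service get-cloud-timezone\n"
    "show cloud-helper firmware\n"
    "show cloud-helper remind\n"
)

if __name__ == "__main__":
    for name, body, need_write in [
        ("devinfo.zysh", DEVICE_INFO_SCRIPT.encode("utf-8"), False),
        ("devinfo.zysh", DEVICE_INFO_SCRIPT.encode("utf-8"), True),
        ("notes.txt", b"show port status", False),
    ]:
        print(name, check_script(name, body, need_write) or "OK")
```

Run the checks with require_write=True for a script destined for File Manager > Shell Script, where the commands change configuration, and with the default for a diagnostics script, which only collects output.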
Script Output
The results of generating a script are shown in Diagnostics > Files in bz2 format. You need to decompress the bz2 file to tar, and then unwrap the tar file to display a debug folder that contains other folders containing debug dbg text files. Customer support may request the bz2 file for troubleshooting.
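The unpacking described above can be done in one step with Python's standard tarfile module, which handles the bz2 layer and the tar layer together. The following is an added example, not code from the guide or from Zyxel: it builds a small constructed archive in memory in the layout the guide describes (a debug folder with subfolders of .dbg files), then reads the .dbg members without extracting anything to disk and skips member names that could escape the debug folder. The file names and contents in SAMPLE_FILES are made up for the example.

```python
import io
import posixpath
import tarfile

# Constructed stand-in for the archive the guide describes: a bz2-compressed tar
# whose "debug" folder holds subfolders of .dbg text files. Built in memory so the
# example runs offline; the names and contents are not from a real Zyxel Device.
SAMPLE_FILES = {
    "debug/interface/ifconfig.dbg": "ge1: up, mtu 1500\n",
    "debug/system/netstat.dbg": "tcp 0 0 192.0.2.1:443 LISTEN\n",
    "debug/README.txt": "collected by script\n",
}


def build_sample_archive(files=SAMPLE_FILES):
    """Return the bytes of a .tar.bz2 archive holding the given text files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_safe_member(name):
    """True unless the member name is absolute or climbs out of the archive root."""
    parts = posixpath.normpath(name).split("/")
    return not name.startswith("/") and ".." not in parts


def list_debug_files(archive_bytes, root="debug"):
    """Open the bz2 and tar layers in one step and read the .dbg files under root/.

    Members are read into memory rather than extracted to disk, and names that
    could escape the root are skipped, so an archive of unknown origin cannot
    write outside the working directory. Returns {member name: text}.
    """
    found = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:bz2") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not is_safe_member(member.name):
                continue
            if member.name.split("/")[0] != root or not member.name.endswith(".dbg"):
                continue
            found[member.name] = tar.extractfile(member).read().decode("utf-8", "replace")
    return found


if __name__ == "__main__":
    for name, text in sorted(list_debug_files(build_sample_archive()).items()):
        print(f"{name}: {len(text.splitlines())} line(s)")
```

To read a file downloaded from Diagnostics > Files, pass the bytes of that file to list_debug_files instead of the constructed archive; nothing else changes.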
45.2.2 The Diagnostics Controller Screen
Click Maintenance > Diagnostics > Controller to open the following screen. When you click Collect Now, a series of commands are run to display information about the Zyxel Device.
Figure 639 Maintenance > Diagnostics > Controller

The following table describes the labels in this screen.

Table 411 Maintenance > Diagnostics > Controller

Diagnostics Collect Status

Status
This field displays the following states the Zyxel Device is in when collecting diagnostic data.
· Standby: The Zyxel Device is ready to generate a diagnostic file or has just finished generating a diagnostic file.
· Busy on Ap: The Zyxel Device is generating a diagnostic file for the selected managed AP in Diagnostics > AP.
· Busy on ZyWall: The Zyxel Device is generating a diagnostic file containing its own configuration and diagnostic information.

General Setting

Filename
This is the name of the most recently created diagnostic file.

Last modified
This is the date and time that the last diagnostic file was created. The format is yyyy-mm-dd hh:mm:ss.

Size
This is the size of the most recently created diagnostic file.

Copy the diagnostic file to USB storage (if ready)
Select this to have the Zyxel Device create an extra copy of the diagnostic file to a connected USB storage device.

Diagnostic Collect by Script files

Script File
Select a script here to generate information about configuration and diagnostics of managed APs. See Section 45.2.1 on page 931 for more information on scripts.

Upload Shell Script

File
Upload a script here to generate information about the Zyxel Device's own configuration and diagnostics. Click Browse to find the location of the file you want to upload in this field. Click Upload to begin the upload process. This process may take a few minutes.

Collect Now
Click this to have the Zyxel Device run the uploaded script and create a new diagnostic file.

Wait while information is collected.

45.2.3 The Diagnostics AP Screen
This screen provides an easy way for you to generate a file containing the selected managed AP's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click Maintenance > Diagnostics > Collect on AP to open the Collect on AP screen.

Figure 640 Maintenance > Diagnostics > AP

The following table describes the labels in this screen.

Table 412 Maintenance > Diagnostics > AP

Diagnostics Collect Status

Status
This field displays the following states the Zyxel Device is in when collecting diagnostic data.
· Standby: The Zyxel Device is ready to generate a diagnostic file or has just finished generating a diagnostic file.
· Busy on Ap: The Zyxel Device is generating a diagnostic file for the selected managed AP in Diagnostics > AP.
· Busy on ZyWall: The Zyxel Device is generating a diagnostic file containing its own configuration and diagnostic information.

Progress
This field displays the number of APs processed compared to the number of APs selected for processing.

Latest AP Result
This field displays the latest AP description and status.

AP General Setting

Available APs
This text box lists the managed APs that are connected and available. Select the managed APs for which you want the Zyxel Device to generate a diagnostic file containing their configuration, and click the right arrow button to add them.

Collected APs
This text box lists the managed APs for which you allow the Zyxel Device to generate a diagnostic file containing their configuration. Select any managed APs for which you want to prevent the Zyxel Device from generating a diagnostic file, and click the left arrow button to remove them.

Copy the diagnostic file to USB storage (if ready)
Select this to have the Zyxel Device create an extra copy of the diagnostic file to a connected USB storage device.

Diagnostic Collect by Script files

Script File
Select a script here to generate information about configuration and diagnostics of managed APs. See Section 45.2.1 on page 931 for more information on scripts.

Upload Shell Script

File
Upload a script here to generate information about configuration and diagnostics of managed APs. Click Browse to find the location of the script you want to upload in this field. Click Upload to begin the upload process. This process may take a few minutes.

Collect Now
Click this to have the Zyxel Device create a new diagnostic file.

45.2.4 The Diagnostics Files Screen
Click Maintenance > Diagnostics > Files to open the diagnostic files screen. This screen lists the files of diagnostic information the Zyxel Device has collected and stored on the Zyxel Device or in a connected USB storage device. You may need to send these files to customer support for troubleshooting.
Figure 641 Maintenance > Diagnostics > Files

The following table describes the labels in this screen.

Table 413 Maintenance > Diagnostics > Files

Diagnostic files
This lists the files of generated diagnostic information stored on the Zyxel Device.

Diagnostic files in USB storage
This lists the files of generated diagnostic information stored in a connected USB storage device.

Remove
Select files and click Remove to delete them from the Zyxel Device or the USB storage device. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete.

Download
Click a file to select it and click Download to save it to your computer.

#
This column displays the number for each file entry. The total number of files that you can save depends on the file sizes and the available storage space.

File Name
This column displays the label that identifies the file.

Size
This column displays the size (in bytes) of a file.

Last Modified
This column displays the date and time that the individual files were saved.

45.3 The Packet Capture Screen
Use this screen to capture network traffic going through the Zyxel Device's interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen.
Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this.

Figure 642 Maintenance > Diagnostics > Packet Capture

The following table describes the labels in this screen.

Table 414 Maintenance > Diagnostics > Packet Capture

Interfaces
Enabled interfaces (except for virtual interfaces) appear under Available Interfaces. Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list. Use the [Shift] and/or [Ctrl] key to select multiple objects.

IP Version
Select the version of IP for which to capture packets. Select any to capture packets for all IP versions.

Protocol Type
Select the protocol of traffic for which to capture packets. Select any to capture packets for all types of traffic.

Host IP
Select a host IP address object for which to capture packets. Select any to capture packets for all hosts. Select User Defined to be able to enter an IP address.

Host Port
This field is configurable when you set the IP Type to any, tcp, or udp. Specify the port number of traffic to capture.

Continuously capture and overwrite old ones
Select this to have the Zyxel Device keep capturing traffic and overwriting old packet capture entries when the available storage space runs out.

Captured Packet Files
When saving packet captures only to the Zyxel Device's on board storage, specify a maximum limit in megabytes for the total combined size of all the capture files on the Zyxel Device.
When saving packet captures to a connected USB storage device, specify a maximum limit in megabytes for each capture file.
Note: If you have existing capture files and have not selected the Continuously capture and overwrite old ones option, you may need to set this size larger or delete existing capture files.
The valid range depends on the available on board/USB storage size. The Zyxel Device stops the capture and generates the capture file when either the file reaches this size or the time period specified in the Duration field expires.

Split threshold
Specify a maximum size limit in megabytes for individual packet capture files. After a packet capture file reaches this size, the Zyxel Device starts another packet capture file.

Duration
Set a time limit in seconds for the capture. The Zyxel Device stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified in the File Size field. 0 means there is no time limit.

File Suffix
Specify text to add to the end of the file name (before the dot and filename extension) to help you identify the packet capture files. Modifying the file suffix also avoids making new capture files that overwrite existing files of the same name.
The file name format is "interface name-file suffix.cap", for example "vlan2-packetcapture.cap".

Number Of Bytes To Capture (Per Packet)
Specify the maximum number of bytes to capture per packet. The Zyxel Device automatically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of captured packets.

Save data to onboard storage only
Select this to have the Zyxel Device only store packet capture entries on the Zyxel Device. The available storage size is displayed as well.
Note: The Zyxel Device reserves some on board storage space as a buffer.

Save data to USB storage
Select this to have the Zyxel Device store packet capture entries only on a USB storage device connected to the Zyxel Device if the Zyxel Device allows this.
Status:
Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the Zyxel Device cannot mount it.
none - no USB storage device is connected.
service deactivated - USB storage feature is disabled (in Configuration > System > USB Storage), so the Zyxel Device cannot use a connected USB device to store system logs and other diagnostic information.
available - you can have the Zyxel Device use the USB storage device. The available storage capacity also displays.
Note: The Zyxel Device reserves some USB storage space as a buffer.

Save data to ftp server (available: xx MB)
Select this to have the Zyxel Device store packet capture entries on the defined FTP site. The available storage size is displayed as well.

Server Address
Type the IP address of the FTP server.

Server Port
Type the port this server uses for FTP traffic. The default FTP port is 21.

Name
Type the login username to access the FTP server.

Password
Type the associated login password to access the FTP server.

Capture
Click this button to have the Zyxel Device capture packets according to the settings configured in this screen.
You can configure the Zyxel Device while a packet capture is in progress although you cannot modify the packet capture settings.
The Zyxel Device's throughput or performance may be affected while a packet capture is in progress.
After the Zyxel Device finishes the capture it saves a separate capture file for each selected interface. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space. Once the flash storage space is full, adding more packet captures will fail.

Stop
Click this button to stop a currently running packet capture and generate a separate capture file for each selected interface.

Reset
Click this button to return the screen to its last-saved settings.

45.3.1 The Packet Capture on AP Screen
Use this screen to capture network traffic going through the connected APs' interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture > Capture on AP to open the packet capture screen.
Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this.

Figure 643 Maintenance > Diagnostics > Packet Capture > Capture on AP

The following table describes the labels in this screen.

Table 415 Maintenance > Diagnostics > Packet Capture > Capture on AP

Select on AP
This lists the managed APs that are connected and available. Select the managed AP whose network traffic you want the Zyxel Device to capture.

Query
After you select an AP, click this button to update and display the interfaces, filter configuration and storage size available for the selected AP on the screen.
Note: You need to use the Query button before packet capturing on an AP if the AP has rebooted or the applied AP profile settings have been changed.

Capture Status
This shows Standby when the Zyxel Device is ready to capture, or has finished capturing, network traffic going through the selected AP's interface(s).
This shows Preparing when the Zyxel Device is sending the capture command to the AP's interface(s).
This shows Capturing when the AP is capturing network traffic going through the selected AP's interface(s).
This shows File Receiving when the Zyxel Device starts to receive capture files from the AP's interface(s) after you press the Stop button.

Interfaces
Enabled interfaces (except for virtual interfaces) appear under Available Interfaces. Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list. Use the [Shift] and/or [Ctrl] key to select multiple objects.

IP Version
Select the version of IP for which to capture packets. Select any to capture packets for all IP versions.

Protocol Type
Select the protocol of traffic for which to capture packets. Select any to capture packets for all types of traffic.

Host IP
Select a host IP address object for which to capture packets. Select any to capture packets for all hosts. Select User Defined to be able to enter an IP address.

Host Port
This field is configurable when you set the IP Type to any, tcp, or udp. Specify the port number of traffic to capture.

Continuously capture and overwrite old ones
Select this to have the Zyxel Device keep capturing traffic and overwriting old packet capture entries when the available storage space runs out.

Captured Packet Files
When saving packet captures only to the Zyxel Device's on board storage, specify a maximum limit in megabytes for the total combined size of all the capture files on the Zyxel Device.
When saving packet captures to a connected USB storage device, specify a maximum limit in megabytes for each capture file.
Note: If you have existing capture files and have not selected the Continuously capture and overwrite old ones option, you may need to set this size larger or delete existing capture files.
The valid range depends on the available on board/USB storage size. The Zyxel Device stops the capture and generates the capture file when either the file reaches this size or the time period specified in the Duration field expires.

Split threshold
Specify a maximum size limit in megabytes for individual packet capture files. After a packet capture file reaches this size, the Zyxel Device starts another packet capture file.

Duration
Set a time limit in seconds for the capture. The Zyxel Device stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified in the File Size field. 0 means there is no time limit.

File Suffix
Specify text to add to the end of the file name (before the dot and filename extension) to help you identify the packet capture files. Modifying the file suffix also avoids making new capture files that overwrite existing files of the same name.
The file name format is "interface name-file suffix.cap", for example "vlan2-packetcapture.cap".

Number Of Bytes To Capture (Per Packet)
Specify the maximum number of bytes to capture per packet. The Zyxel Device automatically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of captured packets.

Save data to onboard storage only
Select this to have the Zyxel Device only store packet capture entries on the Zyxel Device. The available storage size is displayed as well.
Note: The Zyxel Device reserves some on board storage space as a buffer.

Save data to USB storage
Select this to have the Zyxel Device store packet capture entries only on a USB storage device connected to the Zyxel Device if the Zyxel Device allows this.
Status:
Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the Zyxel Device cannot mount it.
none - no USB storage device is connected.
service deactivated - USB storage feature is disabled (in Configuration > System > USB Storage), so the Zyxel Device cannot use a connected USB device to store system logs and other diagnostic information.
available - you can have the Zyxel Device use the USB storage device. The available storage capacity also displays.
Note: The Zyxel Device reserves some USB storage space as a buffer.

Save data to ftp server (available: xx MB)
Select this to have the Zyxel Device store packet capture entries on the defined FTP site. The available storage size is displayed as well.

Server Address
Type the IP address of the FTP server.

Server Port
Type the port this server uses for FTP traffic. The default FTP port is 21.

Name
Type the login username to access the FTP server.

Password
Type the associated login password to access the FTP server.

Capture
Click this button to have the Zyxel Device capture packets according to the settings configured in this screen.
You can configure the Zyxel Device while a packet capture is in progress although you cannot modify the packet capture settings.
The Zyxel Device's throughput or performance may be affected while a packet capture is in progress.
After the Zyxel Device finishes the capture it saves a separate capture file for each selected interface. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space. Once the flash storage space is full, adding more packet captures will fail.

Stop
Click this button to stop a currently running packet capture and generate a separate capture file for each selected interface.

Reset
Click this button to return the screen to its last-saved settings.

45.3.2 The Packet Capture Files Screen
Click Maintenance > Diagnostics > Packet Capture > Files to open the packet capture files screen. This screen lists the files of packet captures stored on the Zyxel Device or a connected USB storage device. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark.

Chapter 45 Diagnostics Fig ure 644 Maintenance > Diagnostics > Packet Capture > Files

The following table describes the labels in this screen.

Table 416 Maintenance > Diagnostics > Packet Capture > Files

Remove: Select files and click Remove to delete them from the Zyxel Device or the connected USB storage device. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete.
Download: Click a file to select it and click Download to save it to your computer. Capture files hold the full packet contents, including any cleartext credentials or session tokens that crossed the interface, so treat downloaded captures as sensitive data and remove them from the device when you no longer need them.
#: This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space.
File Name: This column displays the label that identifies the file. The file name format is interface name-file suffix.cap.
Size: This column displays the size (in bytes) of the packet capture file.
Last Modified: This column displays the date and time that the individual files were saved.
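The files listed on this screen are libpcap (.cap) files, one per captured interface. The following added example, which is not Zyxel code and not part of the original guide, sanity-checks a downloaded file before it goes into Wireshark: it parses the libpcap global header (both byte orders and the nanosecond variants), walks the packet records, decodes Ethernet/IPv4 addresses and ports, and flags a truncated final record, which is what a capture that stopped on its size limit looks like. The sample capture bytes, MAC addresses, IP addresses and the file name "wan1-20201001.cap" are constructed for the example; `interface_from_filename` assumes the "interface name-file suffix.cap" naming described above.

```python
"""Sanity-check a capture downloaded from Maintenance > Diagnostics >
Packet Capture > Files before opening it in Wireshark: parse the libpcap
global header, walk the packet records, decode Ethernet/IPv4 addresses,
and report a truncated final record (the usual result of a capture that
stopped on its size limit). Added example, not Zyxel code; the sample
capture bytes below are constructed inline."""
import socket
import struct

# Magic value as read with "<I" -> whether timestamps are in nanoseconds.
_LE_MAGICS = {0xA1B2C3D4: False, 0xA1B23C4D: True}   # file written little-endian
_BE_MAGICS = {0xD4C3B2A1: False, 0x4D3CB2A1: True}   # file written big-endian
LINKTYPE_ETHERNET = 1


def interface_from_filename(name: str) -> str:
    """The Files screen names captures 'interface name-file suffix.cap' (assumed format)."""
    return name.rsplit("/", 1)[-1].split("-", 1)[0]


def decode_ethernet_ipv4(frame: bytes):
    """Return (src, dst, proto, sport, dport) for an Ethernet/IPv4 frame, else None.
    Ports are None for protocols other than TCP (6) and UDP (17)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    sport = dport = None
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, dst, proto, sport, dport


def parse_pcap(data: bytes) -> dict:
    """Parse a libpcap file held in memory. Raises ValueError on a bad magic or
    an impossible record header; a body cut short at EOF is reported, not fatal."""
    if len(data) < 24:
        raise ValueError("shorter than a libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in _LE_MAGICS:
        endian, nanos = "<", _LE_MAGICS[magic]
    elif magic in _BE_MAGICS:
        endian, nanos = ">", _BE_MAGICS[magic]
    else:
        raise ValueError(f"not a libpcap file (magic {magic:#010x})")
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, off, truncated = [], 24, False
    while off < len(data):
        if off + 16 > len(data):                # partial record header at EOF
            truncated = True
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"corrupt record header at offset {off}")
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:               # body cut short: capture hit its size limit
            truncated = True
            break
        off += incl_len
        entry = {"ts": ts_sec + ts_frac / (1e9 if nanos else 1e6), "len": orig_len}
        l3 = decode_ethernet_ipv4(frame) if linktype == LINKTYPE_ETHERNET else None
        if l3:
            entry.update(zip(("src", "dst", "proto", "sport", "dport"), l3))
        packets.append(entry)
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets, "truncated": truncated}


# --- constructed sample capture (not a real file from a device) ---
def _frame(src, dst, proto, sport, dport):
    """Ethernet + minimal IPv4 header + 20-byte layer-4 stub carrying the ports."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def _record(ts, frame, keep=None):
    """Record header claims the full frame; keep=N stores only N body bytes."""
    keep = len(frame) if keep is None else keep
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame[:keep]


SAMPLE_CAPTURE = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    + _record(1601510400, _frame("192.168.1.10", "203.0.113.5", 6, 51234, 443))
    + _record(1601510401, _frame("203.0.113.5", "192.168.1.10", 6, 443, 51234))
    + _record(1601510402, _frame("192.168.1.10", "192.168.1.1", 17, 40000, 53), keep=10)
)

if __name__ == "__main__":
    result = parse_pcap(SAMPLE_CAPTURE)
    print(interface_from_filename("wan1-20201001.cap"), result)
```

For a real download, replace `SAMPLE_CAPTURE` with `open(path, "rb").read()`. A `truncated` result is expected when the capture stopped on its size limit; a `ValueError` means the file is not what the Files screen claims and should not be trusted.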

45.4 The CPU / Memory Status Screen
Click Maintenance > Diagnostics > CPU / Memory Status to open the CPU/Memory Status screen. Use this screen to view the CPU and memory usage of the applications running on the Zyxel Device.


Figure 645 Maintenance > Diagnostics > CPU / Memory Status

The following table describes the labels in this screen.

Table 417 Maintenance > Diagnostics > CPU / Memory Status

CPU Status: This table displays the applications that use the most Zyxel Device CPU processing.
CPUn Usage: CPU usage shows how much processing power the Zyxel Device is using. This field displays the current usage of CPU n (where n is the number of the CPU) as a percentage of that CPU's total processing power.
Network Traffic: This field displays the current percentage of network traffic through the Zyxel Device.
#: This field is a sequential value, and it is not associated with any entry.
CPU: This field displays the current CPU utilization percentage for each application running on the Zyxel Device.
Application: This field displays the name of the application consuming the related processing power on the Zyxel Device.
Memory: This field displays the current DRAM memory utilization percentage for each application running on the Zyxel Device.
Time: This field displays each application's running time in hours, minutes and seconds.
Memory Status: This table displays the applications that use the most Zyxel Device DRAM memory.
Memory Usage: Memory usage shows how much DRAM memory the Zyxel Device is using. This field displays the current percentage of memory utilization.
#: This field is a sequential value, and it is not associated with any entry.
Memory: This field displays the current DRAM memory utilization percentage for each application running on the Zyxel Device.
Application: This field displays the name of the application consuming the related memory on the Zyxel Device.
CPU: This field displays the current CPU utilization percentage for each application running on the Zyxel Device.
Time: This field displays each application's running time.
Refresh: Click this to update the information in this screen.

45.5 The System Log Screen
Click Maintenance > Diagnostics > System Log to open the System Log screen. This screen lists the Zyxel Device system log files stored on a connected USB storage device. The files are in comma separated value (csv) format. You can download them to your computer and open them in a tool like Microsoft Excel.
Figure 646 Maintenance > Diagnostics > System Log

The following table describes the labels in this screen.

Table 418 Maintenance > Diagnostics > System Log

Remove: Select files and click Remove to delete them from the Zyxel Device. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete.
Download: Click a file to select it and click Download to save it to your computer.
#: This column displays the number for each file entry. The total number of files that you can save depends on the file sizes and the available storage space.
File Name: This column displays the label that identifies the file.
Size: This column displays the size (in bytes) of a file.
Last Modified: This column displays the date and time that the individual files were saved.

45.6 The Network Tool Screen
Use this screen to perform various network tests. Click Maintenance > Diagnostics > Network Tool to display this screen.
Figure 647 Maintenance > Diagnostics > Network Tool
Figure 648 Maintenance > Diagnostics > Network Tool - Test Email Server

The following table describes the labels in this screen.

Table 419 Maintenance > Diagnostics > Network Tool

Network Tool: Select a network tool:
· Select NSLOOKUP IPv4 or NSLOOKUP IPv6 to query the Domain Name System (DNS) for the mapping between a domain name and an IP address.
· Select PING IPv4 or PING IPv6 to ping the address that you entered.
· Select TRACEROUTE IPv4 or TRACEROUTE IPv6 to run traceroute. This determines the path a packet takes to the specified computer.
· Select Test Email Server to test access to an SMTP email server.
Domain Name or IP Address: Type the domain name or IP address that you want to use with the selected network tool.
Advance: Click this to display the following fields.
Query Server: Enter the IP address of the DNS server to which the Zyxel Device sends NSLOOKUP queries.
Interface: Select the interface through which the Zyxel Device sends PING or TRACEROUTE probes.
Extension Option: Enter extra options if you want to use an extended ping or traceroute command. For example, enter "-c count" (where count is the number of echo requests) to set how many times the Zyxel Device pings the destination address, or enter "-w waittime" (where waittime is a period in seconds) to set how long the Zyxel Device waits for a response to a probe before sending the next one.

The following fields display when you select Test Email Server in Network Tool.

Mail Server: Type the name or IP address of the outgoing SMTP server.
Mail Subject: Type the subject line for the outgoing email.
· Select Append system name to add the Zyxel Device system name to the subject.
· Select Append date time to add the Zyxel Device date and time to the subject.
Mail Server Port: Enter the port number on which the mail server accepts mail traffic.
TLS Security: Select this if the mail server expects the connection to be TLS-encrypted from the start (implicit TLS, commonly port 465).
STARTTLS: Select this if the mail server begins in cleartext and upgrades the session to TLS with the STARTTLS command (commonly port 587).
Authenticate Server: Select this to have the Zyxel Device verify the mail server's certificate in the TLS handshake. Without it the session is encrypted but the server is not authenticated, so anyone on the path can pose as the mail server and collect the SMTP user name and password.
Mail From: Type the email address from which the outgoing email is delivered. This address is used in replies.
Mail To: Type the email address to which the outgoing email is delivered.
SMTP Authentication: Select this check box if it is necessary to provide a user name and password to the SMTP server.
User Name: This box is effective when you select the SMTP Authentication check box. Type the user name to provide to the SMTP server when the test email is sent.
Password: This box is effective when you select the SMTP Authentication check box. Type a password of up to 63 characters to provide to the SMTP server when the test email is sent.
Retype to Confirm: Retype your new password for confirmation.
Test: Click this button to start the test.
Stop: Click this button to stop the test.
Reset: Click this button to return the screen to its last-saved settings.
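The three transport options above (TLS Security, STARTTLS, Authenticate Server) are the same choices any SMTP client has to make, and the way they interact matters: a STARTTLS client that quietly continues in cleartext when the server does not offer STARTTLS, or that sends AUTH before the upgrade, leaks the credentials the screen asks for. The following added example (not Zyxel code, and not a description of what the device's Test button does internally) reproduces the test from a workstation with Python's `smtplib`. `plan_session` is a pure decision function that works from the server's EHLO reply and fails closed on a downgrade; `send_test_mail` drives a real session. The host, port, addresses, user name and password in the `__main__` block are placeholders.

```python
"""Reproduce the Test Email Server check from a workstation, with the same
three transport choices as the screen: TLS Security (implicit TLS),
STARTTLS, and Authenticate Server (certificate verification). Added
example, not Zyxel code; host, port, addresses and credentials are
placeholders to be replaced."""
import smtplib
import ssl
from email.message import EmailMessage


def make_tls_context(authenticate_server: bool) -> ssl.SSLContext:
    """TLS context for the session. With authenticate_server=False the link
    is encrypted but the peer is not verified, so an on-path attacker can
    present any certificate, pose as the mail server and collect the SMTP
    credentials. Keep it enabled unless you are debugging a broken chain."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    if not authenticate_server:
        ctx.check_hostname = False              # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def plan_session(ehlo_extensions, mode: str, use_auth: bool) -> list:
    """Work out the SMTP command sequence from the server's EHLO reply.
    mode is "tls" (implicit TLS), "starttls" or "plain". Fails closed: if
    STARTTLS was requested but the server did not advertise it (an on-path
    attacker can strip it from the EHLO reply), refuse instead of
    continuing in cleartext; never send AUTH on an unencrypted session."""
    exts = {e.upper() for e in ehlo_extensions}
    cmds = ["EHLO"]
    if mode == "starttls":
        if "STARTTLS" not in exts:
            raise RuntimeError("server did not offer STARTTLS; refusing cleartext")
        cmds += ["STARTTLS", "EHLO"]            # second EHLO runs inside TLS
    if use_auth:
        if mode == "plain":
            raise RuntimeError("refusing SMTP AUTH over a cleartext session")
        cmds.append("AUTH")
    return cmds + ["MAIL FROM", "RCPT TO", "DATA", "QUIT"]


def send_test_mail(host, port, mode, authenticate_server, mail_from, mail_to,
                   user=None, password=None, subject="Zyxel test mail"):
    """Send one test message the way the screen's Test button does."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = mail_from, mail_to, subject
    msg.set_content("SMTP reachability test")
    ctx = make_tls_context(authenticate_server)
    if mode == "tls":
        smtp = smtplib.SMTP_SSL(host, port, context=ctx, timeout=15)
    else:
        smtp = smtplib.SMTP(host, port, timeout=15)
    with smtp:
        smtp.ehlo()
        plan_session(smtp.esmtp_features, mode, user is not None)   # raises on downgrade
        if mode == "starttls":
            smtp.starttls(context=ctx)
            smtp.ehlo()                                              # re-EHLO after upgrade
        if user is not None:
            smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":   # placeholders: replace with your own server and accounts
    send_test_mail("mail.example.net", 587, "starttls", True,
                   "usg@example.net", "soc@example.net", user="usg", password="secret")
```

If the test from the workstation succeeds with Authenticate Server enabled but the device's test fails, the device is most likely missing the CA certificate that issued the mail server's certificate; disabling server authentication makes the error go away at the cost described in the table above.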

45.7 The Routing Traces Screen
Click Maintenance > Diagnostics > Routing Traces to display this screen. Use this screen to configure a trace that shows where packets are dropped, for troubleshooting.
Figure 649 Maintenance > Diagnostics > Routing Traces

The following table describes the labels in this screen.

Table 420 Maintenance > Diagnostics > Routing Traces

IP Address: You can trace traffic through the Zyxel Device from a specific source-to-destination stream or just from/to a specific host (source or destination).
Source: Enter the source IP address of traffic that you want to trace.
Source Port: Enter the source port number of traffic that you want to trace.
Destination: Enter the destination IP address of traffic that you want to trace.
Destination Port: Enter the destination port number of traffic that you want to trace.
Host: Enter the IP address of a specific source or destination host whose traffic you want to trace.
Port: Enter the port number for particular source traffic on the host that you want to trace.
Protocol: Select the protocol of traffic that you want to trace. any means any protocol.
Interval: Enter a time interval in seconds for renewing a route trace. The default time interval is 5 seconds.
Capture: Click this button to have the Zyxel Device capture frames according to the settings configured in this screen. You can configure the Zyxel Device while a capture is in progress although you cannot modify the capture settings.
Flush Data: Click this to clear all data on the screen.
Session: This field displays established sessions that passed through the Zyxel Device which matched the capture criteria.
ID: This field displays the packet ID for each active session.
Protocol: This field displays the protocol used in each active session.
from VPN ID: This field displays the tagged VLAN ID in ingress packets coming into the Zyxel Device.
to VPN ID: This field displays the tagged VLAN ID in egress packets going out from the Zyxel Device.
Incoming Interface: This is the source interface of packets to which this active session applies.
Message: This field displays traceroute information.

45.8 The Wireless Frame Capture Screen
Use this screen to capture wireless network traffic going through the AP interfaces connected to your Zyxel Device. Studying these frame captures may help you identify network problems. Click Maintenance > Diagnostics > Wireless Frame Capture to display this screen.
Note: New capture files overwrite existing files of the same name. Change the File Prefix field's setting to avoid this.
Figure 650 Maintenance > Diagnostics > Wireless Frame Capture > Capture

The following table describes the labels in this screen.

Table 421 Maintenance > Diagnostics > Wireless Frame Capture > Capture

MON Mode APs
Configure AP to MON Mode: Click this to go to the Configuration > Wireless > AP Management screen, where you can set one or more APs to monitor mode.
Available MON Mode APs: This column displays which APs on your wireless network are currently configured for monitor mode. Use the arrow buttons to move APs off this list and onto the Captured MON Mode APs list.
Capture MON Mode APs: This column displays the monitor-mode configured APs selected for wireless frame capture.
Misc Setting
File Size: Specify a maximum size limit in kilobytes for the total combined size of all the capture files on the Zyxel Device, including any existing capture files and any new capture files you generate. The valid range is 1 to 50000. The Zyxel Device stops the capture and generates the capture file when the file reaches this size.
Note: If you have existing capture files you may need to set this size larger or delete existing capture files.
File Prefix: Specify text to add to the front of the file name in order to help you identify frame capture files. Change the prefix to create a new frame capture file each time you perform a frame capture; doing so does not overwrite existing frame capture files. The file format is: [file prefix].cap. For example, "monitor.cap".
Capture: Click this button to have the Zyxel Device capture frames according to the settings configured in this screen. You can configure the Zyxel Device while a frame capture is in progress although you cannot modify the frame capture settings. The Zyxel Device's throughput or performance may be affected while a frame capture is in progress. After the Zyxel Device finishes the capture it saves a combined capture file for all APs. The total number of frame capture files that you can save depends on the file sizes and the available flash storage space. Once the flash storage space is full, adding more frame captures will fail.
Stop: Click this button to stop a currently running frame capture and generate a combined capture file for all APs.
Reset: Click this button to return the screen to its last-saved settings.

45.8.1 The Wireless Frame Capture Files Screen
Click Maintenance > Diagnostics > Wireless Frame Capture > Files to open this screen. This screen lists the wireless frame capture files the Zyxel Device has saved. You can download the files to your computer and study them with a packet analyzer (also known as a network or protocol analyzer) such as Wireshark.
Figure 651 Maintenance > Diagnostics > Wireless Frame Capture > Files

The following table describes the labels in this screen.

Table 422 Maintenance > Diagnostics > Wireless Frame Capture > Files

Remove: Select files and click Remove to delete them from the Zyxel Device. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete.
Download: Click a file to select it and click Download to save it to your computer.
#: This column displays the number for each frame capture file entry. The total number of frame capture files that you can save depends on the file sizes and the available flash storage space.
File Name: This column displays the label that identifies the file. The file name format is [file prefix].cap.
Size: This column displays the size (in bytes) of the frame capture file.
Last Modified: This column displays the date and time that the individual files were saved.

Chapter 46 Packet Flow Explore
46.1 Overview
Use this to get a clear picture of how the Zyxel Device determines where to forward a packet and how it changes the packet's source IP address according to your current settings. This function gives you a summary of all your routing and SNAT settings and helps troubleshoot any related problems.
46.1.1 What You Can Do in this Chapter
· Use the Routing Status screen (see Section 46.2 on page 952) to view the overall routing flow and each routing function's settings.
· Use the SNAT Status screen (see Section 46.3 on page 956) to view the overall source IP address conversion (SNAT) flow and each SNAT function's settings.
46.2 Routing Status
The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings. Click a function box in the Routing Flow section and the related (activated) routes display in the Routing Table section. To access this screen, click Maintenance > Packet Flow Explore > Routing Status. The order of the routing flow may vary depending on whether you:
· Select use policy route to override direct route in the CONFIGURATION > Network > Routing > Policy Route screen.
· Use policy routes to control 1-1 NAT by using the policy control-virtual-server-rules activate command.
· Select use policy routes to control dynamic IPSec rules in the CONFIGURATION > VPN > IPSec VPN > VPN Connection screen.
Note: Once a packet matches the criteria of a routing rule, the Zyxel Device takes the corresponding action and does not perform any further flow checking.
Figure 652 Maintenance > Packet Flow Explore > Routing Status (Direct Route)
Figure 653 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN)
Figure 654 Maintenance > Packet Flow Explore > Routing Status (Policy Route)
Figure 655 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT)
Figure 656 Maintenance > Packet Flow Explore > Routing Status (SiteToSite VPN)
Figure 657 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route)
Figure 658 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk)
Figure 659 Maintenance > Packet Flow Explore > Routing Status (Main Route)

The following table describes the labels in this screen.

Table 423 Maintenance > Packet Flow Explore > Routing Status

Routing Flow: This section shows you the flow of how the Zyxel Device determines where to route a packet. Click a function box to display the related settings in the Routing Table section.
Routing Table: This section shows the corresponding settings according to the function box you click in the Routing Flow section.

The following fields are available if you click Direct Route, Static-Dynamic Route, or Main Route in the Routing Flow section.

#: This field is a sequential value, and it is not associated with any entry.
Destination: This is the destination IP address of a route.
Gateway: This is the IP address of the next-hop gateway or the interface through which the traffic is routed.
Interface: This is the name of an interface associated with the route.
Metric: This is the route's priority among the displayed routes.
Flags: This indicates additional information for the route. The possible flags are:
· A - this route is currently activated.
· S - this is a static route.
· C - this is a directly connected route.
· O - this is a dynamic route learned through OSPF.
· R - this is a dynamic route learned through RIP.
· B - this is a dynamic route learned through BGP.
· G - the route is to a gateway (router) in the same network.
· ! - this is a route which forces a route lookup to fail.
· B - this is a route which discards packets.
· L - this is a recursive route.
Persist: This is the remaining time of a dynamically learned route. The Zyxel Device removes the route after this time period counts down to zero.

The following fields are available if you click Policy Route in the Routing Flow section.

#: This field is a sequential value, and it is not associated with any entry.
Incoming: This is the interface on which the packets are received.
Source: This is the source IP address(es) from which the packets are sent.
Destination: This is the destination IP address(es) to which the packets are transmitted.
Service: This is the name of the service object. any means all services.
Source Port: This is the source port(s) from which the packets are sent.
DSCP Code: This is the DSCP value of incoming packets to which this policy route applies. See Section 10.2 on page 327 for more information.
Next Hop Type: This is the type of the next hop to which packets are directed.
Next Hop Info:
· This is the main route if the next hop type is Auto.
· This is the interface name and gateway IP address if the next hop type is Interface/GW.
· This is the tunnel name if the next hop type is VPN Tunnel.
· This is the trunk name if the next hop type is Trunk.

The following fields are available if you click 1-1 SNAT in the Routing Flow section.

#: This field is a sequential value, and it is not associated with any entry.
NAT Rule: This is the name of an activated 1:1 or Many 1:1 NAT rule in the NAT table.
Source: This is the external source IP address(es).
Protocol: This is the transport layer protocol.
Source Port: This is the source port number.
Destination: This is the external destination IP address(es).
Outgoing: This is the outgoing interface that the SNAT rule uses to transmit packets.
Gateway: This is the IP address of the gateway in the same network as the outgoing interface.

The following fields are available if you click Dynamic VPN or SiteToSite VPN in the Routing Flow section.

#: This field is a sequential value, and it is not associated with any entry.
Source: This is the IP address(es) of the local VPN network.
Destination: This is the IP address(es) of the remote VPN network.
VPN Tunnel: This is the name of the VPN tunnel.

The following fields are available if you click Default WAN Trunk in the Routing Flow section.

#: This field is a sequential value, and it is not associated with any entry.
Source: This is the source IP address(es) from which the packets are sent. any means any IP address.
Destination: This is the destination IP address(es) to which the packets are transmitted. any means any IP address.
Trunk: This is the name of the WAN trunk through which the matched packets are transmitted.

46.3 The SNAT Status Screen
The SNAT Status screen allows you to view and quickly link to specific source NAT (SNAT) settings. Click a function box in the SNAT Flow section and the related (activated) SNAT rules display in the SNAT Table section. To access this screen, click Maintenance > Packet Flow Explore > SNAT Status.
The order of the SNAT flow may vary depending on whether you:
· select use default SNAT in the CONFIGURATION > Network > Interface > Trunk screen.
· use policy routes to control 1-1 NAT by using the policy control-virtual-server-rules activate command.
Note: Once a packet matches the criteria of an SNAT rule, the Zyxel Device takes the corresponding action and does not perform any further flow checking.
Figure 660 Maintenance > Packet Flow Explore > SNAT Status (Policy Route SNAT)
Figure 661 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT)
Figure 662 Maintenance > Packet Flow Explore > SNAT Status (Loopback SNAT)
Figure 663 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT)

The following table describes the labels in this screen.

Table 424 Maintenance > Packet Flow Explore > SNAT Status

SNAT Flow: This section shows you the flow of how the Zyxel Device changes the source IP address of a packet according to the rules you have configured on the Zyxel Device. Click a function box to display the related settings in the SNAT Table section.
SNAT Table: The table fields in this section vary depending on the function box you select in the SNAT Flow section.

The following fields are available if you click Policy Route SNAT in the SNAT Flow section.

#: This field is a sequential value, and it is not associated with any entry.
Outgoing: This is the outgoing interface that the route uses to transmit packets.
SNAT: This is the source IP address(es) that the SNAT rule finally uses.

The following fields are available if you click 1-1 SNAT in the SNAT Flow section.

#: This field is a sequential value, and it is not associated with any entry.
NAT Rule: This is the name of an activated NAT rule which uses SNAT.
Source: This is the external source IP address(es).
Protocol: This is the transport layer protocol.
Source Port: This is the source port number.
Destination: This is the external destination IP address(es).
Outgoing: This is the outgoing interface that the SNAT rule uses to transmit packets.
SNAT: This is the source IP address(es) that the SNAT rule finally uses.

The following fields are available if you click Loopback SNAT in the SNAT Flow section.

#: This field is a sequential value, and it is not associated with any entry.
NAT Rule: This is the name of an activated NAT rule which uses SNAT and enables NAT loopback.
Source: This is the original source IP address(es). any means any IP address.
Destination: This is the original destination IP address(es). any means any IP address.
SNAT: This indicates which source IP address the SNAT rule finally uses. For example, Outgoing Interface IP means that the Zyxel Device uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule.

The following fields are available if you click Default SNAT in the SNAT Flow section.

#: This field is a sequential value, and it is not associated with any entry.
Incoming: This indicates the internal interface(s) on which the packets are received.
Outgoing: This indicates the external interface(s) from which the packets are transmitted.
SNAT: This indicates which source IP address the SNAT rule finally uses. For example, Outgoing Interface IP means that the Zyxel Device uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule.

Chapter 47 Shutdown
47.1 Overview
Use this to shut down the device in preparation for disconnecting the power.
Always use the Maintenance > Shutdown > Shutdown screen or the "shutdown" command before you turn off the Zyxel Device or remove the power. Not doing so can cause the firmware to become corrupt.
47.1.1 What You Need To Know
Shutdown writes all cached data to the local storage and stops the system processes.
47.2 The Shutdown / Reboot Screen
To access this screen, click Maintenance > Shutdown/Reboot.
Figure 664 Maintenance > Shutdown/ Reboot

The following table describes the labels in this screen.

Table 425 Maintenance > Shutdown / Reboot

Shutdown: Click the Shutdown button to shut down the Zyxel Device. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power.
Reboot: Click Reboot to reboot the Zyxel Device immediately without turning the power off.
Schedule Reboot: Select this check box to schedule a periodic reboot of the Zyxel Device. You should select a time when your network is not busy for minimal interruption.
Note: You cannot enable Auto Update in File Manager > Firmware Management and Schedule Reboot in Maintenance > Shutdown-Reboot at the same time.
Daily: Set the Zyxel Device to reboot every day at the specified time. The time format is the 24-hour clock, so 0 means midnight, for example.
Weekly: Set the Zyxel Device to reboot once a week on the day and at the time specified.
Monthly: Set the Zyxel Device to reboot once a month on the specified day, at the specified hour and minute. If the day you select is greater than the number of days in a month, the Zyxel Device automatically reboots on the last day of the month. For example, if you select 31 and the month is February, the Zyxel Device reboots on day 28 or 29.
Apply: Click Apply to save your changes back to the Zyxel Device.
Reset: Click Reset to return the screen to its last-saved settings.

You can also use the CLI command shutdown to close down the Zyxel Device.

PART III Appendices and Troubleshooting

Chapter 48 Troubleshooting
This chapter offers some suggestions to solve problems you might encounter.
· You can also refer to the logs (see Section 6.38 on page 190).
· For the order in which the Zyxel Device applies its features and checks, see Chapter 46 on page 952.

None of the LEDs turn on.
Make sure that you have the power cord connected to the Zyxel Device and plugged in to an appropriate power source. Make sure you have the Zyxel Device turned on. Check all cable connections. If the LEDs still do not turn on, you may have a hardware problem. In this case, you should contact your local vendor.

Cannot access the Zyxel Device from the LAN.
· Check the cable connection between the Zyxel Device and your computer or switch.
· Ping the Zyxel Device from a LAN computer. Make sure your computer's Ethernet card is installed and functioning properly. Also make sure that its IP address is in the same subnet as the Zyxel Device's.
· In the computer, click Start, (All) Programs, Accessories and then Command Prompt. In the Command Prompt window, type "ping" followed by the Zyxel Device's LAN IP address (192.168.1.1 is the default) and then press [ENTER]. The Zyxel Device should reply.
· If you've forgotten the Zyxel Device's password, use the RESET button. Press the button in for about 5 seconds (or until the SYS LED starts to blink), then release it. It returns the Zyxel Device to the factory defaults (password is 1234, LAN IP address 192.168.1.1, etc). Because the device is then reachable with the published default password, change it as soon as you log back in.
· If you've forgotten the Zyxel Device's IP address, you can use the commands through the CONSOLE port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed.

I cannot access the Internet.
· Check the Zyxel Device's connection to the Ethernet jack with Internet access. Make sure the Internet gateway device (such as a DSL modem) is working properly.
· Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that you enter the correct settings. Use the same case as provided by your ISP.
I cannot update the anti-malware/IDP/application patrol/URL Threat filter/IP reputation signatures.
· Make sure your Zyxel Device has the anti-malware/IDP/application patrol service registered and that the license is not expired. Purchase a new license if the license is expired.
· Make sure your Zyxel Device is connected to the Internet.
I cannot update the threat intelligence machine learning (TIML) signatures.
· Make sure your Zyxel Device has the anti-malware service registered and that the gold security pack license is not expired. Purchase a new license if the license is expired.
· Make sure your Zyxel Device is connected to the Internet.
I downloaded updated anti-malware/IDP/application patrol/URL Threat filter/IP reputation signatures. Why has the Zyxel Device not re-booted yet?
The Zyxel Device does not have to reboot when you upload new signatures.
The content filter category service is not working.
· Make sure your Zyxel Device has the content filter category service registered and that the license is not expired. Purchase a new license if the license is expired.
· Make sure your Zyxel Device is connected to the Internet.
· Make sure you select Enable Content Filter Category Service when you add a filter profile in the Configuration > Security Service > Content Filter > Profile > Add or Edit screen.
I configured security settings but the Zyxel Device is not applying them for certain interfaces.
Many security settings are usually applied to zones. Make sure you assign the interfaces to the appropriate zones. When you create an interface, there is no security applied on it until you assign it to a zone.
The Zyxel Device is not applying the custom policy route I configured.
The Zyxel Device checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match.
The Zyxel Device is not applying the custom security policy I configured.
The Zyxel Device checks the security policies in the order that they are listed. So make sure that your custom security policy comes before any other rules that the traffic would also match.
I cannot enter the interface name I want.
The format of interface names other than the Ethernet interface names is very strict. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum number of each type of interface). For example, VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on.
· The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon (:) in the Web Configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.
I cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface on an Ethernet interface.
You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it.
My rules and settings that apply to a particular interface no longer work.
The interface's IP address may have changed. To avoid this, create an IP address object based on the interface. This way the Zyxel Device automatically updates every rule or setting that uses the object whenever the interface's IP address settings change. For example, if you change LAN1's IP address, the Zyxel Device automatically updates the corresponding interface-based, LAN1 subnet address object.
I cannot set up a PPP interface.
You have to set up an ISP account before you create a PPPoE or PPTP interface.
The data rates through my cellular connection are nowhere near the rates I expected.
The actual cellular data rate you obtain varies depending on the cellular device you use, the signal strength to the service provider's base station, and so on.
I created a cellular interface but cannot connect through it.
· Make sure you have a compatible mobile broadband device installed or connected. See www.zyxel.com for details.
· Make sure you have the cellular interface enabled.
· Make sure the cellular interface has the correct user name, password, and PIN code configured with the correct casing.
· If the Zyxel Device has multiple WAN interfaces, make sure their IP addresses are on different subnets.
Hackers have accessed my WEP-encrypted wireless LAN.
WEP is extremely insecure. Its encryption can be broken by an attacker using widely available software. It is strongly recommended that you use a more effective security mechanism. Use the strongest security mechanism that all the wireless devices in your network support. WPA2 or WPA2-PSK is recommended.
The wireless security is not following the re-authentication timer setting I specified.
If a RADIUS server authenticates wireless stations, the re-authentication timer on the RADIUS server has priority. Change the RADIUS server's configuration if you need to use a different re-authentication timer setting.
I cannot configure a particular VLAN interface on top of an Ethernet interface even though I have configured it on top of another Ethernet interface.
Each VLAN interface is created on top of only one Ethernet interface.
The Zyxel Device is not applying an interface's configured ingress bandwidth limit.
At the time of writing, the Zyxel Device does not support ingress bandwidth management.
The Zyxel Device is not applying my application patrol bandwidth management settings.
Bandwidth management in policy routes has priority over application patrol bandwidth management.
The Zyxel Device's performance slowed down after I configured many new application patrol entries.
The Zyxel Device checks the ports and conditions configured in application patrol entries in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the Zyxel Device by putting more commonly used ports at the top of the list.
The Zyxel Device's anti-malware scanner cleaned an infected file but now I cannot use the file.
The scanning engine checks the contents of the packets for malware. If a malware pattern is matched, the Zyxel Device removes a portion of the file, while the rest goes through. Since the Zyxel Device erases a portion of the file before sending it, you may not be able to open the file.
The Zyxel Device sent an alert that a malware-infected file has been found, but the file was still forwarded to the user and could still be executed.
Make sure you enable Destroy Infected File in the Configuration > Security Service > Anti-Malware screen to modify infected files before forwarding the files to the user, preventing them from being executed.
I added a file pattern in the anti-malware white list, but the Zyxel Device still checks and modifies files that match this pattern.
Make sure you select the Check White List check box above the white list table. If it is already selected, make sure that the white list entry corresponding to this file pattern is activated.
The Zyxel Device is not scanning some zipped files.
The Zyxel Device cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the Zyxel Device can concurrently unzip.
The Zyxel Device is deleting some zipped files.
The anti-malware policy may be set to delete zipped files that the Zyxel Device cannot unzip. The Zyxel Device cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the Zyxel Device can concurrently unzip.
The threat intelligence machine learning (TIML) feature is not working.
1 Make sure you purchase the gold security pack.
· Make sure you've registered the Zyxel Device and activated the anti-malware service on portal.myZyxel.com.
· Go to the Configuration > Security Service > Anti-Malware screen and select the Enable check box to activate the TIML feature.
2 Make sure the gold security pack is not expired. If it is, renew the license. The Zyxel Device won't scan the TIML signatures that were downloaded when the gold security pack expired.
The Zyxel Device's performance seems slower after configuring IDP.
Depending on your network topology and traffic load, binding every packet direction to an IDP profile may affect the Zyxel Device's performance. You may want to focus IDP scanning on certain traffic directions such as incoming traffic.
IDP is dropping traffic that matches a rule that says no action should be taken.
The Zyxel Device checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the Zyxel Device applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order). If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the Zyxel Device will reject-both.
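The precedence rule above, modelled as an added example (this is not Zyxel code; the signature names in the sample are constructed) so you can work out why a packet that matched a "no action" rule was still rejected:

```python
"""Resolve the effective IDP action when several signatures match one packet.

Added example, not Zyxel code: it models the precedence the guide describes
(reject-both, then reject-receiver or reject-sender, then drop, then none) and
the rule that reject-receiver plus reject-sender combine into reject-both.
"""

# Rank of each action; the higher rank wins. The two one-sided rejects share a rank.
SEVERITY = {
    "reject-both": 3,
    "reject-receiver": 2,
    "reject-sender": 2,
    "drop": 1,
    "none": 0,
}


def effective_action(actions):
    """Return the single action applied to a packet that matched rules with these actions."""
    actions = set(actions)
    unknown = actions - set(SEVERITY)
    if unknown:
        raise ValueError(f"unknown IDP action(s): {sorted(unknown)}")
    if not actions:
        return "none"
    # Rejecting the receiver under one rule and the sender under another
    # means both directions get rejected.
    if {"reject-receiver", "reject-sender"} <= actions:
        return "reject-both"
    return max(actions, key=SEVERITY.__getitem__)


def explain_matches(matches):
    """matches: iterable of (signature_name, action) pairs for one packet.

    Returns (effective_action, signatures_that_drove_it). When the result is
    reject-both because of two one-sided rejects, both of them are reported.
    """
    matches = list(matches)
    result = effective_action(action for _, action in matches)
    present = {action for _, action in matches}
    if result == "reject-both" and "reject-both" not in present:
        responsible = [name for name, a in matches if a in ("reject-receiver", "reject-sender")]
    else:
        responsible = [name for name, a in matches if a == result]
    return result, responsible


# Constructed sample: one packet matching three signatures, one of them a
# "no action" custom rule the operator expected to win.
SAMPLE_MATCHES = [
    ("custom-allow-backup-host", "none"),
    ("sig-rejects-receiver", "reject-receiver"),
    ("sig-rejects-sender", "reject-sender"),
]

if __name__ == "__main__":
    action, who = explain_matches(SAMPLE_MATCHES)
    print(f"effective action: {action}; driven by: {', '.join(who)}")
```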
I uploaded a custom signature file and now all of my earlier custom signatures are gone.
The name of the complete custom signature file on the Zyxel Device is 'custom.rules'. If you import a file named 'custom.rules', then all custom signatures on the Zyxel Device are overwritten with the new file. If this is not your intention, make sure that the files you import are not named 'custom.rules'.
I cannot configure some items in IDP that I can configure in Snort.
Not all Snort functionality is supported in the Zyxel Device.
The Zyxel Device's performance seems slower after configuring ADP.
Depending on your network topology and traffic load, applying an anomaly profile to each and every packet direction may affect the Zyxel Device's performance.
The Zyxel Device destroyed/dropped a file/email without notifying me.
Make sure you enable logs for your security features, such as in the following screens:
· Configuration > Security Service > IDP
· Configuration > Security Service > Anti-Malware
· Configuration > Security Service > Email Security
The Zyxel Device routes and applies SNAT for traffic from some interfaces but not from others.
The Zyxel Device automatically uses SNAT for traffic it routes from internal interfaces to external interfaces, for example LAN to WAN traffic. You must manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to General. You can also configure a policy route to override the default routing and SNAT behavior for an interface with the Interface Type set to Internal or External.
I cannot get Dynamic DNS to work.
· You must have a public WAN IP address to use Dynamic DNS.
· Make sure you recorded your DDNS account's user name, password, and domain name and have entered them properly in the Zyxel Device.
· You may need to configure the DDNS entry's IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the Zyxel Device and the DDNS server.
· The Zyxel Device may not determine the proper IP address if there is an HTTP proxy server between the Zyxel Device and the DDNS server.
I cannot create a second HTTP redirect rule for an incoming interface.
You can configure up to one HTTP redirect rule for each (incoming) interface.
I cannot get the application patrol to manage SIP traffic.
Make sure you have the SIP ALG enabled.
I cannot get the application patrol to manage H.323 traffic.
Make sure you have the H.323 ALG enabled.
I cannot get the application patrol to manage FTP traffic.
Make sure you have the FTP ALG enabled.
The Zyxel Device keeps resetting the connection.
If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device's LAN IP address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or "triangle" route. This causes the Zyxel Device to reset the connection, as the connection has not been acknowledged. You can set the Zyxel Device's security policy to permit the use of asymmetrical route topology on the network (so it does not reset the connection) although this is not recommended since allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup gateway on separate subnets. See Asymmetrical Routes on page 566 and the chapter about interfaces for more information.
I cannot set up an IPSec VPN tunnel to another device.
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both Zyxel IPSec routers and check the settings in each field methodically and slowly. Make sure both the Zyxel Device and remote IPSec router have the same security settings for the VPN tunnel. It may help to display the settings for both routers side-by-side. Here are some general suggestions. See also Chapter 19 on page 418.
· The system log can often help to identify a configuration problem.
· If you enable NAT traversal, the remote IPSec device must also have NAT traversal enabled.
· The Zyxel Device and remote IPSec router must use the same authentication method to establish the IKE SA.
· Both routers must use the same negotiation mode.
· Both routers must use the same encryption algorithm, authentication algorithm, and DH key group.
· When using pre-shared keys, the Zyxel Device and the remote IPSec router must use the same pre-shared key.
· The Zyxel Device's local and peer ID type and content must match the remote IPSec router's peer and local ID type and content, respectively.
· The Zyxel Device and remote IPSec router must use the same active protocol.
· The Zyxel Device and remote IPSec router must use the same encapsulation.
· The Zyxel Device and remote IPSec router must use the same SPI.
· If the sites are/were previously connected using a leased line or ISDN router, physically disconnect these devices from the network before testing your new VPN connection. The old route may have been learned by RIP and would take priority over the new VPN connection.
· To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Before doing so, ensure that both computers have Internet access (via the IPSec routers).
· It is also helpful to have a way to look at the packets that are being sent and received by the Zyxel Device and remote IPSec router (for example, by using a packet sniffer).
Check the configuration for the following Zyxel Device features.
· The Zyxel Device does not put IPSec SAs in the routing table. You must create a policy route for each VPN tunnel. See Chapter 10 on page 325.
· Make sure the To-Zyxel Device security policies allow IPSec VPN traffic to the Zyxel Device. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
· The Zyxel Device supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-Zyxel Device security policies allow UDP port 4500 too.
· Make sure regular security policies allow traffic between the VPN tunnel and the rest of the network. Regular security policies check packets the Zyxel Device sends before the Zyxel Device encrypts them and check packets the Zyxel Device receives after the Zyxel Device decrypts them. This depends on the zone to which you assign the VPN tunnel and the zone from which and to which traffic may be routed.
· If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are using).
· If you have the Zyxel Device and remote IPSec router use certificates to authenticate each other, you must set up the certificates for the Zyxel Device and remote IPSec router first and make sure they trust each other's certificates. If the Zyxel Device's certificate is self-signed, import it into the remote IPSec router. If it is signed by a CA, make sure the remote IPSec router trusts that CA. The Zyxel Device uses one of its Trusted Certificates to authenticate the remote IPSec router's certificate. The trusted certificate can be the remote IPSec router's self-signed certificate or that of a trusted CA that signed the remote IPSec router's certificate.
· Multiple SAs connecting through a secure gateway must have the same negotiation mode.
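The side-by-side check the two lists above describe, as an added example (not Zyxel code or output): the setting names and both sample peer configurations are constructed, and the second function lists the To-Zyxel Device openings named in the firewall checklist (UDP 500, UDP 4500 with NAT traversal, ESP protocol 50 or AH protocol 51).

```python
"""Side-by-side comparison of two IPSec peer configurations.

Added example, not Zyxel code or CLI output. The field names below and both sample
configurations are constructed for illustration; they follow the checklist in the
guide: matching authentication method, negotiation mode, algorithms, DH group,
pre-shared key, active protocol and encapsulation, and mirrored local/peer IDs.
"""

# Settings that must be identical on both IPSec routers.
MUST_MATCH = (
    "nat_traversal",
    "auth_method",
    "negotiation_mode",
    "encryption",
    "authentication",
    "dh_group",
    "pre_shared_key",
    "active_protocol",
    "encapsulation",
)

# Identity settings are mirrored: our local ID is their peer ID and vice versa.
MIRRORED = (("local_id_type", "peer_id_type"), ("local_id", "peer_id"))


def compare_peers(local, remote):
    """Return a list of mismatch descriptions; an empty list means the two sides agree."""
    problems = []
    for key in MUST_MATCH:
        if local.get(key) != remote.get(key):
            problems.append(
                f"{key}: Zyxel Device={local.get(key)!r}, remote={remote.get(key)!r}"
            )
    for ours, theirs in MIRRORED:
        if local.get(ours) != remote.get(theirs):
            problems.append(
                f"{ours} {local.get(ours)!r} on the Zyxel Device must equal "
                f"{theirs} {remote.get(theirs)!r} on the remote router"
            )
        if local.get(theirs) != remote.get(ours):
            problems.append(
                f"{theirs} {local.get(theirs)!r} on the Zyxel Device must equal "
                f"{ours} {remote.get(ours)!r} on the remote router"
            )
    return problems


def required_to_device_rules(config):
    """To-Zyxel Device security-policy openings the tunnel needs: IKE on UDP 500,
    UDP 4500 when NAT traversal is on, and ESP (IP protocol 50) or AH (IP protocol 51)."""
    rules = {("udp", 500)}
    if config.get("nat_traversal"):
        rules.add(("udp", 4500))
    protocol = config.get("active_protocol")
    if protocol == "esp":
        rules.add(("ip-protocol", 50))
    elif protocol == "ah":
        rules.add(("ip-protocol", 51))
    else:
        raise ValueError(f"unknown active protocol {protocol!r}")
    return rules


# Constructed sample: a pre-shared-key tunnel between 203.0.113.1 (Zyxel Device)
# and 198.51.100.1 (remote router); both addresses are documentation ranges.
ZYXEL_DEVICE = {
    "nat_traversal": True,
    "auth_method": "pre-shared-key",
    "negotiation_mode": "main",
    "encryption": "aes256",
    "authentication": "sha256",
    "dh_group": "DH14",
    "pre_shared_key": "example-psk-not-for-production",
    "active_protocol": "esp",
    "encapsulation": "tunnel",
    "local_id_type": "ip",
    "local_id": "203.0.113.1",
    "peer_id_type": "ip",
    "peer_id": "198.51.100.1",
}

# Remote router configured correctly: same settings, IDs mirrored.
REMOTE_GOOD = dict(ZYXEL_DEVICE, local_id="198.51.100.1", peer_id="203.0.113.1")

# Remote router with three typical slips: a trailing space in the pre-shared key,
# a different DH group, and NAT traversal left off.
REMOTE_BAD = dict(
    REMOTE_GOOD,
    pre_shared_key="example-psk-not-for-production ",
    dh_group="DH5",
    nat_traversal=False,
)

if __name__ == "__main__":
    for problem in compare_peers(ZYXEL_DEVICE, REMOTE_BAD):
        print("mismatch:", problem)
    print("To-Zyxel Device rules needed:", sorted(required_to_device_rules(ZYXEL_DEVICE)))
```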
The VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel.
If you have the Configuration > VPN > IPSec VPN > VPN Connection screen's Use Policy Route to control dynamic IPSec rules option enabled, check the routing policies to see if they are sending traffic elsewhere instead of through the VPN tunnels.
I uploaded a logo to show in the SSL VPN user screens but it does not display properly.
The logo graphic must be GIF, JPG, or PNG format. The graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed. The Zyxel Device automatically resizes a graphic of a different resolution to 103 x 29 pixels. The file size must be 100 kilobytes or less. Transparent background is recommended.
I logged into the SSL VPN but cannot see some of the resource links.
Available resource links vary depending on the SSL application object's configuration.
I cannot download the Zyxel Device's firmware package.
The Zyxel Device's firmware package cannot go through the Zyxel Device when you enable the anti-malware Destroy compressed files that could not be decompressed option. The Zyxel Device classifies the firmware package as not being able to be decompressed and deletes it. You can upload the firmware package to the Zyxel Device with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package. See Section 33.2 on page 625 for more on the anti-malware Destroy compressed files that could not be decompressed option.
I changed the LAN IP address and can no longer access the Internet.
The Zyxel Device automatically updates address objects based on an interface's IP address, subnet, or gateway if the interface's IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface.
I configured application patrol to allow and manage access to a specific service but access is blocked.
· If you want to use a service, make sure the security policy allows Security Service application patrol to go through the Zyxel Device.
I configured policy routes to manage the bandwidth of TCP and UDP traffic but the bandwidth management is not being applied properly.
It is recommended to use application patrol instead of policy routes to manage the bandwidth of TCP and UDP traffic.
I cannot get the RADIUS server to authenticate the Zyxel Device's default admin account.
The default admin account is always authenticated locally, regardless of the authentication method setting.
The Zyxel Device fails to authenticate the ext-user user accounts I configured.
An external server such as AD, LDAP or RADIUS must authenticate the ext-user accounts. If the Zyxel Device tries to use the local database to authenticate an ext-user, the authentication attempt will always fail. (This is related to AAA servers and authentication methods, which are discussed in other chapters in this guide.)
I cannot add the admin users to a user group with access users.
You cannot put access users and admin users in the same user group.
I cannot add the default admin account to a user group.
You cannot put the default admin account into any user group.
The schedule I configured is not being applied at the configured times.
Make sure the Zyxel Device's current date and time are correct.
I cannot get a certificate to import into the Zyxel Device.
1 For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the Zyxel Device. You can also import a certificate in PKCS#12 format, including the certificate's public and private keys.
2 You must remove any spaces from the certificate's filename before you can import the certificate.
3 Any certificate that you want to import has to be in one of these file formats:
· Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
· PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
· Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The Zyxel Device currently allows the importation of a PKCS#7 file that contains a single certificate.
· PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.
· Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. Exporting a PKCS #12 file creates this password and you must provide it to decrypt the contents when you import the file into the Zyxel Device.
Note: Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.
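A pre-import check for the points above (spaces in the filename, PEM versus binary, and a binary file altered by a text-mode transfer), as an added example that is not Zyxel code; the sample byte strings are constructed and are not real certificates.

```python
"""Pre-import check for a certificate file: PEM or binary (DER), and whether a binary
file looks as if it was converted by a text-mode transfer.

Added example, not Zyxel code. It uses the guide's stated facts (spaces in the
filename must be removed; binary X.509/PKCS#7/PKCS#12 versus PEM; binary files are
easily corrupted by text-mode transfers) plus the DER encoding rule that each of
those binary files starts with a SEQUENCE (0x30) whose length covers the rest of the file.
"""

import re

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def der_total_length(data):
    """Length announced by the outer DER SEQUENCE header, or None if not a DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                 # short form: one length byte
        return 2 + first
    n = first & 0x7F                 # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_certificate_file(filename, data):
    """Return (verdict, notes). verdict is 'pem', 'der', 'damaged' or 'unknown'."""
    notes = []
    if " " in filename:
        notes.append("filename contains spaces; rename it before importing")

    match = PEM_BEGIN.search(data)
    if match:
        label = match.group(1)
        if b"-----END " + label + b"-----" not in data:
            return "damaged", notes + [f"PEM block {label.decode()} has no END line"]
        return "pem", notes + [f"PEM-encoded {label.decode()}"]

    total = der_total_length(data)
    if total is None:
        return "unknown", notes + ["neither PEM nor a DER SEQUENCE"]
    if total == len(data):
        return "der", notes + [f"binary DER, {total} bytes, length header consistent"]
    # A binary file pushed through a text-mode transfer typically gains or loses
    # bytes (LF to CRLF, stripped trailing bytes), so the header no longer matches.
    return "damaged", notes + [
        f"DER header announces {total} bytes but the file has {len(data)}; "
        "likely altered by a text-mode transfer"
    ]


# Constructed samples (not real certificates): a minimal DER SEQUENCE holding two
# INTEGERs, the same bytes after an LF -> CRLF conversion, and a PEM wrapper.
SAMPLE_DER = b"\x30\x06\x02\x01\x0a\x02\x01\x0b"
SAMPLE_DER_TEXT_MODE = SAMPLE_DER.replace(b"\n", b"\r\n")
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBkTCBplaceholderBase64NotARealCertificate\n"
    b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    samples = [
        ("device.cer", SAMPLE_DER),
        ("device.cer", SAMPLE_DER_TEXT_MODE),
        ("my cert.pem", SAMPLE_PEM),
    ]
    for name, blob in samples:
        verdict, notes = classify_certificate_file(name, blob)
        print(f"{name}: {verdict} - {'; '.join(notes)}")
```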
I cannot access the Zyxel Device from a computer connected to the Internet.
Check the service control rules and to-Zyxel Device security policies.
I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly.
Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less.
I uploaded a logo to use as the screen or window background but it does not display properly.
Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less.
The Zyxel Device's traffic throughput rate decreased after I started collecting traffic statistics.
Data collection may decrease the Zyxel Device's traffic throughput rate.
I can only see newer logs. Older logs are missing.
When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.
The commands in my configuration file or shell script are not working properly.
· In a configuration file or shell script, use "#" or "!" as the first character of a command line to have the Zyxel Device treat the line as a comment.
· Your configuration files or shell scripts can use "exit" or a command line consisting of a single "!" to have the Zyxel Device exit sub command mode.
· Include write commands in your scripts. Otherwise the changes will be lost when the Zyxel Device restarts. You could use multiple write commands in a long script.
Note: "exit" or "!" must follow sub commands if it is to make the Zyxel Device exit sub command mode.
See Chapter 44 on page 915 for more on configuration files and shell scripts.
I cannot get the firmware uploaded using the commands.
The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.
My packet capture captured less than I wanted or failed.
The packet capture screen's File Size sets a maximum size limit for the total combined size of all the capture files on the Zyxel Device, including any existing capture files and any new capture files you generate. If you have existing capture files you may need to set this size larger or delete existing capture files. The Zyxel Device stops the capture and generates the capture file when either the capture files reach the File Size or the time period specified in the Dura tio n field expires.
My earlier packet capture files are missing.
New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this.
IP reputation doesn't work on IPv6 addresses.
At the time of writing, IP reputation is only for IPv4 addresses. See Chapter 34 Reputation Filter for more information.
The SecuReporter banner keeps showing up.
See SecuReporter Banner on page 838 for more information.
48.1 Resetting the Zyxel Device
If you cannot access the Zyxel Device by any method, try restarting it by turning the power off and then on again. If you still cannot access the Zyxel Device by any method or you forget the administrator password(s), you can reset the Zyxel Device to its factory-default settings. Any configuration files or shell scripts that you saved on the Zyxel Device should still be available afterwards.
Use the following procedure to reset the Zyxel Device to its factory-default settings. This overwrites the settings in the startup-config.conf file with the settings in the system-default.conf file.
Note: This procedure removes the current configuration.
1 Make sure the SYS LED is on and not blinking.
2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.)
3 Release the RESET button, and wait for the Zyxel Device to restart.
You should be able to access the Zyxel Device using the default settings.
48.2 Getting More Troubleshooting Help
Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
APPENDIX A
Customer Support

In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a Zyxel office for the region in which you bought the device.
See http://www.zyxel.com/homepage.shtml and also http://www.zyxel.com/about_zyxel/zyxel_worldwide.shtml for the latest information.
Please have the following information ready when you contact an office.
Required Information
· Product model and serial number.
· Warranty Information.
· Date that you received your device.
· Brief description of the problem and the steps you took to solve it.

Corporate Headquarters (Worldwide)
Taiwan
· Zyxel Communications Corporation
· http://www.zyxel.com

Asia
China
· Zyxel Communications (Shanghai) Corp.
· Zyxel Communications (Beijing) Corp.
· Zyxel Communications (Tianjin) Corp.
· http://www.zyxel.cn
India
· Zyxel Technology India Pvt Ltd
· http://www.zyxel.in
Kazakhstan
· Zyxel Kazakhstan
· http://www.zyxel.kz
Korea
· Zyxel Korea Corp.
· http://www.zyxel.kr
Malaysia
· Zyxel Malaysia Sdn Bhd.
· http://www.zyxel.com.my
Pakistan
· Zyxel Pakistan (Pvt.) Ltd.
· http://www.zyxel.com.pk
Philippines
· Zyxel Philippines
· http://www.zyxel.com.ph
Singapore
· Zyxel Singapore Pte Ltd.
· http://www.zyxel.com.sg
Taiwan
· Zyxel Communications Corporation
· https://www.zyxel.com/tw/zh/
Thailand
· Zyxel Thailand Co., Ltd
· http://www.zyxel.co.th
Vietnam
· Zyxel Communications Corporation-Vietnam Office
· http://www.zyxel.com/vn/vi

Europe
Austria
· Zyxel Deutschland GmbH
· http://www.zyxel.de
Belarus
· Zyxel BY
· http://www.zyxel.by
Belgium
· Zyxel Communications B.V.
· http://www.zyxel.com/be/nl/
· http://www.zyxel.com/be/fr/
Bulgaria
· Zyxel
· http://www.zyxel.com/bg/bg/
Czech Republic
· Zyxel Communications Czech s.r.o
· http://www.zyxel.cz
Denmark
· Zyxel Communications A/S
· http://www.zyxel.dk
Estonia
· Zyxel Estonia
· http://www.zyxel.com/ee/et/
Finland
· Zyxel Communications
· http://www.zyxel.fi
France
· Zyxel France
· http://www.zyxel.fr
Germany
· Zyxel Deutschland GmbH
· http://www.zyxel.de
Hungary
· Zyxel Hungary & SEE
· http://www.zyxel.hu
Italy
· Zyxel Communications Italy
· http://www.zyxel.it/
Latvia
· Zyxel Latvia
· http://www.zyxel.com/lv/lv/homepage.shtml
Lithuania
· Zyxel Lithuania
· http://www.zyxel.com/lt/lt/homepage.shtml
Netherlands
· Zyxel Benelux
· http://www.zyxel.nl
Norway
· Zyxel Communications
· http://www.zyxel.no
Poland
· Zyxel Communications Poland
· http://www.zyxel.pl
Romania
· Zyxel Romania
· http://www.zyxel.com/ro/ro
Russia
· Zyxel Russia
· http://www.zyxel.ru
Slovakia
· Zyxel Communications Czech s.r.o. organizacna zlozka
· http://www.zyxel.sk
Spain
· Zyxel Communications ES Ltd
· http://www.zyxel.es
Sweden
· Zyxel Communications
· http://www.zyxel.se
Switzerland
· Studerus AG
· http://www.zyxel.ch/
Turkey
· Zyxel Turkey A.S.
· http://www.zyxel.com.tr
UK
· Zyxel Communications UK Ltd.
· http://www.zyxel.co.uk
Ukraine
· Zyxel Ukraine
· http://www.ua.zyxel.com

Latin America
Argentina
· Zyxel Communication Corporation
· http://www.zyxel.com/ec/es/
Brazil
· Zyxel Communications Brasil Ltda.
· https://www.zyxel.com/br/pt/
Ecuador
· Zyxel Communication Corporation
· http://www.zyxel.com/ec/es/

Middle East
Israel
· Zyxel Communication Corporation
· http://il.zyxel.com/homepage.shtml
Middle East
· Zyxel Communication Corporation
· http://www.zyxel.com/me/en/

North America
USA
· Zyxel Communications, Inc. - North America Headquarters
· http://www.zyxel.com/us/en/

Oceania
Australia
· Zyxel Communications Corporation
· http://www.zyxel.com/au/en/

Africa
South Africa
· Nology (Pty) Ltd.
· http://www.zyxel.co.za
APPENDIX B
Product Features

Please refer to the product datasheet for the latest product features.

VERSION MODEL NAME # of MAC Interface VLAN Virtual (Alias) PPP (System Default) PPP (User Created) Bridge Tunnel (GRE/IPv6 Transition) Routing Static Route Policy Route Reserved Sessions For Managed Devices Maximum OSPF Areas Maximum BGP Neighbor BGP Maximum Network Sessions
Maximum TCP Concurrent Sessions (Forwarding, NAT/ Firewall)
Session Rate NAT Maximum Virtual Server Number Maximum Trigger Port Rule Number Maximum Redirect Service Maximum Virtual Server Load Balancer Rule Number Maximum Real Server Number per Rule Firewall (Secure Policy)
Maximum Firewall ACL Rule Number = Secure Policy Number
Maximum Session Limit per Host Rules ADP Maximum ADP Profile Number Maximum ADP Rule Number User Profile Maximum Local User Maximum Admin User Maximum User Group Maximum User In One User Group Default Concurrent Device Login
Maximum Concurrent Device Upgrade (License)
HTTPd Max HTTPd Number Objects Address Object Address Group Maximum Address Object In One Group Service Object Service Group Maximum Service Object In One Group

4.60 USG FLEX 100 6

4.60

4.60

USG FLEX 100W USG FLEX 200

6

7

4.60 USG FLEX 500 7

4.60 USG FLEX 700 14

8 4 per interface 3 2 2 4

8 4 per interface 3 2 2 4

16

64

128

4 per interface 4 per interface 4 per interface

3

8

14

4

16

32

8

16

16

4

4

4

64

64

128

256

512

100

100

500

500

1000

500

500

500

500

500

10

10

10

10

10

5

5

5

5

5

16

16

16

16

16

300,000 8,000

300,000 8,000

600,000 12,000

1,000,000 20,000

1,600,000 30,000

128 8 per PR rule 20 5 4

128 8 per PR rule 20 5 4

256 8 per PR rule 20 10 4

1024 8 per PR rule 20 20 4

1024 8 per PR rule 20 20 4

500 1000
8 32
64 5 16 64 64 64
128
300 50 128 200 50 64

500 1000
8 32
64 5 16 64 64 64
128
300 50 128 200 50 64

500 1000
32 32
128 5 32 128 200 200
256
300 50 128 500 100 128

2000 1000

5000 1000

32

32

32

32

128

512

5

10

32

128

128

512

200

500

300 (Extend by 800 (Extend by

license)

license)

512

512

1000 200 128 1000 200 128

2000 400 256 1000 200 256

ZyWALL USG FLEX Series User's Guide
983

Appendix B Product Features

All models in this table run firmware version 4.60.

FEATURE | USG FLEX 100 | USG FLEX 100W | USG FLEX 200 | USG FLEX 500 | USG FLEX 700
Schedule Object | 32 | 32 | 32 | 32 | 32
Schedule Group | 16 | 16 | 16 | 16 | 16
Maximum Schedule Object In One Group | 24 | 24 | 24 | 24 | 24
Application Object | 500 | 500 | 500 | 1000 | 1000
Application Group | 100 | 100 | 100 | 200 | 200
Maximum Application Object In One Group | 128 | 128 | 128 | 128 | 256
ISP Account | 16 (PPP+3G) | 16 (PPP+3G) | 16 (PPP+3G) | 32 (PPP+3G) | 32
Maximum LDAP Server Object # | 2 | 2 | 8 | 16 | 16
Maximum RADIUS Server Object # | 2 | 2 | 8 | 16 | 16
Maximum AD Server Object # | 4 | 4 | 8 | 16 | 16
Maximum Zone Number (System Default) | 8 | 8 | 8 | 9 | 8
Maximum Zone Number (User Defined) | 8 | 8 | 16 | 16 | 32
Trunk: Maximum Trunk Number (System Default) | 1 | 1 | 1 | 1 | 1
Trunk: Maximum Trunk Number (User Defined) | 4 | 4 | 8 | 16 | 32
Trunk: Maximum Member Number Per Trunk | 4+8 | 4+8 | 4+8 | 16+8 | 32+8
VPN: Maximum VTI / VPN Tunnels Number | 50 | 50 | 100 | 300 | 500
VPN: Maximum VPN Concentrator Number | 2 | 2 | 2 | 16 | 16
VPN: Maximum VPN Configuration Provision Rule Number | 50 | 50 | 100 | 300 | 500
SSL VPN: Default SSL VPN Connections | 30 | 30 | 60 | 150 | 150
SSL VPN: Maximum SSL VPN Connections | 30 | 30 | 60 | 150 | 150
SSL VPN: Maximum SSL VPN Network List | 8 | 8 | 8 | 8 | 8
SSL VPN: SSL VPN Max Policy | 32 | 32 | 32 | 64 | 128
Certificate: Certificate Buffer Size | 128k | 128k | 256k | 512k | 512k
Built-In Service: A Record | 64 | 64 | 64 | 128 | 128
Built-In Service: NS Record (DNS Domain Zone Forward) | 8 | 8 | 16 | 16 | 16
Built-In Service: MX Record | 8 | 8 | 8 | 16 | 16
Built-In Service: Maximum Service Control Entries | 16 per service | 16 per service | 16 per service | 32 per service | 32 per service
Maximum DHCP Network Pool (VLAN + brg + Ethernet) | 15 | 15 | 29 | 88 | 158
Maximum DHCP Host Pool (Static DHCP) | 96 | 96 | 256 | 512 | 1024
Maximum DHCP Extended Options | 10 | 10 | 15 | 30 | 30
Maximum DDNS Profiles | 10 | 10 | 10 | 10 | 10
DHCP Relay | 2 per interface | 2 per interface | 2 per interface | 2 per interface | 2 per interface
USB Storage Device Number | 1 | 1 | 1 | 1 | 1
Centralized Log: Log Entries | 512 | 512 | 1024 | 1024 | 2048
Centralized Log: Debug Log Entries | 1024 | 1024 | 1024 | 1024 | 1024
Centralized Log: Admin Email Address | 2 | 2 | 2 | 2 | 2
Centralized Log: Syslog Server | 4 | 4 | 4 | 4 | 4
Application Patrol: Maximum App Patrol Number | 32 | 32 | 32 | 64 | 96
Application Patrol: Maximum Application Object In Each Profile (Object + Object Group) | 32 | 32 | 32 | 64 | 96
IDP: Maximum IDP Profile Number | 8 | 8 | 8 | 16 | 16
IDP: Maximum Custom Signatures | 32 | 32 | 32 | 256 | 512
SSL Inspection: Maximum SSL Inspection Profile | 6 | 6 | 8 | 16 | 16
SSL Inspection: Maximum Exclude List | 128 | 128 | 256 | 256 | 256
Content Filtering: Maximum Number Of Content Filter Policies | 16 | 16 | 16 | 32 | 64
Content Filtering: Forbidden Domain Entry Number | 256 per profile | 256 per profile | 256 per profile | 512 per profile | 512 per profile
Content Filtering: Trusted Domain Entry Number | 256 per profile | 256 per profile | 256 per profile | 512 per profile | 512 per profile


All models in this table run firmware version 4.60.

FEATURE | USG FLEX 100 | USG FLEX 100W | USG FLEX 200 | USG FLEX 500 | USG FLEX 700
Content Filtering: Keyword Blocking Number | 128 per profile | 128 per profile | 128 per profile | 256 per profile | 256 per profile
Content Filtering: Common Forbidden Domain Entry Number | 1024 | 1024 | 1024 | 1024 | 1024
Content Filtering: Common Trusted Domain Entry Number | 1024 | 1024 | 1024 | 1024 | 1024
URL Threat Filter: Maximum Statistics Number | 1024 | 1024 | 1024 | 1024 | 1024
URL Threat Filter: Maximum White List Rule | 1024 | 1024 | 1024 | 1024 | 1024
URL Threat Filter: Maximum Black List Rule | 1024 | 1024 | 1024 | 1024 | 1024
IP Reputation: Maximum Statistics Number | N/A | N/A | N/A | N/A | N/A
IP Reputation: Maximum White List Rule | N/A | N/A | N/A | N/A | N/A
IP Reputation: Maximum Black List Rule | N/A | N/A | N/A | N/A | N/A
Email Security: Maximum AS Rule Number (Profile) | 16 | 16 | 16 | 32 | 32
Email Security: Maximum White List Rule Support | 128 | 128 | 128 | 128 | 256
Email Security: Maximum Black List Rule Support | 128 | 128 | 128 | 128 | 256
Email Security: Maximum DNSBL Domain Support | 5 | 5 | 5 | 5 | 10
Email Security: Concurrent Mail Session Scanning | 200 | 200 | 200 | 200 | 200
Email Security: Maximum Statistics Number | 500 | 500 | 500 | 500 | 500
Email Security: Maximum Statistics Ranking | 10 | 10 | 10 | 10 | 10
Anti-Malware: Maximum AV Rule (Profile) | 16 | 16 | 16 | 16 | 32
Anti-Malware: Maximum Statistics Number | 500 | 500 | 500 | 500 | 500
Anti-Malware: Maximum Statistics Ranking | 10 | 10 | 10 | 10 | 10
SandBoxing: Support Protocol | N/A | N/A | N/A | N/A | N/A
SandBoxing: Concurrent File Collect Capability | N/A | N/A | N/A | N/A | N/A
SandBoxing: Upload File Size | N/A | N/A | N/A | N/A | N/A
AP Controller: Default # of Control AP | 8 | 8 | 8 | 8 | 8
AP Controller: Maximum # of Control AP | 24 | 24 | 40 | 72 | 264
AP Controller: AP Group | 8 | 8 | 8 | 8 | 8
AP Controller: Maximum Radio Profile | 32 | 32 | 32 | 64 | 128
AP Controller: Maximum SSID Profile | 128 | 128 | 128 | 1024 | 1024
AP Controller: Maximum Security Profile | 128 | 128 | 128 | 1024 | 1024
AP Controller: Maximum MAC Filter Profile | 32 | 32 | 32 | 32 | 32
AP Controller: Maximum MAC Entry Per MAC Filter Profile | 512 | 512 | 512 | 512 | 512
AP Controller: Zymesh | 32 | 32 | 32 | 32 | 32
BWM: Maximum BWM Rule Number | 128 | 128 | 256 | 512 | 1024
BWM: BWM Per Source IP (Maximum) | 256 | 256 | 1024 | 1024 | 2048
SIP: Maximum SIP Concurrent Call | 50 | 50 | 100 | 100 | 200
Custom Web Portal Page: Maximum Internal Web Portal Customize File Upload | 4 | 4 | 4 | 4 | 4
Custom Web Portal Page: Zip File Size | Up to 2 MB | Up to 2 MB | Up to 2 MB | Up to 2 MB | Up to 2 MB
Custom Web Portal Page: Unzip File Size | Up to 5 MB | Up to 5 MB | Up to 5 MB | Up to 5 MB | Up to 5 MB
Hotspot Management: Max Dynamic Account List | N/A | N/A | 1000 | 2000 | 4000
Hotspot Management: Max Free Time Account Limit | N/A | N/A | 800 | 1600 | 3200
Hotspot Management: Hotspot Support | N/A | N/A | Yes | Yes | Yes
Hotspot Management: Walled Garden - URL Base | N/A | N/A | 50 | 50 | 50
Hotspot Management: Walled Garden - Domain/IP Base | N/A | N/A | 50 | 50 | 50
Hotspot Management: Advertisement | N/A | N/A | 20 | 20 | 20
Hotspot Management: Ticket Printer Support | N/A | N/A | SP350E (Ethernet), up to 10 | SP350E (Ethernet), up to 10 | SP350E (Ethernet), up to 10


APPENDIX C
Legal Information
Copyright
Copyright © 2020 by Zyxel Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of Zyxel Communications Corporation. Published by Zyxel Communications Corporation. All rights reserved.
Disclaimer
Zyxel does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. Zyxel further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.
Regulatory Notice and Statement (Class B)
Model List: USG FLEX 100, USG FLEX 100W, USG FLEX 200
UNITED STATES of AMERICA

The following information applies if you use the product within USA area.
US Importer: Zyxel Communications, Inc, 1130 North Miller Street Anaheim, CA92806-2001, https://www.zyxel.com/us/en/
FCC EMC Statement
· The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
(1) This device may not cause harmful interference, and
(2) This device must accept any interference received, including interference that may cause undesired operation.
· Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the device.
· This product has been tested and complies with the specifications for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy and, if not installed and used according to the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.
· If this device does cause harmful interference to radio or television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
  · Reorient or relocate the receiving antenna
  · Increase the separation between the devices
  · Connect the equipment to an outlet other than the receiver's
  · Consult a dealer or an experienced radio/TV technician for assistance
FCC Radiation Exposure Statement
· This device complies with FCC RF radiation exposure limits set forth for an uncontrolled environment.
· This transmitter must be at least 22 cm from the user and must not be co-located or operating in conjunction with any other antenna or transmitter.
· Operation of this device is restricted to indoor use only, except where the relevant user's manual states that this device can be installed in an external environment.

CANADA

The following information applies if you use the product within Canada.

Innovation, Science and Economic Development Canada ICES Statement
CAN ICES-3 (B)/NMB-3(B)


Innovation, Science and Economic Development Canada RSS-GEN & RSS-247 Statement
· This device contains licence-exempt transmitter(s)/receiver(s) that comply with Innovation, Science and Economic Development Canada's licence-exempt RSS(s). Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of the device.
· This radio transmitter (2468C-ATP100W) has been approved by Innovation, Science and Economic Development Canada to operate with the antenna types listed below with the maximum permissible gain indicated. Antenna types not included in this list that have a gain greater than the maximum gain indicated for any type listed are strictly prohibited for use with this device.

Antenna Information

TYPE | MANUFACTURER | GAIN | CONNECTOR | IMPEDANCE
Dipole (2412-2462 MHz) | Master Wave | 2.7 | Reverse SMA | 50 Ω
Dipole (5180-5240 MHz) | Master Wave | 3.86 | Reverse SMA | 50 Ω
Dipole (5745-5825 MHz) | Master Wave | 4.17 | Reverse SMA | 50 Ω

If the product's 5G wireless function operates in 5150-5250 MHz and 5725-5850 MHz, the following must be observed:
· The device for operation in the band 5150-5250 MHz is only for indoor use, to reduce the potential for harmful interference to co-channel mobile satellite systems.
· For devices with detachable antenna(s), the maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits as appropriate; and
· Where applicable, antenna type(s), antenna model(s), and the worst-case tilt angle(s) necessary to remain compliant with the e.i.r.p. elevation mask requirement set forth in Section 6.2.2.3 of RSS-247 shall be clearly indicated.
If the product's 5G wireless function operates in 5250-5350 MHz and 5470-5725 MHz, the following must be observed:
· For devices with detachable antenna(s), the maximum antenna gain permitted for devices in the bands 5250-5350 MHz and 5470-5725 MHz shall be such that the equipment still complies with the e.i.r.p. limit.

· The licence-exempt transmitter/receiver contained in this device complies with the Innovation, Science and Economic Development Canada RSS standards applicable to licence-exempt radio devices. Operation is authorized under the following two conditions: (1) the device must not produce interference; (2) the device must accept any radio interference received, even if that interference is likely to compromise its operation.
· This radio transmitter (2468C-ATP100W) has been approved by Innovation, Science and Economic Development Canada to operate with the antenna types listed below with the maximum permissible gain. Antenna types not included in this list, and whose gain is greater than the maximum gain indicated for any listed type, are strictly prohibited for use with this transmitter.

Antenna Information

TYPE | MANUFACTURER | GAIN | CONNECTOR | IMPEDANCE
Dipole (2412-2462 MHz) | Master Wave | 2.7 | Reverse SMA | 50 Ω
Dipole (5180-5240 MHz) | Master Wave | 3.86 | Reverse SMA | 50 Ω
Dipole (5745-5825 MHz) | Master Wave | 4.17 | Reverse SMA | 50 Ω

When the 5G wireless function of this product operates in 5150-5250 MHz and 5725-5850 MHz, particular attention must be paid to the following:
· Devices operating in the 5150-5250 MHz band are reserved for indoor use only, to reduce the risk of harmful interference to mobile satellite systems using the same channels;
· For devices with detachable antennas, the maximum permitted antenna gain (for devices using the 5725-5850 MHz band) must comply with the specified e.i.r.p. limit, as applicable;
· Where applicable, the antenna types (if there are several), the antenna model numbers and the worst-case tilt angles necessary to remain compliant with the e.i.r.p. elevation mask requirement set out in section 6.2.2.3 of RSS-247 must be clearly indicated.
When the 5G wireless function of this product operates in 5250-5350 MHz and 5470-5725 MHz, particular attention must be paid to the following:
· For devices with detachable antennas, the maximum permitted antenna gain for devices using the 5250-5350 MHz and 5470-5725 MHz bands must comply with the e.i.r.p. limit.
Industry Canada radiation exposure statement
This equipment complies with ISED radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 25 cm between the radiator and your body.
Radiation exposure statement:
This equipment complies with the ISED radiation exposure limits set forth for an uncontrolled environment. This equipment must be installed and used with a minimum distance of 25 cm between the radiation source and your body.


EUROPEAN UNION


The following information applies if you use the product within the European Union.
Declaration of Conformity with Regard to EU Directive 2014/53/EU (Radio Equipment Directive, RED)
Model List: USG FLEX 100W

· Compliance information for 2.4 GHz and/or 5 GHz wireless products relevant to the EU and other countries following the EU Directive 2014/53/EU (RED). This product may be used in all EU countries (and other countries following the EU Directive 2014/53/EU) without any limitation, except for the countries mentioned in the table below:
· In the majority of the EU and other European countries, the 5 GHz bands have been made available for the use of wireless local area networks (LANs). Later in this document you will find an overview of countries in which additional restrictions or requirements or both are applicable. The requirements for any country may evolve. Zyxel recommends that you check with the local authorities for the latest status of their national regulations for the 5 GHz wireless LANs.
· If this device operates in the band 5150-5350 MHz, it is for indoor use only.
· This equipment should be installed and operated with a minimum distance of 20 cm between the radio equipment and your body.
· The maximum RF power operating for each band is as follows:
  · the band 2,400 to 2,483.5 MHz is 97.95 mW,
  · the bands 5,150 MHz to 5,350 MHz is 191.87 mW,
  · the 5,470 MHz to 5,725 MHz is 963.83 mW.
List of national codes

COUNTRY | ISO 3166 2 LETTER CODE
Austria | AT
Belgium | BE
Bulgaria | BG
Croatia | HR
Cyprus | CY
Czech Republic | CZ
Denmark | DK
Estonia | EE
Finland | FI
France | FR
Germany | DE
Greece | GR
Hungary | HU
Iceland | IS
Ireland | IE
Italy | IT
Latvia | LV
Liechtenstein | LI
Lithuania | LT
Luxembourg | LU
Malta | MT
Netherlands | NL
Norway | NO
Poland | PL
Portugal | PT
Romania | RO
Serbia | RS
Slovakia | SK
Slovenia | SI
Spain | ES
Switzerland | CH
Sweden | SE
Turkey | TR
United Kingdom | GB

Safety Warnings
· Do not use this product near water, for example, in a wet basement or near a swimming pool.
· Do not expose your device to dampness, dust or corrosive liquids.
· Do not store things on the device.
· Do not obstruct the device ventilation slots as insufficient airflow may harm your device. For example, do not place the device in an enclosed space such as a box or on a very soft surface such as a bed or sofa.
· Do not install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
· Connect ONLY suitable accessories to the device.
· Do not open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks.
· Only qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
· Make sure to connect the cables to the correct ports.
· Place connecting cables carefully so that no one will step on them or stumble over them.
· Always disconnect all cables from this device before servicing or disassembling.
· Do not remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet.
· Do not allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
· Please use the provided or designated connection cables/power cables/adaptors. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe). If the power adaptor or cord is damaged, it might cause electrocution. Remove it from the device and the power source; repairing the power adapter or cord is prohibited. Contact your local vendor to order a new one.
· Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
· CAUTION: Risk of explosion if the battery is replaced by an incorrect type; dispose of used batteries according to the instructions. Dispose of them at the applicable collection point for the recycling of electrical and electronic devices. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.
· The following warning statements apply where the disconnect device is not incorporated in the device or where the plug on the power supply cord is intended to serve as the disconnect device:
  - For permanently connected devices, a readily accessible disconnect device shall be incorporated external to the device;
  - For pluggable devices, the socket-outlet shall be installed near the device and shall be easily accessible.
· CLASS 1 LASER PRODUCT
· CLASS 1 LASER DEVICE
· PRODUCT COMPLIES WITH 21 CFR 1040.10 AND 1040.11.
· PRODUCT COMPLIANT WITH 21 CFR 1040.10 AND 1040.11.
Environment Statement
ErP (Energy-related Products)
Zyxel products put on the EU market comply with the requirements of Directive 2009/125/EC of the European Parliament and of the Council establishing a framework for the setting of ecodesign requirements for energy-related products (recast), the so-called "ErP Directive" (Energy-related Products directive), as well as with the ecodesign requirements laid down in the applicable implementing measures. Power consumption satisfies the regulatory requirements, which are:
· Network standby power consumption < 8W, and/or
· Off mode power consumption < 0.5W, and/or
· Standby mode power consumption < 0.5W.
European Union - Disposal and Recycling Information
The symbol below means that according to local regulations your product and/or its battery shall be disposed of separately from domestic waste. If this product has reached its end of life, take it to a recycling station designated by local authorities. At the time of disposal, the separate collection of your product and/or its battery will help save natural resources and protect the environment.
The following symbol means that your product and/or its battery must be disposed of separately from household waste in accordance with local regulations. Take it to a recycling station when this product has reached the end of its service life. At the time of disposal, the separate collection of the product and/or its battery will help save natural resources and protect the environment and human health.
The symbol below indicates that, according to local regulations, your product and/or its battery must be disposed of separately from household waste. When this product reaches the end of its useful life, take it to a recycling point. When the time comes to dispose of the product, the separate collection of it and/or its battery will help save natural resources and protect human health and the environment.
The symbol below means that, according to local regulations, your product and/or its battery must be disposed of separately from household waste. When this product reaches the end of its life, take it to a recycling centre. At the time of disposal, the separate collection of your product and/or its battery will help save natural resources and protect the environment and human health.
The symbol below means that, according to local regulations, your product and/or battery must be disposed of separately from household waste. When this product reaches the end of its service life, take it to a recycling station. At the time of disposal, the separate collection of your product and/or its battery helps save natural resources and protect the environment and human health.
The symbol means that, according to local legislation, the product and/or its battery must be disposed of separately from household waste. When this product reaches the end of its service life, take it to a recycling station. At the time of disposal, you contribute to a better environment and human health by disposing of it at a recycling facility.
About the Symbols
Various symbols are used in this product to ensure correct usage, to prevent danger to the user and others, and to prevent property damage. The meaning of these symbols is described below. It is important that you read these descriptions thoroughly and fully understand the contents.


Explanation of the Symbols

SYMBOL | EXPLANATION
Alternating current | Alternating current (AC): AC is an electric current in which the flow of electric charge periodically reverses direction.
Direct current | Direct current (DC): DC is the unidirectional flow or movement of electric charge carriers.
Earth; ground | A wiring terminal intended for connection of a Protective Earthing Conductor.
Class II equipment | The method of protection against electric shock in the case of class II equipment is either double insulation or reinforced insulation.

Viewing Certifications
Go to http://www.zyxel.com to view this product's documentation and certifications.
Zyxel Limited Warranty
Zyxel warrants to the original end user (purchaser) that this product is free from any defects in material or workmanship for a specific period (the Warranty Period) from the date of purchase. The Warranty Period varies by region. Check with your vendor and/or the authorized Zyxel local distributor for details about the Warranty Period of this product. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, Zyxel will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of Zyxel. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
No te
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. Zyxel shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php.
Registration
Register your product online at www.zyxel.com to receive email notices of firmware upgrades and related information.
Trademarks
ZyNOS (Zyxel Network Operating System) and ZON (Zyxel One Network) are registered trademarks of Zyxel Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Open Source Licenses
This product may contain in part some free software distributed under GPL license terms and/or GPL like licenses. Open source licenses are provided with the firmware package. You can download the latest firmware at www.zyxel.com. If you cannot find it there, contact your vendor or Zyxel Technical Support at support@zyxel.com.tw. To obtain the source code covered under those Licenses, please contact your vendor or Zyxel Technical Support at support@zyxel.com.
Regulatory Notice and Statement (Class A)
Model List: USG FLEX 500, USG FLEX 700
United States of America

The following information applies if you use the product within USA area.
US Importer: Zyxel Communications, Inc, 1130 North Miller Street Anaheim, CA92806-2001, https://www.zyxel.com/us/en/

FCC EMC Statement
· This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation.
· Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
· This device has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

Canada

The following information applies if you use the product within Canada.

Innovation, Science and Economic Development Canada ICES Statement
CAN ICES-3 (A)/NMB-3(A)
European Union

The following information applies if you use the product within the European Union.
CE EMC statement
WARNING: This equipment is compliant with Class A of EN55032. In a residential environment this equipment may cause radio interference.
List of National Codes

COUNTRY | ISO 3166 2 LETTER CODE
Austria | AT
Belgium | BE
Bulgaria | BG
Croatia | HR
Cyprus | CY
Czech Republic | CR
Denmark | DK
Estonia | EE
Finland | FI
France | FR
Germany | DE
Greece | GR
Hungary | HU
Iceland | IS
Ireland | IE
Italy | IT
Latvia | LV
Liechtenstein | LI
Lithuania | LT
Luxembourg | LU
Malta | MT
Netherlands | NL
Norway | NO
Poland | PL
Portugal | PT
Romania | RO
Serbia | RS
Slovakia | SK
Slovenia | SI
Spain | ES
Sweden | SE
Switzerland | CH
Turkey | TR
United Kingdom | GB

Safety Warnings
· Do not use this product near water, for example, in a wet basement or near a swimming pool.
· Do not expose your device to dampness, dust or corrosive liquids.
· Do not store things on the device.
· Do not obstruct the device ventilation slots as insufficient airflow may harm your device. For example, do not place the device in an enclosed space such as a box or on a very soft surface such as a bed or sofa.
· Do not install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
· Connect ONLY suitable accessories to the device.

· Do not open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. Only qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
· Make sure to connect the cables to the correct ports.
· Place connecting cables carefully so that no one will step on them or stumble over them.
· Always disconnect all cables from this device before servicing or disassembling.
· Do not remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet.
· Do not allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
· Please use the provided or designated connection cables/power cables/adaptors. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe). If the power adaptor or cord is damaged, it might cause electrocution. Remove it from the device and the power source; repairing the power adapter or cord is prohibited. Contact your local vendor to order a new one.
· Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
· Caution: Risk of explosion if the battery is replaced by an incorrect type; dispose of used batteries according to the instructions. Dispose of them at the applicable collection point for the recycling of electrical and electronic devices. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.
· Use ONLY power wires of the appropriate wire gauge for your device. Connect it to a power supply of the correct voltage.
· Fuse Warning! Replace a fuse only with a fuse of the same type and rating.
· The POE (Power over Ethernet) devices that supply or receive power and their connected Ethernet cables must all be completely indoors.
· The following warning statements apply where the disconnect device is not incorporated in the device or where the plug on the power supply cord is intended to serve as the disconnect device:
  - For permanently connected devices, a readily accessible disconnect device shall be incorporated external to the device;
  - For pluggable devices, the socket-outlet shall be installed near the device and shall be easily accessible.
· This device must be grounded by qualified service personnel. Never defeat the ground conductor or operate the device in the absence of a suitably installed ground conductor. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available. If your device has an earthing screw (frame ground), connect the screw to a ground terminal using an appropriate AWG ground wire. Do this before you make other connections. If your device has no earthing screw, but has a 3-prong power plug, make sure to connect the plug to a 3-hole earthed socket.
· When connecting or disconnecting power to hot-pluggable power supplies, if offered with your system, observe the following guidelines:
  - Install the power supply before connecting the power cable to the power supply.
  - Unplug the power cable before removing the power supply.
  - If the system has multiple sources of power, disconnect power from the system by unplugging all power cables from the power supply.
· CLASS 1 LASER PRODUCT
· CLASS 1 LASER DEVICE
· PRODUCT COMPLIES WITH 21 CFR 1040.10 AND 1040.11.
· PRODUCT COMPLIANT WITH 21 CFR 1040.10 AND 1040.11.
Environment Statement
European Union - Disposal and Recycling Information
The symbol below means that according to local regulations your product and/or its battery shall be disposed of separately from domestic waste. If this product is at the end of its life, take it to a recycling station designated by local authorities. At the time of disposal, the separate collection of your product and/or its battery will help conserve natural resources and support the sustainable development of the environment.
The following symbol means that your product and/or its battery must be disposed of separately from household waste in accordance with local regulations. Contact a recycling station when this product has reached the end of its service life. At the time of disposal, the separate collection of the product and/or its battery will help to conserve natural resources and protect the environment and human health.
The symbol below indicates that, according to local regulations, your product and/or its battery must be disposed of as waste separate from household waste. When this product reaches the end of its useful life, take it to a recycling point. When the time comes to dispose of the product, the separate collection of it and/or its battery will help save natural resources and protect human and environmental health.
The symbol below means that, according to local regulations, your product and/or its battery must be disposed of separately from household waste. When this product reaches the end of its life, take it to a recycling center. At the time of disposal, the separate collection of your product and/or its battery will help conserve natural resources and protect the environment and human health.
The symbol below means that, according to local regulations, your product and/or battery must be disposed of separately from household waste. When this product reaches the end of its service life, take it to a recycling station. At the time of disposal, the separate collection of your product and/or its battery helps save natural resources and protect the environment and human health.
The symbol means that, under local legislation, the product and/or its battery must be disposed of separately from household waste. When this product reaches the end of its service life, take it to a recycling station. At the time of disposal, you contribute to a better environment and human health by disposing of it at a recycling point.
ZyWALL USG FLEX Series User's Guide
993

Appendix C Legal Information

About the Symbols
Various symbols are used in this product to ensure correct usage, to prevent danger to the user and others, and to prevent property damage. The meaning of these symbols is described below. It is important that you read these descriptions thoroughly and fully understand the contents.

Explanation of the Symbols

SYMBOL  EXPLANATION
(AC symbol)  Alternating current (AC): AC is an electric current in which the flow of electric charge periodically reverses direction.
(DC symbol)  Direct current (DC): DC is the unidirectional flow or movement of electric charge carriers.
(Earth symbol)  Earth; ground: A wiring terminal intended for connection of a Protective Earthing Conductor.
(Class II symbol)  Class II equipment: The method of protection against electric shock in the case of class II equipment is either double insulation or reinforced insulation.

Viewing Certifications
Go to http://www.zyxel.com to view this product's documentation and certifications.
Zyxel Limited Warranty
Zyxel warrants to the original end user (purchaser) that this product is free from any defects in material or workmanship for a specific period (the Warranty Period) from the date of purchase. The Warranty Period varies by region. Check with your vendor and/or the authorized Zyxel local distributor for details about the Warranty Period of this product. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, Zyxel will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of Zyxel. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. Zyxel shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php.
Registration
Register your product online at www.zyxel.com to receive email notices of firmware upgrades and related information.
Open Source Licenses
This product may contain in part some free software distributed under GPL license terms and/or GPL like licenses. Open source licenses are provided with the firmware package. You can download the latest firmware at www.zyxel.com. If you cannot find it there, contact your vendor or Zyxel Technical Support at support@zyxel.com.tw. To obtain the source code covered under those Licenses, please contact your vendor or Zyxel Technical Support at support@zyxel.com.

Index

Symbols
Numbers
3322 Dynamic DNS 352 3DES 446 6in4 tunneling 275 6to4 tunneling 275
A
AAA Base DN 787 Bind DN 787, 790 directory structure 786 Distinguished Name, see DN DN 787, 788, 790 password 790 port 790, 792 search time limit 790 SSL 790
AAA server 784 AD 786 and users 714 directory service 785 LDAP 785, 786 local user database 786 RADIUS 785, 786, 791 RADIUS group 791 see also RADIUS
access 33 access control attacks 654 Access Point Name, see APN Access Restricted Web Page
Response Message 894 access users 713, 715
custom page 863

forcing login 482 idle timeout 726 logging in 482 multiple logins 727 see also users 713 Web Configurator 728
access users, see also force user authentication policies
account dynamic guest 138 quota (T/U/D) 139 user 713, 822
accounting server 784
Active Directory, see AD
active protocol 450 AH 450 and encapsulation 450 ESP 450
active sessions 118, 135
ActiveX 615
AD 785, 787, 788, 790 directory structure 786 Distinguished Name, see DN password 790 port 790, 792 search time limit 790 SSL 790
address groups 764 and content filtering 595, 596 and FTP 882 and security policy 486 and SNMP 887 and SSH 877 and Telnet 880 and WWW 863
address objects 764 and content filtering 595, 596 and FTP 882 and NAT 333, 363 and policy routes 332 and security policy 486 and SNMP 887 and SSH 877
and Telnet 880 and VPN connections 423 and WWW 863 HOST 765 RANGE 765 SUBNET 765 types of 765, 771
address record 852
admin user troubleshooting 973
admin users 713 multiple logins 727 see also users 713
ADP 572 false negatives 574 false positives 574 inline profile 574 monitor profile 574
Advanced Encryption Standard, see AES
advertisement remove 557 URL entries 558 web page 557
AES 446
AF 336
AH 429, 450 and transport mode 451
alerts 907, 908, 910, 911, 912, 913 IDP 700, 701
ALG 381, 387 and NAT 381, 383 and policy routes 383, 387 and security policy 381, 383 and trunks 387 FTP 381, 382 H.323 381, 382, 387 peer-to-peer calls 383 RTP 387 see also VoIP pass through 381 SIP 381, 382
and anti-malware 628
Anomaly Detection and Prevention, see ADP
Anonymizer 642, 646
anti-malware 620 boot sector virus 638 EICAR 627, 636 e-mail

virus 638 encryption 628 file decompression 628, 634 file infector 638 file infector virus 638 firmware package blocking 628, 634 infection and prevention 638 macro virus 638 malware life cycle 638 malware types 638 mutation virus 638 overview 620 packet scan 620 packet types 621 polymorphic virus 638 scanner types 638 signatures 631 statistics 179 virus 620 worm 620
anti-spam 675, 678, 679, 684 action for spam mails 678, 684 black list 675, 678, 679, 684 concurrent e-mail sessions 186 DNSBL 676, 678, 684 e-mail header buffer 676 e-mail headers 676 general settings 677 identifying legitimate e-mail 675 identifying spam 675 POP2 676 POP3 676 regular expressions 682 SMTP 676 white list 675, 678, 680, 684
anti-virus EICAR 627, 636 e-mail virus 638 polymorphic virus 638 statistics 179 troubleshooting 964, 967 troubleshooting signatures update 964 updating signatures 200
AP antenna orientation 162 group 159 management icons 152 status 152 status icons 155

ZyMesh Profile 162
AP group 208, 212
APN 270
Application Layer Gateway, see ALG
application patrol 586 actions 586 and HTTP redirect 376 and security policy 586 classification 586 exceptions 586 port-less 586 ports 587 service ports 587 troubleshooting 964, 969, 970, 972
ASAS (Authenex Strong Authentication System) 785
asymmetrical routes 566 allowing through the security policy 569 vs virtual interfaces 566
attacks access control 654 backdoor 655 buffer overflow 655 Denial of Service (DoS) 427 DoS/DDoS 655 IM 655 P2P 655 scan 655 spam 655 trapdoor 655 trojan 655 virus 620, 656 worm 656
Authenex Strong Authentication System (ASAS) 785
authentication in IPSec 430 LDAP/AD 786 server 784
authentication algorithms 445, 446 and active protocol 445 MD5 446 SHA1 446
Authentication Header, see AH
authentication method objects 794 and users 714 and WWW 862 create 795 example 794
authentication policy

exceptional services 484 Authentication server
RADIUS client 890 authentication server 889, 891 authentication type 84, 821 Authentication, Authorization, Accounting servers,
see AAA server authorization server 784 Autonomous Systems (AS) 346 auxiliary interfaces 229
B
backdoor attacks 655 backing up configuration files 917 bandwidth
egress 271, 280 ingress 271, 280 bandwidth limit troubleshooting 966 bandwidth management 586 maximize bandwidth usage 336, 469 see also application patrol 586 troubleshooting 966 Base DN 787 Batch import 834 BGP 351 billing accumulation accounting method 513 built-in billing 513 credit card service 525 discount pricing plan 523 identity token 526 online payment service 527 printout 520 profile 513, 516 quota (T/U/D) 517 quota type 523 SMS message 519 time-to-finish accounting method 513 user logon settings 515 Bind DN 787, 790 BitTorrent 655 black list 678, 679, 684 anti-spam 675

Blaster 673 bridge interfaces 229, 295
and virtual interfaces of members 296 basic characteristics 229 effect on routing table 296 member interfaces 296 virtual 254 bridges 295 buffer overflow 655 buffer overflow attacks 655
C
CA and certificates 803
CA (Certificate Authority), see certificates Calling Station ID 746, 748, 750, 753, 756 capturing packets 937, 940 card SIM 271 CEF (Common Event Format) 905, 911 cellular 265
APN 270 interfaces 229 network types 144 signal quality 144, 145 SIM card 271 SIM Card IMSI 145 status 143, 146 system 144, 145 troubleshooting 965, 966 certificate troubleshooting 973 Certificate Authority (CA) see certificates Certificate Revocation List (CRL) 803 vs OCSP 819 certificates 802 advantages of 803 and CA 803 and FTP 882 and HTTPS 859 and IKE SA 450 and SSH 877 and VPN gateways 423 and WWW 861 certification path 803, 811, 817

expired 803 factory-default 804 file formats 804 fingerprints 812, 818 importing 808 in IPSec 436 not used for encryption 803 revoked 803 self-signed 804, 810 serial number 812, 817 storage space 806, 814 thumbprint algorithms 805 thumbprints 805 used for authentication 803 verifying fingerprints 804
certification requests 810
certifications 988 viewing 991, 995
Challenge Handshake Authentication Protocol (CHAP) 821
CHAP (Challenge Handshake Authentication Protocol) 821
CHAP/PAP 821
CLI 32, 40 button 40 messages 40 popup window 40 Reference Guide 2
commands 32 sent by Web Configurator 40
Common Event Format (CEF) 905, 911
compression (stac) 822
computer names 250, 292, 305, 323, 463
computer virus 620 see also virus
concurrent e-mail sessions 186
configuration information 931
configuration file troubleshooting 974
configuration files 915 at restart 918 backing up 917 downloading 919, 951 downloading with FTP 881 editing 915 how applied 916 lastgood.conf 918, 920

managing 917 startup-config.conf 920 startup-config-bad.conf 918 syntax 916 system-default.conf 920 uploading 921 uploading with FTP 881 use without restart 915
connection troubleshooting 970
connection monitor (in SSL) 175
connectivity check 249, 264, 271, 280, 291, 307, 311, 430
console port speed 847
contact information 977, 983
content (pattern) 662
content filter troubleshooting 964
content filtering 595, 596 and address groups 595, 596 and address objects 595, 596 and schedules 595, 596 and user groups 595 and users 595 by category 595, 596, 603 by keyword (in URL) 596, 616 by URL 596, 615, 617, 618 by web feature 596, 615 cache 619 categories 603 category service 602 default policy 596 external web filtering service 602, 619 filter list 596 managed web pages 602 policies 595, 596 registration status 199 statistics 178 testing 603 uncategorized pages 602 URL for blocked access 598
cookies 33, 615
copyright 986
CPU usage 118
current date/time 116, 843 and schedules 779 daylight savings 845

setting manually 846 time server 847 current user list 175 custom access user page 863 login page 863 custom signatures 654, 657, 672, 968 applying 664 example 662 verifying 665 custom.rules file 654, 672, 968 customer support 977, 983
D
Data Encryption Standard, see DES date 843 daylight savings 845 DDNS 352
backup mail exchanger 357 mail exchanger 357 service providers 352 troubleshooting 969 DDoS attacks 655 Dead Peer Detection, see DPD decompression of files (in anti-malware) 628, 634 default security policy behavior 565 Default_L2TP_VPN_GW 461 Denial of Service (DoS) attacks 655 Denial of Service (DoS) attacks 427 DES 445 device access troubleshooting 963 Device HA 826 device HA virtual router 828 device High Availability see Device HA 826 DHCP 322, 842 and DNS servers 323 and domain name 842 and interfaces 322 pool 323 static DHCP 323

DHCP Unique IDentifier 233 DHCPv6 822
DHCP Unique IDentifier 233 DHCPv6 Request 822 diagnostics 931 Differentiated Services Code Point (DSCP) 658 Diffie-Hellman key group 446 DiffServ 336 Digital Signature Algorithm public-key algorithm, see
DSA direct routes 328 directory 785 directory service 785
file structure 786 disclaimer 986 Distinguished Name (DN) 787, 788, 790 Distributed Denial of Service (DDoS) attacks 655 DN 787, 788, 790 DNS 848
address records 852 domain name forwarders 854 domain name to IP address 852 IP address to domain name 852 L2TP VPN 463 Mail eXchange (MX) records 855 pointer (PTR) records 852 DNS Blacklist see DNSBL 676 DNS inbound LB 412 DNS servers 85, 848, 854 and interfaces 323 DNSBL 676, 678, 684, 687 see also anti-spam 676 domain name 842 Domain Name System, see DNS DoS (Denial of Service) attacks 655 DPD 438 DSA 810 DSCP 329, 332, 472, 955 DUID 233 Dynamic Domain Name System, see DDNS dynamic guest 138 dynamic guest account 138, 714 dynamic guest accounts 517 Dynamic Host Configuration Protocol, see DHCP. dynamic peers in IPSec 428

DynDNS 352 DynDNS see also DDNS 352 Dynu 352
E
eBGP (exterior Border Gate Protocol) 346 e-Donkey 655 egress bandwidth 271, 280 Ekahau RTLS 224 e-mail 675
daily statistics report 902 header buffer 676 headers 676 Email Security DNSBL 687 e-Mule 655 Encapsulating Security Payload, see ESP encapsulation and active protocol 450 IPSec 429 transport mode 450 tunnel mode 450 VPN 450 encryption and anti-malware 634 IPSec 430 RSA 812 encryption algorithms 445 3DES 446 AES 446 and active protocol 445 DES 445 encryption method 821 end of IP list 658 enforcing policies in IPSec 428 ESP 429, 450 and transport mode 451 Ethernet interfaces 229 and OSPF 237 and RIP 237 and routing protocols 235 basic characteristics 229 virtual 254 ethernet interfaces

neighboring devices 147 exceptional services 484 extended authentication
and VPN gateways 423 IKE SA 449 Extended Service Set IDentification 732 ext-user troubleshooting 973
F

additional signaling port 386 ALG 381 and address groups 882 and address objects 882 and certificates 882 and zones 882 signaling port 386 troubleshooting 970 with Transport Layer Security (TLS) 882
full tunnel mode 454, 458
Fully-Qualified Domain Name, see FQDN

false negatives 574 false positives 574, 577 file decompression (in anti-malware) 628, 634 file extensions
configuration files 915 shell scripts 915 file manager 915 Firefox 33 firewall and SMTP redirect 377 firmware 531 and restart 922 current version 116, 926 getting updated 922 uploading 925 uploading with FTP 881 firmware package troubleshooting 972 firmware upload troubleshooting 975 flags 658 flash usage 118 forcing login 482 FQDN 852 fragmentation flag 660 fragmentation offset 660 free time configuration 543 dynamic guest account 543 enable 543 maximum number of users 544 reset 544 settings 543 FTP 881

G
Generic Routing Encapsulation, see GRE. global SSL setting 458 Grace Period 29 GRE 324 GSM 271 Guide
CLI Reference 2 Quick Start 2
H
H.323 387 additional signaling port 386 ALG 381, 387 and RTP 387 and security policy 382 signaling port 386 troubleshooting 970
header checksum 658 host-based intrusions 673 Hotspot Service Status 516 HSDPA 271 HTTP
over SSL, see HTTPS redirect to HTTPS 861 vs HTTPS 859 HTTP redirect and application patrol 376 and interfaces 380 and policy routes 376, 377

and security policy 376 packet flow 376 troubleshooting 969 HTTPS 859 and certificates 859 authenticating clients 859 avoiding warning messages 869 example 868 vs HTTP 859 with Internet Explorer 868 with Netscape Navigator 868 hub-and-spoke VPN, see VPN concentrator HyperText Transfer Protocol over Secure Socket Layer, see HTTPS
I
ICMP 775 code 661 sequence number 661 type 661
icons dynamic guest 139
identification (IP) 660 identifying
legitimate e-mail 675 spam 675 IDP 651 action 580 alerts 700, 701 applying custom signatures 664 custom signature example 662 custom signatures 657 log options 577, 581, 700, 701 reject sender 580 reject-both 580 reject-receiver 580 service group 656 signatures 651 Snort signatures 673 statistics 183 troubleshooting 964, 968 verifying custom signatures 665 IEEE 802.11ax 732 IEEE 802.1q VLAN IEEE 802.1q. See VLAN.

IEEE 802.1x 732
IHL (IP Header Length) 658
IKE SA aggressive mode 444, 448 and certificates 450 and RADIUS 449 and to-ZyWALL security policy 971 authentication algorithms 445, 446 content 447 Dead Peer Detection (DPD) 438 Diffie-Hellman key group 446 encryption algorithms 445 extended authentication 449 ID type 447 IP address, remote IPSec router 445 IP address, Zyxel device 445 local identity 447 main mode 444, 448 NAT traversal 449 negotiation mode 444 password 449 peer identity 447 pre-shared key 447 proposal 445 see also VPN user name 449
IM (Instant Messenger) 655
IMAP 676
iMesh 655
inbound LB algorithm least connection 414 least load 414 weighted round robin 414
inbound load balancing 412 time to live 415
incoming bandwidth 271, 280
ingress bandwidth 271, 280
inline profile 574
installation desktop 74
installation scenarios 74
Instant Messenger (IM) 586, 655 managing 586
interface status 129 troubleshooting 965
interfaces 228

and DNS servers 323 and HTTP redirect 380 and layer-3 virtualization 229 and NAT 362 and physical ports 229 and policy routes 332 and static routes 335 and VPN gateways 423 and zones 229 as DHCP relays 322 as DHCP servers 322, 842 auxiliary, see also auxiliary interfaces. backup, see trunks bandwidth management 319, 320, 322 bridge, see also bridge interfaces. cellular 229 DHCP clients 321 Ethernet, see also Ethernet interfaces. gateway 321 general characteristics 228 IP address 321 metric 321 MTU 322 overlapping IP address and subnet mask 321 port groups, see also port groups. PPPoE/PPTP, see also PPPoE/PPTP interfaces. prerequisites 230 relationships between 230 static DHCP 323 subnet mask 321 trunks, see also trunks. Tunnel, see also Tunnel interfaces. types 229 virtual, see also virtual interfaces. VLAN, see also VLAN interfaces. WLAN, see also WLAN interfaces.
Internet access troubleshooting 963, 972
Internet Control Message Protocol, see ICMP
Internet Explorer 33
Internet Message Access Protocol, see IMAP 676
Internet Protocol (IP) 657
Internet Protocol Security, see IPSec
Internet Protocol version 6, see IPv6
Intrusion, Detection and Prevention see IDP 651
intrusions host 673 network 673

IP (Internet Protocol) 657
IP options 658, 661
IP Plug and Play (IPnP) 548 internal interface(s) 549 scenario 548
IP policy routing, see policy routes
IP pool 458
IP protocols 774 and service objects 775 ICMP, see ICMP TCP, see TCP UDP, see UDP
IP security option 658
IP static routes, see static routes
IP stream identifier 658
IP v4 packet headers 658
IP/MAC binding 403 exempt list 407 monitor 141 static DHCP 406
IPSec 418, 564 active protocol 429 AH 429 and certificates 423 authentication 430 basic troubleshooting 970 certificates 436 connections 423 connectivity check 430 Default_L2TP_VPN_GW 461 encapsulation 429 encryption 430 ESP 429 established in two phases 420 L2TP VPN 460 local network 418 local policy 428 NetBIOS 427 peer 418 Perfect Forward Secrecy 430 PFS 430 phase 2 settings 429 policy enforcement 428 remote access 428 remote IPSec router 418 remote network 418 remote policy 428 replay detection 427

SA life time 429 SA monitor 174 SA see also IPSec SA 450 see also VPN site-to-site with dynamic peer 428 static site-to-site 428 transport encapsulation 429 tunnel encapsulation 429 VPN gateway 423
IPSec SA active protocol 450 and security policy 971 and to-ZyWALL security policy 971 authentication algorithms 445, 446 destination NAT for inbound traffic 453 encapsulation 450 encryption algorithms 445 local policy 450 NAT for inbound traffic 452 NAT for outbound traffic 452 Perfect Forward Secrecy (PFS) 451 proposal 451 remote policy 450 search by name 174 search by policy 174 Security Parameter Index (SPI) (manual keys) 451 see also IPSec see also VPN source NAT for inbound traffic 452 source NAT for outbound traffic 452 status 174 transport mode 450 tunnel mode 450 when IKE SA is disconnected 450
IPSec VPN troubleshooting 970
IPv6 231 link-local address 232 prefix 231 prefix delegation 232 prefix length 231 stateless autoconfiguration 232
IPv6 tunnelings 6in4 tunneling 275 6to4 tunneling 275
IPv6-in-IPv4 tunneling 275
ISP account CHAP 821 CHAP/PAP 821

MPPE 821 MSCHAP 821 MSCHAP-V2 821 PAP 821 ISP accounts 819 and PPPoE/PPTP interfaces 259, 819 authentication type 821 encryption method 821 stac compression 822
J
Java 615 permissions 33
JavaScripts 33
K
key pairs 803
L
L2TP VPN 460 Default_L2TP_VPN_GW 461 DNS 463 IPSec configuration 460 policy routes 461 session monitor 176 WINS 463
lastgood.conf 918, 920 Layer 2 Tunneling Protocol Virtual Private Network, see
L2TP VPN 460 layer-2 isolation 408
example 408 IP 409 LDAP 785 and users 714 Base DN 787 Bind DN 787, 790 directory 785 directory structure 786 Distinguished Name, see DN DN 787, 788, 790

password 790 port 790, 792 search time limit 790 SSL 790 user attributes 731 least connection algorithm 414 least load algorithm 414 least load first load balancing 314 LED suppression mode 153, 205 LED troubleshooting 963 legitimate e-mail 675 level-4 inspection 587 level-7 inspection 586 licensing 196 Lightweight Directory Access Protocol, see LDAP Link Layer Discovery Protocol (LLDP ) 147 LLDP (Link Layer Discovery Protocol) 147 load balancing 217, 313 algorithms 314, 318, 320 DNS inbound 412 least load first 314 round robin 314 see also trunks 313 session-oriented 314 spillover 315 weighted round robin 315 local user database 786 log dynamic guest account 126 troubleshooting 974 log messages categories 908, 910, 911, 912, 913 debugging 190 regular 190 types of 190 log options (IDP) 577, 581, 700, 701 login custom page 863 logo troubleshooting 974 logout Web Configurator 37 logs and security policy 572 e-mail profiles 904

e-mailing log messages 194, 907 formats 905 log consolidation 908 settings 904 syslog servers 904 system 904 types of 904 loose source routing 658
M
MAC address 729 and VLAN 281 Ethernet interface 245 range 116
MAC authentication 745, 747, 750, 753, 756 Calling Station ID 746, 748, 750, 753, 756 case 745, 746, 748, 750, 753, 756 delimiter 745, 746, 747, 748, 750, 753, 756
mac role 729 managed web pages 602 management access
troubleshooting 974 Management Information Base (MIB) 884, 885 managing the device
using SNMP. See SNMP. MD5 446 memory usage 118 Message Digest 5, see MD5 messages
CLI 40 metrics, see reports Microsoft
Challenge-Handshake Authentication Protocol (MSCHAP) 821
Challenge-Handshake Authentication Protocol Version 2 (MSCHAP-V2) 821
Point-to-Point Encryption (MPPE) 821 mobile broadband see also cellular 265 Monitor 834 monitor 175
SA 174 sessions 135 monitor profile ADP 574

mounting rack 32, 74 wall 76
MPPE (Microsoft Point-to-Point Encryption) 821 MSCHAP (Microsoft Challenge-Handshake
Authentication Protocol) 821 MSCHAP-V2 (Microsoft Challenge-Handshake
Authentication Protocol Version 2) 821 MTU 271, 280 multicast 739 multicast rate 739 My Certificates, see also certificates 805 MyDoom 673 myZyXEL 28
accounts, creating 28
N
NAT 336, 358 ALG, see ALG and address objects 333 and address objects (HOST) 363 and ALG 381, 383 and interfaces 362 and policy routes 326, 333 and security policy 567 and to-ZyWALL security policy 364 and VoIP pass through 383 and VPN 448 loopback 364 port forwarding, see NAT port translation, see NAT traversal 449
NAT Port Mapping Protocol 388 NAT Traversal 388 NAT-PMP 388 NBNS 250, 292, 305, 323, 458 NetBIOS
Broadcast over IPSec 427 Name Server, see NBNS. NetBIOS Name Server, see NBNS NetMeeting 387 see also H.323 Netscape Navigator 33 network access mode 30

full tunnel 454 Network Address Translation, see NAT network list, see SSL 458 Network Time Protocol (NTP) 846 network-based intrusions 673 Nimda 673 no IP options 658 No-IP 352 NSSA 339
O
objects 455 AAA server 784 addresses and address groups 764 authentication method 794 certificates 802 schedules 779 services and service groups 774 users, user groups 713, 822
offset (patterns) 662 ommon 638 One-Time Password (OTP) 785 Online Certificate Status Protocol (OCSP) 819
vs CRL 819 Open Shortest Path First, see OSPF operating mode 215 OSI (Open System Interconnection) 651 OSI level-4 587 OSI level-7 586 OSPF 339
and Ethernet interfaces 237 and RIP 340 and static routes 340 and to-ZyWALL security policy 339 area 0 340 areas, see OSPF areas authentication method 237 autonomous system (AS) 339 backbone 340 configuration steps 341 direction 237 link cost 237 priority 237 redistribute 340

redistribute type (cost) 342 routers, see OSPF routers virtual links 341 vs RIP 337, 339 OSPF areas 339 and Ethernet interfaces 237 backbone 339 Not So Stubby Area (NSSA) 339 stub areas 339 types of 339 OSPF routers 340 area border (ABR) 340 autonomous system boundary (ASBR) 340 backbone (BR) 340 backup designated (BDR) 341 designated (DR) 341 internal (IR) 340 link state advertisements priority 341 types of 340 OTP (One-Time Password) 785 outgoing bandwidth 271, 280
P
P2P (Peer-to-peer) 655 attacks 655 see also Peer-to-peer
packet inspection signatures 652 scan 620 statistics 126, 127, 155
packet capture 937, 940 files 936, 943, 944, 946 troubleshooting 975
packet captures downloading files 937, 944, 946
packet statistics 126 padding 658 PAP (Password Authentication Protocol) 821 Password Authentication Protocol (PAP) 821 payload
option 661 size 662 Peanut Hull 352 Peer-to-peer (P2P) 655

calls 383 managing 586
Perfect Forward Secrecy (PFS) 430 Diffie-Hellman key group 451
performance troubleshooting 967, 968, 969
Personal Identification Number code, see PIN code
PFS (Perfect Forward Secrecy) 430, 451
Phishing 640
physical ports packet statistics 126, 127, 155
PIN code 271
PIN generator 785
pointer record 852
Point-to-Point Protocol over Ethernet, see PPPoE.
Point-to-Point Tunneling Protocol, see PPTP
policy enforcement in IPSec 428
policy routes 326 actions 327 and address objects 332 and ALG 383, 387 and HTTP redirect 376, 377 and interfaces 332 and NAT 326 and schedules 332, 471, 475 and service objects 775 and SMTP redirect 377 and trunks 313, 332 and user groups 331, 471, 475 and users 331, 471, 475 and VoIP pass through 383 and VPN connections 332, 971 benefits 326 criteria 327 L2TP VPN 461 overriding direct routes 328 troubleshooting 964, 972
POP POP2 676 POP3 676
pop-up windows 33
port forwarding, see NAT
port groups 229, 234
port roles 233 and Ethernet interfaces 233 and physical ports 233
port translation, see NAT

Post Office Protocol, see POP 676 power off 959 PPP 323
troubleshooting 965 PPP interfaces
subnet mask 321 PPPoE 323
and RADIUS 323 TCP port 1723 324 PPPoE/PPTP interfaces 229, 258 and ISP accounts 259, 819 basic characteristics 229 gateway 259 subnet mask 259 PPTP 323 and GRE 324 as VPN 324 prefix delegation 232 printer account printout. 538 add 534 edit 534 external statement 531 key combination 539 list 531 management 531 manually configure 535 reports 539 secret key 532 status 173 product registration 991 proxy servers 376 web, see web proxy servers PTR record 852 Public-Key Infrastructure (PKI) 803 public-private key pairs 802, 803
Q
QoS 326, 466 Quick Start Guide 2

R
rack-mounting 32, 74 RADIUS 785, 786
advantages 785 and IKE SA 449 and PPPoE 323 and users 714 user attributes 731 RADIUS server 889, 891 troubleshooting 973 Real-time Transport Protocol, see RTP record route 658 Reference Guide, CLI 2 registration 196 product 991 reject (IDP) both 580 receiver 580 sender 580 Relative Distinguished Name (RDN) 787, 788, 790 remote access IPSec 428 Remote Authentication Dial-In User Service, see RADIUS remote management FTP, see FTP see also service control 858 Telnet 879 to-Device security policy 565 WWW, see WWW remote network 418 replay detection 427 reports anti-virus 179 collecting data 132 content filtering 178 daily 902 daily e-mail 902 IDP 183 specifications 134 traffic statistics 132 reputation filter anonymizers 640 categories 640 spyware adware keyloggers 640 statistics 182 reset 976

RESET button 976 Response Message 894 RFC
1058 (RIP) 337 1389 (RIP) 337 1587 (OSPF areas) 339 1631 (NAT) 336 1889 (RTP) 387 2131 (DHCP) 322 2132 (DHCP) 322 2328 (OSPF) 339 2402 (AH) 429, 450 2406 (ESP) 429, 450 2516 (PPPoE) 323 2637 (PPTP) 323 2890 (GRE) 324 3261 (SIP) 387 RIP 337 and Ethernet interfaces 237 and OSPF 337 and static routes 337 and to-ZyWALL security policy 337 authentication 337 direction 237 redistribute 337 RIP-2 broadcasting methods 237 versions 237 vs OSPF 337 Rivest, Shamir and Adleman public-key algorithm (RSA) 810 round robin 314 routing troubleshooting 969 Routing Information Protocol, see RIP routing protocols 336 and Ethernet interfaces 235 RSA 810, 812, 818 RSSI threshold 739 RTLS 224 RTP 387 see also ALG 387 rubber feet 74
S
same IP 661

scan attacks 655
scanner types 638
schedule
    troubleshooting 973
schedules 779
    and content filtering 595, 596
    and current date/time 779
    and policy routes 332, 471, 475
    and security policy 471, 475, 486, 572
    one-time 779
    recurring 779
    types of 779
screen resolution 33
Secure Hash Algorithm, see SHA1
Secure Socket Layer, see SSL
security associations, see IPSec
security policy 564
    actions 572
    and address groups 486
    and address objects 486
    and ALG 381, 383
    and application patrol 586
    and H.323 (ALG) 382
    and HTTP redirect 376
    and IPSec VPN 971
    and logs 572
    and NAT 567
    and schedules 471, 475, 486, 572
    and service groups 571
    and service objects 775
    and services 571
    and SIP (ALG) 382
    and user groups 572, 583
    and users 572, 583
    and VoIP pass through 383
    and zones 564, 570, 590, 600, 699
    asymmetrical routes 566, 569
    global rules 565
    priority 570, 590, 600, 699
    rule criteria 565
    see also to-Device security policy 564
    session limits 566, 581
    triangle routes 566, 569
    troubleshooting 965
security settings
    troubleshooting 964
sensitivity level 577
serial number 115


service control 858
    and to-ZyWALL security policy 858
    and users 858
    limitations 858
    timeouts 858
service groups 775
    and security policy 571
    in IDP 656
service objects 774
    and IP protocols 775
    and policy routes 775
    and security policy 775
Service Set 732
service subscription status 199
services 774
    and security policy 571
Session Initiation Protocol, see SIP
session limits 566, 581
session monitor (L2TP VPN) 176
sessions 135
sessions usage 118
SHA1 446
shell script
    troubleshooting 974
shell scripts 915
    and users 731
    downloading 929
    editing 928
    how applied 916
    managing 928
    syntax 916
    uploading 930
Short Message Service 892
shutdown 959
signal quality 144, 145
signature categories
    access control 654
    backdoor/Trojan 655
    buffer overflow 655
    DoS/DDoS 655
    IM 655
    P2P 655
    scan 655
    spam 655
    virus/worm 656
    Web attack 656
signature ID 654, 660, 672

signatures
    anti-malware 631
    IDP 651
    updating 199
SIM card 271
Simple Mail Transfer Protocol, see SMTP 676
Simple Network Management Protocol, see SNMP
Simple Traversal of UDP through NAT, see STUN
SIP 382, 387
    ALG 381
    and RTP 387
    and security policy 382
    media inactivity timeout 385
    signaling inactivity timeout 386
    signaling port 386
    troubleshooting 969
SMS 892
    Email-to-SMS 892
    send account information 892
SMS gateway 892
SMTP 676
SMTP redirect
    and firewall 377
    and policy routes 377
    packet flow 377
SNAT 336
    troubleshooting 969
SNMP 32, 883, 884
    agents 884
    and address groups 887
    and address objects 887
    and zones 887
    authentication 888
    Get 884
    GetNext 884
    Manager 884
    managers 884
    MIB 884, 885
    network components 884
    Set 884
    Trap 884
    traps 885
    version 3 and security 884
    versions 883
Snort
    equivalent terms 674
    rule header 673
    rule options 673


    signatures 673
Source Network Address Translation, see SNAT
spam 655, 675
Spam URLs 640
spillover (for load balancing) 315
SQL slammer 673
SSH 875
    and address groups 877
    and address objects 877
    and certificates 877
    and zones 877
    client requirements 876
    encryption methods 876
    for secure Telnet 878
    versions 876
SSL 454, 458, 859
    access policy 454
    and AAA 790
    and AD 790
    and LDAP 790
    computer names 458
    connection monitor 175
    full tunnel mode 458
    global setting 458
    IP pool 458
    network list 458
    see also SSL VPN 454
    troubleshooting 971
    WINS 458
SSL Inspection Protocols 694
SSL inspection Server Signed Certificate Keys 696
SSL policy
    add 456
    edit 456
    objects used 455
SSL VPN 454
    access policy 454
    full tunnel mode 454
    network access mode 30
    see also SSL 454
    troubleshooting 971
stac compression 822
startup-config.conf 920
    if errors 918
    missing at restart 918
    present at restart 918

startup-config-bad.conf 918
static DHCP 406
static routes 326
    and interfaces 335
    and OSPF 340
    and RIP 337
    metric 335
statistics
    anti-virus 179
    content filtering 178
    daily e-mail report 902
    IDP 183
    traffic 132
status 113
streaming protocols management 586
strict source routing 658
stub area 339
STUN 383
    and ALG 383
subscription services
    status 199
supported browsers 33
syslog 905, 911
syslog servers, see also logs
system log, see logs
system name 115, 842
system reports, see reports
system uptime 116
system-default.conf 920
T
TCP 775
    ACK number 661
    attack packet 580
    connections 775
    flag bits 661
    port numbers 775
    window size 661
Telnet 879
    and address groups 880
    and address objects 880
    and zones 880
    with SSH 878
throughput rate
    troubleshooting 974
time 843
time servers (default) 846
time to live 658
timestamp 658
to-Device security policy
    and remote management 565
    global rules 565
    see also security policy 564
token 785
to-ZyWALL security policy
    and NAT 364
    and NAT traversal (VPN) 971
    and OSPF 339
    and RIP 337
    and service control 858
    and VPN 971
TR-069 protocol 833
trademarks 991
traffic statistics 132
Transmission Control Protocol, see TCP
transport encapsulation 429
Transport Layer Security (TLS) 882
trapdoor attacks 655
triangle routes 566
    allowing through the security policy 569
    vs virtual interfaces 566
Triple Data Encryption Standard, see 3DES
trojan attacks 655
troubleshooting 931, 963
    admin user 973
    anti-virus 964, 967
    anti-virus signatures update 964
    application patrol 964, 969, 970, 972
    bandwidth limit 966
    bandwidth management 966
    cellular 965, 966
    certificate 973
    configuration file 974
    connection resets 970
    content filter 964
    DDNS 969
    device access 963
    ext-user 973
    firmware package 972
    firmware upload 975
    FTP 970
    H.323 970
    HTTP redirect 969
    IDP 964, 968
    interface 965
    Internet access 963, 972
    IPSec VPN 970
    LEDs 963
    logo 974
    logs 974
    management access 974
    packet capture 975
    performance 967, 968, 969
    policy routes 964, 972
    PPP 965
    problems 963
    RADIUS server 973
    routing 969
    schedules 973
    security policy 965
    security settings 964
    shell scripts 974
    SIP 969
    SNAT 969
    SSL 971
    SSL VPN 971
    throughput rate 974
    VLAN 966
    VPN 971
    WLAN 966
    zipped files 967
trunks 229, 313
    and ALG 387
    and policy routes 313, 332
    member interface mode 318, 320
    member interfaces 318, 320
    see also load balancing 313
Trusted Certificates, see also certificates 814
tunnel encapsulation 429
Tunnel interfaces 229
TWT (Target Wakeup Time) 732
U
UDP 775
    attack packet 580
    messages 775
    port numbers 775


Universal Plug and Play 388
    Application 388
    security issues 389
unsolicited commercial e-mail 675
updating
    anti-virus signatures 200
    signatures 199
upgrading firmware 925
uploading
    configuration files 921
    firmware 925
    shell scripts 928
UPnP 388
UPnP-enabled Network Device auto-discover 396
URI (Uniform Resource Identifier) 662
URL Threat Filter 640
usage
    CPU 118
    flash 118
    memory 118
    onboard flash 118
    sessions 118
user accounts
    for WLAN 715
user authentication 713
    external 714
    local user database 786
user awareness 715
User Datagram Protocol, see UDP
user group objects 713, 822
user groups 713, 715, 822
    and content filtering 595
    and policy routes 331, 471, 475
    and security policy 572, 583
user name rules 716
user objects 713, 822
user sessions, see sessions
user-aware 487
users 713, 822
    access, see also access users
    admin (type) 713
    admin, see also admin users
    and AAA servers 714
    and authentication method objects 714
    and content filtering 595
    and LDAP 714
    and policy routes 331, 471, 475
    and RADIUS 714
    and security policy 572, 583
    and service control 858
    and shell scripts 731
    attributes for Ext-User 714
    attributes for LDAP 731
    attributes for RADIUS 731
    attributes in AAA servers 731
    default lease time 726, 728
    default reauthentication time 726, 728
    default type for Ext-User 714
    ext-group-user (type) 714
    Ext-User (type) 714
    ext-user (type) 713
    groups, see user groups
    Guest (type) 713
    guest-manager (type) 714
    lease time 719
    limited-admin (type) 713
    lockout 727
    reauthentication time 719
    types of 713
    user (type) 713
    user names 716
V
Vantage Report (VRPT) 905, 911
ventilation holes 74
virtual interfaces 229, 254
    basic characteristics 229
    not DHCP clients 321
    types of 254
    vs asymmetrical routes 566
    vs triangle routes 566
virtual load balancing 150
Virtual Local Area Network, see VLAN
Virtual Private Network, see VPN
virtual router 828
virus 656
    attack 620, 656
    boot sector 638
    e-mail 638


    file infector 638
    macro 638
    mutation 638
    polymorphic 638
VLAN 274, 281
    advantages 281
    and MAC address 281
    ID 281
    troubleshooting 966
VLAN interfaces 229, 282
    and Ethernet interfaces 282, 966
    basic characteristics 229
    virtual 254
VoIP pass through 387
    and NAT 383
    and policy routes 383
    and security policy 383
    see also ALG 381
VPN 418
    active protocol 450
    and NAT 448
    basic troubleshooting 970
    hub-and-spoke, see VPN concentrator
    IKE SA, see IKE SA
    IPSec 418, 564
    IPSec SA proposal 445
    security associations (SA) 420
    see also IKE SA
    see also IPSec 418, 564
    see also IPSec SA
    troubleshooting 971
VPN concentrator 440
    advantages 440
    and IPSec SA policy enforcement 442
    disadvantages 440
VPN connections
    and address objects 423
    and policy routes 332, 971
VPN gateways
    and certificates 423
    and extended authentication 423
    and interfaces 423
    and to-ZyWALL security policy 971
VRPT (Vantage Report) 905, 911

W
walled garden 551
    define 551
    domain name 554
    site links 551
    URLs 552
wall-mounting 76
warranty 991, 995
    note 991, 995
Web attack 656
Web Configurator 32
    access 33
    access users 728
    requirements 33
    supported browsers 33
web features
    ActiveX 615
    cookies 615
    Java 615
    web proxy servers 615
web proxy servers 376, 615
weighted round robin (for load balancing) 315
weighted round robin algorithm 414
WEP (Wired Equivalent Privacy) 732
white list (anti-spam) 675, 678, 680, 684
Wi-Fi Protected Access 732
WiFi standards comparison table 733
WiFi6 introduction 732
Windows Internet Naming Service, see WINS
WINS 250, 292, 305, 323, 458
    in L2TP VPN 463
WINS server 250, 463
Wireshark 663
Wizard Setup 51, 79
WLAN
    troubleshooting 966
    user accounts 715
WLAN interfaces 229
worm 620, 656
    attacks 656
WPA 732
WPA2 732


WWW 859
    and address groups 863
    and address objects 863
    and authentication method objects 862
    and certificates 861
    and zones 863
    see also HTTP, HTTPS 859


Z
zipped files
    troubleshooting 967
ZON utility 147, 896
zones 710
    and FTP 882
    and interfaces 710
    and security policy 564, 570, 590, 600, 699
    and SNMP 887
    and SSH 877
    and Telnet 880
    and VPN 710
    and WWW 863
    extra-zone traffic 711
    inter-zone traffic 711
    intra-zone traffic 711
    types of traffic 710
ZyMesh 761
    auto provision 761
    bridge loops 762
    hop 762
    profile 763
    Repeater 762
    repeater 761
    root AP 761, 762
    security 764
    SSID 764
    WDS 761
Zyxel Discovery Protocol (ZDP) 147
Zyxel One Network (ZON) 147
