Chapter 16
IP/MAC Binding
16.1 IP/MAC Binding Overview
IP address to MAC address binding helps ensure that only the intended devices get to use privileged
IP addresses. The ZyWALL/USG uses DHCP to assign IP addresses and records the MAC address it
assigned to each IP address. The ZyWALL/USG then checks incoming connection attempts against
this list. A user cannot manually assign another IP to his computer and use it to connect to the
ZyWALL/USG.
Suppose you configure access privileges for IP address 192.168.1.27 and use static DHCP to assign
it to Tim’s computer’s MAC address of 12:34:56:78:90:AB. IP/MAC binding drops traffic from any
computer trying to use IP address 192.168.1.27 with another MAC address.
Figure 221 IP/MAC Binding Example (Tim’s computer, MAC 12:34:56:78:90:AB, is bound to IP 192.168.1.27; Jim’s computer, MAC AB:CD:EF:12:34:56, also tries to use IP 192.168.1.27)
16.1.1 What You Can Do in this Chapter
• Use the Summary and Edit screens (Section 16.2 on page 321) to bind IP addresses to MAC
addresses.
• Use the Exempt List screen (Section 16.3 on page 323) to configure ranges of IP addresses to
which the ZyWALL/USG does not apply IP/MAC binding.
16.1.2 What You Need to Know
DHCP
IP/MAC address bindings are based on the ZyWALL/USG’s dynamic and static DHCP entries.
ZyWALL/USG Series User’s Guide
320
Chapter 16 IP/MAC Binding
Interfaces Used With IP/MAC Binding
IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet,
bridge, VLAN, and WLAN interfaces. You can also enable or disable IP/MAC binding and logging in
an interface’s configuration screen.
16.2 IP/MAC Binding Summary
Click Configuration > Network > IP/MAC Binding to open the IP/MAC Binding Summary
screen. This screen lists the total number of IP to MAC address bindings for devices connected to
each supported interface.
Figure 222 Configuration > Network > IP/MAC Binding > Summary
The following table describes the labels in this screen.
Table 133 Configuration > Network > IP/MAC Binding > Summary
LABEL
DESCRIPTION
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
#
This field is a sequential value, and it is not associated with a specific entry.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Interface
This is the name of an interface that supports IP/MAC binding.
Number of Binding
This field displays the interface’s total number of IP/MAC bindings and IP addresses that the
interface has assigned by DHCP.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
16.2.1 IP/MAC Binding Edit
Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit
screen. Use this screen to configure an interface’s IP to MAC address binding settings.
Figure 223 Configuration > Network > IP/MAC Binding > Edit
The following table describes the labels in this screen.
Table 134 Configuration > Network > IP/MAC Binding > Edit
LABEL
DESCRIPTION
IP/MAC Binding Settings
Interface Name
This field displays the name of the interface within the ZyWALL/USG and the
interface’s IP address and subnet mask.
Enable IP/MAC Binding
Select this option to have this interface enforce links between specific IP
addresses and specific MAC addresses. This stops anyone else from manually
using a bound IP address on another device connected to this interface. Use this
to make sure only the intended users get to use specific IP addresses.
Enable Logs for IP/MAC Binding Violation
Select this option to have the ZyWALL/USG generate a log if a device connected to
this interface attempts to use an IP address not assigned by the ZyWALL/USG.
Static DHCP Bindings
This table lists the bound IP and MAC addresses. The ZyWALL/USG checks this
table when it assigns IP addresses. If the computer’s MAC address is in the table,
the ZyWALL/USG assigns the corresponding IP address. You can also access this
table from the interface’s edit screen.
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can
modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you
want to remove it before doing so.
#
This is the index number of the static DHCP entry.
IP Address
This is the IP address that the ZyWALL/USG assigns to a device with the entry’s
MAC address.
MAC Address
This is the MAC address of the device to which the ZyWALL/USG assigns the
entry’s IP address.
Description
This helps identify the entry.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving.
16.2.2 Static DHCP Edit
Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit
screen. Click the Add or Edit icon to open the following screen. Use this screen to configure an
interface’s IP to MAC address binding settings.
Figure 224 Configuration > Network > IP/MAC Binding > Edit > Add
The following table describes the labels in this screen.
Table 135 Configuration > Network > IP/MAC Binding > Edit > Add
LABEL
DESCRIPTION
Interface Name
This field displays the name of the interface within the ZyWALL/USG and the interface’s
IP address and subnet mask.
IP Address
Enter the IP address that the ZyWALL/USG is to assign to a device with the entry’s MAC
address.
MAC Address
Enter the MAC address of the device to which the ZyWALL/USG assigns the entry’s IP
address.
Description
Enter up to 64 printable ASCII characters to help identify the entry. For example, you
may want to list the computer’s owner.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving.
16.3 IP/MAC Binding Exempt List
Click Configuration > Network > IP/MAC Binding > Exempt List to open the IP/MAC
Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the
ZyWALL/USG does not apply IP/MAC binding.
Figure 225 Configuration > Network > IP/MAC Binding > Exempt List
The following table describes the labels in this screen.
Table 136 Configuration > Network > IP/MAC Binding > Exempt List
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Click an entry or select it and click Edit to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
#
This is the index number of the IP/MAC binding list entry.
Name
Enter a name to help identify this entry.
Start IP
Enter the first IP address in a range of IP addresses for which the ZyWALL/USG does not
apply IP/MAC binding.
End IP
Enter the last IP address in a range of IP addresses for which the ZyWALL/USG does not
apply IP/MAC binding.
Add icon
Click the Add icon to add a new entry.
Remove icon
Click the Remove icon to delete an entry. A window displays asking you to confirm that you
want to delete it.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
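The binding check described in Sections 16.1 to 16.3 (a per-interface table of IP-to-MAC records, a violation log, and an exempt range that is never checked) can be modelled in a few lines. The following Python is an added example written for this page; it is not ZyXEL code and does not reflect the device’s implementation. The class and function names are hypothetical, the Tim/Jim addresses come from the chapter, and the exempt range and the rule that an IP with no DHCP record counts as a violation are assumptions made for the demonstration.

```python
# Added example (not ZyXEL code): a model of the per-interface IP/MAC binding check
# described in Chapter 16. Names are hypothetical; the exempt range below is constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
import re

_MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lowercase, colon-separated form so "12-34-56-78-90-AB" and
    "12:34:56:78:90:ab" compare equal. Raises ValueError on malformed input."""
    m = mac.strip().lower()
    if not _MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m.replace("-", ":")


@dataclass
class ExemptRange:
    """One row of the Exempt List: binding is not applied inside [start, end]."""
    name: str
    start: IPv4Address
    end: IPv4Address

    def contains(self, ip: IPv4Address) -> bool:
        return self.start <= ip <= self.end


@dataclass
class Interface:
    """Bindings are grouped per interface, as in the Summary and Edit screens."""
    name: str
    binding_enabled: bool = True
    log_violations: bool = True
    # IP -> MAC as recorded by DHCP (static entries and dynamic leases alike)
    bindings: dict[IPv4Address, str] = field(default_factory=dict)
    exempt: list[ExemptRange] = field(default_factory=list)
    log: list[str] = field(default_factory=list)

    def bind(self, ip: str, mac: str) -> None:
        """Static DHCP binding: this MAC always receives this IP."""
        self.bindings[IPv4Address(ip)] = normalize_mac(mac)

    def check(self, src_ip: str, src_mac: str) -> str:
        """Return "allow" or "drop" for a packet seen on this interface."""
        ip, mac = IPv4Address(src_ip), normalize_mac(src_mac)
        if not self.binding_enabled:
            return "allow"
        if any(r.contains(ip) for r in self.exempt):
            return "allow"  # exempt addresses are never checked
        expected = self.bindings.get(ip)
        if expected == mac:
            return "allow"
        # Assumption: an IP that DHCP never handed out on this interface is treated
        # the same as an IP bound to a different MAC, i.e. as a binding violation.
        if self.log_violations:
            reason = "not assigned by DHCP" if expected is None else f"bound to {expected}"
            self.log.append(f"{self.name}: IP/MAC binding violation {ip} from {mac} ({reason})")
        return "drop"


def build_demo_interface() -> Interface:
    """Constructed sample: the chapter's Tim/Jim scenario plus an exempt range."""
    lan1 = Interface("lan1")
    lan1.bind("192.168.1.27", "12:34:56:78:90:AB")  # Tim's computer
    lan1.exempt.append(
        ExemptRange("printers", IPv4Address("192.168.1.200"), IPv4Address("192.168.1.250"))
    )
    return lan1


if __name__ == "__main__":
    lan1 = build_demo_interface()
    print(lan1.check("192.168.1.27", "12:34:56:78:90:AB"))   # Tim: allow
    print(lan1.check("192.168.1.27", "AB:CD:EF:12:34:56"))   # Jim using Tim's IP: drop
    print(lan1.check("192.168.1.220", "00:11:22:33:44:55"))  # exempt range: allow
    for line in lan1.log:
        print(line)
```

The exempt check runs before the binding lookup, which is why a device in an exempt range passes with any MAC; keep such ranges small, because every address in them loses the protection the rest of the interface has.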
Chapter 17
Layer 2 Isolation
17.1 Overview
Layer-2 isolation is used to prevent connected devices from communicating with each other in the
ZyWALL/USG’s local network(s), except for the devices in the white list, when layer-2 isolation is
enabled on the ZyWALL/USG and the local interface(s).
Note: The security policy control must be enabled before you can use layer-2 isolation.
In the following example, layer-2 isolation is enabled on the ZyWALL/USG’s interface Vlan1. A
printer, PC and AP are in the Vlan1. The IP address of network printer (C) is added to the white list.
With this setting, the connected AP then cannot communicate with the PC (D), but can access the
network printer (C), server (B), wireless client (A) and the Internet.
Figure 226 Layer-2 Isolation Application
17.1.1 What You Can Do in this Chapter
• Use the General screen (Section 17.2 on page 326) to enable layer-2 isolation on the ZyWALL/USG
and the internal interface(s).
• Use the White List screen (Section 17.3 on page 326) to enable and configure the white list.
17.2 Layer-2 Isolation General Screen
This screen allows you to enable Layer-2 isolation on the ZyWALL/USG and specific internal
interface(s). To access this screen click Configuration > Network > Layer 2 Isolation.
Figure 227 Configuration > Network > Layer 2 Isolation
The following table describes the labels in this screen.
Table 137 Configuration > Network > Layer 2 Isolation
LABEL
DESCRIPTION
Enable Layer2 Isolation
Select this option to turn on the layer-2 isolation feature on the ZyWALL/USG.
Note: You can enable this feature only when the security policy is enabled.
Member List
The Available list displays the name(s) of the internal interface(s) on which you can
enable layer-2 isolation.
To enable layer-2 isolation on an interface, you can double-click a single entry to move it
or use the [Shift] or [Ctrl] key to select multiple entries and click the right arrow button to
add them to the Member list. To remove an interface, select the name(s) in the Member list
and click the left arrow button.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
17.3 White List Screen
IP addresses that are not listed in the white list are blocked from communicating with other devices
in the layer-2-isolation-enabled internal interface(s) except for broadcast packets.
To access this screen click Configuration > Network > Layer 2 Isolation > White List.
Figure 228 Configuration > Network > Layer 2 Isolation > White List
The following table describes the labels in this screen.
Table 138 Configuration > Network > Layer 2 Isolation > White List
LABEL
DESCRIPTION
Enable White List
Select this option to turn on the white list on the ZyWALL/USG.
Note: You can enable this feature only when the security policy is enabled.
Add
Click this to add a new rule.
Edit
Click this to edit the selected rule.
Remove
Click this to remove the selected rule.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
#
This field is a sequential value, and it is not associated with a specific rule.
Status
This icon is lit when the rule is active and dimmed when the rule is inactive.
IP Address
This field displays the IP address of a device that can be accessed by the devices connected
to an internal interface on which layer-2 isolation is enabled.
Description
This field displays the description for the IP address in this rule.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
17.3.1 Add/Edit White List Rule
This screen allows you to create a new rule in the white list or edit an existing one. To access this
screen, click the Add button or select an entry from the list and click the Edit button.
Note: You can configure up to 100 white list rules on the ZyWALL/USG.
Note: You need to know the IP address of each connected device that you want to allow
to be accessed by other devices when layer-2 isolation is enabled.
Figure 229 Configuration > Network > Layer 2 Isolation > White List > Add/Edit
The following table describes the labels in this screen.
Table 139 Configuration > Network > Layer 2 Isolation > White List > Add/Edit
LABEL
DESCRIPTION
Enable
Select this option to turn on the rule.
Host IP Address
Enter an IPv4 address associated with this rule.
Description
Specify a description for the IP address associated with this rule. Enter up to 60 characters,
spaces and underscores allowed.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
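The forwarding decision that Sections 17.1 to 17.3 describe (isolation only between peers on a member interface, broadcast exempt, white-listed hosts reachable, the security-policy prerequisite and the 100-rule limit) is shown below as an added Python example. It is not ZyXEL code; the class names are hypothetical, the Vlan1 hosts are constructed to match the chapter’s AP/PC/printer scenario, and treating a white-list entry as allowing traffic in both directions is an assumption.

```python
# Added example (not ZyXEL code): a model of the layer-2 isolation forwarding decision
# described in Chapter 17. Names are hypothetical; hosts and white list are constructed.
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
MAX_WHITE_LIST_RULES = 100  # limit stated in Section 17.3.1


@dataclass
class Layer2Isolation:
    security_policy_enabled: bool = True
    isolation_enabled: bool = False
    member_interfaces: set[str] = field(default_factory=set)   # Member list of the General screen
    white_list_enabled: bool = False
    white_list: dict[str, bool] = field(default_factory=dict)  # host IP -> rule active
    # Which local interface each known host sits on (constructed topology, not a device table)
    host_interface: dict[str, str] = field(default_factory=dict)

    def enable_isolation(self, interfaces: set[str]) -> None:
        if not self.security_policy_enabled:
            raise ValueError("security policy control must be enabled first")
        self.isolation_enabled = True
        self.member_interfaces |= interfaces

    def add_white_list_rule(self, ip: str, active: bool = True) -> None:
        if ip not in self.white_list and len(self.white_list) >= MAX_WHITE_LIST_RULES:
            raise ValueError("white list is full (100 rules)")
        self.white_list[ip] = active

    def _whitelisted(self, ip: str) -> bool:
        return self.white_list_enabled and self.white_list.get(ip, False)

    def forward_allowed(self, ingress: str, src_ip: str, dst_ip: str, dst_mac: str) -> bool:
        """Decide whether a frame arriving on `ingress` may reach dst_ip.

        Isolation only separates devices that share an isolation-enabled interface;
        traffic to other interfaces or the Internet is left to the security policy."""
        if not (self.isolation_enabled and ingress in self.member_interfaces):
            return True
        if dst_mac == BROADCAST_MAC:
            return True   # broadcast packets are exempt from isolation
        if self.host_interface.get(dst_ip) != ingress:
            return True   # destination is not a peer on the same isolated interface
        # Assumption: a white-listed host may be reached and may reach others.
        return self._whitelisted(src_ip) or self._whitelisted(dst_ip)


def build_demo() -> Layer2Isolation:
    """Constructed sample matching the Vlan1 example: AP, PC (D), printer (C)."""
    cfg = Layer2Isolation()
    cfg.host_interface = {
        "192.168.10.10": "vlan1",  # AP
        "192.168.10.20": "vlan1",  # PC (D)
        "192.168.10.30": "vlan1",  # network printer (C), white-listed
        "192.168.20.5": "lan2",    # server (B) on another interface
    }
    cfg.enable_isolation({"vlan1"})
    cfg.white_list_enabled = True
    cfg.add_white_list_rule("192.168.10.30")
    return cfg


if __name__ == "__main__":
    cfg = build_demo()
    ap, pc, printer, server = "192.168.10.10", "192.168.10.20", "192.168.10.30", "192.168.20.5"
    print("AP -> PC      :", cfg.forward_allowed("vlan1", ap, pc, "aa:bb:cc:00:00:02"))       # False
    print("AP -> printer :", cfg.forward_allowed("vlan1", ap, printer, "aa:bb:cc:00:00:03"))  # True
    print("AP -> server  :", cfg.forward_allowed("vlan1", ap, server, "aa:bb:cc:00:00:99"))   # True
    print("AP broadcast  :", cfg.forward_allowed("vlan1", ap, "255.255.255.255", BROADCAST_MAC))  # True
```

Note that the white list is keyed by IP address and broadcast is always let through, so a host that changes its address or relies on broadcast discovery is outside what this control sees; the IP/MAC binding feature from Chapter 16 is the complementary check for the address side.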
Chapter 18
Inbound Load Balancing
18.1 Inbound Load Balancing Overview
Inbound load balancing enables the ZyWALL/USG to respond to a DNS query message with a
different IP address for DNS name resolution. The ZyWALL/USG checks which member interface
has the least load and responds to the DNS query message with the interface’s IP address.
In the following figure, an Internet host (A) sends a DNS query message to the DNS server (D) in
order to resolve a domain name of www.example.com. DNS server D redirects it to the ZyWALL/USG
(Z)’s WAN1 with an IP address of 1.1.1.1. The ZyWALL/USG receives the DNS query message
and responds to it with the WAN2’s IP address, 2.2.2.2, because the WAN2 has the least load at
that moment.
Another Internet host (B) also sends a DNS query message to ask where www.example.com is. The
ZyWALL/USG responds to it with the WAN1’s IP address, 1.1.1.1, since WAN1 has the least load this
time.
Figure 230 DNS Load Balancing Example (first exchange: 1. A asks D “Where is www.example.com?”; 2. D answers “Ask 1.1.1.1.”; 3. A asks Z at WAN1 1.1.1.1 and Z answers “It’s 2.2.2.2.” Second exchange: 1. B asks D “Where is www.example.com?”; 2. D answers “Ask 1.1.1.1.”; 3. B asks Z and Z answers “It’s 1.1.1.1.”)
18.1.1 What You Can Do in this Chapter
• Use the Inbound LB screen (see Section 18.2 on page 330) to view a list of the configured DNS
load balancing rules.
• Use the Inbound LB Add/Edit screen (see Section 18.2.1 on page 331) to add or edit a DNS
load balancing rule.
18.2 The Inbound LB Screen
The Inbound LB screen provides a summary of all DNS load balancing rules and the details. You
can also use this screen to add, edit, or remove the rules. Click Configuration > Network >
Inbound LB to open the following screen.
Note: After you finish the inbound load balancing settings, go to security policy and NAT
screens to configure the corresponding rule and virtual server to allow the Internet
users to access your internal servers.
Figure 231 Configuration > Network > DNS Inbound LB
The following table describes the labels in this screen.
Table 140 Configuration > Network > Inbound LB
LABEL
DESCRIPTION
Global Setting
Enable DNS Load Balancing
Select this to enable DNS load balancing.
Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can
modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you
want to remove it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Move
To move an entry to a different number in the list, click the Move icon. In the field
that appears, specify the number to which you want to move the entry.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Priority
This field displays the order in which the ZyWALL/USG checks the member
interfaces of this DNS load balancing rule.
Query Domain Name
This field displays the domain name for which the ZyWALL/USG manages load
balancing between the specified interfaces.
Query From Address
This field displays the source IP address of the DNS query messages to which the
ZyWALL/USG applies the DNS load balancing rule.
Query From Zone
The ZyWALL/USG applies the DNS load balancing rule to the query messages
received from this zone.
Load Balancing Member
This field displays the member interfaces which the ZyWALL/USG manages for load
balancing.
Algorithm
This field displays the load balancing method the ZyWALL/USG uses for this DNS
load balancing rule.
Weighted Round Robin - Each member interface is assigned a weight. An
interface with a larger weight gets more chances to transmit traffic than an interface
with a smaller weight. For example, if the weight ratio of wan1 and wan2 interfaces
is 2:1, the ZyWALL/USG chooses wan1 for 2 sessions’ traffic and wan2 for 1
session’s traffic in each round of 3 new sessions.
Least Connection - The ZyWALL/USG chooses a member interface which is
handling the least number of sessions.
Least Load - Outbound - The ZyWALL/USG chooses a member interface which is
handling the least amount of outgoing traffic.
Least Load - Inbound - The ZyWALL/USG chooses a member interface which is
handling the least amount of incoming traffic.
Least Load - Total - The ZyWALL/USG chooses a member interface which is
handling the least amount of outgoing and incoming traffic.
Apply
Click this button to save your changes to the ZyWALL/USG.
Reset
Click this button to return the screen to its last-saved settings.
18.2.1 The Inbound LB Add/Edit Screen
The Add DNS Load Balancing screen allows you to add a domain name for which the ZyWALL/USG
manages load balancing between the specified interfaces. You can configure the ZyWALL/USG
to apply DNS load balancing to some specific hosts only by configuring the Query From settings.
Click Configuration > Network > Inbound LB and then the Add or Edit icon to open this
screen.
Figure 232 Configuration > Network > Inbound LB > Add
The following table describes the labels in this screen.
Table 141 Configuration > Network > Inbound LB > Add/Edit
LABEL
DESCRIPTION
Create New Object
Use this to configure any new setting objects that you need to use in this screen.
General Settings
Enable
Select this to enable this DNS load balancing rule.
DNS Setting
Query Domain Name
Type up to 255 characters for a domain name for which you want the ZyWALL/USG
to manage DNS load balancing. You can use a wildcard (*) to let multiple domains
match the name. For example, *.example.com matches any domain name that ends
with “example.com”.
Time to Live
Enter the number of seconds the ZyWALL/USG recommends DNS request hosts to
keep the DNS entry in their caches before removing it. Enter 0 to have the ZyWALL/USG
not recommend this so the DNS request hosts will follow their DNS server’s TTL
setting.
Query From Setting
IP Address
Enter the IP address of a computer or a DNS server which makes the DNS queries
upon which to apply this rule.
DNS servers process client queries using recursion or iteration:
• In recursion, DNS servers make recursive queries on behalf of clients. So you
have to configure this field to the DNS server’s IP address when recursion is
used.
• In iteration, a client asks the DNS server and expects the best and immediate
answer without the DNS server contacting other DNS servers. If the primary DNS
server cannot provide the best answer, the client makes iteration queries to other
configured DNS servers to resolve the name. You have to configure this field to
the client’s IP address when iteration is used.
Zone
Select the zone of DNS query messages upon which to apply this rule.
Load Balancing Member
Load Balancing Algorithm
Select a load balancing method to use from the drop-down list box.
Select Weighted Round Robin to balance the traffic load between
interfaces based on their respective weights. An interface with a larger
weight gets more chances to transmit traffic than an interface with a
smaller weight. For example, if the weight ratio of wan1 and wan2
interfaces is 2:1, the ZyWALL/USG chooses wan1 for 2 sessions’ traffic and
wan2 for 1 session’s traffic in each round of 3 new sessions.
Select Least Connection to have the ZyWALL/USG choose the member interface
which is handling the least number of sessions.
Select Least Load - Outbound to have the ZyWALL/USG choose the member
interface which is handling the least amount of outgoing traffic.
Select Least Load - Inbound to have the ZyWALL/USG choose the member
interface which is handling the least amount of incoming traffic.
Select Least Load - Total to have the ZyWALL/USG choose the member interface
which is handling the least amount of outgoing and incoming traffic.
Failover IP Address
Enter an alternate IP address with which the ZyWALL/USG will respond to a DNS
query message when the load balancing algorithm cannot find any available
interface.
Add
Click this to create a new member interface for this rule.
Edit
Double-click an entry or select it and click Edit to open a screen where you can
modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want
to remove it before doing so.
#
This field displays the order in which the ZyWALL/USG checks this rule’s member
interfaces.
IP Address
This field displays the IP address of the member interface.
Monitor Interface
This field displays the name of the member interface. The ZyWALL/USG manages
load balancing between the member interfaces.
Weight
This field is available if you selected Weighted Round Robin as the load balancing
algorithm. This field displays the weight of the member interface. An interface with a
larger weight gets more chances to transmit traffic than an interface with a smaller
weight.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving.
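Tables 140 and 141 describe the rule as a domain pattern, a Query From filter, an ordered member list, one of five selection algorithms and a failover address. The Python below is an added example that puts those pieces together so the selection behaviour can be run and compared; it is not ZyXEL code and makes no claim about the device’s internal implementation. The class names are hypothetical, the member interfaces, counters and addresses are constructed (1.1.1.1 and 2.2.2.2 are the chapter’s example WAN addresses), and the exact slot order within a weighted round robin round is an assumption.

```python
# Added example (not ZyXEL code): a model of a DNS inbound load balancing rule as
# described in Section 18.2. Names are hypothetical; the members are constructed.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Member:
    interface: str
    interface_ip: str                 # "Same as Monitor Interface" response address
    weight: int = 1
    custom_ip: Optional[str] = None   # "Custom" response address overrides interface_ip
    up: bool = True
    sessions: int = 0
    out_bytes: int = 0
    in_bytes: int = 0

    def answer_ip(self) -> str:
        return self.custom_ip or self.interface_ip


@dataclass
class Rule:
    query_domain: str               # may contain a wildcard, e.g. *.example.com
    algorithm: str                  # wrr | least_conn | least_out | least_in | least_total
    members: list[Member]           # checked in this order
    failover_ip: str                # answered when no member interface is available
    ttl: int = 0                    # 0: do not override the DNS server's TTL
    query_from_ip: Optional[str] = None    # None: any source address
    query_from_zone: Optional[str] = None  # None: any zone
    enabled: bool = True
    rr_counter: int = 0

    def matches(self, domain: str, src_ip: str, zone: str) -> bool:
        if not self.enabled:
            return False
        if not fnmatchcase(domain.lower().rstrip("."), self.query_domain.lower()):
            return False
        if self.query_from_ip and src_ip != self.query_from_ip:
            return False
        return self.query_from_zone is None or zone == self.query_from_zone

    def choose(self) -> Optional[Member]:
        available = [m for m in self.members if m.up]
        if not available:
            return None
        if self.algorithm == "wrr":
            # Assumed slot order: each round of sum(weights) answers gives every member
            # `weight` slots in member order, so 2:1 yields wan1, wan1, wan2, wan1, ...
            slots = [m for m in available for _ in range(m.weight)]
            pick = slots[self.rr_counter % len(slots)]
            self.rr_counter += 1
            return pick
        key = {
            "least_conn": lambda m: m.sessions,
            "least_out": lambda m: m.out_bytes,
            "least_in": lambda m: m.in_bytes,
            "least_total": lambda m: m.out_bytes + m.in_bytes,
        }[self.algorithm]
        return min(available, key=key)   # ties go to the earlier member in the list

    def respond(self) -> tuple[str, Optional[int]]:
        """(answer address, TTL to recommend or None)."""
        m = self.choose()
        return (m.answer_ip() if m else self.failover_ip), (self.ttl or None)


def resolve(rules: list[Rule], domain: str, src_ip: str, zone: str) -> Optional[tuple[str, Optional[int]]]:
    """First matching rule in priority order answers; None means no DNS LB rule applies."""
    for rule in rules:
        if rule.matches(domain, src_ip, zone):
            return rule.respond()
    return None


def build_demo_rule(algorithm: str = "wrr") -> Rule:
    """Constructed sample: wan1 (1.1.1.1, weight 2) and wan2 (2.2.2.2, weight 1)."""
    wan1 = Member("wan1", "1.1.1.1", weight=2, sessions=40, out_bytes=900, in_bytes=100)
    wan2 = Member("wan2", "2.2.2.2", weight=1, sessions=10, out_bytes=300, in_bytes=800)
    return Rule("*.example.com", algorithm, [wan1, wan2],
                failover_ip="3.3.3.3", ttl=30, query_from_zone="WAN")


if __name__ == "__main__":
    rule = build_demo_rule("wrr")
    for _ in range(3):
        print(resolve([rule], "www.example.com", "203.0.113.7", "WAN"))  # 1.1.1.1, 1.1.1.1, 2.2.2.2
    print(resolve([build_demo_rule("least_total")], "www.example.com", "203.0.113.7", "WAN"))
```

The query_from_zone check is what keeps the rule from answering internal clients with a public WAN address; the note in Section 18.2 about adding the matching security policy and NAT virtual server still applies, since the answer only tells the client which address to connect to.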
18.2.2 The Inbound LB Member Add/Edit Screen
The Add Load Balancing Member screen allows you to add a member interface for the DNS load
balancing rule. Click Configuration > Network > Inbound LB > Add or Edit and then an Add or
Edit icon to open this screen.
Figure 233 Configuration > Network > Inbound LB > Add/Edit > Add
The following table describes the labels in this screen.
Table 142 Configuration > Network > Inbound LB > Add/Edit > Add/Edit
LABEL
DESCRIPTION
Member
The ZyWALL/USG checks each member interface’s loading in the order displayed
here.
Monitor Interface
Select an interface to associate it with the DNS load balancing rule. This field also
displays whether the IP address is a static IP address (Static), dynamically assigned
(Dynamic) or obtained from a DHCP server (DHCP Client), as well as the IP address
and subnet mask.
Weight
This field is available if you selected Weighted Round Robin for the load balancing
algorithm.
Specify the weight of the member interface. An interface with a larger weight gets
more chances to transmit traffic than an interface with a smaller weight.
IP Address
Same as Monitor Interface
Select this to send the IP address displayed in the Monitor Interface field to the
DNS query senders.
Custom
Select this and enter another IP address to send to the DNS query senders.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving.
Chapter 19
Web Authentication
19.1 Web Auth Overview
Web authentication can intercept network traffic, according to the authentication policies, until the
user authenticates his or her connection, usually through a specifically designated login web page.
This means all web page requests can initially be redirected to a special web page that requires
users to authenticate their sessions. Once authentication is successful, they can then connect to the
rest of the network or Internet.
As soon as a user attempts to open a web page, the ZyWALL/USG reroutes his/her browser to a web
portal page that prompts him/her to log in.
Figure 234 Web Authentication Example
The web authentication page only appears once per authentication session. Unless a user session
times out or he/she closes the connection, he or she generally will not see it again during the same
session.
19.1.1 What You Can Do in this Chapter
• Use the Configuration > Web Authentication screens (Section 19.2 on page 336) to create
and manage web authentication policies.
• Use the Configuration > Web Authentication > SSO screen (Section 19.3 on page 340) to
configure how the ZyWALL/USG communicates with a Single Sign-On agent.
19.1.2 What You Need to Know
Single Sign-On
A SSO (Single Sign On) agent integrates Domain Controller and ZyWALL/USG authentication
mechanisms, so that users just need to log in once (single) to get access to permitted resources.
Forced User Authentication
Instead of making users for which user-aware policies have been configured go to the ZyWALL/USG
Login screen manually, you can configure the ZyWALL/USG to display the Login screen
automatically whenever it routes HTTP traffic for anyone who has not logged in yet.
Note: This works with HTTP traffic only. The ZyWALL/USG does not display the Login
screen when users attempt to send other kinds of traffic.
The ZyWALL/USG does not automatically route the request that prompted the login, however, so
users have to make this request again.
19.2 Web Authentication Screen
The Web Authentication screen displays the web portal settings and web authentication policies
you have configured on the ZyWALL/USG. The screen differs depending on what you select in the
Authentication field.
Click Configuration > Web Authentication to display the screen.
Figure 235 Configuration > Web Authentication (Web Portal)
The following table gives an overview of the objects you can configure.
Table 143 Configuration > Web Authentication
LABEL
DESCRIPTION
Enable Web Authentication
Select Enable Web Authentication to turn on the web authentication feature.
Internal Web Portal
Select this to use the default login page built into the ZyWALL/USG. If you later assign a
custom login page, you can still return to the ZyWALL/USG’s default page as it is saved
indefinitely.
Once enabled, all network traffic is blocked until a client authenticates with the ZyWALL/USG
through the specifically designated web portal.
The login page appears whenever the web portal intercepts network traffic, preventing
unauthorized users from gaining access to the network.
You can customize the login page built into the ZyWALL/USG in the System > WWW >
Login Page screen.
External Web Portal
Select this to use a custom login page from an external web portal instead of the default
one built into the ZyWALL/USG. You can configure the look and feel of the web portal page.
Login URL
Specify the login page’s URL; for example, http://IIS server IP Address/login.html.
The Internet Information Server (IIS) is the web server on which the web portal files are
installed.
Logout URL
Specify the logout page’s URL; for example, http://IIS server IP Address/logout.html.
The Internet Information Server (IIS) is the web server on which the web portal files are
installed.
Welcome URL
Specify the welcome page’s URL; for example, http://IIS server IP Address/welcome.html.
The Internet Information Server (IIS) is the web server on which the web portal files are
installed.
Session URL
Specify the session page’s URL; for example, http://IIS server IP Address/session.html.
The Internet Information Server (IIS) is the web server on which the web portal files are
installed.
Error URL
Specify the error page’s URL; for example, http://IIS server IP Address/error.html.
The Internet Information Server (IIS) is the web server on which the web portal files are
installed.
Download
Click this to download an example web portal file for your reference.
Exceptional Services
Use this table to list services that users can access without logging in. In the list, select
one or more entries and click Remove to delete it or them. Keeping DNS as a member
allows users’ computers to resolve domain names into IP addresses. Click Add to add new
services that users can access without logging in.
Web Authentication Policy Summary
Use this table to manage the ZyWALL/USG’s list of web authentication policies.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after
the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Move
To move an entry to a different number in the list, click the Move icon. In the field that
appears, specify the number to which you want to move the entry.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Priority
This is the position of the authentication policy in the list. The priority is important as the
policies are applied in order of priority. Default displays for the default authentication
policy that the ZyWALL/USG uses on traffic that does not match any exceptional service or
other authentication policy. You can edit the default rule but not delete it.
Source
This displays the source address object to which this policy applies.
Destination
This displays the destination address object to which this policy applies.
Schedule
This field displays the schedule object that dictates when the policy applies. none means
the policy is active at all times if enabled.
Authentication
This field displays the authentication requirement for users when their traffic matches this
policy.
unnecessary - Users do not need to be authenticated.
required - Users need to be authenticated. They must manually go to the login screen.
The ZyWALL/USG will not redirect them to the login screen.
force - Users need to be authenticated. The ZyWALL/USG automatically displays the login
screen whenever it routes HTTP traffic for users who have not logged in yet.
Description
If the entry has a description configured, it displays here. This is n/a for the default policy.
Apply
Click this button to save your changes to the ZyWALL/USG.
Reset
Click this button to return the screen to its last-saved settings.
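The Priority, Source, Destination, Schedule and Authentication columns of Table 143, together with the Exceptional Services list and the HTTP-only redirect noted in Section 19.1.2, define how one packet from an unauthenticated user is handled. The Python below is an added example that evaluates that logic for sample packets; it is not ZyXEL code and does not describe the device’s implementation. Class names are hypothetical, the address object, schedule and packets are constructed, and modelling the non-HTTP case under required/force as “block” is an assumption drawn from the note that the login screen is only shown for HTTP traffic.

```python
# Added example (not ZyXEL code): a model of web authentication policy evaluation as
# described in Table 143. Names are hypothetical; address objects and packets are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    authentication: str            # unnecessary | required | force
    source: str = "any"            # address object name or "any"
    destination: str = "any"
    schedule: str = "none"         # schedule object name or "none" (always active)
    enabled: bool = True
    description: str = ""


@dataclass
class WebAuth:
    enabled: bool = True
    login_url: str = "/login"      # internal portal; an External Web Portal supplies its own Login URL
    exceptional_services: set[str] = field(default_factory=lambda: {"DNS"})
    policies: list[Policy] = field(default_factory=list)   # priority order; last entry is the default policy
    address_objects: dict[str, list[str]] = field(default_factory=dict)  # name -> CIDR list
    schedule_active: dict[str, bool] = field(default_factory=dict)       # name -> active right now?

    def _addr_match(self, obj: str, ip: str) -> bool:
        if obj == "any":
            return True
        return any(ip_address(ip) in ip_network(c) for c in self.address_objects.get(obj, []))

    def _policy_for(self, src: str, dst: str) -> Optional[Policy]:
        """First enabled, in-schedule policy whose source and destination match wins."""
        for p in self.policies:
            if not p.enabled:
                continue
            if p.schedule != "none" and not self.schedule_active.get(p.schedule, False):
                continue
            if self._addr_match(p.source, src) and self._addr_match(p.destination, dst):
                return p
        return None

    def decide(self, src: str, dst: str, service: str, authenticated: bool) -> str:
        """Return "forward", "redirect:<login url>" or "block" for one packet."""
        if not self.enabled or service in self.exceptional_services or authenticated:
            return "forward"
        p = self._policy_for(src, dst)
        if p is None or p.authentication == "unnecessary":
            return "forward"
        # required: no redirect, the user must open the login page manually.
        # force: only HTTP is redirected, and the request that triggered the login is
        # not routed afterwards, so the user repeats it once logged in.
        # Assumption: other protocols from unauthenticated users are not routed.
        if p.authentication == "force" and service == "HTTP":
            return f"redirect:{self.login_url}"
        return "block"


def build_demo() -> WebAuth:
    """Constructed sample: guests are forced to the portal during office hours, everyone else passes."""
    return WebAuth(
        address_objects={"GUEST_LAN": ["192.168.2.0/24"]},
        schedule_active={"OFFICE_HOURS": True},
        policies=[
            Policy("force", source="GUEST_LAN", schedule="OFFICE_HOURS", description="guests"),
            Policy("unnecessary", description="default"),   # the non-deletable default policy
        ],
    )


if __name__ == "__main__":
    wa = build_demo()
    print(wa.decide("192.168.2.10", "198.51.100.1", "DNS", False))   # forward (exceptional service)
    print(wa.decide("192.168.2.10", "198.51.100.1", "HTTP", False))  # redirect:/login
    print(wa.decide("192.168.2.10", "198.51.100.1", "SSH", False))   # block
    print(wa.decide("192.168.2.10", "198.51.100.1", "HTTP", True))   # forward
```

Because the exceptional services are checked before any policy, every service left in that list is reachable by unauthenticated users from every source; the table’s advice to keep DNS there is the usual minimum, and anything beyond it deserves a look.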
19.2.1 Creating Exceptional Services
This screen lists services that users can access without logging in. Click Add under Exceptional
Services in the previous screen to display this screen. You can change the list’s membership here.
Available services appear on the left. Select any services you want users to be able to access
without logging in and click the right arrow button -> to add them. The member services are on the
right. Select any service that you want to remove from the member list, and click the left arrow
button <- to remove them. Then click OK to apply the changes and return to the main Web
Authentication screen. Alternatively, click Cancel to discard the changes and return to the main
Web Authentication screen.
Figure 236 Configuration > Web Authentication > Add Exceptional Service
19.2.2 Creating/Editing an Authentication Policy
Click Configuration > Web Authentication and then the Add (or Edit) icon in the Web
Authentication Policy Summary section to open the Auth. Policy Add/Edit screen. Use this
screen to configure an authentication policy.
Figure 237 Configuration > Web Authentication > Add Authentication Policy
The following table gives an overview of the objects you can configure.
Table 144 Configuration > Web Authentication > Add Authentication Policy
LABEL: DESCRIPTION
Create new Object: Use to configure any new settings objects that you need to use in this screen. Select
Address or Schedule.
Enable Policy: Select this check box to activate the authentication policy. This field is available for
user-configured policies.
Description: Enter a descriptive name of up to 60 printable ASCII characters for the policy. Spaces are
allowed. This field is available for user-configured policies.
User Authentication Policy: Use this section of the screen to determine which traffic requires (or does
not require) the senders to be authenticated in order to be routed.
Source Address: Select a source address or address group for whom this policy applies. Select any if the
policy is effective for every source. This is any and not configurable for the default policy.
Destination Address: Select a destination address or address group for whom this policy applies. Select
any if the policy is effective for every destination. This is any and not configurable for the default
policy.
Schedule: Select a schedule that defines when the policy applies. Otherwise, select none and the rule
is always effective. This is none and not configurable for the default policy.
Authentication: Select the authentication requirement for users when their traffic matches this policy.
  unnecessary - Users do not need to be authenticated.
  required - Users need to be authenticated. If Force User Authentication is selected, all
  HTTP traffic from unauthenticated users is redirected to a default or user-defined login
  page. Otherwise, they must manually go to the login screen. The ZyWALL/USG will not
  redirect them to the login screen.
Single Sign-on: This field is available for user-configured policies that require Single Sign-On (SSO).
Select this to have the ZyWALL/USG enable the SSO feature. You can set up this feature in the
SSO screen.
Force User Authentication: This field is available for user-configured policies that require
authentication. Select this to have the ZyWALL/USG automatically display the login screen when users
who have not logged in yet try to send HTTP traffic.
OK: Click OK to save your changes back to the ZyWALL/USG.
Cancel: Click Cancel to exit this screen without saving.
19.3 SSO Overview
The SSO (Single Sign-On) function integrates Domain Controller and ZyWALL/USG authentication
mechanisms, so that users just need to log in once (single login) to get access to permitted
resources.
In the following figure, user U logs into a Domain Controller (DC), which passes the user’s login
credentials to the SSO agent. The SSO agent checks these credentials against the AD server, and if
the AD server confirms them, the SSO agent notifies the ZyWALL/USG to allow the user access to
the permitted resource (Internet access, for example).
Note: The ZyWALL/USG, the DC, the SSO agent and the AD server must all be in the
same domain and be able to communicate with each other.
SSO does not support IPv6, LDAP or RADIUS; you must use it in an IPv4 network
environment with Windows AD (Active Directory) authentication database.
You must enable Web Authentication in the Configuration > Web Authentication
screen.
Figure 238 SSO Overview (U = User, DC = Domain Controller, SSO = Single Sign-On agent, AD = Active Directory)
Install the SSO Agent on one of the following platforms:
• Windows 7 Professional (32-bit and 64-bit)
• Windows Server 2008 Enterprise (32-bit and 64-bit)
• Windows 2008 R2 (64-bit)
• Windows Server 2012 (64-bit)
19.4 SSO - ZyWALL/USG Configuration
This section shows what you have to do on the ZyWALL/USG in order to use SSO.
Table 145 ZyWALL/USG - SSO Agent Field Mapping
ZYWALL/USG SCREEN | ZYWALL/USG FIELD | SSO SCREEN | SSO FIELD
Web Authentication > SSO | Listen Port | Agent Configuration Page > Gateway Setting | Gateway Port
Web Authentication > SSO | Primary Agent Port | Agent Configuration Page | Agent Listening Port
Object > User/Group > User > Add | Group Identifier | Agent Configuration Page > Configure LDAP/AD Server | Group Membership
Object > AAA Server > Active Directory > Add | Base DN | Agent Configuration Page > Configure LDAP/AD Server | Base DN
Object > AAA Server > Active Directory > Add | Bind DN | Agent Configuration Page > Configure LDAP/AD Server | Bind DN
Object > User/Group > User > Add | User Name | Agent Configuration Page > Configure LDAP/AD Server | Login Name Attribute
Object > AAA Server > Active Directory > Add | Server Address | Agent Configuration Page > Configure LDAP/AD Server | Server Address
Network > Interface > Ethernet > wan (IPv4) | IP address | Agent Configuration Page > Gateway Setting | Gateway IP
19.4.1 Configuration Overview
These are the screens you need to configure:
• Configure the ZyWALL/USG to Communicate with SSO on page 342
• Enable Web Authentication on page 343
• Create a Security Policy on page 344
• Configure User Information on page 345
• Configure an Authentication Method on page 346
• Configure Active Directory on page 347
19.4.2 Configure the ZyWALL/USG to Communicate with SSO
Use Configuration > Web Authentication > SSO to configure how the ZyWALL/USG
communicates with the Single Sign-On (SSO) agent.
Figure 239 Configuration > Web Authentication > SSO
The following table gives an overview of the objects you can configure.
Table 146 Configuration > Web Authentication > SSO
LABEL: DESCRIPTION
Listen Port: The default agent listening port is 2158. If you change it on the ZyWALL/USG,
then change it to the same number in the Gateway Port field on the SSO agent
too. Type a number ranging from 1025 to 65535.
Agent PreShareKey: Type 8-32 printable ASCII characters or exactly 32 hex characters (0-9; a-f).
The Agent PreShareKey is used to encrypt communications between the
ZyWALL/USG and the SSO agent.
Primary Agent Address: Type the IPv4 address of the SSO agent. The ZyWALL/USG and the SSO agent
must be in the same domain and be able to communicate with each other.
Primary Agent Port: Type the same port number here as in the Agent Listening Port field on the
SSO agent. Type a number ranging from 1025 to 65535.
Secondary Agent Address (Optional): Type the IPv4 address of the backup SSO agent if there is one.
The ZyWALL/USG and the backup SSO agent must be in the same domain and be able to
communicate with each other.
Secondary Agent Port (Optional): Type the same port number here as in the Agent Listening Port
field on the backup SSO agent if there is one. Type a number ranging from 1025 to 65535.
Apply: Click this button to save your changes to the ZyWALL/USG.
Reset: Click this button to return the screen to its last-saved settings.
19.4.3 Enable Web Authentication
Enable Web Authentication and add a web authentication policy.
Make sure you select Enable Policy, Single Sign-On and choose required in Authentication.
Do NOT select any as the source address unless you want all incoming connections to be
authenticated!
See Table 143 on page 337 and Table 144 on page 340 for more information on configuring these
screens.
19.4.4 Create a Security Policy
Configure a Security Policy for SSO traffic source and destination direction in order to prevent the
security policy from blocking this traffic. Go to Configuration > Security Policy > Policy and add
a new policy if a default one does not cover the SSO web authentication traffic direction.
Configure the fields as shown in the following screen. Configure the source and destination
addresses according to the SSO web authentication traffic in your network.
19.4.5 Configure User Information
Configure a User account of the ext-group-user type.
Configure Group Identifier to be the same as Group Membership on the SSO agent.
19.4.6 Configure an Authentication Method
Configure Active Directory (AD) for authentication with SSO.
Choose group ad as the authentication server for SSO.
19.4.7 Configure Active Directory
You must configure an Active Directory (AD) server in AAA Setup to be the same as AD configured
on the SSO agent.
The default AD server port is 389. If you change this, make sure you make the same changes on
the SSO. Configure the Base DN exactly the same as on the Domain Controller and SSO. Bind DN
is a user name and password that allows the ZyWALL/USG to join the domain with administrative
privileges. It is a required field.
19.5 SSO Agent Configuration
This section shows what you have to do on the SSO agent in order to work with the ZyWALL/USG.
After you install the SSO agent, you will see an icon in the system tray (bottom right of the screen).
Right-click the SSO icon and select Configure ZyXEL SSO Agent.
Configure the Agent Listening Port, AD server exactly as you have done on the ZyWALL/USG.
Add the ZyWALL/USG IP address as the Gateway. Make sure the ZyWALL/USG and SSO agent are
able to communicate with each other.
Configure the Server Address, Port, Base DN, Bind DN, Login Name Attribute and Group
Membership for the AD server settings exactly as you have done on the ZyWALL/USG. Group
Membership is called Group Identifier on the ZyWALL/USG.
LDAP/AD Server Configuration
Configure the Gateway IP address, Gateway Port and PreShareKey exactly as you have done in
the ZyWALL/USG Configuration > Web Authentication > SSO screen. If you want to use
Generate Key to have the SSO create a random password, select Check to show PreShareKey as
clear Text so as to see the password, then copy and paste it to the ZyWALL/USG.
After all SSO agent configurations are done, right-click the SSO icon in the system tray and select
Enable ZyXEL SSO Agent.
Chapter 20 RTLS
20.1 Overview
Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs
managed by the ZyWALL/USG to create maps, alerts, and reports.
The Ekahau RTLS Controller is the centerpiece of the RTLS system. This server software runs on a
Windows computer to track and locate Ekahau tags from Wi-Fi signal strength measurements. Use
the ZyWALL/USG with the Ekahau RTLS system to take signal strength measurements at the APs
(Integrated Approach / Blink Mode).
The following example shows the Ekahau RTLS Integrated Approach (Blink Mode).
1 The Wi-Fi tag sends blink packets at specified intervals (or triggered by something like motion or
button presses).
2 The APs pick up the blink packets, measure the signal strength, and send it to the ZyWALL/USG.
3 The ZyWALL/USG forwards the signal measurements to the Ekahau RTLS Controller.
4 The Ekahau RTLS Controller calculates the tag positions.
Figure 240 RTLS Example
20.1.1 What You Can Do in this Chapter
Use the RTLS screen (Section 20.3 on page 353) to use the managed APs as part of an Ekahau
RTLS to track the location of Ekahau Wi-Fi tags.
20.2 Before You Begin
You need:
• At least three APs managed by the ZyWALL/USG (the more APs the better since it increases the
amount of information the Ekahau RTLS Controller has for calculating the location of the tags)
• IP addresses for the Ekahau Wi-Fi tags
• A dedicated RTLS SSID is recommended
• Ekahau RTLS Controller in blink mode with TZSP Updater enabled
• Security policies to allow RTLS traffic if the ZyWALL/USG security policy control is enabled or the
Ekahau RTLS Controller is behind a firewall.
For example, if the Ekahau RTLS Controller is behind a firewall, open ports 8550, 8553, and 8569 to
allow traffic the APs send to reach the Ekahau RTLS Controller.
The following table lists default port numbers and types of packets RTLS uses.
Table 147 RTLS Traffic Port Numbers
PORT NUMBER | TYPE | DESCRIPTION
8548 | TCP | Ekahau T201 location update.
8549 | UDP | Ekahau T201 location update.
8550 | TCP | Ekahau T201 tag maintenance protocol and Ekahau RTLS Controller user interface.
8552 | UDP | Ekahau Location Protocol
8553 | UDP | Ekahau Maintenance Protocol
8554 | UDP | Ekahau T301 firmware update.
8560 | TCP | Ekahau Vision web interface
8562 | UDP | Ekahau T301W firmware update.
8569 | UDP | Ekahau TZSP Listener Port
20.3 Configuring RTLS
Click Configuration > RTLS to open this screen. Use this screen to turn RTLS (Real Time Location
System) on or off and specify the IP address and server port of the Ekahau RTLS Controller.
Figure 241 Configuration > RTLS
The following table describes the labels in this screen.
Table 148 Configuration > RTLS
LABEL: DESCRIPTION
Enable: Select this to use Wi-Fi to track the location of Ekahau Wi-Fi tags.
IP Address: Specify the IP address of the Ekahau RTLS Controller.
Server Port: Specify the server port number of the Ekahau RTLS Controller.
Apply: Click Apply to save your changes back to the ZyWALL/USG.
Reset: Click Reset to return the screen to its last-saved settings.
Chapter 21 Security Policy
21.1 Overview
A security policy is a template of security settings that can be applied to specific traffic at specific
times. The policy can be applied:
• to a specific direction of travel of packets (from / to)
• to a specific source and destination address objects
• to a specific type of traffic (services)
• to a specific user or group of users
• at a specific schedule
The policy can be configured:
• to allow or deny traffic that matches the criteria above
• to send a log or alert for traffic that matches the criteria above
• to apply the actions configured in the UTM profiles (application patrol, content filter, IDP,
anti-virus, anti-spam) to traffic that matches the criteria above
Note: Security policies can be applied to both IPv4 and IPv6 traffic.
The security policies can also limit the number of user sessions.
The following example shows the ZyWALL/USG’s default security policy behavior for a specific
direction of travel of packets (WAN to LAN traffic) and how stateful inspection works. A LAN user can
initiate a Telnet session from within the LAN zone and the ZyWALL/USG allows the response.
However, the ZyWALL/USG blocks incoming Telnet traffic initiated from the WAN zone and destined
for the LAN zone.
Figure 242 Default Directional Security Policy Example
21.1.1 What You Can Do in this Chapter
• Use the Security Policy Control screens (Section 21.2 on page 357) to enable or disable
policies, asymmetrical routes, and manage and configure policies.
• Use the Anomaly Detection and Prevention (ADP) screens (Section 21.3 on page 363) to
detect traffic with protocol anomalies and take appropriate action.
• Use the Session Control screens (see Section 21.3 on page 363) to limit the number of
concurrent NAT/security policies traffic sessions a client can use.
21.1.2 What You Need to Know
Stateful Inspection
The ZyWALL/USG uses stateful inspection in its security policies. The ZyWALL/USG restricts access
by screening data packets against defined access rules. It also inspects sessions. For example,
traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
Zones
A zone is a group of interfaces. Group the ZyWALL/USG’s interfaces into different zones based on
your needs. You can configure security policies for data passing between zones or even between
interfaces.
Default Directional Security Policy Behavior
Security Policies can be grouped based on the direction of travel of packets to which they apply.
The ZyWALL/USG has the following default Security Policy behavior for traffic going through the
ZyWALL/USG in various directions.
Table 149 Directional Security Policy Behavior
FROM ZONE TO ZONE: BEHAVIOR
From any to Device: DHCP traffic from any interface to the ZyWALL/USG is allowed.
From LAN1 to any (other than the ZyWALL/USG): Traffic from the LAN1 to any of the networks connected
to the ZyWALL/USG is allowed.
From LAN2 to any (other than the ZyWALL/USG): Traffic from the LAN2 to any of the networks connected
to the ZyWALL/USG is allowed.
From LAN1 to Device: Traffic from the LAN1 to the ZyWALL/USG itself is allowed.
From LAN2 to Device: Traffic from the LAN2 to the ZyWALL/USG itself is allowed.
From WAN to Device: The default services listed in To-Device Policies on page 356 are allowed from
the WAN to the ZyWALL/USG itself. All other WAN to ZyWALL/USG traffic is dropped.
From any to any: Traffic that does not match any Security policy is dropped. This includes
traffic from the WAN to any of the networks behind the ZyWALL/USG.
This also includes traffic to or from interfaces that are not assigned to a zone
(extra-zone traffic).
To-Device Policies
Policies with Device as the To Zone apply to traffic going to the ZyWALL/USG itself. By default:
• The Security Policy allows only LAN, or WAN computers to access or manage the ZyWALL/USG.
• The ZyWALL/USG allows DHCP traffic from any interface to the ZyWALL/USG.
• The ZyWALL/USG drops most packets from the WAN zone to the ZyWALL/USG itself and
generates a log except for AH, ESP, GRE, HTTPS, IKE, NATT.
When you configure a Security Policy rule for packets destined for the ZyWALL/USG itself, make
sure it does not conflict with your service control rule. The ZyWALL/USG checks the security policy
before the service control rules for traffic destined for the ZyWALL/USG.
A From Any To Device direction policy applies to traffic from an interface which is not in a zone.
Global Security Policies
Security Policies with from any and/or to any as the packet direction are called global Security
Policies. The global Security Policies are the only Security Policies that apply to an interface that is
not included in a zone. The from any policies apply to traffic coming from the interface and the to
any policies apply to traffic going to the interface.
Security Policy Rule Criteria
The ZyWALL/USG checks the schedule, user name (user’s login name on the ZyWALL/USG), source
IP address and object, destination IP address and object, IP protocol type of network traffic
(service) and UTM profile criteria against the Security Policies (in the order you list them). When
the traffic matches a policy, the ZyWALL/USG takes the action specified in the policy.
User Specific Security Policies
You can specify users or user groups in Security Policies. For example, to allow a specific user from
any computer to access a zone by logging in to the ZyWALL/USG, you can set up a policy based on
the user name only. If you also apply a schedule to the Security Policy, the user can only access the
network at the scheduled time. A user-aware Security Policy is activated whenever the user logs in
to the ZyWALL/USG and will be disabled after the user logs out of the ZyWALL/USG.
Session Limits
Accessing the ZyWALL/USG or network resources through the ZyWALL/USG requires a NAT session
and corresponding Security Policy session. Peer to peer applications, such as file sharing
applications, may use a large number of NAT sessions. A single client could use all of the available
NAT sessions and prevent others from connecting to or through the ZyWALL/USG. The ZyWALL/
USG lets you limit the number of concurrent NAT/Security Policy sessions a client can use.
21.2 The Security Policy Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL/USG’s LAN
IP address, return traffic may not go through the ZyWALL/USG. This is called an asymmetrical or
“triangle” route. This causes the ZyWALL/USG to reset the connection, as the connection has not
been acknowledged.
You can have the ZyWALL/USG permit the use of asymmetrical route topology on the network (not
reset the connection). However, allowing asymmetrical routes may let traffic from the WAN go
directly to the LAN without passing through the ZyWALL/USG. A better solution is to use virtual
interfaces to put the ZyWALL/USG and the backup gateway on separate subnets. Virtual interfaces
allow you to partition your network into logical sections over the same interface. See the chapter
about interfaces for more information.
By putting LAN 1 and the alternate gateway (A in the figure) in different subnets, all returning
network traffic must pass through the ZyWALL/USG to the LAN. The following steps and figure
describe such a scenario.
1 A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the
WAN.
2 The ZyWALL/USG reroutes the packet to gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the ZyWALL/USG.
4 The ZyWALL/USG then sends it to the computer on the LAN1 in Subnet 1.
Figure 243 Using Virtual Interfaces to Avoid Asymmetrical Routes
21.2.1 Configuring the Security Policy Control Screen
Click Configuration > Security Policy > Policy Control to open the Security Policy screen.
Use this screen to enable or disable the Security Policy and asymmetrical routes, set a maximum
number of sessions per host, and display the configured Security Policies. Specify from which zone
packets come and to which zone packets travel to display only the policies specific to the selected
direction. Note the following.
• Besides configuring the Security Policy, you also need to configure NAT rules to allow computers
on the WAN to access LAN devices.
• The ZyWALL/USG applies NAT (Destination NAT) settings before applying the Security Policies. So
for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you
configure a corresponding Security Policy to allow the traffic, you need to set the LAN IP address
as the destination.
• The ordering of your policies is very important as policies are applied in sequence.
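The ordered first-match evaluation described under Security Policy Rule Criteria, the default directional behavior of Table 149 and the two notes above (Destination NAT is applied before the policies, and policy order decides) modelled as an added Python example; this is not ZyXEL code, and the zone names, addresses and the "PROTO/port" service notation are assumptions made for illustration.

```python
"""Ordered first-match security policy evaluation, modelled after the
ZyWALL/USG behaviour this chapter describes.

Added example, not ZyXEL code. Zone names, addresses and the
"PROTO/port" service notation are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    name: str
    from_zone: str           # "any" matches every zone
    to_zone: str             # "any" matches every zone; "Device" is the firewall itself
    source: str = "any"      # "any" or an IPv4/IPv6 address or network (CIDR)
    destination: str = "any"
    service: str = "any"     # "any" or e.g. "TCP/23" (assumed notation)
    user: str = "any"        # "any" or a logged-in user name
    action: str = "allow"    # allow | deny | reject
    enabled: bool = True


@dataclass
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str
    user: str = "any"


def _addr_match(rule: str, addr: str) -> bool:
    return rule == "any" or ip_address(addr) in ip_network(rule, strict=False)


def _zone_match(rule: str, zone: str) -> bool:
    return rule in ("any", zone)


def matches(policy: Policy, pkt: Packet) -> bool:
    """True when every criterion of an enabled policy matches the packet."""
    return (policy.enabled
            and _zone_match(policy.from_zone, pkt.from_zone)
            and _zone_match(policy.to_zone, pkt.to_zone)
            and _addr_match(policy.source, pkt.src)
            and _addr_match(policy.destination, pkt.dst)
            and policy.service in ("any", pkt.service)
            and policy.user in ("any", pkt.user))


def default_action(pkt: Packet) -> str:
    """Default directional behaviour (Table 149), simplified: DHCP to the
    device (assumed here to be UDP/67) and traffic from LAN1/LAN2 is allowed,
    everything else, including WAN to LAN, is dropped. The WAN-to-Device
    service exceptions are left out of this model."""
    if pkt.to_zone == "Device" and pkt.service == "UDP/67":
        return "allow"
    if pkt.from_zone in ("LAN1", "LAN2"):
        return "allow"
    return "deny"


def evaluate(policies, pkt: Packet, dnat=None):
    """Return (action, policy name) for a packet.

    dnat maps a public destination address to the LAN address it is
    translated to. Destination NAT is applied before the policies are
    checked, so a policy meant to match the translated traffic has to name
    the LAN address, not the public one. Policies are checked top to bottom
    and the first match decides; unmatched traffic gets the default
    directional behaviour.
    """
    if dnat and pkt.dst in dnat:
        pkt = Packet(pkt.from_zone, pkt.to_zone, pkt.src,
                     dnat[pkt.dst], pkt.service, pkt.user)
    for policy in policies:
        if matches(policy, pkt):
            return policy.action, policy.name
    return default_action(pkt), "default"


if __name__ == "__main__":
    # Constructed scenario: a broad deny placed above a specific allow
    # shadows it; swapping the order makes the allow effective.
    deny_all = Policy("WAN_to_LAN1_Deny", "WAN", "LAN1", action="deny")
    allow_web = Policy("WAN_to_LAN1_Web", "WAN", "LAN1",
                       destination="192.168.1.10/32", service="TCP/80")
    web = Packet("WAN", "LAN1", "198.51.100.7", "192.168.1.10", "TCP/80")
    print(evaluate([deny_all, allow_web], web))   # ('deny', 'WAN_to_LAN1_Deny')
    print(evaluate([allow_web, deny_all], web))   # ('allow', 'WAN_to_LAN1_Web')
    # DNAT first: the packet arrives for the public address, but the policy
    # is matched against the translated LAN address.
    inbound = Packet("WAN", "LAN1", "198.51.100.7", "203.0.113.10", "TCP/80")
    print(evaluate([allow_web], inbound, {"203.0.113.10": "192.168.1.10"}))
```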
The following screen shows the Security Policy summary screen.
Figure 244 Configuration > Security Policy > Policy Control
The following table describes the labels in this screen.
Table 150 Configuration > Security Policy > Policy Control
LABEL: DESCRIPTION
Show Filter/Hide Filter: Click Show Filter to display IPv4 and IPv6 (if enabled) security policy
search filters.
IPv4 / IPv6 Configuration: Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled)
security policies based on direction, application, user, source, destination and/or schedule.
From / To: Select a zone to view all security policies from a particular zone and/or to a particular
zone. any means all zones.
IPv4 / IPv6 Source: Type an IPv4 or IPv6 IP address to view all security policies based on the
IPv4 / IPv6 source address object used.
  • An IPv4 IP address is written as four integer blocks separated by periods. This is an
  example IPv4 address: 172.16.6.7.
  • A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by
  colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.
IPv4 / IPv6 Destination: Type an IPv4 or IPv6 IP address to view all security policies based on the
IPv4 / IPv6 destination address object used.
  • An IPv4 IP address is written as four integer blocks separated by periods. This is an
  example IPv4 address: 172.16.6.7.
  • A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by
  colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.
Service: View all security policies based on the service object used.
User: View all security policies based on the user or user group object used.
Schedule: View all security policies based on the schedule object used.
General Settings: Enable or disable the Security Policy feature on the ZyWALL/USG.
Enable Policy Control: Select this to activate Security Policy on the ZyWALL/USG to perform access
control.
IPv4/IPv6 Policy Management: Use the following items to manage IPv4 and IPv6 policies.
Allow Asymmetrical Route: If an alternate gateway on the LAN has an IP address in the same subnet as
the ZyWALL/USG’s LAN IP address, return traffic may not go through the ZyWALL/USG. This is called an
asymmetrical or “triangle” route. This causes the ZyWALL/USG to reset the connection, as
the connection has not been acknowledged.
Select this check box to have the ZyWALL/USG permit the use of asymmetrical route
topology on the network (not reset the connection).
Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN
without passing through the ZyWALL/USG. A better solution is to use virtual
interfaces to put the ZyWALL/USG and the backup gateway on separate subnets.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after
the selected entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Move: To change a policy’s position in the numbered list, select the policy and click Move to
display a field to type a number for where you want to put that policy and press [ENTER] to
move the policy to the number that you typed.
The ordering of your policies is important as they are applied in order of their numbering.
Clone: Use Clone to create a new entry by modifying an existing one.
  • Select an existing entry.
  • Click Clone, type a number where the new entry should go and then press [ENTER].
  • A configuration copy of the selected entry pops up. You must at least change the name
  as duplicate entry names are not allowed.
The following read-only fields summarize the policies you have created that apply to traffic traveling in the
selected packet direction.
Priority: This is the position of your Security Policy in the global policy list (including all
through-ZyWALL/USG and to-ZyWALL/USG policies). The ordering of your policies is important as
policies are applied in sequence. Default displays for the default Security Policy behavior
that the ZyWALL/USG performs on traffic that does not match any other Security Policy.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Name: This is the name of the Security policy.
From / To: This is the direction of travel of packets. Select from which zone the packets come and to
which zone they go.
Security Policies are grouped based on the direction of travel of packets to which they
apply. For example, from LAN to LAN means packets traveling from a computer or subnet
on the LAN to either another computer or subnet on the LAN.
From any displays all the Security Policies for traffic going to the selected To Zone.
To any displays all the Security Policies for traffic coming from the selected From Zone.
From any to any displays all of the Security Policies.
To ZyWALL policies are for traffic that is destined for the ZyWALL/USG and control which
computers can manage the ZyWALL/USG.
IPv4 / IPv6 Source: This displays the IPv4 / IPv6 source address object to which this Security Policy
applies.
IPv4 / IPv6 Destination: This displays the IPv4 / IPv6 destination address object to which this Security
Policy applies.
Service: This displays the service object to which this Security Policy applies.
User: This is the user name or user group name to which this Security Policy applies.
Schedule: This field tells you the schedule object that the policy uses. none means the policy is active
at all times if enabled.
Action: This field displays whether the Security Policy silently discards packets without notification
(deny), permits the passage of packets (allow) or drops packets with notification (reject).
UTM Profile: This field shows you which UTM profiles (application patrol, content filter, IDP, anti-virus,
anti-spam) apply to this Security policy. Click an applied UTM profile icon to edit the profile
directly.
Apply: Click Apply to save your changes back to the ZyWALL/USG.
Reset: Click Reset to return the screen to its last-saved settings.
21.2.2 The Security Policy Control Add/Edit Screen
In the Security Policy Control screen, click the Edit or Add icon to display the Security Policy
Edit or Add screen.
Figure 245 Configuration > Security Policy > Policy Control > Add
The following table describes the labels in this screen.
Table 151 Configuration > Security Policy > Policy Control > Add
LABEL: DESCRIPTION
Create new Object: Use to configure any new settings objects that you need to use in this screen.
Enable: Select this check box to activate the Security policy.
Name: Type a name to identify the policy.
Description: Enter a descriptive name of up to 60 printable ASCII characters for the Policy. Spaces are
allowed.
From / To: For through-ZyWALL/USG policies, select the direction of travel of packets to which the
policy applies.
any means all interfaces.
Device means packets destined for the ZyWALL/USG itself.
Source: Select an IPv4 / IPv6 address or address group object to apply the policy to traffic coming
from it. Select any to apply the policy to all traffic coming from IPv4 / IPv6 addresses.
Destination: Select an IPv4 / IPv6 address or address group to apply the policy to traffic going to it.
Select any to apply the policy to all traffic going to IPv4 / IPv6 addresses.
Service: Select a service or service group from the drop-down list box.
Table 151 Configuration > Security Policy > Policy Control > Add (continued)
LABEL
DESCRIPTION
User
This field is not available when you are configuring a to-ZyWALL/USG policy.
Select a user name or user group to which to apply the policy. The Security Policy is
activated only when the specified user logs into the system and the policy will be disabled
when the user logs out.
Otherwise, select any and there is no need for user logging.
Note: If you specified a source IP address (group) instead of any in the field below, the user’s
IP address should be within the IP address range.
Schedule
Select a schedule that defines when the policy applies. Otherwise, select none and the
policy is always effective.
Action
Use the drop-down list box to select what the Security Policy is to do with packets that
match this policy.
Select deny to silently discard the packets without sending a TCP reset packet or an ICMP
destination-unreachable message to the sender.
Select reject to discard the packets and send a TCP reset packet or an ICMP destinationunreachable message to the sender.
Select allow to permit the passage of the packets.
Log matched
traffic
Select whether to have the ZyWALL/USG generate a log (log), log and alert (log alert) or
not (no) when the policy is matched to the criteria listed above..
UTM Profile
Use this section to apply anti- x profiles (created in the Configuration > UTM Profile
screens) to traffic that matches the criteria above. You must have created a profile first;
otherwise none displays.
Use Log to generate a log (log), log and alert (log alert) or not (no) for all traffic that
matches criteria in the profile.
Application Patrol
Select an Application Patrol profile from the list box; none displays if no profiles have been
created in the Configuration > UTM Profile > App Patrol screen.
Content Filter
Select a Content Filter profile from the list box; none displays if no profiles have been
created in the Configuration > UTM Profile > Content Filter screen.
IDP
Select an IDP profile from the list box; none displays if no profiles have been created in the
Configuration > UTM Profile > IDP screen.
Anti-Virus
Select an Anti-Virus profile from the list box; none displays if no profiles have been created
in the Configuration > UTM Profile > Anti-Virus screen.
Anti-Spam
Select an Anti-Spam profile from the list box; none displays if no profiles have been created
in the Configuration > UTM Profile > Anti-Spam screen.
SSL Inspection
Select an SSL Inspection profile from the list box; none displays if no profiles have been
created in the Configuration > UTM Profile > SSL Inspection screen.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
21.3 Anomaly Detection and Prevention Overview
Anomaly Detection and Prevention (ADP) protects against anomalies based on violations of protocol
standards (RFCs – Requests for Comments) and abnormal flows such as port scans. This section
introduces ADP, anomaly profiles and applying an ADP profile to a traffic direction.
Traffic Anomalies
Traffic anomaly policies look for abnormal behavior or events such as port scanning, sweeping or
network flooding. They operate at OSI layer-2 and layer-3. Traffic anomaly policies may be updated
when you upload new firmware.
Protocol Anomalies
Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments).
Protocol anomaly detection includes:
• TCP Decoder
• UDP Decoder
• ICMP Decoder
Protocol anomaly policies may be updated when you upload new firmware.
Note: First, create an ADP profile in the Configuration > Security Policy > ADP > Profile
screen. Then, apply the profile to traffic originating from a specific zone in the
Configuration > Security Policy > ADP > General screen.
21.3.1 The Anomaly Detection and Prevention General Screen
Click Configuration > Security Policy > ADP > General to display the next screen.
Figure 246 Configuration > Security Policy > ADP > General
The following table describes the labels in this screen.
Table 152 Configuration > Security Policy > ADP > General
LABEL
DESCRIPTION
General Settings
Enable Anomaly Detection and Prevention
Select this to enable traffic anomaly and protocol anomaly detection and
prevention.
Add
Select an entry and click Add to append a new row beneath the one selected.
ADP policies are applied in the order (Priority) shown in this screen.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Move
To change an entry’s position in the numbered list, select it and click Move to
display a field to type a number for where you want to put that entry and press
[ENTER] to move the entry to the number that you typed.
#
This is the entry’s index number in the list.
Priority
This is the rank in the list of anomaly profile policies. The list is applied in order
of priority.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the
entry is inactive.
From
This is the direction of travel of packets to which an anomaly profile is bound.
Traffic direction is defined by the zone the traffic is coming from.
Use the From field to specify the zone from which the traffic is coming. Select
ZyWALL to specify traffic coming from the ZyWALL/USG itself.
From LAN means packets traveling from a computer on one LAN subnet to a
computer on another subnet via the ZyWALL/USG’s LAN1 zone interfaces. The
ZyWALL/USG does not check packets traveling from a LAN computer to another
LAN computer on the same subnet.
From WAN means packets that come in from the WAN zone and the ZyWALL/
USG routes back out through the WAN zone.
Note: Depending on your network topology and traffic load, applying every packet
direction to an anomaly profile may affect the ZyWALL/USG’s
performance.
Anomaly Profile
An anomaly profile is a set of anomaly policies with configured activation, log
and action settings. This field shows which anomaly profile is bound to which
traffic direction. Select an ADP profile to apply to the entry’s traffic direction.
Configure the ADP profiles in the ADP profile screens.
21.3.2 Creating New ADP Profiles
Create new ADP profiles in the Configuration > Security Policy > ADP > Profile screens.
When creating ADP profiles, you may find that certain policies are triggering too many false
positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false
negative is when invalid traffic is wrongly allowed to pass through the ZyWALL/USG. As each
network is different, false positives and false negatives are common on initial ADP deployment.
To counter this, you could create a ‘monitor profile’ that creates logs, but all actions are disabled.
Observe the logs over time and try to eliminate the causes of the false alarms. When you’re
satisfied that they have been reduced to an acceptable level, you could then create an ‘in-line
profile’ whereby you configure appropriate actions to be taken when a packet matches a policy.
ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To create a new
profile, select a base profile and then click OK to go to the profile details screen. Type a new profile
name, enable or disable individual policies and then edit the default log options and actions.
Click Configuration > Security Policy > ADP > Profile to view the following screen.
Figure 247 Configuration > Security Policy > ADP > Profile
The following table describes the labels in this screen.
Table 153 Configuration > Security Policy > ADP > Profile
LABEL
DESCRIPTION
Profile Management
Create ADP profiles here and then apply them in the Configuration > Security
Policy > ADP > Profile screen.
Add
Click Add and first choose a none or all Base Profile.
• none base profile sets all ADP entries to have Log set to no and Action set
to none by default.
• all base profile sets all ADP entries to have Log set to log and Action set to
block by default.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Clone
Use Clone to create a new entry by modifying an existing one.
• Select an existing entry.
• Click Clone.
• A configuration copy of the selected entry pops up. You must at least change
the name as duplicate entry names are not allowed.
#
This is the entry’s index number in the list.
Name
This is the name of the profile you created.
Description
This is the description of the profile you created.
Base Profile
This is the name of the base profile used to create this profile.
Reference
This is the number of object references used to create this profile.
21.3.3 Traffic Anomaly Profiles
Traffic anomaly detection looks for abnormal behavior such as scan or flooding attempts. In the
Configuration > Security Policy > ADP > Profile screen, click the Edit or Add icon and choose
a base profile. Traffic Anomaly is the first tab in the profile.
Figure 248 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly
The following table describes the labels in this screen.
Table 154 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly
LABELS
DESCRIPTION
Name
A name is automatically generated that you can edit. The name must be the
same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP
profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes
(-), but the first character cannot be a number. This value is case-sensitive.
These are valid, unique profile names:
• MyProfile
• mYProfile
• Mymy12_3-4
These are invalid profile names:
• 1mYProfile
• My Profile
• MyProfile?
• Whatalongprofilename123456789012
Description
In addition to the name, type additional information to help you identify this ADP
profile.
Scan/Flood Detection
Scan detection, such as port scanning, tries to find attacks where an attacker
scans device(s) to determine what types of network protocols or services a
device supports.
Flood detection tries to find attacks that saturate a network with useless data,
use up all available bandwidth, and so aim to make communications in the
network impossible.
Sensitivity
(Scan detection only.) Select a sensitivity level so as to reduce false positives in
your network. If you choose low sensitivity, then scan thresholds and sample
times are set low, so you will have fewer logs and false positives; however some
traffic anomaly attacks may not be detected.
If you choose high sensitivity, then scan thresholds and sample times are set
high, so most traffic anomaly attacks will be detected; however you will have
more logs and false positives.
Block Period
Specify for how many seconds the ZyWALL/USG blocks all packets from being
sent to the victim (destination) of a detected anomaly attack. Flood Detection
applies blocking to the destination IP address and Scan Detection applies
blocking to the source IP address.
Edit (Flood Detection only)
Select an entry and click this to be able to modify it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Log
To edit an item’s log option, select it and use the Log icon. Select whether to
have the ZyWALL/USG generate a log (log), log and alert (log alert) or neither
(no) when traffic matches this anomaly policy.
Action
To edit what action the ZyWALL/USG takes when a packet matches a policy,
select the policy and use the Action icon.
none: The ZyWALL/USG takes no action when a packet matches the policy.
block: The ZyWALL/USG silently drops packets that match the policy. Neither
sender nor receiver is notified.
#
This is the entry’s index number in the list.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the
entry is inactive.
Name
This is the name of the anomaly policy. Click the Name column heading to sort
in ascending or descending order according to the protocol anomaly policy
name.
Log
These are the log options. To edit this, select an item and use the Log icon.
Action
This is the action the ZyWALL/USG should take when a packet matches a policy.
To edit this, select an item and use the Action icon.
Threshold (pkt/sec)
(Flood detection only.) Select a suitable threshold level (the number of packets
per second that match the flood detection criteria) for your network. If you
choose a low threshold, most traffic anomaly attacks will be detected, but you
may have more logs and false positives.
If you choose a high threshold, some traffic anomaly attacks may not be
detected, but you will have fewer logs and false positives.
OK
Click OK to save your settings to the ZyWALL/USG, complete the profile and
return to the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
Save
Click Save to save the configuration to the ZyWALL/USG but remain in the same
page. You may then go to another profile screen (tab) in order to complete
the profile. Click OK in the final profile screen to complete the profile.
21.3.4 Protocol Anomalies
Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments).
Protocol anomaly detection includes:
• TCP Decoder
• UDP Decoder
• ICMP Decoder
Figure 249 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly
The following table describes the labels in this screen.
Table 155 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly
LABEL
DESCRIPTION
Name
A name is automatically generated that you can edit. The name must be the
same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP
profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes
(-), but the first character cannot be a number. This value is case-sensitive.
These are valid, unique profile names:
• MyProfile
• mYProfile
• Mymy12_3-4
These are invalid profile names:
• 1mYProfile
• My Profile
• MyProfile?
• Whatalongprofilename123456789012
Description
In addition to the name, type additional information to help you identify this ADP
profile.
TCP Decoder/UDP Decoder/ICMP Decoder
Perform the following actions for each type of decoder.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Log
To edit an item’s log option, select it and use the Log icon. Select whether to
have the ZyWALL/USG generate a log (log), log and alert (log alert) or neither
(no) when traffic matches this anomaly policy.
Action
To edit what action the ZyWALL/USG takes when a packet matches a policy,
select the policy and use the Action icon.
original setting: Select this action to return each rule in a service group to its
previously saved configuration.
none: Select this action to have the ZyWALL/USG take no action when a packet
matches a policy.
drop: Select this action to have the ZyWALL/USG silently drop a packet that
matches a policy. Neither sender nor receiver are notified.
reject-sender: Select this action to have the ZyWALL/USG send a reset to the
sender when a packet matches the policy. If it is a TCP attack packet, the
ZyWALL/USG will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack
packet, the ZyWALL/USG will send an ICMP unreachable packet.
reject-receiver: Select this action to have the ZyWALL/USG send a reset to the
receiver when a packet matches the policy. If it is a TCP attack packet, the
ZyWALL/USG will send a packet with a ‘RST’ flag. If it is an ICMP or UDP
attack packet, the ZyWALL/USG will do nothing.
reject-both: Select this action to have the ZyWALL/USG send a reset to both
the sender and receiver when a packet matches the policy. If it is a TCP attack
packet, the ZyWALL/USG will send a packet with a ‘RST’ flag to the receiver and
sender. If it is an ICMP or UDP attack packet, the ZyWALL/USG will send an ICMP
unreachable packet.
#
This is the entry’s index number in the list.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the
entry is inactive.
Name
This is the name of the anomaly policy. Click the Name column heading to sort
in ascending or descending order according to the protocol anomaly policy
name.
Log
These are the log options. To edit this, select an item and use the Log icon.
Action
This is the action the ZyWALL/USG should take when a packet matches a policy.
To edit this, select an item and use the Action icon.
OK
Click OK to save your settings to the ZyWALL/USG, complete the profile and
return to the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
Save
Click Save to save the configuration to the ZyWALL/USG but remain in the same
page. You may then go to another profile screen (tab) in order to complete
the profile. Click OK in the final profile screen to complete the profile.
21.4 The Session Control Screen
Click Configuration > Security Policy > Session Control to display the Security Policy
Session Control screen. Use this screen to limit the number of concurrent NAT/Security Policy
sessions a client can use. You can apply a default limit for all users and individual limits for specific
users, addresses, or both. The individual limit takes priority if you apply both.
Figure 250 Configuration > Security Policy > Session Control
The following table describes the labels in this screen.
Table 156 Configuration > Security Policy > Session Control
LABEL
DESCRIPTION
General Settings
UDP Session Time Out
Set how many seconds (from 1 to 300) the ZyWALL/USG will allow a UDP session to
remain idle (without UDP traffic) before closing it.
Session Limit Settings
Enable Session limit
Select this check box to control the number of concurrent sessions hosts can have.
IPv4 / IPv6 Rule Summary
This table lists the rules for limiting the number of concurrent sessions hosts can have.
Default Session per Host
This field is configurable only when you enable session limit.
Use this field to set a common limit to the number of concurrent NAT/Security Policy
sessions each client computer can have.
If only a few clients use peer to peer applications, you can raise this number to improve
their performance. With heavy peer to peer application use, lower this number to ensure
no single client uses too many of the available NAT sessions.
Create rules below to apply other limits for specific users or addresses.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after
the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Move
To change a rule’s position in the numbered list, select the rule and click Move to display a
field to type a number for where you want to put that rule and press [ENTER] to move the
rule to the number that you typed.
The ordering of your rules is important as they are applied in order of their numbering.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the index number of a session limit rule. It is not associated with a specific rule.
User
This is the user name or user group name to which this session limit rule applies.
IPv4 / IPv6 Address
This is the IPv4 / IPv6 address object to which this session limit rule applies.
Description
This is the information configured to help you identify the rule.
Limit
This is how many concurrent sessions this user or address is allowed to have.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
21.4.1 The Session Control Add/Edit Screen
Click Configuration > Security Policy > Session Control and the Add or Edit icon to display
the Add or Edit screen. Use this screen to configure rules that define a session limit for specific
users or addresses.
Figure 251 Configuration > Security Policy > Session Control > Edit
The following table describes the labels in this screen.
Table 157 Configuration > Security Policy > Session Control > Add / Edit
LABEL
DESCRIPTION
Create new Object
Use to configure new settings for User or Address objects that you need to use in this
screen. Click on the down arrow to see the menu.
Enable Rule
Select this check box to turn on this session limit rule.
Description
Enter information to help you identify this rule. Use up to 60 printable ASCII characters.
Spaces are allowed.
User
Select a user name or user group to which to apply the rule. The rule is activated only
when the specified user logs into the system and the rule will be disabled when the user
logs out.
Otherwise, select any and there is no need for user logging.
Note: If you specified an IP address (or address group) instead of any in the field below, the
user’s IP address should be within the IP address range.
Address
Select the IPv4 source address or address group to which this rule applies. Select any to
apply the rule to all IPv4 source addresses.
IPv6 Address
Select the IPv6 source address or address group to which this rule applies. Select any to
apply the rule to all IPv6 source addresses.
Session Limit per Host
Use this field to set a limit to the number of concurrent NAT/Security Policy sessions this
rule’s users or addresses can have.
For this rule’s users and addresses, this setting overrides the Default Session per Host
setting in the general Security Policy Session Control screen.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
21.5 Security Policy Example Applications
Suppose you decide to block LAN users from using IRC (Internet Relay Chat) through the Internet.
To do this, you would configure a LAN to WAN Security Policy that blocks IRC traffic from any source
IP address from going to any destination address. You do not need to specify a schedule since you
need the Security Policy to always be in effect. The following figure shows the results of this policy.
Figure 252 Blocking All LAN to WAN IRC Traffic Example
Your Security Policy would have the following settings.
Table 158 Blocking All LAN to WAN IRC Traffic Example
#   USER   SOURCE   DESTINATION   SCHEDULE   UTM PROFILE   ACTION
1   Any    Any      Any           Any        IRC           Deny
2   Any    Any      Any           Any        Any           Allow
• The first row blocks LAN access to the IRC service on the WAN.
• The second row is the Security Policy’s default policy that allows all LAN1 to WAN traffic.
The ZyWALL/USG applies the security policies in order. So for this example, when the ZyWALL/USG
receives traffic from the LAN, it checks it against the first policy. If the traffic matches (if it is IRC
traffic) the security policy takes the action in the policy (drop) and stops checking the subsequent
security policies. Any traffic that does not match the first security policy will match the second
security policy and the ZyWALL/USG forwards it.
Now suppose you need to let the CEO use IRC. You configure a LAN1 to WAN security policy that
allows IRC traffic from the IP address of the CEO’s computer. You can also configure a LAN to WAN
policy that allows IRC traffic from any computer through which the CEO logs into the ZyWALL/USG
with his/her user name. In order to make sure that the CEO’s computer always uses the same IP
address, make sure it either:
• Has a static IP address, or
• You configure a static DHCP entry for it so the ZyWALL/USG always assigns it the same IP
address.
Now you configure a LAN1 to WAN security policy that allows IRC traffic from the IP address of the
CEO’s computer (172.16.1.7 for example) to go to any destination address. You do not need to
specify a schedule since you want the security policy to always be in effect. The following figure
shows the results of your two custom policies.
Figure 253 Limited LAN to WAN IRC Traffic Example
Your security policy would have the following configuration.
Table 159 Limited LAN1 to WAN IRC Traffic Example 1
#   USER   SOURCE       DESTINATION   SCHEDULE   UTM PROFILE   ACTION
1   Any    172.16.1.7   Any           Any        IRC           Allow
2   Any    Any          Any           Any        IRC           Deny
3   Any    Any          Any           Any        Any           Allow
• The first row allows the LAN1 computer at IP address 172.16.1.7 to access the IRC service on the
WAN.
• The second row blocks LAN1 access to the IRC service on the WAN.
• The third row is the default policy of allowing all traffic from the LAN1 to go to the WAN.
Alternatively, you configure a LAN1 to WAN policy with the CEO’s user name (say CEO) to allow IRC
traffic from any source IP address to go to any destination address.
Your Security Policy would have the following settings.
Table 160 Limited LAN1 to WAN IRC Traffic Example 2
#   USER   SOURCE   DESTINATION   SCHEDULE   UTM PROFILE   ACTION
1   CEO    Any      Any           Any        IRC           Allow
2   Any    Any      Any           Any        IRC           Deny
3   Any    Any      Any           Any        Any           Allow
• The first row allows any LAN1 computer to access the IRC service on the WAN by logging into the
ZyWALL/USG with the CEO’s user name.
• The second row blocks LAN1 access to the IRC service on the WAN.
• The third row is the default policy of allowing all traffic from the LAN1 to go to the WAN.
The policy for the CEO must come before the policy that blocks all LAN1 to WAN IRC traffic. If the
policy that blocks all LAN1 to WAN IRC traffic came first, the CEO’s IRC traffic would match that
policy and the ZyWALL/USG would drop it and not check any other security policies.
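A first-match evaluator over the three policy tables above, written as an added example (not ZyWALL/USG code): the IRC value is modelled as the matched service, as the text describes it, and the shadowed-rule check goes beyond the tables to flag the misordering the last paragraph warns about. The empty user name stands for a client who is not logged in.

```python
"""First-match evaluation of the LAN1-to-WAN policies in Tables 158 to 160."""
from dataclasses import dataclass

ANY = "any"   # the "Any" value in the tables: matches every value of that field


@dataclass(frozen=True)
class Policy:
    user: str       # user name or group the client must be logged in as, or ANY
    source: str     # source IP address, or ANY (destination/schedule are Any throughout)
    service: str    # matched service, e.g. "IRC", or ANY
    action: str     # "allow" or "deny"

    def matches(self, user: str, source: str, service: str) -> bool:
        wanted = (self.user, self.source, self.service)
        actual = (user, source, service)
        return all(w == ANY or w == a for w, a in zip(wanted, actual))


def evaluate(policies, user, source, service):
    """Walk the list in order and stop at the first match, as the ZyWALL/USG does.
    Returns (action, 1-based index of the matching policy)."""
    for index, policy in enumerate(policies, start=1):
        if policy.matches(user, source, service):
            return policy.action, index
    # Assumption for this model only: every table above ends with a default
    # allow, so this fallback is never reached with those lists.
    return "deny", None


def shadowed_rules(policies):
    """Return (later, earlier) index pairs where an earlier rule matches everything
    the later one would, so the later rule can never take effect. This is the
    ordering mistake the text warns about: the CEO rule placed after deny-all-IRC."""
    found = []
    for j, later in enumerate(policies):
        for i in range(j):
            earlier = policies[i]
            covered = all(
                e == ANY or e == l
                for e, l in zip((earlier.user, earlier.source, earlier.service),
                                (later.user, later.source, later.service)))
            if covered:
                found.append((j + 1, i + 1))
                break
    return found


# Table 158: deny all IRC, then the default allow
BLOCK_ALL_IRC = [Policy(ANY, ANY, "IRC", "deny"), Policy(ANY, ANY, ANY, "allow")]
# Table 159: the CEO's computer at 172.16.1.7 is allowed IRC before the deny rule
CEO_BY_ADDRESS = [Policy(ANY, "172.16.1.7", "IRC", "allow")] + BLOCK_ALL_IRC
# Table 160: the CEO user name is allowed IRC from any address before the deny rule
CEO_BY_USER = [Policy("CEO", ANY, "IRC", "allow")] + BLOCK_ALL_IRC
# The misordering the text warns against (constructed): deny-all-IRC comes first
MISORDERED = [BLOCK_ALL_IRC[0], Policy("CEO", ANY, "IRC", "allow"), BLOCK_ALL_IRC[1]]

if __name__ == "__main__":
    print(evaluate(BLOCK_ALL_IRC, "", "192.168.1.10", "IRC"))   # ('deny', 1)
    print(evaluate(CEO_BY_ADDRESS, "", "172.16.1.7", "IRC"))    # ('allow', 1)
    print(evaluate(CEO_BY_USER, "CEO", "172.16.1.99", "IRC"))   # ('allow', 1)
    print(evaluate(MISORDERED, "CEO", "172.16.1.99", "IRC"))    # ('deny', 1)
    print(shadowed_rules(MISORDERED))                            # [(2, 1)]
```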
Chapter 22
IPSec VPN
22.1 Virtual Private Networks (VPN) Overview
A virtual private network (VPN) provides secure communications between sites without the expense
of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication,
access control and auditing. It is used to transport traffic over the Internet or any insecure network
that uses TCP/IP for communication.
IPSec VPN
Internet Protocol Security (IPSec) VPN connects IPSec routers or remote users using IPSec client
software. This standards-based VPN offers flexible solutions for secure data communications across
a public network. IPSec is built around a number of standardized cryptographic techniques to
provide confidentiality, data integrity and authentication at the IP layer. The ZyWALL/USG can also
combine multiple IPSec VPN connections into one secure network. Here local ZyWALL/USG X uses
an IPSec VPN tunnel to remote (peer) ZyWALL/USG Y to connect the local (A) and remote (B)
networks.
Figure 254 IPSec VPN Example
Internet Key Exchange (IKE): IKEv1 and IKEv2
The ZyWALL/USG supports IKEv1 and IKEv2 for IPv4 and IPv6 traffic. IKE (Internet Key Exchange)
is a protocol used in setting up security associations that allows two parties to send data securely.
IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to
set up a shared session secret from which encryption keys are derived. A security policy for each
peer must be manually created.
IPSec VPN consists of two phases: Phase 1 and Phase 2. Phase 1's purpose is to establish a secure
authenticated communication channel by using the Diffie–Hellman key exchange algorithm to
generate a shared secret key to encrypt IKE communications. This negotiation results in one single
bi-directional ISAKMP Security Association (SA). The authentication can be performed using either
pre-shared key (shared secret), signatures, or public key encryption. Phase 1 operates in either
Main Mode or Aggressive Mode. Main Mode protects the identity of the peers, but Aggressive
Mode does not.
During Phase 2, the remote IPSec routers use the secure channel established in Phase 1 to
negotiate Security Associations for IPsec. The negotiation results in a minimum of two
unidirectional security associations (one inbound and one outbound). Phase 2 uses Quick Mode
(only). Quick mode occurs after IKE has established the secure tunnel in Phase 1. It negotiates a
shared IPSec policy, derives shared secret keys used for the IPSec security algorithms, and
establishes IPSec SAs. Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA
lifetime expires.
In the ZyWALL/USG, use the VPN Connection tab to set up Phase 2 and the VPN Gateway tab to
set up Phase 1.
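A toy model of the Phase 1 / Phase 2 key setup just described, added here as an example and not ZyWALL/USG code or the real IKE message format: a constructed small Diffie-Hellman group and HMAC-SHA256 stand in for the negotiated group and PRF, and a single PSK-keyed authentication value stands in for the Main Mode or Aggressive Mode exchanges.

```python
"""Two-phase IPSec key setup: one bidirectional IKE SA key from Phase 1,
two unidirectional IPSec SA keys from Phase 2, rerun to rekey."""
import hashlib
import hmac
import secrets

# Constructed toy group: a Mersenne prime with generator 2. Far too small
# for real use; IKE negotiates a standard MODP/ECP group instead.
P = 2**127 - 1
G = 2
NBYTES = 16  # every group element fits in 16 bytes


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the negotiated pseudo-random function."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class IpsecRouter:
    def __init__(self, name: str, psk: bytes):
        self.name, self.psk = name, psk
        self.nonce = secrets.token_bytes(16)
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.ike_key = None        # the single bidirectional IKE SA key
        self.ipsec_keys = None     # {"inbound": ..., "outbound": ...}

    # ---- Phase 1: DH + nonces, authenticated with the pre-shared key ----
    def phase1_derive(self, peer_pub: int, peer_nonce: bytes, initiator: bool) -> bytes:
        g_xy = pow(peer_pub, self.priv, P).to_bytes(NBYTES, "big")
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        # The PSK keys the PRF over both nonces, then the DH secret is mixed in:
        # both sides get the same key only if they share the PSK and the DH secret.
        skeyid = prf(self.psk, ni, nr)
        self.ike_key = prf(skeyid, g_xy)
        return self.ike_key

    def phase1_auth(self) -> bytes:
        """Proof, bound to this router's identity and DH value, that it knows the PSK."""
        return prf(self.ike_key, self.name.encode(), self.pub.to_bytes(NBYTES, "big"))

    def verify_peer_auth(self, peer_name: str, peer_pub: int, auth: bytes) -> bool:
        expected = prf(self.ike_key, peer_name.encode(), peer_pub.to_bytes(NBYTES, "big"))
        return hmac.compare_digest(expected, auth)

    # ---- Phase 2 (Quick Mode): per-direction IPSec SA keys from the IKE SA ----
    def phase2_derive(self, spi: bytes, ni: bytes, nr: bytes, initiator: bool) -> dict:
        # Fresh nonces on every run, so rerunning when the SA lifetime expires rekeys.
        i_to_r = prf(self.ike_key, spi, ni, nr, b"I->R")
        r_to_i = prf(self.ike_key, spi, ni, nr, b"R->I")
        self.ipsec_keys = ({"outbound": i_to_r, "inbound": r_to_i} if initiator
                           else {"outbound": r_to_i, "inbound": i_to_r})
        return self.ipsec_keys


def establish_tunnel(psk_x: bytes, psk_y: bytes):
    """Run Phase 1 then Phase 2 between router X (initiator) and router Y (responder).
    Returns (X's IPSec keys, Y's IPSec keys), or None if Phase 1 authentication fails."""
    x, y = IpsecRouter("X", psk_x), IpsecRouter("Y", psk_y)
    # Phase 1: DH public values and nonces cross the wire, then each side
    # proves knowledge of the PSK under the derived IKE key.
    x.phase1_derive(y.pub, y.nonce, initiator=True)
    y.phase1_derive(x.pub, x.nonce, initiator=False)
    if not (x.verify_peer_auth("Y", y.pub, y.phase1_auth())
            and y.verify_peer_auth("X", x.pub, x.phase1_auth())):
        return None   # PSK mismatch: no IKE SA, so Phase 2 never starts
    # Phase 2 inside the IKE SA: an SPI and fresh nonces for this IPSec SA pair
    spi, nx, ny = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    return (x.phase2_derive(spi, nx, ny, initiator=True),
            y.phase2_derive(spi, nx, ny, initiator=False))


if __name__ == "__main__":
    xk, yk = establish_tunnel(b"example-psk", b"example-psk")   # constructed PSK
    print(xk["outbound"] == yk["inbound"], xk["inbound"] == yk["outbound"])  # True True
    print(establish_tunnel(b"example-psk", b"wrong-psk") is None)           # True
```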
Some differences between IKEv1 and IKEv2 include:
• IKEv2 uses less bandwidth than IKEv1. IKEv2 uses one exchange procedure with 4 messages.
IKEv1 uses two phases with Main Mode (9 messages) or Aggressive Mode (6 messages) in phase
1.
• IKEv2 supports Extensible Authentication Protocol (EAP) authentication, and IKEv1 supports XAuth. EAP is important when connecting to existing enterprise authentication systems.
• IKEv2 always uses NAT traversal and Dead Peer Detection (DPD), but they can be disabled in
IKEv1 using ZyWALL/USG firmware (the default is on).
• Configuration payload (includes the IP address pool in the VPN setup data) is supported in IKEv2
(off by default), but not in IKEv1.
• Narrowed (has the SA apply only to IP addresses in common between the ZyWALL/USG and the
remote IPSec router) is supported in IKEv2, but not in IKEv1.
• The IKEv2 protocol supports connectivity checks, which are used to detect whether the tunnel is
still up or not. If the check fails (the tunnel is down), IKEv2 can re-establish the connection
automatically. The ZyWALL/USG uses firmware to perform connectivity checks when using IKEv1.
SSL VPN
SSL VPN uses remote users’ web browsers to provide the easiest-to-use of the ZyWALL/USG’s VPN
solutions. A user just browses to the ZyWALL/USG’s web address and enters his user name and
password to securely connect to the ZyWALL/USG’s network. Remote users do not need to
configure security settings. Here a user uses his browser to securely connect to network resources
in the same way as if he were part of the internal network. See Chapter 23 on page 411 for more
on SSL VPN.
Figure 255 SSL VPN (figure labels: LAN (192.168.1.X), https://, Web Mail, File Share, Web-based Application, Non-Web Application, Server)
L2TP VPN
L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or
Windows operating systems for secure connections to the network behind the ZyWALL/USG. The
remote users do not need their own IPSec gateways or third-party VPN client software. For
example, configure sales representatives’ laptops, tablets, or smartphones to securely connect to
the ZyWALL/USG’s network. See Chapter 26 on page 439 for more on L2TP over IPSec.
Figure 256 L2TP VPN
22.1.1 What You Can Do in this Chapter
• Use the VPN Connection screens (see Section 22.2 on page 381) to specify which IPSec VPN
gateway an IPSec VPN connection policy uses, which devices behind the IPSec routers can use
the VPN tunnel, and the IPSec SA settings (phase 2 settings). You can also activate or deactivate
and connect or disconnect each VPN connection (each IPSec SA).
• Use the VPN Gateway screens (see Section 22.2.1 on page 382) to manage the ZyWALL/USG’s
VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the
IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway.
• Use the VPN Concentrator screens (see Section 22.4 on page 397) to combine several IPSec
VPN connections into a single secure network.
• Use the Configuration Provisioning screen (see Section 22.5 on page 399) to set who can
retrieve VPN rule settings from the ZyWALL/USG using the ZyWALL/USG IPSec VPN Client.
22.1.2 What You Need to Know
An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security
association (SA), a contract indicating what security parameters the ZyWALL/USG and the remote
IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the
ZyWALL/USG and remote IPSec router. The second phase uses the IKE SA to securely establish an
IPSec SA through which the ZyWALL/USG and remote IPSec router can send data between
computers on the local network and remote network. This is illustrated in the following figure.
Figure 257 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B. Inside
networks A and B, the data is transmitted the same way data is normally transmitted in the
networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication,
and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y
established the IKE SA first.
Application Scenarios
The ZyWALL/USG’s application scenarios make it easier to configure your VPN connection settings.
Table 161 IPSec VPN Application Scenarios
SITE-TO-SITE
Choose this if the remote IPSec router has a static IP address or a domain name. This ZyWALL/USG can initiate the VPN tunnel. The remote IPSec router can also initiate the VPN tunnel if this ZyWALL/USG has a static IP address or a domain name.
SITE-TO-SITE WITH DYNAMIC PEER
Choose this if the remote IPSec router has a dynamic IP address. You don’t specify the remote IPSec router’s address, but you specify the remote policy (the addresses of the devices behind the remote IPSec router). This ZyWALL/USG must have a static IP address or a domain name. Only the remote IPSec router can initiate the VPN tunnel.
REMOTE ACCESS (SERVER ROLE)
Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. You don’t specify the addresses of the client IPSec routers or the remote policy. This creates a dynamic IPSec VPN rule that can let multiple clients connect. Only the clients can initiate the VPN tunnel.
REMOTE ACCESS (CLIENT ROLE)
Choose this to connect to an IPSec server. This ZyWALL/USG is the client (dial-in user). Client role ZyWALL/USGs initiate IPSec VPN connections to a server role ZyWALL/USG. This ZyWALL/USG can have a dynamic IP address. The IPSec server doesn’t configure this ZyWALL/USG’s IP address or the addresses of the devices behind it. Only this ZyWALL/USG can initiate the VPN tunnel.
Finding Out More
• See Section 22.6 on page 401 for IPSec VPN background information.
• See the help in the IPSec VPN quick setup wizard screens.
22.1.3 Before You Begin
This section briefly explains the relationship between VPN tunnels and other features. It also gives
some basic suggestions for troubleshooting.
You should set up the following features before you set up the VPN tunnel.
• In any VPN connection, you have to select address objects to specify the local policy and remote
policy. You should set up the address objects first.
• In a VPN gateway, you can select an Ethernet interface, virtual Ethernet interface, VLAN
interface, or virtual VLAN interface to specify what address the ZyWALL/USG uses as its IP
address when it establishes the IKE SA. You should set up the interface first.
• In a VPN gateway, you can enable extended authentication. If the ZyWALL/USG is in server
mode, you should set up the authentication method (AAA server) first. The authentication
method specifies how the ZyWALL/USG checks the user name and password that the remote
IPSec router or VPN client presents during extended authentication, on top of the IKE
authentication (pre-shared key or certificate) the VPN gateway itself performs.
• In a VPN gateway, the ZyWALL/USG and remote IPSec router can use certificates to authenticate
each other. Make sure the ZyWALL/USG and the remote IPSec router will trust each other’s
certificates.
22.2 The VPN Connection Screen
Click Configuration > VPN > IPSec VPN to open the VPN Connection screen. The VPN
Connection screen lists the VPN connection policies and their associated VPN gateway(s), and
various settings. In addition, it also lets you activate or deactivate and connect or disconnect each
VPN connection (each IPSec SA). Click a column’s heading cell to sort the table entries by that
column’s criteria. Click the heading cell again to reverse the sort order.
Figure 258 Configuration > VPN > IPSec VPN > VPN Connection
Each field is discussed in the following table.
Table 162 Configuration > VPN > IPSec VPN > VPN Connection
LABEL
DESCRIPTION
Global Setting
The following two fields are for all IPSec VPN policies.
Click on the VPN icon to go to the ZyXEL VPN Client product page at the ZyXEL website.
Use Policy
Route to
control
dynamic
IPSec rules
Select this to be able to use policy routes to manually specify the destination addresses of
dynamic IPSec rules. You must manually create these policy routes. The ZyWALL/USG
automatically obtains source and destination addresses for dynamic IPSec rules that do not
match any of the policy routes.
Clear this to have the ZyWALL/USG automatically obtain source and destination addresses
for all dynamic IPSec rules.
Ignore
"Don't
Fragment"
setting in
packet
header
Select this to fragment packets larger than the MTU (Maximum Transmission Unit) that have
the "Don't Fragment" bit in the IP header turned on. When you clear this the ZyWALL/USG
drops packets larger than the MTU that have the "Don't Fragment" bit in the header turned
on.
IPv4 / IPv6
Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Connect
To connect an IPSec SA, select it and click Connect.
Disconnect
To disconnect an IPSec SA, select it and click Disconnect.
Object
Reference
Select an entry and click Object Reference to open a screen that shows which settings use
the entry. See Section 9.3.2 on page 201 for an example.
#
This field is a sequential value, and it is not associated with a specific connection.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is
inactive.
Name
This field displays the name of the IPSec SA.
VPN Gateway
This field displays the VPN gateway in use for this VPN connection.
Gateway IP
Version
This field displays what IP version the associated VPN gateway(s) is using. An IPv4 gateway
may use an IKEv1 or IKEv2 SA. An IPv6 gateway may use IKEv2 only.
Policy
This field displays the local policy and the remote policy, respectively.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
The connect icon is lit when the VPN connection (IPSec SA) is up and dimmed when it is disconnected.
22.2.1 The VPN Connection Add/Edit (IKE) Screen
The VPN Connection Add/Edit screen allows you to create a new VPN connection policy or
edit an existing one. To access this screen, go to the Configuration > VPN > IPSec VPN > VPN
Connection screen (see Section 22.2 on page 381), and click either the Add icon or an Edit icon.
Figure 259 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)
Each field is described in the following table.
Table 163 Configuration > VPN > IPSec VPN > VPN Connection > Edit
LABEL
DESCRIPTION
Show Advanced
Settings / Hide
Advanced Settings
Click this button to display a greater or lesser number of configuration fields.
Create new Object
Use to configure any new settings objects that you need to use in this screen.
General Settings
Enable
Select this check box to activate this VPN connection.
Connection Name
Type the name used to identify this IPSec SA. You may use 1-31 alphanumeric
characters, underscores (_), or dashes (-), but the first character cannot be a
number. This value is case-sensitive.
Nailed-Up
Select this if you want the ZyWALL/USG to automatically renegotiate the IPSec SA
when the SA life time expires.
Enable Replay Detection
Select this check box to detect and reject old or duplicate packets, using the sequence
number carried in every ESP or AH packet. This protects against replay attacks and the
Denial-of-Service attacks that replayed traffic can be used for.
Enable NetBIOS Broadcast over IPSec
Select this check box if you want the ZyWALL/USG to send NetBIOS (Network Basic Input/
Output System) packets through the IPSec SA.
NetBIOS over TCP/IP uses UDP ports 137 and 138 and TCP port 139 to let a computer find
and communicate with other computers on a LAN. It may sometimes be necessary to allow
NetBIOS packets to pass through IPSec SAs in order to allow local computers to find
computers on the remote network and vice versa. Leave this cleared unless you need it, since
it forwards broadcast name-service traffic across the tunnel.
MSS Adjustment
Select Custom Size to set a specific number of bytes for the Maximum Segment Size
(MSS), the largest amount of TCP payload data in a single segment, for this VPN
connection. MSS adjustment works by rewriting the MSS option in TCP SYN packets that
cross the tunnel, so that the resulting packets still fit the path MTU once the IPSec
encapsulation overhead is added.
Some VPN clients may not be able to use a custom MSS size if it is set too small. In
that case those VPN clients will ignore the size set here and use the minimum size
that they can use.
Select Auto to have the ZyWALL/USG automatically set the MSS for this VPN
connection.
Narrowed
If the IP range on the ZyWALL/USG (local policy) and the local IP range on the
remote IPSec router overlap in an IKEv2 SA, then you may select Narrowed to have
the SA only apply to the IP addresses in common. If the two ranges do not overlap at
all, there is nothing to narrow to and the IPSec SA is not established (the responder
rejects the traffic selectors).
Here are some examples.
            ZyWALL/USG (local policy)       Remote IPSec router             Narrowed
IKEv2 SA-1  192.168.20.1 ~ 192.168.20.20    192.168.20.0/24                 192.168.20.1 ~ 192.168.20.20
IKEv2 SA-2  192.168.30.50 ~ 192.168.30.70   192.168.30.60 ~ 192.168.30.80   192.168.30.60 ~ 192.168.30.70
VPN Gateway
Application Scenario
Select the scenario that best describes your intended VPN connection.
Site-to-site - Choose this if the remote IPSec router has a static IP address or a
domain name. This ZyWALL/USG can initiate the VPN tunnel.
Site-to-site with Dynamic Peer - Choose this if the remote IPSec router has a
dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.
Remote Access (Server Role) - Choose this to allow incoming connections from
IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in
users. Only the clients can initiate the VPN tunnel.
Remote Access (Client Role) - Choose this to connect to an IPSec server. This
ZyWALL/USG is the client (dial-in user) and can initiate the VPN tunnel.
VPN Gateway
Select the VPN gateway this VPN connection is to use or select Create Object to add
another VPN gateway for this VPN connection to use.
Policy
Local Policy
Select the address corresponding to the local network. Use Create new Object if
you need to configure a new one.
Remote Policy
Select the address corresponding to the remote network. Use Create new Object if
you need to configure a new one.
Enable GRE over
IPSec
Select this to allow traffic using the Generic Routing Encapsulation (GRE) tunneling
protocol through an IPSec tunnel.
Policy Enforcement
Clear this to allow traffic with source and destination IP addresses that do not match
the local and remote policy to use the VPN tunnel. Leave this cleared for free access
between the local and remote networks.
Selecting this restricts who can use the VPN tunnel. The ZyWALL/USG drops traffic
with source and destination IP addresses that do not match the local and remote
policy.
Configuration Payload
This is only available when you have created an IKEv2 Gateway and are using
Remote Access (Server Role).
Enable Configuration Payload
Select this to have the ZyWALL/USG send at least the IP address pool to the VPN
clients in the IKEv2 configuration payload.
IP Address Pool:
Select an address object from the drop-down list box. Each connecting client is
assigned an address from this pool.
First DNS Server (optional)
The Domain Name System (DNS) maps a domain name to an IP address and vice
versa. Enter the IP address of the DNS server the ZyWALL/USG should hand to the VPN
clients; the clients use the servers (in the order you specify here) to resolve domain
names over the VPN.
Second DNS Server (Optional)
Enter a secondary DNS server's IP address for the clients to use if the first one is
unavailable.
First WINS Server (Optional)
Type the IP address of the WINS (Windows Internet Naming Service) server that you
want to send to the VPN clients. The WINS server keeps a mapping table of the
computer names on your network and the IP addresses that they are currently using.
Second WINS Server (Optional)
Enter a secondary WINS server's IP address for the clients to use if the first one is
unavailable.
Phase 2 Settings
SA Life Time
Type the maximum number of seconds the IPSec SA can last. Shorter life times
provide better security. The ZyWALL/USG automatically negotiates a new IPSec SA
before the current one expires, if there are users who are accessing remote
resources.
Active Protocol
Select which protocol you want to use in the IPSec SA. Choices are:
AH (RFC 2402, obsoleted by RFC 4302) - provides integrity, data-origin authentication
and sequence integrity (replay resistance), but not encryption. Its integrity check also
covers the non-changing fields of the outer IP header, so AH cannot pass through NAT. If
you select AH, you must select an Authentication algorithm.
ESP (RFC 2406, obsoleted by RFC 4303) - provides encryption together with the same
integrity, authentication and replay-resistance services as AH, but its integrity check
covers only the ESP payload and trailer, not the outer IP header. If you select ESP, you
must select an Encryption algorithm and Authentication algorithm.
Both AH and ESP increase processing requirements and latency (delay). ESP is the usual
choice; AH is only of interest where the outer header must be authenticated and no NAT
is in the path.
The ZyWALL/USG and remote IPSec router must use the same active protocol.
Encapsulation
Select which type of encapsulation the IPSec SA uses. Choices are
Tunnel - this mode protects the whole original IP packet, header and data, by placing it
inside a new IP packet addressed between the two IPSec routers. Use this for the site-to-
site and remote access scenarios, where the traffic comes from hosts behind the routers.
Transport - this mode protects only the payload; the original IP header is sent as-is. It is
used when the two IPSec routers are themselves the endpoints of the traffic, as with L2TP
over IPSec.
The ZyWALL/USG and remote IPSec router must use the same encapsulation.
Proposal
Use this section to manage the encryption algorithm and authentication algorithm
pairs the ZyWALL/USG accepts from the remote IPSec router for negotiating the
IPSec SA.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This field is a sequential value, and it is not associated with a specific proposal. The
sequence of proposals should not affect performance significantly.
Encryption
This field is applicable when the Active Protocol is ESP. Select which key size and
encryption algorithm to use in the IPSec SA. Choices are:
NULL - no encryption; the SA then provides integrity and authentication only. Use this
only for testing, never for traffic that needs confidentiality.
DES - a 56-bit key with the DES encryption algorithm. A 56-bit key can be recovered by
brute force with modest hardware; do not offer DES in new deployments.
3DES - a 168-bit key with the Triple DES encryption algorithm (three DES passes; the
effective strength is about 112 bits)
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The ZyWALL/USG and the remote IPSec router must both have at least one proposal
that uses the same encryption algorithm and the same key size.
Longer keys are more secure, but require more processing power, resulting in
increased latency and decreased throughput.
Authentication
Select which hash algorithm to use (as an HMAC) to authenticate packet data in the
IPSec SA. Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered
stronger than MD5, but it is also slower. MD5 is deprecated and should only be offered if
a legacy peer requires it; prefer SHA256 or SHA512 when the peer supports them.
The ZyWALL/USG and the remote IPSec router must both have a proposal that uses
the same authentication algorithm.
Perfect Forward Secrecy (PFS)
Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you
do, which Diffie-Hellman group to use. Choices are:
none - disable PFS
DH1 - enable PFS and use the 768-bit MODP group (Diffie-Hellman group 1)
DH2 - enable PFS and use the 1024-bit MODP group (Diffie-Hellman group 2)
DH5 - enable PFS and use the 1536-bit MODP group (Diffie-Hellman group 5)
With PFS the ZyWALL/USG performs a fresh Diffie-Hellman exchange for each IPSec SA,
so the keys of one IPSec SA cannot be derived from the IKE SA keys or from the keys of
an earlier IPSec SA. The larger the group, the more secure the exchange, but also the
longer it takes to compute. Both routers must use the same DH key group. The 768-bit
and 1024-bit groups are no longer considered strong; choose DH5 unless the peer cannot
support it.
PFS is not applied to the first IPSec SA created during IKEv2 authentication (that SA
takes its keys from the IKE SA) but is used whenever the IPSec SA is rekeyed.
Related Settings
Zone
Select the security zone into which to add this VPN connection policy. Any security
rules or settings configured for the selected zone apply to this VPN connection policy.
Connectivity Check
The ZyWALL/USG can regularly check the VPN connection to the gateway you
specified to make sure it is still available.
Enable
Connectivity Check
Select this to turn on the VPN connection check.
Check Method
Select how the ZyWALL/USG checks the connection. The peer must be configured to
respond to the method you select.
Select icmp to have the ZyWALL/USG regularly ping the address you specify to make
sure traffic can still go through the connection. You may need to configure the peer to
respond to pings.
Select tcp to have the ZyWALL/USG regularly perform a TCP handshake with the
address you specify to make sure traffic can still go through the connection. You may
need to configure the peer to accept the TCP connection.
Check Port
This field displays when you set the Check Method to tcp. Specify the port number
to use for a TCP connectivity check.
Check Period
Enter the number of seconds between connection check attempts.
Check Timeout
Enter the number of seconds to wait for a response before the attempt is a failure.
Check Fail
Tolerance
Enter the number of consecutive failures allowed before the ZyWALL/USG disconnects
the VPN tunnel. The ZyWALL/USG resumes using the first peer gateway address
when the VPN connection passes the connectivity check.
Check this Address
Select this to specify a domain name or IP address for the connectivity check. Enter
that domain name or IP address in the field next to it.
Check the First
and Last IP
Address in the
Remote Policy
Select this to have the ZyWALL/USG check the connection to the first and last IP
addresses in the connection’s remote policy. Make sure one of these is the peer
gateway’s LAN IP address.
Log
Select this to have the ZyWALL/USG generate a log every time it checks this VPN
connection.
Inbound/Outbound
traffic NAT
Outbound Traffic
Source NAT
This translation hides the source address of computers in the local network. It may
also be necessary if you want the ZyWALL/USG to route packets from computers
outside the local network through the IPSec SA.
Source
Select the address object that represents the original source address (or select
Create Object to configure a new one). This is the address object for the computer
or network outside the local network. The size of the original source address range
(Source) must be equal to the size of the translated source address range (SNAT).
Destination
Select the address object that represents the original destination address (or select
Create Object to configure a new one). This is the address object for the remote
network.
SNAT
Select the address object that represents the translated source address (or select
Create Object to configure a new one). This is the address object for the local
network. The size of the original source address range (Source) must be equal to the
size of the translated source address range (SNAT).
Inbound Traffic
Source NAT
This translation hides the source address of computers in the remote network.
Source
Select the address object that represents the original source address (or select
Create Object to configure a new one). This is the address object for the remote
network. The size of the original source address range (Source) must be equal to the
size of the translated source address range (SNAT).
Destination
Select the address object that represents the original destination address (or select
Create Object to configure a new one). This is the address object for the local
network.
SNAT
Select the address object that represents the translated source address (or select
Create Object to configure a new one). This is the address that hides the original
source address. The size of the original source address range (Source) must be
equal to the size of the translated source address range (SNAT).
Destination NAT
This translation forwards packets (for example, mail) from the remote network to a
specific computer (for example, the mail server) in the local network.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry
after the selected entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Move
To change an entry’s position in the numbered list, select it and click Move to display
a field to type a number for where you want to put that entry and press [ENTER] to
move the entry to the number that you typed.
#
This field is a sequential value, and it is not associated with a specific NAT record.
However, the order of records is the sequence in which conditions are checked and
executed.
Original IP
Select the address object that represents the original destination address. This is the
address object for the remote network.
Mapped IP
Select the address object that represents the desired destination address. For
example, this is the address object for the mail server.
Protocol
Select the protocol required to use this translation. Choices are: TCP, UDP, or All.
Original Port Start
/ Original Port End
These fields are available if the protocol is TCP or UDP. Enter the original destination
port or range of original destination ports. The size of the original port range must be
the same size as the size of the mapped port range.
Mapped Port Start
/ Mapped Port End
These fields are available if the protocol is TCP or UDP. Enter the translated
destination port or range of translated destination ports. The size of the original port
range must be the same size as the size of the mapped port range.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard all changes and return to the main VPN screen.
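The Narrowed and Proposal entries above describe two checks a responder makes when an IKEv2 peer asks for an IPSec SA: the traffic selectors are intersected (RFC 7296 section 2.9) and the first encryption/authentication pair both sides list is chosen. The following Python is an added example, not ZyXEL's code; the parsing of the manual's "~" range notation, the proposal tuples and the list of algorithms treated as too weak are this example's own assumptions.

```python
"""IKEv2 IPSec SA negotiation checks: traffic-selector narrowing and proposal choice.

Added example, not ZyXEL code. It models the Narrowed and Proposal behaviour of the
VPN Connection screen. The '~' range syntax, the proposal tuples and the WEAK set
are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficSelector:
    """A contiguous IPv4 range, stored as integers for easy intersection."""
    first: int
    last: int

    @classmethod
    def parse(cls, text):
        """Accept '192.168.20.1 ~ 192.168.20.20' (range) or '192.168.20.0/24' (CIDR)."""
        text = text.strip()
        if "~" in text:
            lo_text, hi_text = text.split("~", 1)
            lo = ipaddress.IPv4Address(lo_text.strip())
            hi = ipaddress.IPv4Address(hi_text.strip())
        else:
            net = ipaddress.IPv4Network(text, strict=False)
            lo, hi = net[0], net[-1]
        if int(lo) > int(hi):
            raise ValueError(f"range start is after range end: {text}")
        return cls(int(lo), int(hi))

    def __str__(self):
        return f"{ipaddress.IPv4Address(self.first)} ~ {ipaddress.IPv4Address(self.last)}"


def narrow(local, peer):
    """Intersect the local policy with the peer's selector (RFC 7296 section 2.9).

    Returns the common range, or None when the ranges do not overlap, in which
    case a responder answers TS_UNACCEPTABLE and no IPSec SA is set up."""
    first = max(local.first, peer.first)
    last = min(local.last, peer.last)
    if first > last:
        return None
    return TrafficSelector(first, last)


# Assumption for this example: pairs a current policy should refuse even if the
# peer offers them (NULL gives no confidentiality, DES/3DES and MD5 are deprecated).
WEAK = {"NULL", "DES", "3DES", "MD5"}


def select_proposal(local_proposals, peer_proposals, refuse_weak=True):
    """Return the first local (encryption, authentication) pair the peer also offers.

    Proposals are tried in the local list's order, which is why the order of the
    Proposal table matters: put the strongest pair first."""
    offered = set(peer_proposals)
    for pair in local_proposals:
        if pair not in offered:
            continue
        if refuse_weak and set(pair) & WEAK:
            continue
        return pair
    return None


def negotiate(local_policy, local_proposals, peer_ts, peer_proposals):
    """Run both checks as a responder would and report the outcome as a dict."""
    ts = narrow(TrafficSelector.parse(local_policy), TrafficSelector.parse(peer_ts))
    if ts is None:
        return {"status": "TS_UNACCEPTABLE"}
    proposal = select_proposal(local_proposals, peer_proposals)
    if proposal is None:
        return {"status": "NO_PROPOSAL_CHOSEN", "ts": str(ts)}
    return {"status": "OK", "ts": str(ts), "proposal": proposal}


if __name__ == "__main__":
    # The two rows of the manual's Narrowed example, then a peer whose only
    # common proposal is DES/MD5 and a peer whose selector does not overlap.
    print(narrow(TrafficSelector.parse("192.168.20.1 ~ 192.168.20.20"),
                 TrafficSelector.parse("192.168.20.0/24")))
    print(narrow(TrafficSelector.parse("192.168.30.50 ~ 192.168.30.70"),
                 TrafficSelector.parse("192.168.30.60 ~ 192.168.30.80")))
    print(negotiate("192.168.30.50 ~ 192.168.30.70", [("AES256", "SHA256"), ("DES", "MD5")],
                    "192.168.30.60 ~ 192.168.30.80", [("DES", "MD5")]))
    print(negotiate("10.0.0.0/24", [("AES256", "SHA256")], "10.1.0.0/24", [("AES256", "SHA256")]))
```

The third call shows why a weak pair should not be left in the proposal list "just in case": a peer that offers only DES/MD5 gets NO_PROPOSAL_CHOSEN instead of silently downgrading the tunnel.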
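Policy Enforcement and Outbound Traffic Source NAT, both described in Table 163, interact: with enforcement on, a host outside the local policy can only use the tunnel if a one-to-one SNAT rule first rewrites its source into the local policy, which is the case the Outbound Traffic Source NAT entry alludes to. The following Python, an added example rather than ZyXEL's code, models that decision with constructed addresses; the VpnPolicy class and its method names are this example's own.

```python
"""Policy Enforcement together with Outbound Traffic Source NAT on a VPN connection.

Added example, not ZyXEL code. Addresses are constructed for the example and the
VpnPolicy class is this example's own model of the screen's settings.
"""
import ipaddress


class VpnPolicy:
    def __init__(self, local_policy, remote_policy, enforce=True):
        self.local = ipaddress.IPv4Network(local_policy, strict=False)
        self.remote = ipaddress.IPv4Network(remote_policy, strict=False)
        self.enforce = enforce                 # the Policy Enforcement check box
        self.outbound_snat = []                # (Source, Destination, SNAT) rules

    def add_outbound_snat(self, source, destination, snat):
        """Add a one-to-one source translation for hosts outside the local policy."""
        src, dst, snat_net = (ipaddress.IPv4Network(x, strict=False)
                              for x in (source, destination, snat))
        # The screen requires equal-sized Source and SNAT ranges: the mapping is
        # host-to-host by offset, so a size mismatch would leave hosts unmapped.
        if src.num_addresses != snat_net.num_addresses:
            raise ValueError(f"Source {src} and SNAT {snat_net} differ in size")
        self.outbound_snat.append((src, dst, snat_net))

    def translate_outbound(self, src, dst):
        """Apply the first matching rule; untouched sources are returned as-is."""
        for rule_src, rule_dst, snat_net in self.outbound_snat:
            if src in rule_src and dst in rule_dst:
                offset = int(src) - int(rule_src.network_address)
                return ipaddress.IPv4Address(int(snat_net.network_address) + offset)
        return src

    def admit(self, src, dst):
        """Decide whether a packet enters the IPSec SA; returns (decision, source used)."""
        src = ipaddress.IPv4Address(src)
        dst = ipaddress.IPv4Address(dst)
        translated = self.translate_outbound(src, dst)
        if not self.enforce:
            # Policy Enforcement cleared: free access, any addresses may use the tunnel.
            return ("TUNNEL", str(translated))
        if translated in self.local and dst in self.remote:
            return ("TUNNEL", str(translated))
        return ("DROP", str(translated))


if __name__ == "__main__":
    # Constructed topology: local policy 192.168.1.0/24, remote policy 10.20.0.0/16,
    # plus a DMZ 172.16.0.0/24 that lies outside the local policy.
    vpn = VpnPolicy("192.168.1.0/24", "10.20.0.0/16")
    print(vpn.admit("192.168.1.10", "10.20.5.5"))   # inside both policies
    print(vpn.admit("172.16.0.10", "10.20.5.5"))    # DMZ host: dropped
    vpn.add_outbound_snat("172.16.0.0/24", "10.20.0.0/16", "192.168.1.0/24")
    print(vpn.admit("172.16.0.10", "10.20.5.5"))    # now translated and tunnelled
```

Translating into the same range as the real local network, as the manual's SNAT description suggests, means a DMZ host and a LAN host can end up sharing a translated address as seen from the remote side; in practice pick a dedicated SNAT range that is inside the local policy but not used by real hosts.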
22.3 The VPN Gateway Screen
The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL/USG,
as well as the ZyWALL/USG’s address, remote IPSec router’s address, and associated VPN
connections for each one. In addition, it also lets you activate and deactivate each VPN gateway. To
access this screen, click Configuration > VPN > IPSec VPN > VPN Gateway. The following
screen appears.
Figure 260 Configuration > VPN > IPSec VPN > VPN Gateway
Each field is discussed in the following table. See Section 22.3.1 on page 390 for more information.
Table 164 Configuration > VPN > IPSec VPN > VPN Gateway
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify
the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Object References
Select an entry and click Object References to open a screen that shows which settings
use the entry. See Section 9.3.2 on page 201 for an example.
#
This field is a sequential value, and it is not associated with a specific VPN gateway.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is
inactive.
Name
This field displays the name of the VPN gateway
My address
This field displays the interface or a domain name the ZyWALL/USG uses for the VPN
gateway.
Secure Gateway
This field displays the IP address(es) of the remote IPSec routers.
VPN Connection
This field displays VPN connections that use this VPN gateway.
IKE Version
This field displays whether the gateway is using IKEv1 or IKEv2. IKEv1 applies to IPv4
traffic only. IKEv2 applies to both IPv4 and IPv6 traffic. IKE (Internet Key Exchange) is a
protocol used in setting up security associations that allows two parties to send data
securely. See Section 22.1 on page 376 for more information on IKEv1 and IKEv2.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
22.3.1 The VPN Gateway Add/Edit Screen
The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an
existing one. To access this screen, go to the VPN Gateway summary screen (see Section 22.3 on
page 389), and click either the Add icon or an Edit icon.
Figure 261 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit
Each field is described in the following table.
Table 165 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit
LABEL
DESCRIPTION
Show Advanced
Settings / Hide
Advanced Settings
Click this button to display a greater or lesser number of configuration fields.
Create New Object
Use to configure any new settings objects that you need to use in this screen.
General Settings
Enable
Select this to activate the VPN Gateway policy.
VPN Gateway
Name
Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric
characters, underscores(_), or dashes (-), but the first character cannot be a number.
This value is case-sensitive.
IKE Version
IKEv1 / IKEv2
Select IKEv1 or IKEv2. IKEv1 applies to IPv4 traffic only. IKEv2 applies to both IPv4
and IPv6 traffic. IKE (Internet Key Exchange) is a protocol used in setting up security
associations that allows two parties to send data securely. See Section 22.1 on page
376 for more information on IKEv1 and IKEv2.
Gateway Settings
My Address
Select how the IP address of the ZyWALL/USG in the IKE SA is defined.
If you select Interface, select the Ethernet interface, VLAN interface, virtual Ethernet
interface, virtual VLAN interface or PPPoE/PPTP interface. The IP address of the
ZyWALL/USG in the IKE SA is the IP address of the interface.
If you select Domain Name / IP, enter the domain name or the IP address of the
ZyWALL/USG. The IP address of the ZyWALL/USG in the IKE SA is the specified IP
address or the IP address corresponding to the domain name. 0.0.0.0 is not generally
recommended as it has the ZyWALL/USG accept IPSec requests destined for any
interface address on the ZyWALL/USG.
Peer Gateway
Address
Select how the IP address of the remote IPSec router in the IKE SA is defined.
Select Static Address to enter the domain name or the IP address of the remote IPSec
router. You can provide a second IP address or domain name for the ZyWALL/USG to try
if it cannot establish an IKE SA with the first one.
Fall back to Primary Peer Gateway when possible: When you select this, if the
connection to the primary address goes down and the ZyWALL/USG changes to
using the secondary connection, the ZyWALL/USG will reconnect to the primary
address when it becomes available again and stop using the secondary connection.
Users will lose their VPN connection briefly while the ZyWALL/USG changes back to
the primary connection. To use this, the peer device at the secondary address
cannot be set to use a nailed-up VPN connection. In the Fallback Check Interval
field, set how often to check if the primary address is available.
Select Dynamic Address if the remote IPSec router has a dynamic IP address (and
does not use DDNS).
Authentication
Note: The ZyWALL/USG and remote IPSec router must use the same authentication
method to establish the IKE SA.
Pre-Shared Key
Select this to have the ZyWALL/USG and remote IPSec router use a pre-shared key
(password) to identify each other when they negotiate the IKE SA. Type the pre-shared
key in the field to the right. The pre-shared key can be:
• alphanumeric characters or ,;.|`@#$%^&*()_+\{}':./<>=-"
• pairs of hexadecimal (0-9, A-F) characters, preceded by “0x”.
Type “0x” at the beginning of a hexadecimal key. For example,
"0x0123456789ABCDEF" is in hexadecimal format; “0123456789ABCDEF” is in ASCII
format. If you use hexadecimal, you must enter twice as many characters since you
need to enter pairs.
The ZyWALL/USG and remote IPSec router must use the same pre-shared key. Use a long,
randomly generated key rather than a word or phrase; the key is the only secret
authenticating the two routers to each other.
Select unmasked to see the pre-shared key in readable plain text.
Certificate
Select this to have the ZyWALL/USG and remote IPSec router use certificates to
authenticate each other when they negotiate the IKE SA. Then select the certificate the
ZyWALL/USG uses to identify itself to the remote IPsec router.
This certificate is one of the certificates in My Certificates. If this certificate is self-signed, import it into the remote IPSec router. If this certificate is signed by a CA, the
remote IPSec router must trust that CA.
Note: The IPSec routers must trust each other’s certificates.
The ZyWALL/USG uses one of its Trusted Certificates to authenticate the remote
IPSec router’s certificate. The trusted certificate can be a self-signed certificate or that
of a trusted CA that signed the remote IPSec router’s certificate.
User-based PSK
User-based PSK (IKEv1 only) generates and manages a separate pre-shared key for
every user. This enables multiple users, each with a unique key, to access the same
VPN gateway policy with one-to-one authentication and strong encryption. Access can
be denied on a per-user basis, which allows VPN SA user-based policies. Click User-Based
PSK, then select the user or group object that is allowed VPN SA access using this
VPN gateway policy. This is for IKEv1 only.
Local ID Type
This field is read-only if the ZyWALL/USG and remote IPSec router use certificates to
identify each other. Select which type of identification is used to identify the ZyWALL/
USG during authentication. Choices are:
IPv4 or IPv6 - the ZyWALL/USG is identified by an IP address
DNS - the ZyWALL/USG is identified by a domain name
E-mail - the ZyWALL/USG is identified by the string specified in this field
Content
This field is read-only if the ZyWALL/USG and remote IPSec router use certificates to
identify each other. Type the identity of the ZyWALL/USG during authentication. The
identity depends on the Local ID Type.
IP - type an IP address; if you type 0.0.0.0, the ZyWALL/USG uses the IP address
specified in the My Address field. This is not recommended in the following situations:
• There is a NAT router between the ZyWALL/USG and remote IPSec router.
• You want the remote IPSec router to be able to distinguish between IPSec SA
requests that come from IPSec routers with dynamic WAN IP addresses.
In these situations, use a different IP address, or use a different Local ID Type.
DNS - type the fully qualified domain name (FQDN). This value is only used for
identification and can be any string that matches the peer ID string.
E-mail - the ZyWALL/USG is identified by the string you specify here; you can use up
to 63 ASCII characters including spaces, although trailing spaces are truncated. This
value is only used for identification and can be any string.
Peer ID Type
Select which type of identification is used to identify the remote IPSec router during
authentication. Choices are:
IP - the remote IPSec router is identified by an IP address
DNS - the remote IPSec router is identified by a domain name
E-mail - the remote IPSec router is identified by the string specified in this field
Any - the ZyWALL/USG does not check the identity of the remote IPSec router
If the ZyWALL/USG and remote IPSec router use certificates, there is one more choice.
Subject Name - the remote IPSec router is identified by the subject name in the
certificate
Content
This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec
router during authentication. The identity depends on the Peer ID Type.
If the ZyWALL/USG and remote IPSec router do not use certificates,
IP - type an IP address; see the note at the end of this description.
DNS - type the fully qualified domain name (FQDN). This value is only used for
identification and can be any string that matches the peer ID string.
E-mail - the remote IPSec router is identified by the string you specify here; you can
use up to 31 ASCII characters including spaces, although trailing spaces are truncated.
This value is only used for identification and can be any string.
If the ZyWALL/USG and remote IPSec router use certificates, type the following fields
from the certificate used by the remote IPSec router.
IP - subject alternative name field; see the note at the end of this description.
DNS - subject alternative name field
E-mail - subject alternative name field
Subject Name - subject name (maximum 255 ASCII characters, including spaces)
Note: If Peer ID Type is IP, please read the rest of this section.
If you type 0.0.0.0, the ZyWALL/USG uses the IP address specified in the Secure
Gateway Address field. This is not recommended in the following situations:
• There is a NAT router between the ZyWALL/USG and remote IPSec router.
• You want the remote IPSec router to be able to distinguish between IPSec SA
requests that come from IPSec routers with dynamic WAN IP addresses.
In these situations, use a different IP address, or use a different Peer ID Type.
Phase 1 Settings
SA Life Time (Seconds)
Type the maximum number of seconds the IKE SA can last. When this time has passed,
the ZyWALL/USG and remote IPSec router have to update the encryption and
authentication keys and re-negotiate the IKE SA. This does not affect any existing
IPSec SAs, however.
Negotiation Mode
Select the negotiation mode to use to negotiate the IKE SA. Choices are
Main - this encrypts the ZyWALL/USG’s and remote IPSec router’s identities but takes
more time to establish the IKE SA
Aggressive - this is faster but does not encrypt the identities
The ZyWALL/USG and the remote IPSec router must use the same negotiation mode.
Proposal
Use this section to manage the encryption algorithm and authentication algorithm pairs
the ZyWALL/USG accepts from the remote IPSec router for negotiating the IKE SA.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This field is a sequential value, and it is not associated with a specific proposal. The
sequence of proposals should not affect performance significantly.
Encryption
Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The ZyWALL/USG and the remote IPSec router must use the same key size and
encryption algorithm. Longer keys require more processing power, resulting in
increased latency and decreased throughput.
Authentication
Select which hash algorithm to use to authenticate packet data in the IPSec SA.
Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger
than MD5, but it is also slower. The remote IPSec router must use the same
authentication algorithm.
Key Group
Select which Diffie-Hellman key group (DHx) you want to use for encryption keys.
Choices are:
DH1 - use a 768-bit random number
DH2 - use a 1024-bit random number
DH5 - use a 1536-bit random number
The longer the key, the more secure the encryption, but also the longer it takes to
encrypt and decrypt information. Both routers must use the same DH key group.
NAT Traversal
Select this if any of these conditions are satisfied.
• This IKE SA might be used to negotiate IPSec SAs that use ESP as the active
protocol.
• There are one or more NAT routers between the ZyWALL/USG and remote IPSec
router, and these routers do not support IPSec pass-thru or a similar feature.
The remote IPSec router must also enable NAT traversal, and the NAT routers have to
forward packets with UDP port 500 and UDP 4500 headers unchanged.
This field applies for IKEv1 only. NAT Traversal is always performed when you use
IKEv2.
Dead Peer Detection (DPD)
Select this check box if you want the ZyWALL/USG to make sure the remote IPSec
router is there before it transmits data through the IKE SA. The remote IPSec router
must support DPD. If there has been no traffic for at least 15 seconds, the ZyWALL/
USG sends a message to the remote IPSec router. If the remote IPSec router responds,
the ZyWALL/USG transmits the data. If the remote IPSec router does not respond, the
ZyWALL/USG shuts down the IKE SA.
If the remote IPSec router does not support DPD, see if you can use the VPN connection
connectivity check (see Section 22.2.1 on page 382).
This field applies for IKEv1 only. Dead Peer Detection (DPD) is always performed when
you use IKEv2.
X Auth / Extended Authentication Protocol
This part of the screen displays X-Auth when using IKEv1 and Extended
Authentication Protocol when using IKEv2.
X-Auth
This displays when using IKEv1. When different users use the same VPN tunnel to
connect to the ZyWALL/USG (telecommuters sharing a tunnel for example), use X-auth
to enforce a user name and password check. This way even though telecommuters all
know the VPN tunnel’s security settings, each still has to provide a unique user name
and password.
Enable Extended Authentication
Select this if one of the routers (the ZyWALL/USG or the remote IPSec router) verifies a
user name and password from the other router using the local user database and/or an
external server.
Server Mode
Select this if the ZyWALL/USG authenticates the user name and password from the
remote IPSec router. You also have to select the authentication method, which specifies
how the ZyWALL/USG authenticates this information.
Client Mode
Select this radio button if the ZyWALL/USG provides a username and password to the
remote IPSec router for authentication. You also have to provide the User Name and
the Password.
User Name
This field is required if the ZyWALL/USG is in Client Mode for extended authentication.
Type the user name the ZyWALL/USG sends to the remote IPSec router. The user name
can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed.
Password
This field is required if the ZyWALL/USG is in Client Mode for extended authentication.
Type the password the ZyWALL/USG sends to the remote IPSec router. The password
can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed.
Retype to Confirm
Type the exact same password again here to make sure an error was not made when
typing it originally.
Extended Authentication Protocol
This displays when using IKEv2. EAP uses a certificate for authentication.
Enable Extended Authentication
Select this if one of the routers (the ZyWALL/USG or the remote IPSec router) verifies a
user name and password from the other router using the local user database and/or an
external server or a certificate.
Server Mode
Select this if the ZyWALL/USG authenticates the user name and password from the
remote IPSec router. You also have to select an AAA method, which specifies how the
ZyWALL/USG authenticates this information and who may be authenticated (Allowed
User).
Client Mode
Select this radio button if the ZyWALL/USG provides a username and password to the
remote IPSec router for authentication. You also have to provide the User Name and
the Password.
User Name
This field is required if the ZyWALL/USG is in Client Mode for extended authentication.
Type the user name the ZyWALL/USG sends to the remote IPSec router. The user name
can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed.
Password
This field is required if the ZyWALL/USG is in Client Mode for extended authentication.
Type the password the ZyWALL/USG sends to the remote IPSec router. The password
can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed.
Retype to Confirm
Type the exact same password again here to make sure an error was not made when
typing it originally.
OK
Click OK to save your settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
22.4 VPN Concentrator
A VPN concentrator combines several IPSec VPN connections into one secure network.
Figure 262 VPN Topologies (Fully Meshed and Hub and Spoke)
(1: fully meshed; 2: hub and spoke)
In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of
routers. In a hub-and-spoke VPN topology (2 in the figure), there is a VPN connection between
each spoke router (B, C, D, and E) and the hub router (A), which uses the VPN concentrator. The
VPN concentrator routes VPN traffic between the spoke routers and itself.
A VPN concentrator reduces the number of VPN connections that you have to set up and maintain in
the network. You might also be able to consolidate the policy routes in each spoke router,
depending on the IP addresses and subnets of each spoke.
However, a VPN concentrator is not for every situation. The hub router is a single failure point, so a
VPN concentrator is not as appropriate if the connection between spoke routers cannot be down
occasionally (maintenance, for example). There is also more burden on the hub router. It receives
VPN traffic from one spoke, decrypts it, inspects it to find out to which spoke to route it, encrypts it,
and sends it to the appropriate spoke. Therefore, a VPN concentrator is more suitable when there is
a minimum amount of traffic between spoke routers.
22.4.1 VPN Concentrator Requirements and Suggestions
Consider the following when using the VPN concentrator.
• The local IP addresses configured in the VPN rules should not overlap.
• The concentrator must have at least one separate VPN rule for each spoke. In the local policy,
specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel.
This may require you to use more than one VPN rule for each spoke.
• To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules
in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
• Your security policies can still block VPN packets.
22.4.2 VPN Concentrator Screen
The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL/USG. To
access this screen, click Configuration > VPN > IPSec VPN > Concentrator.
Figure 263 Configuration > VPN > IPSec VPN > Concentrator
Each field is discussed in the following table. See Section 22.4.3 on page 398 for more information.
Table 166 Configuration > VPN > IPSec VPN > Concentrator
LABEL
DESCRIPTION
IPv4/IPv6 Configuration
Choose to configure for IPv4 or IPv6 traffic.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This field is a sequential value, and it is not associated with a specific concentrator.
Name
This field displays the name of the VPN concentrator.
Group Members
These are the VPN connection policies that are part of the VPN concentrator.
22.4.3 The VPN Concentrator Add/Edit Screen
Use the VPN Concentrator Add/Edit screen to create or edit a VPN concentrator. To access this
screen, go to the VPN Concentrator summary screen (see Section 22.4 on page 397), and click
either the Add icon or an Edit icon.
Figure 264 Configuration > VPN > IPSec VPN > Concentrator > Add/Edit
Each field is described in the following table.
Table 167 VPN > IPSec VPN > Concentrator > Add/Edit
LABEL
DESCRIPTION
Name
Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores (_),
or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Member
Select the concentrator’s IPSec VPN connection policies.
Note: You must disable policy enforcement in each member. See Section 22.2.1 on page 382.
IPSec VPN connection policies that do not belong to a VPN concentrator appear under Available.
Select any VPN connection policies that you want to add to the VPN concentrator and click the
right arrow button to add them.
The VPN concentrator’s member VPN connections appear under Member. Select any VPN
connections that you want to remove from the VPN concentrator, and click the left arrow button
to remove them.
OK
Click OK to save your changes in the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving.
22.5 ZyWALL/USG IPSec VPN Client Configuration Provisioning
Use the Configuration > VPN > IPSec VPN > Configuration Provisioning screen to configure
who can retrieve VPN rule settings from the ZyWALL/USG using the ZyWALL/USG IPSec VPN Client.
In the ZyWALL/USG IPSec VPN Client, you just need to enter the IP address of the ZyWALL/USG to
get all the VPN rule settings automatically. You do not need to manually configure all rule settings in
the ZyWALL/USG IPSec VPN client.
VPN rules for the ZyWALL/USG IPSec VPN Client have certain restrictions. They must not contain
the following settings:
• AH active protocol
• NULL encryption
• SHA512 authentication
• A subnet or range remote policy
In the ZyWALL/USG Quick Setup wizard, you can use the VPN Settings for Configuration
Provisioning wizard to create a VPN rule that will not violate these restrictions.
Figure 265 Configuration > VPN > IPSec VPN > Configuration Provisioning
Each field is discussed in the following table.
Table 168 Configuration > VPN > IPSec VPN > Configuration Provisioning
LABEL
DESCRIPTION
Enable Configuration Provisioning
Select this for users to be able to retrieve VPN rule settings using the ZyWALL/USG IPSec
VPN client.
Client Authentication Method
Choose how users should be authenticated. They can be authenticated using the local
database on the ZyWALL/USG or an external authentication database such as LDAP, Active
Directory or RADIUS. default is a method you configured in Object > Auth Method. You
may configure multiple methods there. If you choose the local database on the ZyWALL/
USG, then configure users using the Object > User/Group screen. If you choose LDAP,
Active Directory or RADIUS authentication servers, then configure users on the respective
server.
Configuration
When you add or edit a configuration provisioning entry, you are allowed to set the VPN
Connection and Allowed User fields.
Duplicate entries are not allowed. You cannot select the same VPN Connection and
Allowed User pair in a new entry if the same pair exists in a previous entry.
You can bind different rules to the same user, but the ZyWALL/USG will only allow VPN rule
setting retrieval for the first match found.
Add
Click Add to bind a configured VPN rule to a user or group. Only that user or group may
then retrieve the specified VPN rule settings.
If you click Add without selecting an entry in advance then the new entry appears as the
first entry. Entry order is important as the ZyWALL/USG searches entries in the order listed
here to find a match. After a match is found, the ZyWALL/USG stops searching. If you want
to add an entry as number three for example, then first select entry 2 and click Add. To
reorder an entry, use Move.
Edit
Select an existing entry and click Edit to change its settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Activate
To turn on an entry, select it and click Activate. Make sure that Enable Configuration
Provisioning is also selected.
Inactivate
To turn off an entry, select it and click Inactivate.
Move
Use Move to reorder a selected entry. Select an entry, click Move, type the number where
the entry should be moved, press <ENTER>, then click Apply.
Status
This icon shows if the entry is active (yellow) or not (gray). VPN rule settings can only be
retrieved when the entry is activated (and Enable Configuration Provisioning is also
selected).
Priority
Priority shows the order of the entry in the list. Entry order is important as the ZyWALL/USG
searches entries in the order listed here to find a match. After a match is found the ZyWALL/
USG stops searching.
VPN Connection
This field shows all configured VPN rules that match the rule criteria for the ZyWALL/USG
IPSec VPN client. Select a rule to bind to the associated user or group.
Allowed User
Select which user or group of users is allowed to retrieve the associated VPN rule settings
using the ZyWALL/USG IPSec VPN client. A user may belong to a number of groups. If
entries are configured for different groups, the ZyWALL/USG will allow VPN rule setting
retrieval based on the first match found.
Users of type admin or limited-admin are not allowed.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
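The first-match search order described for the Configuration Provisioning table (Add, Move, Priority and Allowed User above) is easy to get wrong when a user belongs to several groups. The following is an added example, not ZyWALL/USG code: it models the table's rules (entries searched top to bottom, first match wins, duplicate VPN Connection / Allowed User pairs rejected, a new entry placed first unless an existing entry is selected, admin and limited-admin users refused). The rule names, user names and group names are constructed.

```python
"""Configuration Provisioning lookup order (added example, not ZyWALL/USG code).

Models the rules in Table 168: entries are searched top to bottom and the first
match wins; a duplicate (VPN Connection, Allowed User) pair is rejected; a new
entry goes to the top unless an existing entry was selected before Add; users of
type admin or limited-admin never retrieve a rule. All names are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    vpn_connection: str
    allowed_user: str          # a user name or a group name
    active: bool = True        # Activate / Inactivate


@dataclass
class User:
    name: str
    user_type: str = "user"    # "admin" and "limited-admin" are not allowed
    groups: Tuple[str, ...] = ()


class ProvisioningTable:
    def __init__(self, enabled: bool = True):
        self.enabled = enabled              # Enable Configuration Provisioning
        self.entries: List[Entry] = []      # list index + 1 == Priority

    def add(self, vpn_connection: str, allowed_user: str,
            after: Optional[int] = None) -> int:
        """Add an entry and return its 1-based priority.

        `after` is the priority of the entry selected before clicking Add;
        None means nothing was selected, so the new entry becomes entry 1.
        """
        if any(e.vpn_connection == vpn_connection and e.allowed_user == allowed_user
               for e in self.entries):
            raise ValueError("duplicate VPN Connection / Allowed User pair")
        pos = 0 if after is None else after
        self.entries.insert(pos, Entry(vpn_connection, allowed_user))
        return pos + 1

    def move(self, priority: int, new_priority: int) -> None:
        """Move: reorder a selected entry to the given priority number."""
        entry = self.entries.pop(priority - 1)
        self.entries.insert(new_priority - 1, entry)

    def lookup(self, user: User) -> Optional[str]:
        """VPN rule the client may retrieve for this user, or None.

        Stops at the first active entry whose Allowed User is the user or one
        of the user's groups, so entry order decides which rule is served.
        """
        if not self.enabled or user.user_type in ("admin", "limited-admin"):
            return None
        names = {user.name, *user.groups}
        for entry in self.entries:
            if entry.active and entry.allowed_user in names:
                return entry.vpn_connection
        return None


if __name__ == "__main__":
    table = ProvisioningTable()
    table.add("VPN-sales", "sales")                 # entry 1
    table.add("VPN-all", "staff")                   # nothing selected: becomes entry 1
    table.add("VPN-eng", "eng", after=2)            # entry 2 selected: becomes entry 3
    alice = User("alice", groups=("sales", "staff"))
    print("alice gets:", table.lookup(alice))       # first match in list order
    table.move(2, 1)
    print("after Move:", table.lookup(alice))
```

Because `lookup` stops at the first match, a broad group entry placed above a narrower one silently shadows it; checking the resolved rule for each affected user after every Move is the practical safeguard.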
22.6 IPSec VPN Background Information
Here is some more detailed IPSec VPN background information.
IKE SA Overview
The IKE SA provides a secure connection between the ZyWALL/USG and remote IPSec router.
It takes several steps to establish an IKE SA. The negotiation mode determines how many. There
are two negotiation modes: main mode and aggressive mode. Main mode provides better security,
while aggressive mode is faster.
Note: Both routers must use the same negotiation mode.
These modes are discussed in more detail in Negotiation Mode on page 405. Main mode is used in
various examples in the rest of this section.
The ZyWALL/USG supports IKEv1 and IKEv2. See Section 22.1 on page 376 for more information.
IP Addresses of the ZyWALL/USG and Remote IPSec Router
To set up an IKE SA, you have to specify the IP addresses of the ZyWALL/USG and remote IPSec
router. You can usually enter a static IP address or a domain name for either or both IP addresses.
Sometimes, your ZyWALL/USG might offer another alternative, such as using the IP address of a
port or interface, as well.
You can also specify the IP address of the remote IPSec router as 0.0.0.0. This means that the
remote IPSec router can have any IP address. In this case, only the remote IPSec router can initiate
an IKE SA because the ZyWALL/USG does not know the IP address of the remote IPSec router. This
is often used for telecommuters.
IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and
Diffie-Hellman (DH) key group that the ZyWALL/USG and remote IPSec router use in the IKE SA. In
main mode, this is done in steps 1 and 2, as illustrated next.
Figure 266 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
(Step 1: X sends one or more proposals, each consisting of an encryption algorithm, an
authentication algorithm, and a Diffie-Hellman key group. Step 2: Y replies.)
The ZyWALL/USG sends one or more proposals to the remote IPSec router. (In some devices, you
can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication
algorithm, and DH key group that the ZyWALL/USG wants to use in the IKE SA. The remote IPSec
router selects an acceptable proposal and sends the accepted proposal back to the ZyWALL/USG. If
the remote IPSec router rejects all of the proposals, the ZyWALL/USG and remote IPSec router
cannot establish an IKE SA.
Note: Both routers must use the same encryption algorithm, authentication algorithm,
and DH key group.
In most ZyWALL/USGs, you can select one of the following encryption algorithms for each proposal.
The algorithms are listed in order from weakest to strongest.
• Data Encryption Standard (DES) is a widely used method of data encryption. It applies a 56-bit
key to each 64-bit block of data.
• Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively
tripling the strength of DES.
• Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a
secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES.
Some ZyWALL/USGs also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit
blocks of data.
In most ZyWALL/USGs, you can select one of the following authentication algorithms for each
proposal. The algorithms are listed in order from weakest to strongest.
• MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
• SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
• SHA256 (Secure Hash Algorithm) produces a 256-bit digest to authenticate packet data.
• SHA512 (Secure Hash Algorithm) produces a 512-bit digest to authenticate packet data.
See Diffie-Hellman (DH) Key Exchange on page 403 for more information about DH key groups.
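The proposal exchange in steps 1 and 2, and the weakest-to-strongest orderings just listed, can be modelled as a small selection routine. This is an added example, not ZyWALL/USG code: the responder accepts the first offered proposal that it is also configured with, or rejects them all, and a separate strength floor shows why the responder's own configuration, not the initiator's list order, should decide which proposal wins. The sample proposal lists and the policy floor are constructed.

```python
"""IKE SA proposal selection and strength policy (added example, not ZyWALL/USG code).

Models steps 1-2: the initiator offers an ordered list of proposals; the
responder accepts the first one it is also configured with, otherwise no IKE SA
can be established. The component orderings follow the weakest-to-strongest
lists in the guide; the sample proposals and the policy floor are constructed.
"""
from typing import NamedTuple, Optional, Sequence, Tuple


class Proposal(NamedTuple):
    encryption: str      # DES, 3DES, AES128, AES192, AES256
    authentication: str  # MD5, SHA1, SHA256, SHA512
    dh_group: str        # DH1, DH2, DH5


# Weakest to strongest, as listed in the guide.
ENCRYPTION_ORDER = ("DES", "3DES", "AES128", "AES192", "AES256")
AUTH_ORDER = ("MD5", "SHA1", "SHA256", "SHA512")
DH_ORDER = ("DH1", "DH2", "DH5")


def rank(p: Proposal) -> Tuple[int, int, int]:
    """Position of each component in its weakest-to-strongest list.

    Raises ValueError for a name the guide does not list.
    """
    return (ENCRYPTION_ORDER.index(p.encryption),
            AUTH_ORDER.index(p.authentication),
            DH_ORDER.index(p.dh_group))


def meets_floor(p: Proposal, floor: Proposal) -> bool:
    """True when every component of p is at least as strong as the floor's."""
    return all(got >= need for got, need in zip(rank(p), rank(floor)))


def select_proposal(offered: Sequence[Proposal],
                    acceptable: Sequence[Proposal]) -> Optional[Proposal]:
    """Responder side of step 2: first offered proposal that is also acceptable.

    All three components must match; a proposal that differs only in the DH
    group is a different proposal. Returns None when every proposal is
    rejected, in which case the two routers cannot establish an IKE SA.
    """
    allowed = set(acceptable)
    for p in offered:
        if p in allowed:
            return p
    return None


def negotiate(offered: Sequence[Proposal], acceptable: Sequence[Proposal],
              floor: Proposal) -> Optional[Proposal]:
    """Filter the responder's configured set by a minimum strength, then select.

    A weak proposal can then never win merely because the initiator lists it
    first; it has to be absent from the responder's configuration.
    """
    strong_enough = [p for p in acceptable if meets_floor(p, floor)]
    return select_proposal(offered, strong_enough)


# Constructed sample configuration.
INITIATOR_OFFERS = [
    Proposal("DES", "MD5", "DH1"),
    Proposal("AES128", "SHA1", "DH2"),
    Proposal("AES256", "SHA256", "DH5"),
]
RESPONDER_ACCEPTS = [
    Proposal("AES256", "SHA256", "DH5"),
    Proposal("AES128", "SHA1", "DH2"),
    Proposal("DES", "MD5", "DH1"),
]
POLICY_FLOOR = Proposal("AES128", "SHA256", "DH2")

if __name__ == "__main__":
    print("no floor  :", select_proposal(INITIATOR_OFFERS, RESPONDER_ACCEPTS))
    print("with floor:", negotiate(INITIATOR_OFFERS, RESPONDER_ACCEPTS, POLICY_FLOOR))
```

With the constructed lists, the plain selection returns the DES/MD5/DH1 proposal because the initiator offered it first and the responder still lists it; applying the floor removes it from the responder's set and the AES256/SHA256/DH5 proposal is chosen instead. The practical lesson is that the responder's configured proposal list is the real policy, and entries left in it for legacy reasons remain selectable.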
Diffie-Hellman (DH) Key Exchange
The ZyWALL/USG and the remote IPSec router use DH public-key cryptography to establish a
shared secret. The shared secret is then used to generate encryption keys for the IKE SA and IPSec
SA. In main mode, this is done in steps 3 and 4, as illustrated next.
Figure 267 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange
(Steps 3 and 4: Diffie-Hellman key exchange between X and Y.)
DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits
long. The longer the key, the more secure the encryption, but also the longer it takes to encrypt
and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768
bits), but DH2 keys take longer to encrypt and decrypt.
Authentication
Before the ZyWALL/USG and remote IPSec router establish an IKE SA, they have to verify each
other’s identity. This process is based on pre-shared keys and router identities.
In main mode, the ZyWALL/USG and remote IPSec router authenticate each other in steps 5 and 6,
as illustrated below. The identities are also encrypted using the encryption algorithm and
encryption key the ZyWALL/USG and remote IPSec router selected in previous steps.
Figure 268 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued)
(Step 5: X sends its identity, consisting of ID type and content, authenticated with the
pre-shared key. Step 6: Y sends its identity, consisting of ID type and content,
authenticated with the pre-shared key.)
You have to create (and distribute) a pre-shared key. The ZyWALL/USG and remote IPSec router
use it in the authentication process, though it is not actually transmitted or exchanged.
Note: The ZyWALL/USG and the remote IPSec router must use the same pre-shared key.
Router identity consists of ID type and content. The ID type can be domain name, IP address, or
e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail
address. The content is only used for identification. Any domain name or e-mail address that you
enter does not have to actually exist. Similarly, any domain name or IP address that you enter does
not have to correspond to the ZyWALL/USG’s or remote IPSec router’s properties.
The ZyWALL/USG and the remote IPSec router have their own identities, so both of them must
store two sets of information, one for themselves and one for the other router. Local ID type and
content refers to the ID type and content that applies to the router itself, and peer ID type and
content refers to the ID type and content that applies to the other router.
Note: The ZyWALL/USG’s local and peer ID type and content must match the remote
IPSec router’s peer and local ID type and content, respectively.
For example, in Table 169 on page 404, the ZyWALL/USG and the remote IPSec router authenticate
each other successfully. In contrast, in Table 170 on page 405, the ZyWALL/USG and the remote
IPSec router cannot authenticate each other and, therefore, cannot establish an IKE SA.
Table 169 VPN Example: Matching ID Type and Content
ZYWALL/USG                            REMOTE IPSEC ROUTER
Local ID type: E-mail                 Local ID type: IP
Local ID content: [email protected]   Local ID content: 1.1.1.2
Peer ID type: IP                      Peer ID type: E-mail
Peer ID content: 1.1.1.2              Peer ID content: [email protected]
Table 170 VPN Example: Mismatching ID Type and Content
ZYWALL/USG                            REMOTE IPSEC ROUTER
Local ID type: E-mail                 Local ID type: IP
Local ID content: [email protected]   Local ID content: 1.1.1.2
Peer ID type: IP                      Peer ID type: E-mail
Peer ID content: 1.1.1.20             Peer ID content: [email protected]
It is also possible to configure the ZyWALL/USG to ignore the identity of the remote IPSec router. In
this case, you usually set the peer ID type to Any. This is less secure, so you should only use this if
your ZyWALL/USG provides another way to check the identity of the remote IPSec router (for
example, extended authentication) or if you are troubleshooting a VPN tunnel.
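The cross-matching rule behind Table 169 and Table 170 (each router's local ID must equal the other router's peer ID, unless the checking side's peer ID type is Any) is captured by the following added example. It is not ZyWALL/USG code; it applies the trailing-space truncation and IP-address comparison implied by the field descriptions earlier in this chapter. The e-mail address and IP addresses used as sample input are constructed placeholders, not values from the tables.

```python
"""Local/peer ID cross-check for IKE authentication (added example, not ZyWALL/USG code).

Encodes the rule under Table 169/170: the ZyWALL/USG's local ID must equal the
remote router's peer ID and the remote router's local ID must equal the
ZyWALL/USG's peer ID. A peer ID type of Any disables that side's check.
Sample identities below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouterIds:
    local_id_type: str      # "IP", "DNS" or "E-mail"
    local_id_content: str
    peer_id_type: str       # "IP", "DNS", "E-mail" or "Any"
    peer_id_content: str


def _normalise(id_type: str, content: str) -> str:
    """Trailing spaces are truncated; IP content compares as an address, not text."""
    content = content.rstrip(" ")
    if id_type == "IP":
        return str(ipaddress.ip_address(content))   # "001.1.1.2" style variants collapse
    return content


def side_accepts(expected_type: str, expected_content: str,
                 presented_type: str, presented_content: str) -> bool:
    """One router compares the identity it received with its own peer ID settings."""
    if expected_type == "Any":
        return True     # identity not checked at all (less secure, see the text above)
    if expected_type != presented_type:
        return False    # same content under a different ID type does not match
    return _normalise(expected_type, expected_content) == \
        _normalise(presented_type, presented_content)


def identities_match(zywall: RouterIds, remote: RouterIds) -> bool:
    """True when both directions of the cross-check succeed."""
    zywall_ok = side_accepts(zywall.peer_id_type, zywall.peer_id_content,
                             remote.local_id_type, remote.local_id_content)
    remote_ok = side_accepts(remote.peer_id_type, remote.peer_id_content,
                             zywall.local_id_type, zywall.local_id_content)
    return zywall_ok and remote_ok


# Constructed sample values in the shape of Table 169 / Table 170.
EMAIL = "tim@example.com"
ZYWALL = RouterIds("E-mail", EMAIL, "IP", "1.1.1.2")
ZYWALL_WRONG_PEER = RouterIds("E-mail", EMAIL, "IP", "1.1.1.20")
ZYWALL_ANY = RouterIds("E-mail", EMAIL, "Any", "")
REMOTE = RouterIds("IP", "1.1.1.2", "E-mail", EMAIL)

if __name__ == "__main__":
    print("Table 169 shape:", identities_match(ZYWALL, REMOTE))
    print("Table 170 shape:", identities_match(ZYWALL_WRONG_PEER, REMOTE))
    print("peer ID Any    :", identities_match(ZYWALL_ANY, REMOTE))
```

Note that the Any case passes the check even though nothing about the remote router was verified; when reviewing a gateway configuration, a peer ID type of Any is worth flagging unless extended authentication or certificates are in use.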
Additional Topics for IKE SA
This section provides more information about IKE SA.
Negotiation Mode
There are two negotiation modes: main mode and aggressive mode. Main mode provides better
security, while aggressive mode is faster.
Main mode takes six steps to establish an IKE SA.
Steps 1 - 2: The ZyWALL/USG sends its proposals to the remote IPSec router. The remote IPSec
router selects an acceptable proposal and sends it back to the ZyWALL/USG.
Steps 3 - 4: The ZyWALL/USG and the remote IPSec router exchange pre-shared keys for
authentication and participate in a Diffie-Hellman key exchange, based on the accepted DH key
group, to establish a shared secret.
Steps 5 - 6: Finally, the ZyWALL/USG and the remote IPSec router generate an encryption key
(from the shared secret), encrypt their identities, and exchange their encrypted identity
information for authentication.
In contrast, aggressive mode only takes three steps to establish an IKE SA. Aggressive mode does
not provide as much security because the identity of the ZyWALL/USG and the identity of the
remote IPSec router are not encrypted. It is usually used in remote-access situations, where the
address of the initiator is not known by the responder and both parties want to use pre-shared keys
for authentication. For example, the remote IPSec router may be a telecommuter who does not
have a static IP address.
VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router Y.
Figure 269 VPN/NAT Example (router X, NAT router A, and router Y in a line)
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and
router Y try to establish a VPN tunnel, the authentication fails because it depends on this
information. The routers cannot establish a VPN tunnel.
Most routers like router A now have an IPSec pass-thru feature. This feature helps router A
recognize VPN packets and route them appropriately. If router A has this feature, router X and
router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Active Protocol on
page 407 for more information about active protocols.)
If router A does not have an IPSec pass-thru or if the active protocol is AH, you can solve this
problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra header to
the IKE SA and IPSec SA packets. If you configure router A to forward these packets unchanged,
router X and router Y can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
• Enable NAT traversal on the ZyWALL/USG and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged. (See the field
description for detailed information about the extra header.)
The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the
ZyWALL/USG and remote IPSec router support.
X-Auth / Extended Authentication
X-Auth / Extended authentication is often used when multiple IPSec routers use the same VPN
tunnel to connect to a single IPSec router. For example, this might be used with telecommuters.
In extended authentication, one of the routers (the ZyWALL/USG or the remote IPSec router)
provides a user name and password to the other router, which uses a local user database and/or an
external server to verify the user name and password. If the user name or password is wrong, the
routers do not establish an IKE SA.
You can set up the ZyWALL/USG to provide a user name and password to the remote IPSec router,
or you can set up the ZyWALL/USG to check a user name and password that is provided by the
remote IPSec router.
If you use extended authentication, it takes four more steps to establish an IKE SA. These steps
occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in
aggressive mode).
Certificates
It is possible for the ZyWALL/USG and remote IPSec router to authenticate each other with
certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote
identity because the certificates provide this information instead.
• Instead of using the pre-shared key, the ZyWALL/USG and remote IPSec router check the
signatures on each other’s certificates. Unlike pre-shared keys, the signatures do not have to
match.
• The local and peer ID type and content come from the certificates.
Note: You must set up the certificates for the ZyWALL/USG and remote IPSec router first.
IPSec SA Overview
Once the ZyWALL/USG and remote IPSec router have established the IKE SA, they can securely
negotiate an IPSec SA through which to send data between computers on the networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available
anymore.
This section introduces the key components of an IPSec SA.
Local Network and Remote Network
In an IPSec SA, the local network, the one(s) connected to the ZyWALL/USG, may be called the
local policy. Similarly, the remote network, the one(s) connected to the remote IPSec router, may
be called the remote policy.
Active Protocol
The active protocol controls the format of each packet. It also specifies how much of each packet is
protected by the encryption and authentication algorithms. IPSec VPN includes two active
protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC
2406).
Note: The ZyWALL/USG and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.
Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more
secure. Transport mode is only used when the IPSec SA is used for communication between the
ZyWALL/USG and remote IPSec router (for example, for remote management), not between
computers on the local and remote networks.
Note: The ZyWALL/USG and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
Figure 270 VPN: Transport and Tunnel Mode Encapsulation
Original Packet:       | IP Header | TCP Header | Data |
Transport Mode Packet: | IP Header | AH/ESP Header | TCP Header | Data |
Tunnel Mode Packet:    | IP Header | AH/ESP Header | IP Header | TCP Header | Data |
In tunnel mode, the ZyWALL/USG uses the active protocol to encapsulate the entire IP packet. As a
result, there are two IP headers:
• Outside header: The outside IP header contains the IP address of the ZyWALL/USG or remote
IPSec router, whichever is the destination.
• Inside header: The inside IP header contains the IP address of the computer behind the ZyWALL/
USG or remote IPSec router. The header for the active protocol (AH or ESP) appears between the
IP headers.
In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL/USG
includes part of the original IP header when it encapsulates the packet. With ESP, however, the
ZyWALL/USG does not include the IP header when it encapsulates the packet, so it is not possible
to verify the integrity of the source IP address.
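To make the integrity-scope difference concrete, here is an added Python example (not code from the ZyXEL guide or from the ZyWALL/USG itself). It builds simplified ESP and AH packets with HMAC-SHA-256 as the integrity algorithm, then shows that rewriting the outer source address, as a NAT device does in transit, leaves the ESP check valid in both modes (the reason ESP is the better fit with NAT, and also why ESP transport mode cannot vouch for the source address it carries) while the same rewrite breaks AH, and that a change to the inner IP header of a tunnel-mode packet is detected. The addresses, SPIs, key and TCP segment are constructed sample values; encryption is left out because only the authenticated span matters here.

```python
import hashlib
import hmac
import struct

# Constructed integrity key for this demo only; a real SA gets its keys from IKE.
AUTH_KEY = b"demo-integrity-key-not-for-real-use"
ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868): the tag is truncated to 128 bits


def _addr(a: str) -> bytes:
    return bytes(int(octet) for octet in a.split("."))


def ipv4_header(src: str, dst: str, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       _addr(src), _addr(dst))


def _icv(data: bytes) -> bytes:
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


# ---- ESP (IP protocol 50): the ICV covers SPI, sequence number and payload ----

def esp_packet(outer_hdr: bytes, protected: bytes, spi: int, seq: int) -> bytes:
    """outer IP header | SPI | seq | protected payload | ICV.
    The outer IP header is never part of the ICV computation."""
    esp = struct.pack("!II", spi, seq) + protected
    return outer_hdr + esp + _icv(esp)


def esp_transport(orig_hdr: bytes, tcp_segment: bytes, spi: int, seq: int) -> bytes:
    # Transport mode: the original IP header is reused as the outer header and
    # stays outside the protected span; only the TCP segment is covered.
    return esp_packet(orig_hdr, tcp_segment, spi, seq)


def esp_tunnel(gw_hdr: bytes, orig_hdr: bytes, tcp_segment: bytes,
               spi: int, seq: int) -> bytes:
    # Tunnel mode: the whole original packet, its IP header included, becomes
    # the protected payload behind a new gateway-to-gateway IP header.
    return esp_packet(gw_hdr, orig_hdr + tcp_segment, spi, seq)


def esp_verify(pkt: bytes) -> bool:
    return hmac.compare_digest(_icv(pkt[20:-ICV_LEN]), pkt[-ICV_LEN:])


# ---- AH (IP protocol 51): the ICV also covers immutable IP header fields ----

def ah_transport(orig_hdr: bytes, tcp_segment: bytes, spi: int, seq: int) -> bytes:
    """IP header | AH (next=TCP, length, reserved, SPI, seq, ICV) | TCP segment.
    Simplified: of the IP header only the two addresses are treated as immutable."""
    ah = struct.pack("!BBHII", 6, 5, 0, spi, seq)
    return orig_hdr + ah + _icv(orig_hdr[12:20] + ah + tcp_segment) + tcp_segment


def ah_verify(pkt: bytes) -> bool:
    hdr, ah, icv, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    return hmac.compare_digest(_icv(hdr[12:20] + ah + payload), icv)


def rewrite_src(pkt: bytes, new_src: str, hdr_offset: int = 0) -> bytes:
    """Overwrite the source address of the IPv4 header that starts at hdr_offset
    (with hdr_offset 0 this is what a NAT device does to the outer header)."""
    pos = hdr_offset + 12
    return pkt[:pos] + _addr(new_src) + pkt[pos + 4:]


def demo() -> dict:
    tcp = b"\x00\x50\x00\x19" + b"mail data"                   # constructed TCP stub
    host_hdr = ipv4_header("192.168.1.10", "172.16.1.20", 6)   # host-to-host
    gw_hdr = ipv4_header("1.2.3.4", "2.2.2.2", 50)             # gateway-to-gateway
    t = esp_transport(host_hdr, tcp, 0x1001, 1)
    u = esp_tunnel(gw_hdr, host_hdr, tcp, 0x1002, 1)
    a = ah_transport(host_hdr, tcp, 0x1003, 1)
    return {
        "all_verify_untouched": esp_verify(t) and esp_verify(u) and ah_verify(a),
        # NAT rewriting the outer source leaves ESP's ICV valid in both modes,
        # so ESP transport mode cannot vouch for the source address it carries.
        "esp_transport_after_nat": esp_verify(rewrite_src(t, "203.0.113.7")),
        "esp_tunnel_after_nat": esp_verify(rewrite_src(u, "203.0.113.7")),
        # The inner header of a tunnel packet starts after 20 + 8 bytes and is
        # inside the protected span, so changing it is detected.
        "esp_tunnel_inner_changed": esp_verify(rewrite_src(u, "10.9.9.9", 28)),
        # AH covers the addresses, so the same NAT rewrite breaks it.
        "ah_transport_after_nat": ah_verify(rewrite_src(a, "203.0.113.7")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last result is the one behind the note that ESP "is more suitable with NAT": an AH packet that crosses a NAT device arrives with a broken ICV and is discarded, whereas ESP keeps working, at the price that the outer source address is not authenticated in transport mode.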
IPSec SA Proposal and Perfect Forward Secrecy
An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal on page 402), except
that you also have the choice whether or not the ZyWALL/USG and remote IPSec router perform a
new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy
(PFS).
If you enable PFS, the ZyWALL/USG and remote IPSec router perform a DH key exchange every
time an IPSec SA is established, changing the root key from which encryption keys are generated.
As a result, if one encryption key is compromised, other encryption keys remain secure.
If you do not enable PFS, the ZyWALL/USG and remote IPSec router use the same root key that
was generated when the IKE SA was established to generate encryption keys.
The DH key exchange is time-consuming and may be unnecessary for data that does not require
such security.
PFS is ignored in initial IKEv2 authentication but is used when reauthenticating.
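What PFS changes in the key derivation, shown as an added Python example (not from the ZyXEL guide or the ZyWALL/USG). It follows the IKEv2 formula in RFC 7296 section 2.17, where the IPSec SA key material is prf+(SK_d, Ni | Nr) without PFS and prf+(SK_d, g^ir (new) | Ni | Nr) with it, using HMAC-SHA-256 as the prf and a deliberately tiny 64-bit Diffie-Hellman group that is for illustration only. Both gateways agree on the key either way, but only without PFS does the IKE SA root key SK_d together with the nonces exchanged on the wire determine the IPSec SA key.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: the 64-bit prime 2**64 - 59
# with generator 2. Real IKE uses the RFC 3526 MODP or elliptic-curve groups.
P = 2**64 - 59
G = 2


def dh_keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(8, "big")


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir_new: bytes = b"") -> bytes:
    """First prf+ block of the IPSec SA key material (RFC 7296, section 2.17):
    KEYMAT = prf+(SK_d, Ni | Nr)                 without PFS
    KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)    with PFS
    where the first block is T1 = prf(K, S | 0x01); HMAC-SHA-256 is the prf here."""
    return hmac.new(sk_d, g_ir_new + ni + nr + b"\x01", hashlib.sha256).digest()


def negotiate_child_sa(sk_d: bytes, pfs: bool) -> tuple[tuple[bytes, bytes], dict]:
    """Return the keys computed by initiator and responder for a new IPSec SA,
    plus the values an observer of the exchange sees (nonces and, with PFS,
    the public DH values)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    transcript = {"ni": ni, "nr": nr}
    if not pfs:
        k = child_keymat(sk_d, ni, nr)
        return (k, k), transcript
    i_priv, i_pub = dh_keypair()      # fresh exponents, discarded after use
    r_priv, r_pub = dh_keypair()
    transcript.update({"i_pub": i_pub, "r_pub": r_pub})
    k_i = child_keymat(sk_d, ni, nr, dh_shared(i_priv, r_pub))
    k_r = child_keymat(sk_d, ni, nr, dh_shared(r_priv, i_pub))
    return (k_i, k_r), transcript


def derive_from_root_only(sk_d: bytes, transcript: dict) -> bytes:
    """What SK_d plus the observable transcript determines. The public DH values,
    if present, do not yield g^ir without one of the private exponents."""
    return child_keymat(sk_d, transcript["ni"], transcript["nr"])


def demo() -> dict:
    sk_d = secrets.token_bytes(32)   # root key established with the IKE SA
    (k_i, k_r), pfs_transcript = negotiate_child_sa(sk_d, pfs=True)
    (n_i, n_r), plain_transcript = negotiate_child_sa(sk_d, pfs=False)
    return {
        "pfs_peers_agree": k_i == k_r,
        "no_pfs_peers_agree": n_i == n_r,
        # Without PFS, anyone who later obtains SK_d can recompute the SA key.
        "no_pfs_key_follows_from_sk_d": derive_from_root_only(sk_d, plain_transcript) == n_i,
        # With PFS the SA key also depends on a DH secret that SK_d says nothing about.
        "pfs_key_follows_from_sk_d": derive_from_root_only(sk_d, pfs_transcript) == k_i,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```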
Additional Topics for IPSec SA
This section provides more information about IPSec SA in your ZyWALL/USG.
Authentication and the Security Parameter Index (SPI)
For authentication, the ZyWALL/USG and remote IPSec router use the SPI, instead of pre-shared
keys, ID type and content. The SPI is an identification number.
Note: The ZyWALL/USG and remote IPSec router must use the same SPI.
NAT for Inbound and Outbound Traffic
The ZyWALL/USG can translate the following types of network addresses in IPSec SA.
• Source address in outbound packets - this translation is necessary if you want the ZyWALL/USG
to route packets from computers outside the local network through the IPSec SA.
• Source address in inbound packets - this translation hides the source address of computers in the
remote network.
• Destination address in inbound packets - this translation is used if you want to forward packets
(for example, mail) from the remote network to a specific computer (like the mail server) in the
local network.
Each kind of translation is explained below. The following example is used to help explain each one.
Figure 271 VPN Example: NAT for Inbound and Outbound Traffic
Source Address in Outbound Packets (Outbound Traffic, Source NAT)
This translation lets the ZyWALL/USG route packets from computers that are not part of the
specified local network (local policy) through the IPSec SA. For example, in Figure 271 on page
409, you have to configure this kind of translation if you want computer M to establish a connection
with any computer in the remote network (B). If you do not configure it, the remote IPSec router
may not route messages for computer M through the IPSec SA because computer M’s IP address is
not part of its local policy.
To set up this NAT, you have to specify the following information:
• Source - the original source address; most likely, computer M’s network.
• Destination - the original destination address; the remote network (B).
• SNAT - the translated source address; the local network (A).
Source Address in Inbound Packets (Inbound Traffic, Source NAT)
You can set up this translation if you want to change the source address of computers in the remote
network. To set up this NAT, you have to specify the following information:
• Source - the original source address; the remote network (B).
• Destination - the original destination address; the local network (A).
• SNAT - the translated source address; a different IP address (range of addresses) to hide the
original source address.
Destination Address in Inbound Packets (Inbound Traffic, Destination NAT)
You can set up this translation if you want the ZyWALL/USG to forward some packets from the
remote network to a specific computer in the local network. For example, in Figure 271 on page
409, you can configure this kind of translation if you want to forward mail from the remote network
to the mail server in the local network (A).
You have to specify one or more rules when you set up this kind of NAT. The ZyWALL/USG checks
these rules similar to the way it checks rules for a security policy. The first part of these rules defines
the conditions in which the rule applies.
• Original IP - the original destination address; the remote network (B).
• Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection.
• Original Port - the original destination port or range of destination ports; in Figure 271 on page
409, it might be port 25 for SMTP.
The second part of these rules controls the translation when the condition is satisfied.
• Mapped IP - the translated destination address; in Figure 271 on page 409, the IP address of the
mail server in the local network (A).
• Mapped Port - the translated destination port or range of destination ports.
The original port range and the mapped port range must be the same size.
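How the destination NAT rules above can be evaluated, as an added Python example that is not the ZyWALL/USG's own implementation. Each rule carries the condition fields (Original IP, Protocol, Original Port) and the translation fields (Mapped IP, Mapped Port), the constructor rejects port ranges of different sizes, and rules are tried in order with the first match deciding, the way the text describes for security policy rules. The addresses and ports are constructed sample values, not those of Figure 271.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DnatRule:
    # Condition part: what the inbound packet must look like for the rule to apply
    original_ip: str       # Original IP: original destination network, e.g. "10.20.0.0/24"
    protocol: str          # Protocol: "tcp", "udp" or "both"
    original_ports: range  # Original Port: original destination port(s)
    # Translation part: what the ZyWALL/USG rewrites the destination to
    mapped_ip: str         # Mapped IP: translated destination, e.g. the mail server
    mapped_ports: range    # Mapped Port: translated destination port(s)

    def __post_init__(self) -> None:
        if self.protocol not in ("tcp", "udp", "both"):
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        # The manual's constraint: both port ranges must be the same size.
        if len(self.original_ports) != len(self.mapped_ports):
            raise ValueError("original and mapped port ranges must be the same size")
        ipaddress.IPv4Network(self.original_ip)   # fail early on malformed addresses
        ipaddress.IPv4Address(self.mapped_ip)

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        return (self.protocol in ("both", proto)
                and ipaddress.IPv4Address(dst_ip) in ipaddress.IPv4Network(self.original_ip)
                and dst_port in self.original_ports)

    def translate(self, dst_port: int) -> Tuple[str, int]:
        # Same-size ranges: a port maps to the mapped port at the same offset.
        offset = dst_port - self.original_ports.start
        return self.mapped_ip, self.mapped_ports.start + offset


def apply_inbound_dnat(rules: List[DnatRule], proto: str, dst_ip: str,
                       dst_port: int) -> Optional[Tuple[str, int]]:
    """Try the rules in order; the first matching rule decides, as with security
    policy rules. None means the packet keeps its original destination."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.translate(dst_port)
    return None


# Constructed example rules (sample addresses, not the ones in Figure 271):
# SMTP arriving for 10.20.0.0/24 goes to the mail server 192.168.1.25 in LAN (A);
# the ten-port block 8000-8009 is shifted to 9000-9009 on 192.168.1.30.
RULES = [
    DnatRule("10.20.0.0/24", "tcp", range(25, 26), "192.168.1.25", range(25, 26)),
    DnatRule("10.20.0.0/24", "both", range(8000, 8010), "192.168.1.30", range(9000, 9010)),
]

if __name__ == "__main__":
    for pkt in [("tcp", "10.20.0.5", 25), ("udp", "10.20.0.5", 25),
                ("udp", "10.20.0.5", 8003), ("tcp", "10.99.0.5", 25)]:
        print(pkt, "->", apply_inbound_dnat(RULES, *pkt))
```

A UDP packet to port 25 is left untranslated because the first rule is TCP-only, and a packet whose destination lies outside the Original IP network never matches at all; both end up at the original destination, which the security policy then judges on its own.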
IPSec VPN Example Scenario
Here is an example of a site-to-site IPSec VPN scenario.
Figure 272 IPSec VPN Example: two LANs, 192.168.1.0/24 and 172.16.1.0/24, joined by a site-to-site tunnel between the gateway addresses 1.2.3.4 and 2.2.2.2
CHAPTER 23
SSL VPN
23.1 Overview
Use SSL VPN to allow users to use a web browser for secure remote user login. The remote users
do not need a VPN router or VPN client software.
23.1.1 What You Can Do in this Chapter
• Use the VPN > SSL VPN > Access Privilege screens (see Section 23.2 on page 412) to
configure SSL access policies.
• Use the VPN > SSL VPN > Global Setting screen (see Section 23.3 on page 416) to set
the IP address of the ZyWALL/USG (or a gateway device) on your network for full tunnel mode
access, enter access messages or upload a custom logo to be displayed on the remote user
screen.
• Use the VPN > SSL VPN > SecuExtender screen (see Section 23.4 on page 418) to update
and check the current and latest version of the Security Extender.
23.1.2 What You Need to Know
Full Tunnel Mode
In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the
same subnet as the local network. This allows them to access network resources in the same way
as if they were part of the internal network.
Figure 273 Network Access Mode: Full Tunnel Mode
SSL Access Policy
An SSL access policy allows the ZyWALL/USG to perform the following tasks:
• limit user access to specific applications or file sharing server on the network.
• allow user access to specific networks.
• assign private IP addresses and provide DNS/WINS server information to remote users to access
internal networks.
SSL Access Policy Objects
The SSL access policies reference the following objects. If you update an object, the ZyWALL/USG
automatically propagates the change to the SSL policies that use it. When you delete an SSL
policy, the objects are not removed.
Table 171 Objects
OBJECT | OBJECT TYPE (SCREEN) | DESCRIPTION
User Accounts | User Account/User Group | Configure a user account or user group to which you want to apply this SSL access policy.
Application | SSL Application | Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access.
IP Pool | Address | Configure an address object that defines a range of private IP addresses to assign to user computers so they can access the internal network through a VPN connection.
Server Addresses | Address | Configure address objects for the IP addresses of the DNS and WINS servers that the ZyWALL/USG sends to the VPN connection users.
VPN Network | Address | Configure an address object to specify which network segment users are allowed to access through a VPN connection.
You cannot delete an object that is referenced by an SSL access policy. To delete the object, you
must first unassociate the object from the SSL access policy.
23.2 The SSL Access Privilege Screen
Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL
access policies.
Figure 274 VPN > SSL VPN > Access Privilege
The following table describes the labels in this screen.
Table 172 VPN > SSL VPN > Access Privilege
LABEL | DESCRIPTION
Access Policy Summary | This screen shows a summary of SSL VPN policies created.
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove | To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
Activate | To turn on an entry, select it and click Activate.
Inactivate | To turn off an entry, select it and click Inactivate.
Move | To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the entry.
Object References | Select an entry and click Object References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen.
# | This field displays the index number of the entry.
Status | This icon is lit when the entry is active and dimmed when the entry is inactive.
Name | This field displays the descriptive name of the SSL access policy for identification purposes.
User/Group | This field displays the user account or user group name(s) associated to an SSL access policy. Click on the VPN icon to go to the ZyXEL VPN Client product page at the ZyXEL website. This field displays up to three names.
Access Policy Summary | This field displays details about the SSL application object this policy uses including its name, type, and address.
Apply | Click Apply to save the settings.
Reset | Click Reset to discard all changes.
23.2.1 The SSL Access Privilege Policy Add/Edit Screen
To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access
Privilege screen.
Figure 275 VPN > SSL VPN > Add/Edit
The following table describes the labels in this screen.
Table 173 VPN > SSL VPN > Access Privilege > Add/Edit
LABEL | DESCRIPTION
Create new Object | Use to configure any new settings objects that you need to use in this screen.
Configuration |
Enable Policy | Select this option to activate this SSL access policy.
Name | Enter a descriptive name to identify this policy. You can enter up to 31 characters (“a-z”, “A-Z”, “0-9”) with no spaces allowed.
Zone | Select the zone to which to add this SSL access policy. You use zones to apply security settings such as security policy and remote management.
Description | Enter additional information about this SSL access policy. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_").
User/Group | The Selectable User/Group Objects list displays the name(s) of the user account and/or user group(s) to which you have not applied an SSL access policy yet. To associate a user or user group to this SSL access policy, select a user account or user group and click the right arrow button to add to the Selected User/Group Objects list. You can select more than one name. To remove a user or user group, select the name(s) in the Selected User/Group Objects list and click the left arrow button. Note: Although you can select admin and limited-admin accounts in this screen, they are reserved for device configuration only. You cannot use them to access the SSL VPN portal.
SSL Application List (Optional) | The Selectable Application Objects list displays the name(s) of the SSL application(s) you can select for this SSL access policy. To associate an SSL application to this SSL access policy, select a name and click the right arrow button to add to the Selected Application Objects list. You can select more than one application. To remove an SSL application, select the name(s) in the Selected Application Objects list and click the left arrow button. Note: To allow access to shared files on a Windows 7 computer, within Windows 7 you must enable sharing on the folder and also go to the Network and Sharing Center’s Advanced sharing settings and turn on the current network profile’s file and printer sharing.
Network Extension (Optional) |
Enable Network Extension | Select this option to create a VPN tunnel between the authenticated users and the internal network. This allows the users to access the resources on the network as if they were on the same local network. This includes access to resources not supported by SSL application objects. For example, this lets users Telnet to the internal network even though the ZyWALL/USG does not have SSL application objects for Telnet. Clear this option to disable this feature. Users can only access the applications as defined by the VPN tunnel’s selected SSL application settings and the remote user computers are not made to be a part of the local network.
Force all client traffic to SSL VPN tunnel | Select this to send all traffic from the SSL VPN clients through the SSL VPN tunnel. This replaces the default gateway of the SSL VPN clients with the SSL VPN gateway.
NetBIOS broadcast over SSL VPN Tunnel | Select this to search for a remote computer and access its applications as if it was in a Local Area Network. The user can find a computer not only by its IP address but also by computer name.
Assign IP Pool | Select the separate pool of IP addresses (defined as an address object) to assign to the SSL users. The SSL VPN IP pool should not overlap with IP addresses on the ZyWALL/USG's local networks (LAN and DMZ for example), the SSL user's network, or the networks you specify in the SSL VPN Network List.
DNS/WINS Server 1..2 | Select the name of the DNS or WINS server whose information the ZyWALL/USG sends to the remote users. This allows them to access devices on the local network using domain names instead of IP addresses.
Network List | To allow user access to local network(s), select a network name in the Selectable Address Objects list and click the right arrow button to add to the Selected Address Objects list. You can select more than one network. To block access to a network, select the network name in the Selected Address Objects list and click the left arrow button.
OK | Click OK to save the changes and return to the main Access Privilege screen.
Cancel | Click Cancel to discard all changes and return to the main Access Privilege screen.
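A check for the IP pool rule in the table above (no overlap with the ZyWALL/USG's local networks, the SSL user's network, or the networks in the Network List), as an added Python example that is not part of the ZyWALL/USG configuration or its software. It expands an address-range object into the CIDR blocks it spans and reports every configured network the pool overlaps; the network names and addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def address_range(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """An address-range object (first..last) as the CIDR blocks it spans."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def pool_conflicts(pool: List[ipaddress.IPv4Network],
                   networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, network) pairs for every network the pool overlaps."""
    hits = []
    for name, cidr in networks.items():
        net = ipaddress.IPv4Network(cidr, strict=False)
        if any(block.overlaps(net) for block in pool):
            hits.append((name, str(net)))
    return hits


def check_ssl_vpn_pool(pool_first: str, pool_last: str,
                       local_networks: Dict[str, str],
                       network_list: List[str],
                       user_network: Optional[str] = None) -> List[Tuple[str, str]]:
    """Everything the pool must stay clear of: the ZyWALL/USG's local networks
    (LAN, DMZ, ...), the SSL VPN Network List, and the SSL user's own network.
    An empty result means the pool is acceptable."""
    candidates = dict(local_networks)
    candidates.update({f"Network List: {cidr}": cidr for cidr in network_list})
    if user_network:
        candidates["SSL user network"] = user_network
    return pool_conflicts(address_range(pool_first, pool_last), candidates)


# Constructed sample configuration (not from the guide's figures)
LOCAL_NETWORKS = {"LAN1": "192.168.1.0/24", "DMZ": "192.168.3.0/24"}
NETWORK_LIST = ["192.168.1.0/24", "10.10.0.0/16"]

if __name__ == "__main__":
    for first, last in [("192.168.50.10", "192.168.50.60"),
                        ("192.168.1.100", "192.168.1.120")]:
        conflicts = check_ssl_vpn_pool(first, last, LOCAL_NETWORKS, NETWORK_LIST,
                                       "172.16.5.0/24")
        print(f"pool {first}-{last}:", "OK" if not conflicts else conflicts)
```

The user's network matters as much as the firewall's own: if the pool collides with the subnet a remote user sits in, that user's routes to the pool and to their own LAN are ambiguous once the tunnel is up.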
23.3 The SSL Global Setting Screen
Click VPN > SSL VPN and click the Global Setting tab to display the following screen. Use this
screen to set the IP address of the ZyWALL/USG (or a gateway device) on your network for full
tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote
user screen.
Figure 276 VPN > SSL VPN > Global Setting
The following table describes the labels in this screen.
Table 174 VPN > SSL VPN > Global Setting
LABEL | DESCRIPTION
Global Setting |
Network Extension Local IP | Specify the IP address of the ZyWALL/USG (or a gateway device) for full tunnel mode SSL VPN access. Leave this field at its default setting unless it conflicts with another interface.
SSL VPN Login Domain Name |
SSL VPN Login Domain Name 1/2 | Specify a full domain name for users to use for SSL VPN login. The domain name must be registered to one of the ZyWALL/USG’s IP addresses or be one of the ZyWALL/USG’s DDNS entries. You can specify up to two domain names so you could use one domain name for each of two WAN ports. For example, www.zyxel.com is a fully qualified domain name where “www” is the host. The ZyWALL/USG displays the normal login screen without the button for logging into the Web Configurator.
Message |
Login Message | Specify a message to display on the screen when a user logs in and an SSL VPN connection is established successfully. You can enter up to 60 characters (0-9, a-z, A-Z, '()+,/:=?;!*#@$_%-") with spaces allowed.
Logout Message | Specify a message to display on the screen when a user logs out and the SSL VPN connection is terminated successfully. You can enter up to 60 characters (0-9, a-z, A-Z, '()+,/:=?;!*#@$_%-") with spaces allowed.
Update Client Virtual Desktop Logo | You can upload a graphic logo to be displayed on the web browser on the remote user computer. The ZyXEL company logo is the default logo. Specify the location and file name of the logo graphic or click Browse to locate it. Note: The logo graphic must be GIF, JPG, or PNG format. The graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed. The ZyWALL/USG automatically resizes a graphic of a different resolution to 103 x 29 pixels. The file size must be 100 kilobytes or less. Transparent background is recommended.
Browse | Click Browse to locate the graphic file on your computer.
Upload | Click Upload to transfer the specified graphic file from your computer to the ZyWALL/USG.
Reset Logo to Default | Click Reset Logo to Default to display the ZyXEL company logo on the remote user’s web browser.
Apply | Click Apply to save the changes and/or start the logo file upload process.
Reset | Click Reset to return the screen to its last-saved settings.
23.3.1 How to Upload a Custom Logo
Follow the steps below to upload a custom logo to display on the remote user SSL VPN screens.
1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen.
2 Click Browse to locate the logo graphic. Make sure the file is in GIF, JPG, or PNG format.
3 Click Apply to start the file transfer process.
4 Log in as a user to verify that the new logo displays properly.
The following shows an example logo on the remote user screen.
Figure 277 Example Logo Graphic Display
23.4 ZyWALL/USG SecuExtender
The ZyWALL/USG automatically loads the ZyWALL/USG SecuExtender client program to your
computer after a successful login to an SSL VPN tunnel with network extension support enabled.
The ZyWALL/USG SecuExtender lets you:
• Access servers, remote desktops and manage files as if you were on the local network.
• Use applications like e-mail, file transfer, and remote desktop programs directly without using a
browser. For example, you can use Outlook for e-mail instead of the ZyWALL/USG’s web-based email.
• Use applications, even proprietary applications, for which the ZyWALL/USG does not offer SSL
application objects.
The applications must be installed on your computer. For example, to use the VNC remote desktop
program, you must have the VNC client installed on your computer. Please refer to the
SecuExtender chapter for details.
Figure 278 Configuration > VPN > SSL VPN > SecuExtender.
The following table describes the labels in this screen.
Table 175 Configuration > VPN > SSL VPN > SecuExtender
LABEL | DESCRIPTION
Latest Version | This displays the latest version of the ZyWALL/USG Security SecuExtender that is available.
Current Version | This displays the current version of SecuExtender that is installed in the ZyWALL/USG. Note: You need to register first at portal.myzyxel.com to download the latest version of SecuExtender.
Update Now | The ZyWALL/USG periodically checks if there’s a later version of SecuExtender at the portal. The Update Now button is enabled when there is. Click Update Now to get the latest version of SecuExtender.
23.4.1 Example: Configure ZyWALL/USG for SecuExtender
Make these configurations on the ZyWALL/USG to allow the remote user to access resources behind
the ZyWALL/USG using SecuExtender. These steps can be performed in any order.
1 Create a user that can log into the ZyWALL/USG. Using the ZyWALL/USG web configurator, go to Configuration > Object > User > Add and substitute your information for the information shown in the following example.
Figure 279 Create a User
2 Next create an SSL VPN Access Privilege policy substituting your information for the information shown in the following example. Using the ZyWALL/USG web configurator, go to Configuration > VPN > SSL VPN > Access Privilege > Add.
Figure 280 Create an SSL VPN Access Privilege Policy
3 Then create File Sharing and Web Application SSL Application objects. Using the ZyWALL/USG web configurator, go to Configuration > Object > SSL Application > Add and select the Type accordingly. Substitute your information for the information shown in the following example.
Figure 281 Create a File Sharing SSL Application Object
Create a Web Application SSL Application Object
CHAPTER 24
SSL User Screens
24.1 Overview
This chapter introduces the remote user SSL VPN screens. The following figure shows a network
example where a remote user (A) logs into the ZyWALL/USG from the Internet to access the web
server (WWW) on the local network.
Figure 282 Network Example: remote user (A) on the Internet, the ZyWALL/USG, and the web server (WWW) on the local network
24.1.1 What You Need to Know
The ZyWALL/USG can use SSL VPN to provide secure connections to network resources such as
applications, files, intranet sites or e-mail through a web-based interface and using Microsoft
Outlook Web Access (OWA).
Network Resource Access Methods
As a remote user, you can access resources on the local network using one of the following
methods.
• Using a supported web browser
Once you have successfully logged in through the ZyWALL/USG, you can access intranet sites,
web-based applications, or web-based e-mails using one of the supported web browsers.
• Using the ZyWALL/USG SecuExtender client
Once you have successfully logged into the ZyWALL/USG, if the SSL VPN access policy has
network extension enabled, the ZyWALL/USG automatically loads the ZyWALL/USG SecuExtender
client program to your computer. With the ZyWALL/USG SecuExtender, you can access network
resources, remote desktops and manage files as if you were on the local network. See Chapter
25 on page 435 for more on the ZyWALL/USG SecuExtender.
System Requirements
Here are the browser and computer system requirements for remote user access.
• Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit)
• Internet Explorer 7 and above or Firefox 1.5 and above
• Using RDP requires Internet Explorer
• Sun’s Runtime Environment (JRE) version 1.6 or later installed and enabled.
Required Information
A remote user needs the following information from the network administrator to log in and access
network resources.
• the domain name or IP address of the ZyWALL/USG
• the login account user name and password
• if also required, the user name and/or password to access the network resource
Certificates
The remote user’s computer establishes an HTTPS connection to the ZyWALL/USG to access the
login screen. If instructed by your network administrator, you must install or import a certificate
(provided by the ZyWALL/USG or your network administrator).
Finding Out More
See Chapter 23 on page 411 for how to configure SSL VPN on the ZyWALL/USG.
24.2 Remote SSL User Login
This section shows you how to access and log into the network through the ZyWALL/USG. Example
screens for Internet Explorer are shown.
1 Open a web browser and enter the web site address or IP address of the ZyWALL/USG. For example, “http://sslvpn.mycompany.com”.
Figure 283 Enter the Address in a Web Browser
2 Click OK or Yes if a security screen displays.
Figure 284 Login Security Screen
3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources.
Figure 285 Login Screen
4 Your computer starts establishing a secure connection to the ZyWALL/USG after a successful login. This may take up to two minutes. If you get a message about needing Java, download and install it and restart your browser and re-login. If a certificate warning screen displays, click OK, Yes or Continue.
Figure 286 Java Needed Message
5 The ZyWALL/USG tries to install the SecuExtender client. As shown next, you may have to click some pop-ups to get your browser to allow the installation.
Figure 287 ActiveX Object Installation Blocked by Browser
Figure 288 SecuExtender Blocked by Internet Explorer
6 The ZyWALL/USG tries to run the “ssltun” application. You may need to click something to get your browser to allow this. In Internet Explorer, click Run.
Figure 289 SecuExtender Progress
7 Click Next to use the setup wizard to install the SecuExtender client on your computer.
Figure 290 SecuExtender Progress
8 If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer.
Figure 291 Installation Warning
9 The Application screen displays showing the list of resources available to you. See Figure 292 on page 427 for a screen example.
Note: Available resource links vary depending on the configuration your network administrator made.
24.3 The SSL VPN User Screens
This section describes the main elements in the remote user screens.
Figure 292 Remote User Screen (callouts 1 to 6 are described in Table 176)
The following table describes the various parts of a remote user screen.
Table 176 Remote User Screen Overview
# | DESCRIPTION
1 | Click on a menu tab to go to the Application or File Sharing screen.
2 | Click this icon to log out and terminate the secure connection.
3 | Click this icon to create a bookmark to the SSL VPN user screen in your web browser.
4 | Click this icon to display the on-line help window.
5 | Select your preferred language for the interface.
6 | This part of the screen displays a list of the resources available to you. In the Application screen, click on a link to access or display the access method. In the File Sharing screen, click on a link to open a file or directory.
24.4 Bookmarking the ZyWALL/USG
You can create a bookmark of the ZyWALL/USG by clicking the Add to Favorite icon. This allows
you to access the ZyWALL/USG using the bookmark without having to enter the address every
time.
1 In any remote user screen, click the Add to Favorite icon.
2 A screen displays. Accept the default name in the Name field or enter a descriptive name to identify this link.
3 Click OK to create a bookmark in your web browser.
Figure 293 Add Favorite
24.5 Logging Out of the SSL VPN User Screens
To properly terminate a connection, click on the Logout icon in any remote user screen.
1 Click the Logout icon in any remote user screen.
2 A prompt window displays. Click OK to continue.
Figure 294 Logout: Prompt
24.6 SSL User Application Screen
Use the Application tab’s screen to access web-based applications (such as web sites and e-mail)
on the network through the SSL VPN connection. Which applications you can access depends on the
ZyWALL/USG’s configuration.
The Name field displays the descriptive name for an application. The Type field displays whether the
application is a web site (Web Server) or web-based e-mail using Microsoft Outlook Web Access
(OWA).
To access a web-based application, simply click a link in the Application screen to display the web
screen in a separate browser window.
Figure 295 Application
24.7 SSL User File Sharing
The File Sharing screen lets you access files on a file server through the SSL VPN connection. Use
it to display and access shared files/folders on a file server.
You can also perform the following actions:
• Access a folder.
• Open a file (if your web browser cannot open the file, you are prompted to download it).
• Save a file to your computer.
• Create a new folder.
• Rename a file or folder.
• Delete a file or folder.
• Upload a file.
Note: Available actions you can perform in the File Sharing screen vary depending on
the rights granted to you on the file server.
24.7.1 The Main File Sharing Screen
The first File Sharing screen displays the name(s) of the shared folder(s) available. The following
figure shows an example with one file share.
Figure 296 File Sharing
24.7.2 Opening a File or Folder
You can open a file if the file extension is recognized by the web browser and the associated
application is installed on your computer.
1 Log in as a remote user and click the File Sharing tab.
2 Click on a file share icon.
3 If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue.
Figure 297 File Sharing: Enter Access User Name and Password
4 A list of files/folders displays. Double click a file to open it in a separate browser window or select a file and click Download to save it to your computer. You can also click a folder to access it.
For this example, click on a .doc file to open the Word document.
Figure 298 File Sharing: Open a Word File
24.7.3 Downloading a File
You are prompted to download a file which cannot be opened using a web browser.
Follow the on-screen instructions to download and save the file to your computer. Then launch the
associated application to open the file.
24.7.4 Saving a File
After you have opened a file in a web browser, you can save a copy of the file by clicking File >
Save As and following the on-screen instructions.
Figure 299 File Sharing: Save a Word File
24.7.5 Creating a New Folder
To create a new folder in the file share location, click the New Folder icon.
Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add.
Note: Make sure the length of the folder name does not exceed the maximum allowed on
the file server.
Figure 300 File Sharing: Create a New Folder
24.7.6 Renaming a File or Folder
To rename a file or folder, select a file or folder and click the Rename icon.
Figure 301 File Sharing: Rename
A popup window displays. Specify the new name and/or file extension in the field provided. You can
enter up to 356 characters. Then click Apply.
Note: Make sure the length of the name does not exceed the maximum allowed on the
file server.
You may not be able to open a file if you change the file extension.
Figure 302 File Sharing: Rename
24.7.7 Deleting a File or Folder
Click the Delete icon next to a file or folder to remove it.
24.7.8 Uploading a File
Follow the steps below to upload a file to the file server.
1  Log into the remote user screen and click the File Sharing tab.
2  Click Upload and specify the location and/or name of the file you want to upload. Or click Browse to locate it.
3  Click OK to send the file to the file server.
4  After the file is uploaded successfully, you should see the name of the file and a message in the screen.
Figure 303 File Sharing: File Upload
Note: Uploading a file with the same name and file extension replaces the existing file on
the file server. No warning message is displayed.
Chapter 25 ZyWALL/USG SecuExtender (Windows)
The ZyWALL/USG automatically loads the ZyWALL/USG SecuExtender for Windows client program
to your computer after a successful login to an SSL VPN tunnel with network extension support
enabled.
Note: For information on using the ZyWALL/USG SecuExtender for Mac client program,
please see its User’s Guide at the download library on the ZyXEL website.
The ZyWALL/USG SecuExtender (Windows) lets you:
• Access servers, remote desktops and manage files as if you were on the local network.
• Use applications like e-mail, file transfer, and remote desktop programs directly without using a
browser. For example, you can use Outlook for e-mail instead of the ZyWALL/USG’s web-based email.
• Use applications, even proprietary applications, for which the ZyWALL/USG does not offer SSL
application objects.
The applications must be installed on your computer. For example, to use the VNC remote desktop
program, you must have the VNC client installed on your computer.
25.1 The ZyWALL/USG SecuExtender Icon
The ZyWALL/USG SecuExtender icon color indicates the SSL VPN tunnel’s connection status.
Figure 304 ZyWALL/USG SecuExtender Icon
• Green: the SSL VPN tunnel is connected. You can connect to the SSL application and network
resources. You can also use another application to access resources behind the ZyWALL/USG.
• Gray: the SSL VPN tunnel’s connection is suspended. This means the SSL VPN tunnel is connected, but the ZyWALL/USG SecuExtender will not send any traffic through it until you right-click the icon and resume the connection.
• Red: the SSL VPN tunnel is not connected. You cannot connect to the SSL application and
network resources.
25.2 Status
Right-click the ZyWALL/USG SecuExtender icon in the system tray and select Status to open the
Status screen. Use this screen to view the ZyWALL/USG SecuExtender’s connection status and
activity statistics.
Figure 305 ZyWALL/USG SecuExtender Status
The following table describes the labels in this screen.
Table 177 ZyWALL/USG SecuExtender Status

Connection Status
SecuExtender IP Address: This is the IP address the ZyWALL/USG assigned to this remote user computer for an SSL VPN connection.
DNS Server 1/2: These are the IP addresses of the DNS server and backup DNS server for the SSL VPN connection. DNS (Domain Name System) maps a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. Your computer uses the DNS server specified here to resolve domain names for resources you access through the SSL VPN connection.
WINS Server 1/2: These are the IP addresses of the WINS (Windows Internet Naming Service) and backup WINS servers for the SSL VPN connection. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Network 1~8: These are the networks (including netmask) that you can access through the SSL VPN connection.

Activity
Connected Time: This is how long the computer has been connected to the SSL VPN tunnel.
Transmitted: This is how many bytes and packets the computer has sent through the SSL VPN connection.
Received: This is how many bytes and packets the computer has received through the SSL VPN connection.
25.3 View Log
If you have problems with the ZyWALL/USG SecuExtender, customer support may request you to
provide information from the log. Right-click the ZyWALL/USG SecuExtender icon in the system tray
and select Log to open a notepad file of the ZyWALL/USG SecuExtender’s log.
Figure 306 ZyWALL/USG SecuExtender Log Example
################################################################################################
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Build Datetime: Feb 24 2009/10:25:07
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] rasphone.pbk: C:\Documents and Settings\11746\rasphone.pbk
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] SecuExtender.log: C:\Documents and Settings\11746\SecuExtender.log
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Check Parameters
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Connect to 172.23.31.19:443/10444
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Parameter is OK
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Checking System status...
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Checking service (first) ...
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] SecuExtender Helper is running
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] System is OK
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] Connect to 2887196435/443
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Handshake LoopCounter: 0
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] 611 bytes of handshake data received
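As an added example (not ZyXEL's code), the following Python parses lines in the "[ timestamp ][ component ][ level ] message" layout shown in Figure 306. SAMPLE_LOG is a constructed excerpt of those lines, and the decoder shows that the decimal address 2887196435 in the later Connect line is the same gateway as the dotted 172.23.31.19 in the earlier one.

```python
"""Parse SecuExtender Agent log lines of the form shown in Figure 306.

Added example, not ZyXEL's code. SAMPLE_LOG is a constructed excerpt built
from the lines in the figure (wrapped lines joined). The field layout and the
decimal gateway form "Connect to 2887196435/443" are taken from that figure.
"""
import ipaddress
import re
from datetime import datetime

SAMPLE_LOG = """\
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Check Parameters
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Connect to 172.23.31.19:443/10444
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Parameter is OK
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] Connect to 2887196435/443
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Handshake LoopCounter: 0
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] 611 bytes of handshake data received
"""

# "[ YYYY/MM/DD HH:MM:SS ][component][LEVEL] message"
LINE_RE = re.compile(
    r"^\[ (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \]"
    r"\[(?P<component>[^\]]+)\]\[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
# "Connect to <host>[:<port>]/<number>"; host is dotted or a 32-bit decimal
CONNECT_RE = re.compile(r"^Connect to (?P<host>\S+?)(?::(?P<port>\d+))?/(?P<tail>\d+)$")


def parse_log(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "time": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            "component": m.group("component"),
            "level": m.group("level"),
            "msg": m.group("msg"),
        })
    return entries


def normalize_host(host):
    """Turn a decimal 32-bit address into dotted quad; leave other hosts alone."""
    if host.isdigit():
        return str(ipaddress.IPv4Address(int(host)))
    return host


def connect_targets(entries):
    """Hosts the agent reports connecting to, in dotted form, in log order."""
    targets = []
    for e in entries:
        m = CONNECT_RE.match(e["msg"])
        if m:
            targets.append(normalize_host(m.group("host")))
    return targets


def level_counts(entries):
    """Number of entries per log level, e.g. {'DETAIL': 5, 'DEBUG': 1}."""
    counts = {}
    for e in entries:
        counts[e["level"]] = counts.get(e["level"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(level_counts(parsed))
    print(connect_targets(parsed))
```

Before sending such a log to support, note that the DEBUG lines also carry the Windows profile path (and so the local user name) of the machine.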
25.4 Suspend and Resume the Connection
When the ZyWALL/USG SecuExtender icon in the system tray is green, you can right-click the icon
and select Suspend Connection to keep the SSL VPN tunnel connected but not send any traffic
through it until you right-click the icon and resume the connection.
25.5 Stop the Connection
Right-click the icon and select Stop Connection to disconnect the SSL VPN tunnel.
25.6 Uninstalling the ZyWALL/USG SecuExtender
Do the following if you need to remove the ZyWALL/USG SecuExtender.
1  Click Start > All Programs > ZyXEL > ZyWALL/USG SecuExtender > Uninstall ZyWALL SecuExtender.
2  In the confirmation screen, click Yes.
Figure 307 Uninstalling the ZyWALL/USG SecuExtender Confirmation
3  Windows uninstalls the ZyWALL/USG SecuExtender.
Figure 308 ZyWALL/USG SecuExtender Uninstallation
Chapter 26 L2TP VPN
26.1 Overview
L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, Windows
or Mac OS X operating systems for secure connections to the network behind the ZyWALL/USG. The
remote users do not need their own IPSec gateways or third-party VPN client software.
Figure 309 L2TP VPN Overview
26.1.1 What You Can Do in this Chapter
• Use the L2TP VPN screen (see Section 26.2 on page 440) to configure the ZyWALL/USG’s L2TP
VPN settings.
• Use the VPN Setup Wizard screen in Quick Setup (Chapter 4 on page 56) to configure the
ZyWALL/USG’s L2TP VPN settings.
26.1.2 What You Need to Know
The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic
between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel is
established first and then an L2TP tunnel is built inside it. See Chapter 22 on page 376 for
information on IPSec VPN.
IPSec Configuration Required for L2TP VPN
You must configure an IPSec VPN connection prior to proper L2TP VPN usage (see Chapter 26 on
page 439 for details). The IPSec VPN connection must:
• Be enabled.
• Use transport mode.
• Use Pre-Shared Key authentication.
• Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN
clients to connect from more than one IP address.
Using the Quick Setup VPN Setup Wizard
The VPN Setup Wizard is an easy and convenient way to configure the L2TP VPN settings. Click
Configuration > Quick Setup > VPN Setup > VPN Settings for L2TP VPN Settings to get
started.
Policy Route
The Policy Route for return traffic (from LAN to L2TP clients) is automatically created when the ZyWALL/USG adds a new L2TP connection, allowing users to access the resources on a network without additional configuration. However, if some of the traffic from the L2TP clients needs to go to the Internet, you will need to create a policy route to send that traffic from the L2TP tunnels out through a WAN trunk. This task can be easily performed by clicking the Allow L2TP traffic through WAN checkbox at Quick Setup > VPN Setup > Allow L2TP traffic through WAN.
Figure 310 Policy Route for L2TP VPN (address objects shown: L2TP_POOL, LAN_SUBNET)
26.2 L2TP VPN Screen
Click Configuration > VPN > L2TP VPN to open the following screen. Use this screen to configure
the ZyWALL/USG’s L2TP VPN settings.
Note: Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings.
The remote users must make any needed matching configuration changes and reestablish the sessions using the new settings.
Figure 311 Configuration > VPN > L2TP VPN
The following table describes the fields in this screen.
Table 178 Configuration > VPN > L2TP VPN

Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Create new Object: Use to configure any new settings objects that you need to use in this screen.
Enable L2TP Over IPSec: Use this field to turn the ZyWALL/USG’s L2TP VPN function on or off.
VPN Connection: Select the IPSec VPN connection the ZyWALL/USG uses for L2TP VPN. All of the configured VPN connections display here, but the one you use must meet the requirements listed in IPSec Configuration Required for L2TP VPN on page 439.
Note: Modifying this VPN connection (or the VPN gateway that it uses) disconnects any existing L2TP VPN sessions.
IP Address Pool: Select the pool of IP addresses that the ZyWALL/USG uses to assign to the L2TP VPN clients. Use Create new Object if you need to configure a new pool of IP addresses. This should not conflict with any WAN, LAN, DMZ or WLAN subnet even if they are not in use.
Authentication Method: Select how the ZyWALL/USG authenticates a remote user before allowing access to the L2TP VPN tunnel. The authentication method has the ZyWALL/USG check a user’s user name and password against the ZyWALL/USG’s local database, a remote LDAP, RADIUS or Active Directory server, or more than one of these.
Authentication Server Certificate: Select the certificate to use to identify the ZyWALL/USG for L2TP VPN connections. You must have certificates already configured in the My Certificates screen. The certificate is used with the EAP, PEAP, and MSCHAPv2 authentication protocols.
Allowed User: The remote user must log into the ZyWALL/USG to use the L2TP VPN tunnel. Select a user or user group that can use the L2TP VPN tunnel. Use Create new Object if you need to configure a new user account. Otherwise, select any to allow any user with a valid account and password on the ZyWALL/USG to log in.
Keep Alive Timer: The ZyWALL/USG sends a Hello message after waiting this long without receiving any traffic from the remote user. The ZyWALL/USG disconnects the VPN tunnel if the remote user does not respond.
First DNS Server, Second DNS Server: Specify the IP addresses of DNS servers to assign to the remote users. You can specify these IP addresses two ways.
  Custom Defined - enter a static IP address.
  From ISP - use the IP address of a DNS server that another interface received from its DHCP server.
First WINS Server, Second WINS Server: The WINS (Windows Internet Naming Service) server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. Type the IP addresses of up to two WINS servers to assign to the remote users. You can specify these IP addresses two ways.
Apply: Click Apply to save your changes in the ZyWALL/USG.
Reset: Click Reset to return the screen to its last-saved settings.
26.2.1 Example: L2TP and ZyWALL/USG Behind a NAT Router
If the ZyWALL/USG (Z) is behind a NAT router (N), then do the following for remote clients (C) to
access the network behind the ZyWALL/USG (Z) using L2TP over IPv4.
1  Create an address object in Configuration > Object > Address for the WAN IP address of the NAT router.
2  Go to Configuration > VPN > IPSec VPN > VPN Connection and click Add for IPv4 Configuration to create a new VPN connection.
3  Select Remote Access (Server Role) as the VPN scenario for the remote client.
4  Select the NAT router WAN IP address object as the Local Policy.
5  Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured.
Chapter 27 BWM (Bandwidth Management)
27.1 Overview
Bandwidth management provides a convenient way to manage the use of various services on the
network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization
to enhance the performance of delay-sensitive applications like voice and video.
27.1.1 What You Can Do in this Chapter
Use the BWM screens (see Section 27.2 on page 448) to control bandwidth for services passing
through the ZyWALL/USG, and to identify the conditions that define the bandwidth control.
27.1.2 What You Need to Know
When you allow a service, you can restrict the bandwidth it uses. Bandwidth management controls TCP and UDP traffic. Use policy routes to manage other types of traffic (like ICMP).
Note: Bandwidth management in policy routes has priority over TCP and UDP traffic policies.
If you want to use a service, make sure the security policy allows the service’s packets to go through the ZyWALL/USG.
Note: The ZyWALL/USG checks security policies before it checks bandwidth management
rules for traffic going through the ZyWALL/USG.
Bandwidth management examines every TCP and UDP connection passing through the ZyWALL/
USG. Then, you can specify, by port, whether or not the ZyWALL/USG continues to route the
connection.
BWM Type
The ZyWALL/USG supports three types of bandwidth management: Shared, Per user and Per-Source-IP.
The Shared BWM type is selected by default in a bandwidth management rule. All matched traffic shares the bandwidth configured in the rule.
If the BWM type is set to Per user in a rule, each user that matches the rule can use up to the configured bandwidth on his/her own.
Select the Per-Source-IP type when you want to set the maximum bandwidth for traffic from an
individual source IP address.
In the following example, you configure a Per user bandwidth management rule for radius-users to limit outgoing traffic to 300 kbps. Then each of the radius-users (A, B and C) can send 300 kbps of traffic.
DiffServ and DSCP Marking
QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given
the same priority. CoS (class of service) is a way of managing traffic in a network by grouping
similar types of traffic together and treating each type as a class. You can use CoS to give different
priorities to different packet types.
DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they
receive specific per-hop treatment at DiffServ-compliant network devices along the route based on
the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs)
indicating the level of service desired. This allows the intermediary DiffServ-compliant network
devices to handle the packets differently depending on the code points without the need to
negotiate paths or remember state information for every flow. In addition, applications do not have
to request a particular service or give advanced notice of where the traffic is going.
Connection and Packet Directions
Bandwidth management looks at the connection direction, that is, from which interface the
connection was initiated and to which interface the connection is going.
A connection has outbound and inbound packet flows. The ZyWALL/USG controls the bandwidth of
traffic of each flow as it is going out through an interface or VPN tunnel.
• The outbound traffic flows from the connection initiator to the connection responder.
• The inbound traffic flows from the connection responder to the connection initiator.
For example, a LAN1 to WAN connection is initiated from LAN1 and goes to the WAN.
• Outbound traffic goes from a LAN1 device to a WAN device. Bandwidth management is applied
before sending the packets out a WAN interface on the ZyWALL/USG.
• Inbound traffic comes back from the WAN device to the LAN1 device. Bandwidth management is
applied before sending the traffic out a LAN1 interface.
Figure 312 LAN1 to WAN Connection and Packet Directions (connection from LAN1; outbound BWM and inbound BWM points shown)
Outbound and Inbound Bandwidth Limits
You can limit an application’s outbound or inbound bandwidth. This limit keeps the traffic from using
up too much of the out-going interface’s bandwidth. This way you can make sure there is bandwidth
for other applications. When you apply a bandwidth limit to outbound or inbound traffic, each
member of the out-going zone can send up to the limit. Take a LAN1 to WAN policy for example.
• Outbound traffic is limited to 200 kbps. The connection initiator is on the LAN1 so outbound
means the traffic traveling from the LAN1 to the WAN. Each of the WAN zone’s two interfaces can
send the limit of 200 kbps of traffic.
• Inbound traffic is limited to 500 kbps. The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1.
Figure 313 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps
Bandwidth Management Priority
• The ZyWALL/USG gives bandwidth to higher-priority traffic first, until it reaches its configured
bandwidth rate.
• Then lower-priority traffic gets bandwidth.
• The ZyWALL/USG uses a fairness-based (round-robin) scheduler to divide bandwidth among
traffic flows with the same priority.
• The ZyWALL/USG automatically treats traffic with bandwidth management disabled as priority 7
(the lowest priority).
Maximize Bandwidth Usage
Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to “borrow”
any unused bandwidth on the out-going interface.
After each application gets its configured bandwidth rate, the ZyWALL/USG uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled.
Unused bandwidth is divided equally. Higher priority traffic does not get a larger portion of the
unused bandwidth.
Bandwidth Management Behavior
The following sections show how bandwidth management behaves with various settings. For
example, you configure DMZ to WAN policies for FTP servers A and B. Each server tries to send
1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A
for server A’s traffic and policy B for server B’s traffic.
Figure 314 Bandwidth Management Behavior (servers A and B each sending 1000 kbps into a 1000 kbps WAN link)
Configured Rate Effect
In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate.
Table 179 Configured Rate Effect
POLICY   CONFIGURED RATE   MAX. B. U.   PRIORITY   ACTUAL RATE
A        300 kbps          No           1          300 kbps
B        200 kbps          No           1          200 kbps
Priority Effect
Here the configured rates total more than the available bandwidth. Because server A has higher priority, it gets up to its configured rate (800 kbps), leaving only 200 kbps for server B.
Table 180 Priority Effect
POLICY   CONFIGURED RATE   MAX. B. U.   PRIORITY   ACTUAL RATE
A        800 kbps          Yes          1          800 kbps
B        1000 kbps         Yes          2          200 kbps
Maximize Bandwidth Usage Effect
With maximize bandwidth usage enabled, after each server gets its configured rate, the rest of the
available bandwidth is divided equally between the two. So server A gets its configured rate of 300
kbps and server B gets its configured rate of 200 kbps. Then the ZyWALL/USG divides the
remaining bandwidth (1000 - 500 = 500) equally between the two (500 / 2 = 250 kbps for each).
The priority has no effect on how much of the unused bandwidth each server gets.
So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550 kbps. Server B
gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps.
Table 181 Maximize Bandwidth Usage Effect
POLICY   CONFIGURED RATE   MAX. B. U.   PRIORITY   ACTUAL RATE
A        300 kbps          Yes          1          550 kbps
B        200 kbps          Yes          2          450 kbps
Priority and Over Allotment of Bandwidth Effect
Server A has a configured rate that equals the total amount of available bandwidth and a higher
priority. You should regard extreme over allotment of traffic with different priorities (as shown here)
as a configuration error. Even though the ZyWALL/USG still attempts to let all traffic get through
and not be lost, regardless of its priority, server B gets almost no bandwidth with this configuration.
Table 182 Priority and Over Allotment of Bandwidth Effect
POLICY   CONFIGURED RATE   MAX. B. U.   PRIORITY   ACTUAL RATE
A        1000 kbps         Yes          1          999 kbps
B        1000 kbps         Yes          2          1 kbps
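As an added example (not ZyXEL's code), the following Python applies the allocation rules stated in the Bandwidth Management Behavior sections above to servers A and B and reproduces Tables 179 to 182. The 1 kbps floor kept for lower-priority traffic is an assumption chosen to match Table 182; the policy and scenario names are the example's own.

```python
"""Model of the bandwidth management behaviour described for FTP servers A and B.

Added example, not ZyXEL's code. It applies the rules stated in the text:
higher priority first, each policy up to its configured rate, then unused
bandwidth divided equally among policies with maximize bandwidth usage
enabled, regardless of priority. MIN_RATE_KBPS is an assumption: a 1 kbps
trickle kept for lower-priority traffic so it is not lost entirely, which is
what Table 182 (999 / 1 kbps) shows.
"""
from dataclasses import dataclass

MIN_RATE_KBPS = 1  # assumed floor for lower-priority traffic, see Table 182
LINK_KBPS = 1000   # WAN maximum outgoing speed in the example


@dataclass
class Policy:
    name: str
    configured_kbps: int   # CONFIGURED RATE
    max_bw_usage: bool     # MAX. B. U.
    priority: int          # PRIORITY, 1 = highest, 7 = lowest
    demand_kbps: int       # what the server tries to send


def allocate(policies, link_kbps=LINK_KBPS):
    """Return {policy name: ACTUAL RATE in kbps} for one out-going interface."""
    remaining = link_kbps
    granted = {p.name: 0 for p in policies}
    # Phase 1: configured rates, highest priority first (the stable sort keeps
    # table order for equal priorities; the device round-robins those)
    by_prio = sorted(policies, key=lambda p: p.priority)
    for i, p in enumerate(by_prio):
        later = [q for q in by_prio[i + 1:] if q.demand_kbps > 0]
        cap = max(0, remaining - MIN_RATE_KBPS * len(later))
        grant = min(p.configured_kbps, p.demand_kbps, cap)
        granted[p.name] = grant
        remaining -= grant
    # Phase 2: maximize bandwidth usage, unused bandwidth split equally among
    # policies that have it enabled and still want more (priority plays no part)
    borrowers = [p for p in policies if p.max_bw_usage and p.demand_kbps > granted[p.name]]
    while remaining > 0 and borrowers:
        share = remaining // len(borrowers)
        if share == 0:
            break
        for p in list(borrowers):
            extra = min(share, p.demand_kbps - granted[p.name])
            granted[p.name] += extra
            remaining -= extra
            if granted[p.name] >= p.demand_kbps:
                borrowers.remove(p)   # satisfied; its leftover share goes round again
    return granted


def table_scenarios():
    """The four documented cases, each server trying to send 1000 kbps."""
    return {
        "Table 179": allocate([Policy("A", 300, False, 1, 1000), Policy("B", 200, False, 1, 1000)]),
        "Table 180": allocate([Policy("A", 800, True, 1, 1000), Policy("B", 1000, True, 2, 1000)]),
        "Table 181": allocate([Policy("A", 300, True, 1, 1000), Policy("B", 200, True, 2, 1000)]),
        "Table 182": allocate([Policy("A", 1000, True, 1, 1000), Policy("B", 1000, True, 2, 1000)]),
    }


if __name__ == "__main__":
    for table, rates in table_scenarios().items():
        print(table, rates)
```

The model also handles a borrower that needs less than its equal share: the remainder is handed on to the other borrowers, which is how a fairness-based scheduler spreads the unused bandwidth.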
27.2 The Bandwidth Management Screen
The Bandwidth Management screens control the bandwidth allocation for TCP and UDP traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions, similar to the sequence of rules used by firewalls, to specify how the ZyWALL/USG handles the DSCP value and allocates bandwidth for the matching packets.
Click Configuration > BWM to open the following screen. This screen allows you to enable/disable
bandwidth management and add, edit, and remove user-defined bandwidth management policies.
The default bandwidth management policy is the one with the priority of “default”. It is the last
policy the ZyWALL/USG checks if traffic does not match any other bandwidth management policies
you have configured. You cannot remove, activate, deactivate or move the default bandwidth
management policy.
Figure 315 Configuration > Bandwidth Management
The following table describes the labels in this screen. See Section 27.2.1 on page 451 for more
information as well.
Table 183 Configuration > Bandwidth Management

Enable BWM: Select this check box to activate bandwidth management.
Enable Highest Bandwidth Priority for SIP Traffic: Select this to maximize the throughput of SIP traffic to improve SIP-based VoIP call sound quality. This has the ZyWALL/USG immediately send SIP traffic upon identifying it. When this option is enabled the ZyWALL/USG ignores any other application patrol rules for SIP traffic (so there is no bandwidth control for SIP traffic) and does not record SIP traffic bandwidth usage statistics.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Move: To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The status icon is not available for the default bandwidth management policy.
Priority: This field displays a sequential value for each bandwidth management policy and it is not associated with a specific setting.
Description: This field displays additional information about this policy.
BWM Type: This field displays default for the default bandwidth management policy. Otherwise it displays one of the following types of BWM:
  • Shared, when the policy is set for all matched traffic
  • Per User, when the policy is set for an individual user or a user group
  • Per-Source-IP, when the policy is set for a source IP
User: This is the type of user account to which the policy applies. If any displays, the policy applies to all user accounts.
Schedule: This is the schedule that defines when the policy applies. none means the policy always applies.
Incoming Interface: This is the source interface of the traffic to which this policy applies.
Outgoing Interface: This is the destination interface of the traffic to which this policy applies.
Source: This is the source address or address group for whom this policy applies. If any displays, the policy is effective for every source.
Destination: This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination.
DSCP Code: These are the DSCP code point values of incoming and outgoing packets to which this policy applies. The lower the number the higher the priority, with the exception of 0, which is usually given only best-effort treatment. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0; this is usually best effort traffic. The “af” options stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.
Service Type: App and the service name display if you selected Application Object for the service type. An Application Object is a pre-defined service. Obj and the service name display if you selected Service Object for the service type. A Service Object is a customized pre-defined service or another service. Mouse over the service object name to view the corresponding IP protocol number.
BWM In/Pri/Out/Pri: This field shows the amount of bandwidth the traffic can use.
  In - This is how much inbound bandwidth, in kilobits per second, this policy allows the matching traffic to use. Inbound refers to the traffic the ZyWALL/USG sends to a connection’s initiator. If no displays here, this policy does not apply bandwidth management for the inbound traffic.
  Out - This is how much outgoing bandwidth, in kilobits per second, this policy allows the matching traffic to use. Outbound refers to the traffic the ZyWALL/USG sends out from a connection’s initiator. If no displays here, this policy does not apply bandwidth management for the outbound traffic.
  Pri - This is the priority for the incoming (the first Pri value) or outgoing (the second Pri value) traffic that matches this policy. The smaller the number, the higher the priority. Traffic with a higher priority is given bandwidth before traffic with a lower priority. The ZyWALL/USG ignores this number if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration.
DSCP Marking: This is how the ZyWALL/USG handles the DSCP value of the incoming and outgoing packets that match this policy.
  In - Inbound, the traffic the ZyWALL/USG sends to a connection’s initiator.
  Out - Outbound, the traffic the ZyWALL/USG sends out from a connection’s initiator.
  If this field displays a DSCP value, the ZyWALL/USG applies that DSCP value to the route’s outgoing packets. preserve means the ZyWALL/USG does not modify the DSCP value of the route’s outgoing packets. default means the ZyWALL/USG sets the DSCP value of the route’s outgoing packets to 0. The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.
Apply: Click Apply to save your changes back to the ZyWALL/USG.
Reset: Click Reset to return the screen to its last-saved settings.
27.2.1 The Bandwidth Management Add/Edit Screen
The Configuration > Bandwidth Management Add/Edit screen allows you to create a new
condition or edit an existing one.
802.1P Marking
Use 802.1P to prioritize outgoing traffic from a VLAN interface. The Priority Code is a 3-bit field within an 802.1Q VLAN tag that is used to prioritize associated outgoing VLAN traffic. "0" is the lowest priority level and "7" is the highest.
Table 184 Single Tagged 802.1Q Frame Format
IEEE 802.1Q customer tagged frame: DA | SA | TPID | Priority | VID | Len/Etype | Data | FCS
Table 185 802.1Q Frame
DA: Destination Address
SA: Source Address
TPID: Tag Protocol IDentifier
Priority: 802.1p Priority
VID: VLAN ID
Len/Etype: Length and type of Ethernet frame
Data: Frame data
FCS: Frame Check Sequence
The following table is a guide to types of traffic for the priority code.
Table 186 Priority Code and Types of Traffic
PRIORITY      TRAFFIC TYPES
0 (lowest)    Background
1             Best Effort
2             Excellent Effort
3             Critical Applications
4             Video, less than 100 ms latency and jitter
5             Voice, less than 10 ms latency and jitter
6             Internetwork Control
7 (highest)   Network Control
To access this screen, go to the Configuration > Bandwidth Management screen (see Section
27.2 on page 448), and click either the Add icon or an Edit icon.
Figure 316 Configuration > Bandwidth Management > Edit (For the Default Policy)
Figure 317 Configuration > Bandwidth Management > Add/Edit
The following table describes the labels in this screen.
Table 187
Configuration > Bandwidth Management > Add/Edit
LABEL
DESCRIPTION
Create new Object
Use to configure any new settings objects that you need to use in this screen.
Configuration
Enable
Select this check box to turn on this policy.
Description
Enter a description of this policy. It is not used elsewhere. You can use alphanumeric
and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Criteria
Use this section to configure the conditions of traffic to which this policy applies.
ZyWALL/USG Series User’s Guide
452
Chapter 27 BWM (Bandwidth Management)
Table 187
Configuration > Bandwidth Management > Add/Edit
LABEL
DESCRIPTION
BWM Type
This field displays the below types of BWM rule:
• Shared, when the policy is set for all users
• Per User, when the policy is set for an individual user or a user group
• Per Source IP, when the policy is set for a source IP
User
Select a user name or user group to which to apply the policy. Use Create new
Object if you need to configure a new user account. Select any to apply the policy for
every user.
Schedule
Select a schedule that defines when the policy applies or select Create Object to
configure a new one. Otherwise, select none to make the policy always effective.
Incoming Interface
Select the source interface of the traffic to which this policy applies.
Outgoing Interface
Select the destination interface of the traffic to which this policy applies.
Source
Select a source address or address group for whom this policy applies. Use Create
new Object if you need to configure a new one. Select any if the policy is effective for
every source.
Destination
Select a destination address or address group for whom this policy applies. Use
Create new Object if you need to configure a new one. Select any if the policy is
effective for every destination.
DSCP Code
Select a DSCP code point value of incoming packets to which this policy
applies or select User Defined to specify another DSCP code point. The lower
the number, the higher the priority, with the exception of 0, which is usually given only
best-effort treatment.
any means any DSCP value or no DSCP marker.
default means traffic with a DSCP value of 0. This is usually best-effort traffic.
The “af” choices stand for Assured Forwarding. The number following the “af”
identifies one of four classes and one of three drop preferences.
User-Defined
DSCP Code
Use this field to specify a custom DSCP code point.
Service Type
Select Service Object or Application Object if you want a specific service (defined
in a service object) or application patrol service to which the policy applies.
Service Object
This field is available if you selected Service Object as the service type.
Select a service or service group to identify the type of traffic to which this policy
applies. any means all services.
Application Object
This field is available if you selected Application Object as the service type.
Select an application patrol service to identify the specific traffic to which this policy
applies.
DSCP Marking
Set how the ZyWALL/USG handles the DSCP value of the incoming and outgoing
packets that match this policy. Inbound refers to the traffic the ZyWALL/USG sends to
a connection’s initiator. Outbound refers to the traffic the ZyWALL/USG sends out from
a connection’s initiator.
Select one of the pre-defined DSCP values to apply or select User Defined to specify
another DSCP value. The “af” choices stand for Assured Forwarding. The number
following the “af” identifies one of four classes and one of three drop preferences.
Select preserve to have the ZyWALL/USG keep the packets’ original DSCP value.
Select default to have the ZyWALL/USG set the DSCP value of the packets to 0.
Bandwidth Shaping
Configure these fields to set the amount of bandwidth the matching traffic can use.
Inbound kbps
Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic
to use. Inbound refers to the traffic the ZyWALL/USG sends to a connection’s initiator.
If you enter 0 here, this policy does not apply bandwidth management for the
matching traffic that the ZyWALL/USG sends to the initiator. Traffic with bandwidth
management disabled (inbound and outbound are both set to 0) is automatically
treated as the lowest priority (7).
If the sum of the bandwidths for routes using the same next hop is higher than the
actual transmission speed, lower priority traffic may not be sent if higher priority
traffic uses all of the actual bandwidth.
Outbound kbps
Type how much outbound bandwidth, in kilobits per second, this policy allows the
traffic to use. Outbound refers to the traffic the ZyWALL/USG sends out from a
connection’s initiator.
If you enter 0 here, this policy does not apply bandwidth management for the
matching traffic that the ZyWALL/USG sends out from the initiator. Traffic with
bandwidth management disabled (inbound and outbound are both set to 0) is
automatically treated as the lowest priority (7).
If the sum of the bandwidths for routes using the same next hop is higher than the
actual transmission speed, lower priority traffic may not be sent if higher priority
traffic uses all of the actual bandwidth.
Priority
This field displays when the inbound or outbound bandwidth management is not set to
0. Enter a number between 1 and 7 to set the priority for traffic that matches this
policy. The smaller the number, the higher the priority.
Traffic with a higher priority is given bandwidth before traffic with a lower priority.
The ZyWALL/USG uses a fairness-based (round-robin) scheduler to divide bandwidth
between traffic flows with the same priority.
The number in this field is ignored if the incoming and outgoing limits are both set to
0. In this case the traffic is automatically treated as being set to the lowest priority (7)
regardless of this field’s configuration.
Maximize Bandwidth Usage
This field displays when the inbound or outbound bandwidth management is not set to
0 and the BWM Type is set to Shared. Enable maximize bandwidth usage to let the
traffic matching this policy “borrow” all unused bandwidth on the out-going interface.
After each application or type of traffic gets its configured bandwidth rate, the
ZyWALL/USG uses the fairness-based scheduler to divide any unused bandwidth on
the out-going interface among applications and traffic types that need more
bandwidth and have maximize bandwidth usage enabled.
Maximum
If you did not enable Maximize Bandwidth Usage, then type the maximum unused
bandwidth that traffic matching this policy is allowed to “borrow” on the out-going
interface (in kbps), here.
802.1P Marking
Use 802.1P to prioritize outgoing traffic from a VLAN interface.
Priority Code
This is a 3-bit field within an 802.1Q VLAN tag that is used to prioritize associated
outgoing VLAN traffic. "0" is the lowest priority level and "7" is the highest. See Table
186 on page 451. The setting configured here overwrites existing priority settings.
Interface
Choose a VLAN interface to which to apply the priority level for matching frames.
Related Setting
Log
Select whether to have the ZyWALL/USG generate a log (log), log and alert (log
alert) or neither (no) when any traffic matches this policy.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
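The Priority, Maximize Bandwidth Usage and Maximum fields above describe a two-stage scheduler: configured rates are served by priority (lowest number first; traffic with both limits at 0 always lands at priority 7), policies with equal priority share round-robin, and any bandwidth still unused is then lent to policies that are allowed to borrow it. The following Python model is an added example written for this page, not Zyxel's implementation. The policy names, link speed, demand figures, the 10 kbps round-robin quantum and the assumption that unmanaged traffic competes at priority 7 only after every configured rate has been served are all constructed.

```python
from dataclasses import dataclass

LOWEST_PRIORITY = 7   # traffic with inbound and outbound both 0 always lands here


@dataclass
class Policy:
    name: str
    guaranteed_kbps: int                  # configured rate for this direction; 0 = not managed
    priority: int = LOWEST_PRIORITY       # 1 (highest) .. 7 (lowest)
    demand_kbps: int = 0                  # constructed: what the matching traffic wants right now
    maximize: bool = False                # "Maximize Bandwidth Usage" (Shared type only)
    max_borrow_kbps: int = 0              # "Maximum": borrowing cap when maximize is off
    bwm_type: str = "Shared"

    def effective_priority(self) -> int:
        """Unmanaged traffic is scheduled at the lowest priority whatever the field says."""
        return LOWEST_PRIORITY if self.guaranteed_kbps == 0 else self.priority


def _round_robin(wants, grant, remaining, quantum=10):
    """Hand out `remaining` kbps in fixed quanta, cycling over flows that still want more.

    `wants` maps policy name -> kbps still wanted; `grant` is updated in place and the
    leftover bandwidth is returned. Equal-priority flows therefore share fairly."""
    pending = {name: kbps for name, kbps in wants.items() if kbps > 0}
    while pending and remaining > 0:
        for name in list(pending):
            if remaining <= 0:
                break
            share = min(quantum, pending[name], remaining)
            grant[name] += share
            pending[name] -= share
            remaining -= share
            if pending[name] == 0:
                del pending[name]
    return remaining


def allocate(policies, link_kbps):
    """Return {policy name: kbps granted} for one direction of one interface."""
    grant = {p.name: 0 for p in policies}
    remaining = link_kbps
    # Pass 1: configured rates, highest priority first. Assumption: unmanaged traffic
    # (rate 0) competes at priority 7 for whatever is left after every configured rate.
    for prio in range(1, LOWEST_PRIORITY + 1):
        wants = {}
        for p in policies:
            if p.effective_priority() == prio:
                cap = p.guaranteed_kbps or p.demand_kbps
                wants[p.name] = min(cap, p.demand_kbps)
        remaining = _round_robin(wants, grant, remaining)
    # Pass 2: unused bandwidth is shared among managed flows that may borrow it.
    wants = {}
    for p in policies:
        unmet = p.demand_kbps - grant[p.name]
        if p.guaranteed_kbps == 0 or unmet <= 0:
            continue
        if p.maximize and p.bwm_type == "Shared":
            wants[p.name] = unmet                          # may take all unused bandwidth
        elif p.max_borrow_kbps > 0:
            wants[p.name] = min(unmet, p.max_borrow_kbps)  # capped by "Maximum"
    _round_robin(wants, grant, remaining)
    return grant


def demo():
    """Constructed scenario: a 1000 kbps outgoing interface with four matching policies."""
    policies = [
        Policy("voip", 300, priority=1, demand_kbps=200),
        Policy("web", 400, priority=3, demand_kbps=900, maximize=True),
        Policy("backup", 200, priority=5, demand_kbps=500, max_borrow_kbps=100),
        Policy("misc", 0, priority=1, demand_kbps=100),   # unmanaged: priority 1 is ignored
    ]
    return allocate(policies, 1000)


if __name__ == "__main__":
    for name, kbps in demo().items():
        print(f"{name:7s} {kbps:5d} kbps")
```

In the constructed scenario the 100 kbps left after all configured rates is split evenly between the web policy (which may borrow everything) and the backup policy (capped at 100 kbps by Maximum). Feeding `allocate` a set of policies whose configured rates exceed the link speed shows the over-subscription case the table warns about: the lowest-priority policy simply receives less than its configured rate.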
27.2.1.1 Adding Objects for the BWM Policy
Objects are the parameters on which the policy rules are built. There are three kinds of objects
you can add or edit for the BWM policy: User, Schedule and Address objects. Click
Configuration > BWM > Add > Create New Object > Add User to see the following screen.
Figure 318 Configuration > BWM > Create New Object > Add User
The following table describes the fields in the above screen.
Table 188 Configuration > BWM > Create New Object > Add User
LABEL
DESCRIPTION
User Name
Type a user or user group object name of the rule.
User Type
Select a user type from the drop-down menu. The user types are Admin, Limited
admin, User, Guest, Ext-user, Ext-group-user.
Password
Type a password for the user object. The password can consist of alphanumeric
characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~
‘ \ () ), and it can be up to eight characters long.
Retype
Retype the password to confirm.
Description
Enter a description for this user object. It is not used elsewhere. You can use
alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60
characters long.
Authentication Timeout Settings
Choose the Use Default Settings option, which shows the default Lease Time
of 1,440 minutes and Reauthentication Time of 1,440 minutes, or choose the
Use Manual Settings option to enter them yourself.
Lease Time
This shows the Lease Time setting for the user; by default it is 1,440 minutes.
Reauthentication Time
This shows the Reauthentication Time for the user, by default it is 1,440
minutes.
OK
Click OK to save the setting.
Cancel
Click Cancel to abandon this screen.
Figure 319 Configuration > BWM > Create New Object > Add Schedule
The following table describes the fields in the above screen.
Table 189 Configuration > BWM > Create New Object > Add Schedule
LABEL
DESCRIPTION
Name
Enter a name for the schedule object of the rule.
Type
Select the schedule object's type from the drop-down menu: One Time or Recurring.
Start Date
Click the icon menu on the right to choose a Start Date for the schedule object.
Start Time
Click the icon menu on the right to choose a Start Time for the schedule object.
Stop Date
Click the icon menu on the right to choose a Stop Date for the schedule object.
Stop Time
Click the icon menu on the right to choose a Stop Time for the schedule object.
Figure 320 Configuration > BWM > Create New Object > Add Address
The following table describes the fields in the above screen.
Table 190 Configuration > BWM > Create New Object > Add Address
LABEL
DESCRIPTION
Name
Enter a name for the Address object of the rule.
Address Type
Select an Address Type from the drop-down menu on the right. The Address
Types are Host, Range, Subnet, Interface IP, Interface Subnet, and Interface
Gateway.
IP Address
Enter an IP address for the Address object.
OK
Click OK to save the setting.
Cancel
Click Cancel to abandon the setting.
CHAPTER 28
Application Patrol
28.1 Overview
Application patrol provides a convenient way to manage the use of various applications on the
network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM),
peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control
the use of a particular application’s individual features (like text messaging, voice, video
conferencing, and file transfers). You can also configure bandwidth management with application
patrol in the Configuration > BWM screen for traffic prioritization to enhance the performance of
delay-sensitive applications like voice and video.
28.1.1 What You Can Do in this Chapter
• Use the Profile summary screen (see Section 28.2 on page 460) to view license registration and
signature information.
• Use the Profile Add/Edit screens (see Section 28.2 on page 460) to set actions for application
categories and for specific applications within the category.
28.1.2 What You Need to Know
If you want to use a service, make sure both the Security Policy and application patrol allow the
service’s packets to go through the ZyWALL/USG.
Note: The ZyWALL/USG checks security policies before it checks application patrol rules for
traffic going through the ZyWALL/USG.
Application patrol examines every TCP and UDP connection passing through the ZyWALL/USG and
identifies what application is using the connection. Then, you can specify whether or not the
ZyWALL/USG continues to route the connection. Traffic not recognized by the application patrol
signatures is ignored.
Application Profiles & Policies
An application patrol profile is a group of categories of application patrol signatures. For each
profile, you can specify the default action the ZyWALL/USG takes once a packet matches a
signature (forward, drop, or reject a service’s connections and/or create a log alert).
Use policies to link profiles to traffic flows based on criteria such as source zone, destination zone,
source address, destination address, schedule, user.
Classification of Applications
There are two ways the ZyWALL/USG can identify the application. The first is called auto. The
ZyWALL/USG looks at the IP payload (OSI level-7 inspection) and attempts to match it with known
patterns for specific applications. Usually, this occurs at the beginning of a connection, when the
payload is more consistent across connections, and the ZyWALL/USG examines several packets to
make sure the match is correct. Before confirmation, packets are forwarded by App Patrol with no
action taken. The number of packets inspected before confirmation varies by signature.
Note: The ZyWALL/USG allows the first eight packets to go through the security policy,
regardless of the application patrol policy for the application. The ZyWALL/USG
examines these first eight packets to identify the application.
The second approach is called service ports. The ZyWALL/USG uses only OSI level-4 information,
such as ports, to identify what application is using the connection. This approach is available in case
the ZyWALL/USG identifies a lot of “false positives” for a particular application.
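As an added illustration of the two classification methods and of the identification window described above, the following Python model was written for this page; it is not Zyxel's signature engine. The signatures, ports, payload patterns, per-signature confirmation counts and the eight-packet window taken from the note are constructed for the example, and the security policy check that runs before application patrol is not modelled. The point it makes is the one a defender should keep in mind: packets sent before a flow is confirmed are forwarded, and the service-ports method classifies by port alone, so it will label non-HTTP traffic on port 80 as HTTP.

```python
from dataclasses import dataclass, field
from typing import Optional

IDENTIFY_WINDOW = 8   # packets inspected (and let through) before a flow is deemed unrecognised


@dataclass
class Signature:
    app: str
    pattern: bytes                # constructed payload pattern for the "auto" (level-7) method
    port: int                     # well-known port for the "service ports" (level-4) method
    packets_to_confirm: int = 1   # matching packets needed before the match is trusted


# Constructed signatures; a real signature set is far larger and is downloaded from the update server.
SIGNATURES = [
    Signature("http", b"GET ", 80, packets_to_confirm=1),
    Signature("sip", b"INVITE sip:", 5060, packets_to_confirm=3),
]


@dataclass
class Flow:
    dst_port: int
    method: str = "auto"          # "auto" (payload inspection) or "service-ports" (port only)
    seen: int = 0                 # packets seen so far on this connection
    app: Optional[str] = None     # identified application, once confirmed
    hits: dict = field(default_factory=dict)   # app -> matching packets so far


def classify_packet(flow: Flow, payload: bytes) -> Optional[str]:
    """Update the flow with one packet and return the identified application, if any."""
    flow.seen += 1
    if flow.app is not None or flow.seen > IDENTIFY_WINDOW:
        return flow.app           # already decided, or past the inspection window
    if flow.method == "service-ports":
        # level-4 only: the port decides, whatever the payload says (hence more false positives)
        for sig in SIGNATURES:
            if sig.port == flow.dst_port:
                flow.app = sig.app
        return flow.app
    for sig in SIGNATURES:
        if sig.pattern in payload:
            flow.hits[sig.app] = flow.hits.get(sig.app, 0) + 1
            if flow.hits[sig.app] >= sig.packets_to_confirm:
                flow.app = sig.app
    return flow.app


def apply_policy(flow: Flow, payload: bytes, actions: dict) -> str:
    """Return forward/drop/reject for one packet.

    `actions` maps app -> profile action. The first IDENTIFY_WINDOW packets are always
    forwarded (subject to the security policy, not modelled here), as are packets of
    traffic that no signature recognises."""
    app = classify_packet(flow, payload)
    if flow.seen <= IDENTIFY_WINDOW or app is None:
        return "forward"
    return actions.get(app, "forward")
```

Running a SIP INVITE through `apply_policy` with a `drop` action shows the first eight packets being forwarded while the match is being confirmed, and only the ninth being dropped; a flow that never matches a signature is forwarded indefinitely.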
Custom Ports for SIP and the SIP ALG
Configuring application patrol to use custom port numbers for SIP traffic also configures the SIP
ALG to use the same port numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom
port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP
traffic.
Finding Out More
• You must configure services in Objects > Application.
• See Configuration > BWM chapter for detailed information on bandwidth management.
28.2 Application Patrol Profile
Use the application patrol Profile screens to customize action and log settings for a group of
application patrol signatures. You then link a profile to a policy. Use this screen to create an
application patrol profile and view signature information. It also lists the registration status and
details about the signature set the ZyWALL/USG is using.
Note: You must register for the IDP/AppPatrol signature service (at least the trial) before
you can use it.
A profile is an application object(s) or application group(s) that has customized action and log
settings.
Click Configuration > UTM Profile > App Patrol > Profile to open the following screen.
Figure 321 Configuration > UTM Profile > App Patrol > Profile
The following table describes the labels in this screen.
Table 191 Configuration > UTM Profile > App Patrol > Profile
LABEL
DESCRIPTION
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after
the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Remove
Select an entry and click Remove to delete the selected entry.
Object Reference
Select an entry and click Object References to open a screen that shows which settings
use the entry. Click Refresh to update information on this screen.
#
This field is a sequential value showing the number of the profile. The profile order is not
important.
Name
This displays the name of the profile created.
Description
This displays the description of the App Patrol Profile.
Scan Option
This field displays the scan options from the App Patrol profile.
Reference
This displays the number of times an object reference is used in a profile.
License
You need to create an account at myZyXEL.com, register your ZyWALL/USG and then
subscribe for App Patrol in order to be able to download new packet inspection signatures
from myZyXEL.com. There’s an initial free trial period for App Patrol after which you must
pay to subscribe to the service. See the Registration chapter for details.
License Status
Licensed, Not Licensed or Expired indicates whether you have subscribed for App Patrol
services or not or your registration has expired.
License Type
This field shows Trial, Standard or None depending on whether you subscribed to the
App Patrol trial, bought an iCard for App Patrol service or neither.
Signature Information
The following fields display information on the current signature set that the ZyWALL/USG
is using.
Current Version
This field displays the App Patrol signature set version number. This number gets larger as
the set is enhanced.
Released Date
This field displays the date and time the set was released.
Update Signatures
Click this link to go to the screen you can use to download signatures from the update
server.
28.2.1 The Application Patrol Profile Add/Edit Screen
Use this screen to configure profile settings. Click Configuration > UTM Profile > App Patrol >
Profile, then click Add to create a new profile rule or click an existing profile and click Edit (or
double-click it) to open the following screen.
Figure 322 Configuration > UTM Profile > App Patrol > Profile > Add/Edit
The following table describes the labels in this screen.
Table 192 Configuration > UTM Profile > App Patrol > Profile > Add/Edit
LABEL
DESCRIPTION
General Settings
Name
Type the name of the profile. You may use 1-31 alphanumeric characters,
underscores(_), or dashes (-), but the first character cannot be a number. This value is
case-sensitive. These are valid, unique profile names:
• MyProfile
• mYProfile
• Mymy12_3-4
These are invalid profile names:
• 1mYProfile
• My Profile
• MyProfile?
• Whatalongprofilename123456789012
Description
Type a description for the profile rule to help identify the purpose of rule. You may use
1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character
cannot be a number. This value is case-sensitive. This field is optional.
Profile Management
Add
Click this to create a new entry. Select an entry and click Add to create a new entry
after the selected entry.
Remove
Select an entry and click Remove to delete the selected entry.
#
This field is a sequential value showing the number of the profile. The profile order is
not important.
Application
This field displays the application name of the policy.
Action
Select the default action for all signatures in this category.
forward - the ZyWALL/USG routes packets that match these signatures.
Drop - the ZyWALL/USG silently drops packets that match these signatures without
notification.
Reject - the ZyWALL/USG drops packets that match these signatures and sends
notification.
Log
Select whether to have the ZyWALL/USG generate a log (log), log and alert (log
alert) or neither (no) by default when traffic matches a signature in this category.
OK
A profile consists of separate category editing screens. If you want to configure just
one category for a profile, click OK to save your settings to the ZyWALL/USG,
complete the profile and return to the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
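The naming rule in this table (1 to 31 alphanumeric characters, underscores or dashes, no leading digit, case-sensitive, unique) is the same one the content filter profile name in Section 29.3.1 follows. The Python checker below is an added example, not part of the guide or of the ZyWALL/USG firmware: it reports why each of the invalid names listed above is rejected and enforces uniqueness case-sensitively, so that "MyProfile" and "mYProfile" coexist as the table says they can. The error messages and the `ProfileStore` class are this example's own.

```python
import re

MAX_LEN = 31
ALLOWED = re.compile(r"[A-Za-z0-9_-]+")   # alphanumerics, underscore, dash


def profile_name_error(name: str):
    """Return None when `name` is a valid profile name, otherwise the reason it is not."""
    if not 1 <= len(name) <= MAX_LEN:
        return f"length must be 1-{MAX_LEN} characters (got {len(name)})"
    if name[0] in "0123456789":
        return "first character cannot be a number"
    if not ALLOWED.fullmatch(name):
        bad = "".join(sorted({c for c in name if not ALLOWED.fullmatch(c)}))
        return f"invalid character(s): {bad!r}"
    return None


def is_valid_profile_name(name: str) -> bool:
    return profile_name_error(name) is None


class ProfileStore:
    """Keeps profile names unique; comparison is case-sensitive, as the table states."""

    def __init__(self):
        self._names = set()

    def add(self, name: str) -> None:
        err = profile_name_error(name)
        if err:
            raise ValueError(f"{name!r}: {err}")
        if name in self._names:
            raise ValueError(f"{name!r}: a profile with this name already exists")
        self._names.add(name)

    def names(self):
        return sorted(self._names)


def check_guide_examples():
    """The valid and invalid names listed in Table 192, each mapped to its rejection reason."""
    valid = ["MyProfile", "mYProfile", "Mymy12_3-4"]
    invalid = ["1mYProfile", "My Profile", "MyProfile?", "Whatalongprofilename123456789012"]
    return ({n: profile_name_error(n) for n in valid},
            {n: profile_name_error(n) for n in invalid})


if __name__ == "__main__":
    ok, bad = check_guide_examples()
    for name, reason in {**ok, **bad}.items():
        print(f"{name!r}: {'valid' if reason is None else reason}")
```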
28.2.2 The Application Patrol Profile Rule Add Application Screen
Click Add or Edit under Profile Management in the previous screen to display the following
screen.
Figure 323 Configuration > UTM Profile > App Patrol > Profile > Profile Management > Add/Edit
The following table describes the labels in this screen.
Table 193 Configuration > UTM Profile > App Patrol > Profile > Profile Management > Add/Edit
LABEL
DESCRIPTION
General Settings
Application
Select an application to apply the policy.
Action
Select the default action for all signatures in this category.
forward - the ZyWALL/USG routes packets that match these signatures.
Drop - the ZyWALL/USG silently drops packets that match these signatures without
notification.
Reject - the ZyWALL/USG drops packets that match these signatures and sends
notification.
Log
Select whether to have the ZyWALL/USG generate a log (log), log and alert (log alert)
or neither (no) by default when traffic matches a signature in this category.
OK
Click OK to save your settings to the ZyWALL/USG.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
CHAPTER 29
Content Filtering
29.1 Overview
Use the content filtering feature to control access to specific web sites or web content.
29.1.1 What You Can Do in this Chapter
• Use the Filter Profile screens (Figure 325 on page 470) to set up content filtering
profiles.
• Use the Trusted Web Sites screens (Section 29.4 on page 480) to create a common list of good
(allowed) web site addresses.
• Use the Forbidden Web Sites screens (Section 29.5 on page 481) to create a common list of
bad (blocked) web site addresses.
29.1.2 What You Need to Know
Content Filtering
Content filtering allows you to block certain web features, such as cookies, and/or block access to
specific web sites. It can also block access to specific categories of web site content. You can create
different content filter policies for different addresses, schedules, users or groups and content filter
profiles. For example, you can configure one policy that blocks John Doe’s access to arts and
entertainment web pages during the workday and another policy that lets him access them after
work.
Content Filtering Policies
A content filtering policy allows you to do the following.
• Use schedule objects to define when to apply a content filter profile.
• Use address and/or user/group objects to define to whose web access to apply the content filter
profile.
• Apply a content filter profile that you have custom-tailored.
Content Filtering Profiles
A content filtering profile conveniently stores your custom settings for the following features.
• Category-based Blocking
The ZyWALL/USG can block access to particular categories of web site content, such as
pornography or racial intolerance.
• Restrict Web Features
The ZyWALL/USG can disable web proxies and block web features such as ActiveX controls, Java
applets and cookies.
• Customize Web Site Access
You can specify URLs to which the ZyWALL/USG blocks access. You can alternatively block access
to all URLs except ones that you specify. You can also have the ZyWALL/USG block access to
URLs that contain particular keywords.
Content Filtering Configuration Guidelines
When the ZyWALL/USG receives an HTTP request, the content filter searches for a policy that
matches the source address and time (schedule). The content filter checks the policies in order
(based on the policy numbers). When a matching policy is found, the content filter allows or blocks
the request depending on the settings of the filtering profile specified by the policy. Some requests
may not match any policy. The ZyWALL/USG allows the request if the default policy is not set to
block. The ZyWALL/USG blocks the request if the default policy is set to block.
External Web Filtering Service
When you register for and enable the external web filtering service, your ZyWALL/USG accesses an
external database that has millions of web sites categorized based on content. You can have the
ZyWALL/USG block and/or log access to web sites based on these categories.
Keyword Blocking URL Checking
The ZyWALL/USG checks the URL’s domain name (or IP address) and file path separately when
performing keyword blocking.
The URL’s domain name or IP address is the characters that come before the first slash in the URL.
For example, with the URL www.zyxel.com.tw/news/pressroom.php, the domain name is
www.zyxel.com.tw.
The file path is the characters that come after the first slash in the URL. For example, with the URL
www.zyxel.com.tw/news/pressroom.php, the file path is news/pressroom.php.
Since the ZyWALL/USG checks the URL’s domain name (or IP address) and file path separately, it
will not find items that go across the two. For example, with the URL www.zyxel.com.tw/news/
pressroom.php, the ZyWALL/USG would find “tw” in the domain name (www.zyxel.com.tw). It
would also find “news” in the file path (news/pressroom.php) but it would not find “tw/news”.
Finding Out More
• See Section 29.6 on page 482 for content filtering background/technical information.
29.1.3 Before You Begin
• You must configure an address object, a schedule object and a filtering profile before you can set
up a content security policy.
• You must have a Content Filtering license (subscription) in order to use the external
database content filtering (see the Licensing > Registration screens).
29.2 Content Filter Profile Screen
Click Configuration > UTM Profile > Content Filter > Profile to open the Content Filter
Profile screen. Use this screen to enable content filtering, view and order your list of content filter
policies, create a denial of access message or specify a redirect URL and check your external web
filtering service registration status.
Figure 324 Configuration > UTM Profile > Content Filter > Profile
The following table describes the labels in this screen.
Table 194 Configuration > UTM Profile > Content Filter > Profile
LABEL
DESCRIPTION
General Settings
Enable Content Filter Report Service
Select this check box to have the ZyWALL/USG collect category-based content
filtering statistics.
Report Server
Click this link to choose where your ZyWALL/USG is registered: myZyXEL.com or
myZyXEL.com 2.0. Choose myZyXEL.com 2.0 for a model in this series.
Content Filter Category Service Timeout
Specify the allowable time period in seconds for accessing the external web
filtering service’s server.
Denied Access Message
Enter a message to be displayed when content filter blocks access to a web page.
Use up to 127 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%,”). For example,
“Access to this web page is not allowed. Please contact the network
administrator”.
It is also possible to leave this field blank if you have a URL specified in the
Redirect URL field. In this case if the content filter blocks access to a web page,
the ZyWALL/USG just opens the web page you specified without showing a denied
access message.
Redirect URL
Enter the URL of the web page to which you want to send users when their web
access is blocked by content filter. The web page you specify here opens in a new
frame below the denied access message.
Use “http://” or “https://” followed by up to 262 characters (0-9a-zA-Z;/
?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access.
Profile Management
Add
Click Add to create a new content filter rule.
Edit
Click Edit to make changes to a content filter rule.
Remove
Click Remove to delete a content filter rule.
Object Reference
Select an entry and click Object References to open a screen that shows which
settings use the entry. Click Refresh to update information on this screen.
#
This column lists the index numbers of the content filter profile.
Name
This column lists the names of the content filter profile rule.
Description
This column lists the description of the content filter profile rule.
Reference
This displays the number of times an Object Reference is used in a rule.
License Status
This read-only field displays the status of your content-filtering database service
registration.
Not Licensed displays if you have not successfully registered and activated the
service.
Expired displays if your subscription to the service has expired.
Licensed displays if you have successfully registered the ZyWALL/USG and
activated the service.
You can view content filter reports after you register the ZyWALL/USG and
activate the subscription service in the Registration screen.
License Type
This read-only field displays what kind of service registration you have for the
content-filtering database.
None displays if you have not successfully registered and activated the service.
Standard displays if you have successfully registered the ZyWALL/USG and
activated the service.
Trial displays if you have successfully registered the ZyWALL/USG and activated
the trial service subscription.
Expiration Date
This field displays the date your service license expires.
Register Now
This link appears if you have not registered for the service or the service has
expired. Click this link to go to the screen where you can register for the service.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
29.3 Content Filter Profile Add or Edit Screen
Click Configuration > UTM > Content Filter > Profile > Add or Edit to open the Add Filter
Profile screen. Configure the Category Service and Custom Service tabs.
29.3.1 Content Filter Add Profile Category Service
Figure 325 Content Filter > Profile > Add Filter Profile > Category Service
The following table describes the labels in this screen.
Table 195 Configuration > UTM Profile > Content Filter > Profile > Add > Category Service
LABEL
DESCRIPTION
License Status
This read-only field displays the status of your content-filtering database
service registration.
Not Licensed displays if you have not successfully registered and activated
the service.
Expired displays if your subscription to the service has expired.
Licensed displays if you have successfully registered the ZyWALL/USG and
activated the service.
You can view content filter reports after you register the ZyWALL/USG and
activate the subscription service in the Registration screen.
License Type
This read-only field displays what kind of service registration you have for the
content-filtering database.
None displays if you have not successfully registered and activated the
service.
Standard displays if you have successfully registered the ZyWALL/USG and
activated the standard content filtering service.
Trial displays if you have successfully registered the ZyWALL/USG and
activated the trial service subscription.
Name
Enter a descriptive name for this content filtering profile name. You may use
1-31 alphanumeric characters, underscores(_), or dashes (-), but the first
character cannot be a number. This value is case-sensitive.
Description
Enter a description for the content filtering profile rule to help identify the
purpose of rule. You may use 1-31 alphanumeric characters, underscores(_),
or dashes (-), but the first character cannot be a number. This value is case-sensitive.
This field is optional.
Enable Content Filter Category Service
Enable external database content filtering to have the ZyWALL/USG check an
external database to find to which category a requested web page belongs.
The ZyWALL/USG then blocks or forwards access to the web page depending
on the configuration of the rest of this page.
Action for Unsafe Web Pages
Select Pass to allow users to access web pages that match the unsafe
categories that you select below.
Select Block to prevent users from accessing web pages that match the
unsafe categories that you select below. When external database content
filtering blocks access to a web page, it displays the denied access message
that you configured in the Content Filter General screen along with the
category of the blocked web page.
Select Warn to display a warning message before allowing users to access
web pages that match the unsafe categories that you select below.
Select Log to record attempts to access web pages that match the unsafe
categories that you select below.
Action for Managed Web Pages
Select Pass to allow users to access web pages that match the other
categories that you select below.
Select Block to prevent users from accessing web pages that match the other
categories that you select below. When external database content filtering
blocks access to a web page, it displays the denied access message that you
configured in the Content Filter General screen along with the category of
the blocked web page.
Select Log to record attempts to access web pages that match the other
categories that you select below.
Action for Unrated Web Pages
Select Pass to allow users to access web pages that the external web filtering
service has not categorized.
Select Block to prevent users from accessing web pages that the external web
filtering service has not categorized. When the external database content
filtering blocks access to a web page, it displays the denied access message
that you configured in the Content Filter General screen along with the
category of the blocked web page.
Select Warn to display a warning message before allowing users to access
web pages that the external web filtering service has not categorized.
Select Log to record attempts to access web pages that are not categorized.
Action When Category Server Is Unavailable
Select Pass to allow users to access any requested web page if the external
content filtering database is unavailable.
Select Block to block access to any requested web page if the external
content filtering database is unavailable.
Select Warn to display a warning message before allowing users to access any
requested web page if the external content filtering database is unavailable.
The following are possible causes for the external content filtering server not
being available:
• There is no response from the external content filtering server within the
time period specified in the Content Filter Server Unavailable Timeout
field.
• The ZyWALL/USG is not able to resolve the domain name of the external
content filtering database.
• There is an error response from the external content filtering database.
This can be caused by an expired content filtering registration (“External
content filtering’s license key is invalid”).
Select Log to record attempts to access web pages that occur when the
external content filtering database is unavailable.
Select Categories
Select All Categories
Select this check box to restrict access to all site categories listed below.
Clear All Categories
Select this check box to clear the selected categories below.
Security Threat (unsafe)
These are the categories of web pages that are known to pose a threat to
users or their computers.
Anonymizers
Sites and proxies that act as an intermediary for surfing to other Web sites in
an anonymous fashion, whether to circumvent Web filtering or for other
reasons. For example, blog.go2.tw, anonymizer.com, www.qu365.com.
Botnets
Sites that use bots (zombies) including command-and-control sites.
Compromised
Sites that have been compromised by someone other than the site owner in
order to install malicious programs without the user's knowledge. Includes
sites that may be vulnerable to a particular high-risk attack. For example,
www.wokoo.net, movie.sx.zj.cn.
Malware
Sites that install unwanted software on a user's computer with the intent to
enable third-party monitoring or make system changes without the user's
consent. For example, www.tqlkg.com, aladel.net.
Network Errors
Sites that do not resolve to any IP address.
Parked Domains
Sites that are inactive, typically reserved for later use. They most often do not
contain their own content, may simply say "under construction," "purchase
this domain," or display advertisements. For example, www.moemoon.com,
artlin.net, img.sedoparking.com.
Phishing & Fraud
Sites that are used for deceptive or fraudulent purposes (e.g. phishing), such
as stealing financial or other user account information. These sites are most
often designed to appear as legitimate sites in order to mislead users into
entering their credentials. For example, optimizedby.rmxads.com,
218.1.71.226/.../e3b.
Spam Sites
Sites that have been promoted through spam techniques. For example,
img.tongji.linezing.com, banner.chinesegamer.net.
Managed Categories
These are categories of web pages based on their content. Select categories in
this section to control access to specific types of Internet content.
You must have the Category Service content filtering license to filter these
categories. See the next table for category details.
Test Web Site Category
URL to test
You can check which category a web page belongs to. Enter a web site URL in
the text box.
When the content filter is active, you should see the web page’s category. The
query fails if the content filter is not active.
If you think the category is incorrect
Click this link to see the category recorded in the ZyWALL/USG’s content
filtering database for the web page you specified (if the database has an entry
for it).
Test Against Content Filter Category Server
Click this button to see the category recorded in the external content filter
server’s database for the web page you specified.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
The following table describes the managed categories.
Table 196 Managed Category Descriptions
CATEGORY
DESCRIPTION
Advertisements & Pop-Ups
Sites that provide advertising graphics or other ad content files such as
banners and pop-ups. For example, pagead2.googlesyndication.com,
ad.yieldmanager.com.
Alcohol & Tobacco
Sites that promote or sell alcohol- or tobacco-related products or services. For
example, www.drinks.com.tw, www.p9.com.tw, beer.ttl.com.tw.
Arts
Sites with artistic content or relating to artistic institutions such as theaters,
museums, galleries, dance companies, photography, and digital graphic
resources. For example, www.npm.gov.tw, www.nmh.gov.tw.
Business
Sites that provide business related information such as corporate Web sites.
Information, services, or products that help businesses of all sizes to do their
day-to-day commercial activities. For example, www.kinkos.com,
www.proctorgamble.com, www.bbb.org.
Chat
Sites that enable web-based exchange of realtime messages through chat
services or chat rooms. For example, me.sohu.com, blufiles.storage.live.com.
Child Abuse Images
Sites that portray or discuss children in sexual or other abusive acts. For
example, a.uuzhijia.info.
Computers & Technology
Sites that contain information about computers, software, hardware, IT,
peripheral and computer services, such as product reviews, discussions, and IT
news. For example, www.informationsecurity.com.tw, blog.ithome.com.tw.
Criminal Activity
Sites that offer advice on how to commit illegal or criminal activities, or to
avoid detection. These can include how to commit murder, build bombs, pick
locks, etc. Also includes sites with information about illegal manipulation of
electronic devices, hacking, fraud and illegal distribution of software. For
example, www.hackbase.com, jia.hackbase.com, ad.adver.com.tw.
Cults
Sites relating to non-traditional religious practice typically known as "cults,"
that is, considered to be false, unorthodox, extremist, or coercive, with
members often living under the direction of a charismatic leader. For example,
www.churchofsatan.com, www.ccya.org.tw.
Dating & Personals
Sites that promote networking for interpersonal relationships such as dating
and marriage. Includes sites for match-making, online dating, spousal
introduction. For example, www.i-part.com.tw, www.imatchi.com.
Download Sites
Sites that contain downloadable software, whether shareware, freeware, or for
a charge. Includes peer-to-peer sites. For example, www.hotdl.com,
toget.pchome.com.tw, www.azroo.com.
Education
Sites sponsored by educational institutions and schools of all types including
distance education. Includes general educational and reference materials such
as dictionaries, encyclopedias, online courses, teaching aids and discussion
guides. For example, www.tfam.museum, www.lksf.org, www.1980.org.tw.
Entertainment
Sites related to television, movies, music and video (including video on
demand), such as program guides, celebrity sites, and entertainment news.
For example, www.ctitv.com.tw, www.hboasia.com, www.startv.com.tw.
Fashion & Beauty
Sites concerning fashion, jewelry, glamour, beauty, modeling, cosmetics or
related products or services. Includes product reviews, comparisons, and
general consumer information. For example, women.sohu.com,
baodian.women.sohu.com.
Finance
Sites related to banking, finance, payment or investment, including banks,
brokerages, online stock trading, stock quotes, fund management, insurance
companies, credit unions, credit card companies, and so on. For example,
www.concords.com.tw, www.polaris.com.tw, www.bochk.com.
Forums & Newsgroups
Sites for sharing information in the form of newsgroups, forums, bulletin
boards. For example, ck101.com, my.xuite.net, ptt.cc.
Gambling
Sites that offer or are related to online gambling, lottery, casinos and betting
agencies involving chance. For example, www.taiwanlottery.com.tw, www.iwin.com.tw, www.hkjc.com.
Games
Sites relating to computer or other games, information about game producers,
or how to obtain cheat codes. Game-related publication sites. For example,
www.gamer.com.tw, www.wowtaiwan.com.tw, tw.lineage.gamania.com.
General
Sites that do not clearly fall into other categories, for example, blank Web
pages. For example, bs.serving-sys.com, simg.sinajs.cn, i0.itc.cn.
Government
Sites run by governmental organizations, departments, or agencies, including
police departments, fire departments, customs bureaus, emergency services,
civil defense, counterterrorism organizations, military and hospitals. For
example, www.ey.gov.tw, www.whitehouse.gov, www.npa.gov.tw.
Greeting cards
Sites that allow people to send and receive greeting cards and postcards. For
example, www.e-card.com.tw, card.ivy.net.tw.
Hacking
Sites that promote or give advice about how to gain unauthorized access to
proprietary computer systems, for the purpose of stealing information,
perpetrating fraud, creating viruses, or committing other illegal activity related
to theft of digital information. For example, www.hackbase.com,
www.chinahacker.com.
Hate & Intolerance
Sites that promote a supremacist political agenda, encouraging oppression of
people or groups of people based on their race, religion, gender, age, disability,
sexual orientation or nationality. For example, www.racist-jokes.com, aryannations.org, whitepower.com.
Health & Medicine
Sites containing information pertaining to health, healthcare services, fitness
and well-being, including information about medical equipment, hospitals,
drugstores, nursing, medicine, procedures, prescription medications, etc. For
example, www.lksf.org, www.ohayo.com.tw.
Illegal Drug
Sites with information on the purchase, manufacture, and use of illegal or
recreational drugs and their paraphernalia, and misuse of prescription drugs
and other compounds. For example, www.cannabis.net,
www.amphetamines.com.
Illegal Software
Sites that illegally distribute software or copyrighted materials such as movies
or music, software cracks, illicit serial numbers, illegal license key generators.
For example, www.zhaokey.com.cn, www.tiansha.net.
Image Sharing
Sites that host digital photographs and images, online photo albums and digital
photo exchanges. For example, photo.pchome.com.tw, photo.xuite.net,
photobucket.com.
Information Security
Sites that provide legitimate information about data protection, including
newly discovered vulnerabilities and how to block them. For example,
www.informationsecurity.com.tw, www.itis.tw.
Instant Messaging
Sites that enable logging in to instant messaging services such as ICQ, AOL
Instant Messenger, IRC, MSN, Jabber, Yahoo Messenger, and the like. For
example, www.meebo.com, www.aim.com, www.ebuddy.com.
Job Search
Sites containing job listings, career information, assistance with job searches
(such as resume writing, interviewing tips, etc.), employment agencies or
head hunters. For example, www.104.com.tw, www.1111.com.tw,
www.yes123.com.tw.
Leisure & Recreation
Sites relating to recreational activities and hobbies including zoos, public
recreation centers, pools, amusement parks, and hobbies such as gardening,
literature, arts & crafts, home improvement, home décor, family, etc. For
example, tpbg.tfri.gov.tw, tw.fashion.yahoo.com, www.relaxtimes.com.tw.
News
Sites covering news and current events such as newspapers, newswire
services, personalized news services, broadcasting sites, and magazines. For
example, www.tvbs.com.tw, www.ebc.net.tw, www.iset.com.tw.
Non-profits & NGOs
Sites devoted to clubs, communities, unions, and non-profit organizations.
Many of these groups exist for educational or charitable purposes. For
example, www.tzuchi.org.tw, web.redcross.org.tw, www.lksf.org.
Nudity
Sites that contain full or partial nudity that are not necessarily overtly sexual in
intent. Includes sites that advertise or sell lingerie, intimate apparel, or
swimwear. For example, www.easyshop.com.tw, www.faster-swim.com.tw,
image.baidu.com.
Peer-to-Peer
Sites that enable direct exchange of files between users without dependence
on a central server. For example, www.eyny.com.
Personal Sites
Sites about or hosted by personal individuals, including those hosted on
commercial sites. For example, blog.yam.com, www.wretch.cc, blog.xuite.net.
Politics
Sites that promote political parties or political advocacy, or provide information
about political parties, interest groups, elections, legislation or lobbying. Also
includes sites that offer legal information and advice. For example,
www.kmt.org.tw, www.dpp.org.tw, cpc.people.com.cn.
Pornography/Sexually Explicit
Sites that contain explicit sexual content. Includes adult products such as sex
toys, CD-ROMs, and videos, adult services such as videoconferencing, escort
services, and strip clubs, erotic stories and textual descriptions of sexual acts.
For example, www.dvd888.com, www.18center.com, blog.sina.com.tw.
Private IP Addresses
Sites that are private IP addresses as defined in RFC 1918, that is, hosts that
do not require access to hosts in other enterprises (or require just limited
access) and whose IP address may be ambiguous between enterprises but are
well defined within a certain enterprise. For example, 172.21.20.123,
192.168.35.62.
Real Estate
Sites relating to commercial or residential real estate services, including
renting, purchasing, selling or financing homes, offices, etc. For example,
www.sinyi.com.tw, www.yungching.com.tw, house.focus.cn.
Religion
Sites that deal with faith, human spirituality or religious beliefs, including sites
of churches, synagogues, mosques and other houses of worship. For example,
www.fgs.org.tw, www.twtaoism.net, www.fhl.net.
Restaurants & Dining
Sites that list, review, promote or advertise food, dining or catering services.
Includes sites for recipes, cooking instruction and tips, food products, and wine
advisors. For example, www.jogoya.com.tw, www.dintaifung.com.tw,
www2.pizzahut.com.tw.
School Cheating
Sites that promote unethical practices such as cheating or plagiarism by
providing test answers, written essays, research papers, or term papers. For
example, www.zydk788.com, www.huafengksw.com.
Search Engines & Portals
Sites enabling the searching of the Web, newsgroups, images, directories, and
other online content. Includes portal and directory sites such as white/yellow
pages. For example, tw.yahoo.com, www.pchome.com.tw,
www.google.com.tw.
Sex Education
Sites relating to sex education, including subjects such as respect for partner,
abortion, gay and lesbian lifestyle, contraceptives, sexually transmitted
diseases, and pregnancy. For example, apps.rockyou.com,
www.howmama.com.tw, www.mombaby.com.tw.
Shopping
Sites for online shopping, catalogs, online ordering, auctions, classified ads.
Excludes shopping for products and services exclusively covered by another
category such as health & medicine. For example, shopping.pchome.com.tw,
buy.yahoo.com.tw, www.tkec.com.tw.
Social Networking
Sites that enable social networking for online communities of various topics,
for friendship, dating, or professional reasons. For example,
www.facebook.com, www.flickr.com, www.groups.google.com.
Sports
Sites relating to sports teams, fan clubs, scores and sports news. Relates to all
sports, whether professional or recreational. For example, www.yankees.com,
www.nba.com, mlb.mlb.com.
Streaming Media & Downloads
Sites that deliver streaming content, such as Internet radio, Internet TV or
MP3 and live or archived media download sites. Includes fan sites, or official
sites run by musicians, bands, or record labels. For example,
www.youtube.com, pfp.sina.com.cn, my.xunlei.com.
Tasteless
Sites with offensive or tasteless content such as bathroom humor or profanity.
For example, comedycentral.com, dilbert.com.
Translators
Sites that translate Web pages or phrases from one language to another. These
sites may be used to attempt to bypass a filtering system. For example,
translate.google.com.tw, www.smartlinkcorp.com, translation.paralink.com.
Transportation
Sites that provide information about motor vehicles such as cars, motorcycles,
boats, trucks, RVs and the like. Includes manufacturer sites, dealerships,
review sites, pricing, online purchase sites, enthusiasts clubs, etc. For
example, www.toyota.com.tw, www.ford.com.tw, www.sym.com.tw.
Travel
Sites that provide travel and tourism information or online booking of travel
services such as airlines, accommodations, car rentals. Includes regional or
city information sites. For example, www.startravel.com.tw,
taipei.grand.hyatt.com.tw, www.car-plus.com.tw.
Unknown
Sites whose category is unknown. For example, www.669.com.tw,
www.appleballoon.com.tw, www.uimco.com.tw.
Violence
Sites that contain images or text depicting or advocating physical assault
against humans, animals, or institutions. Sites of a particularly gruesome
nature such as shocking depictions of blood or wounds, or cruel animal
treatment. For example, crimescene.com, deathnet.com, michiganmilitia.com.
Weapons
Sites that depict, sell, review or describe guns and weapons, including for
sport. For example, www.ak-47.net, warfare.ru.
Web-based Email
Sites that enable users to send and receive email through a web-accessible
email account. For example, mail.163.com, mail.google.com,
mail.yahoo.com.tw.
29.3.2 Content Filter Add Filter Profile Custom Service
Click Configuration > UTM Profile > Content Filter > Filter Profile > Add or Edit > Custom
Service to open the Custom Service screen. You can create a list of good (allowed) web site
addresses and a list of bad (blocked) web site addresses. You can also block web sites based on
whether the web site’s address contains a keyword. Use this screen to add or remove specific sites
or keywords from the filter list.
Figure 326 Configuration > UTM Profile > Content Filter > Filter Profile > Custom Service
The following table describes the labels in this screen.
Table 197 Configuration > UTM Profile > Content Filter > Profile > Custom Service
LABEL
DESCRIPTION
Name
Enter a descriptive name for this content filtering profile name. You may use
1-31 alphanumeric characters, underscores(_), or dashes (-), but the first
character cannot be a number. This value is case-sensitive.
Description
Enter a description for the content filtering profile rule to help identify the
purpose of rule. You may use 1-31 alphanumeric characters,
underscores(_), or dashes (-), but the first character cannot be a number.
This value is case-sensitive.
This field is optional.
Enable Custom Service
Select this check box to allow trusted web sites and block forbidden web
sites. Content filter list customization may be enabled and disabled without
re-entering these site names.
Allow Web traffic for trusted web sites only
When this box is selected, the ZyWALL/USG blocks Web access to sites that
are not on the Trusted Web Sites list. If they are chosen carefully, this is
the most effective way to block objectionable material.
Check Common Trusted/Forbidden List
Select this check box to check the common trusted and forbidden web sites
lists. See Section 29.4 on page 480 and Section 29.5 on page 481 for
information on configuring these lists.
Restricted Web Features
Select the check box(es) to restrict a feature.
Block
• When you download a page containing ActiveX or Java, that part of the
web page will be blocked with an X.
• When you download a page coming from a Web Proxy, the whole web
page will be blocked.
• When you download a page containing cookies, the cookies will be
removed, but the page will not be blocked.
ActiveX
ActiveX is a tool for building dynamic and active web pages and distributed
object applications. When you visit an ActiveX web site, ActiveX controls are
downloaded to your browser, where they remain in case you visit the site
again.
Java
Java is a programming language and development environment for building
downloadable Web components or Internet and intranet business
applications of all kinds.
Cookies
Cookies are files stored on a computer’s hard drive. Some web servers use
them to track usage and provide service based on ID.
Web Proxy
A server that acts as an intermediary between a user and the Internet to
provide security, administrative control, and caching service. When a proxy
server is located on the WAN it is possible for LAN users to circumvent
content filtering by pointing to this proxy server.
Allow Java/ActiveX/Cookies/Web proxy to trusted web sites
When this box is selected, the ZyWALL/USG will permit Java, ActiveX and
Cookies from sites on the Trusted Web Sites list to the LAN. In certain
cases, it may be desirable to allow Java, ActiveX or Cookies from sites that
are known and trusted.
Trusted Web Sites
Sites that you want to allow access to, regardless of their content rating,
can be allowed by adding them to this list.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This displays the index number of the trusted web sites.
Trusted Web Site
This column displays the trusted web sites already added.
Enter host names such as www.good-site.com into this text field. Do not
enter the complete URL of the site – that is, do not include “http://”. All
subdomains are allowed. For example, entering “*zyxel.com” also allows
“www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, and so on. You
can also enter just a top level domain. For example, enter “*.com” to allow
all .com domains.
Use up to 127 characters (0-9a-z-). The casing does not matter. “*” can be
used as a wildcard to match any string. The entry must contain at least one
“.” or it will be invalid.
Forbidden Web Site List
Sites that you want to block access to, regardless of their content rating, can
be blocked by adding them to this list.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This displays the index number of the forbidden web sites.
Forbidden Web Sites
This list displays the forbidden web sites already added.
Enter host names such as www.bad-site.com into this text field. Do not
enter the complete URL of the site – that is, do not include “http://”. All
subdomains are also blocked. For example, entering “*bad-site.com” also
blocks “www.bad-site.com”, “partner.bad-site.com”, “press.bad-site.com”,
and so on. You can also enter just a top level domain. For example, enter
“*.com” to block all .com domains.
Use up to 127 characters (0-9a-z-). The casing does not matter. “*” can be
used as a wildcard to match any string. The entry must contain at least one
“.” or it will be invalid.
Blocked URL Keywords
This section allows you to block Web sites with URLs that contain certain
keywords in the domain name or IP address.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This displays the index number of the blocked URL keywords.
Blocked URL Keywords
This list displays the keywords already added.
Enter a keyword or a numerical IP address to block.
Use up to 127 case-insensitive characters (0-9a-zA-Z;/?:@&=+$\._!~*()%).
“*” can be used as a wildcard to match any string. Use “|*” to indicate a
single wildcard character.
For example enter *Bad_Site* to block access to any web page that includes
the exact phrase Bad_Site. This does not block access to web pages that
only include part of the phrase (such as Bad for example).
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
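As an added example (not Zyxel's code), the following Python models how entries in the Trusted Web Sites, Forbidden Web Sites and Blocked URL Keywords lists are validated and matched against the host of a requested URL, following the rules stated in Table 197. It assumes that "." and "*" are accepted in an entry in addition to 0-9a-z-, that a wildcard-free entry also covers its subdomains as Section 29.4 describes, and that the trusted list is consulted before the forbidden list and the keywords; the manual states none of this ordering.

```python
import re
from urllib.parse import urlsplit

ENTRY_MAX_LEN = 127     # "Use up to 127 characters"
# The manual lists 0-9a-z-; '.' and '*' are assumed allowed as well, since its
# own examples ("*zyxel.com", "*.com") use them.
_SITE_CHARS = re.compile(r"^[0-9a-z.*-]+$")
# Blocked URL Keywords character set quoted from Table 197 (case-insensitive).
_KEYWORD_CHARS = re.compile(r"^[0-9a-zA-Z;/?:@&=+$\\._!~*()%]+$")


def normalize_site_entry(entry):
    """Validate a Trusted/Forbidden Web Site entry and return it lower-cased."""
    e = entry.strip().lower()
    if not e or len(e) > ENTRY_MAX_LEN:
        raise ValueError("entry must be 1-127 characters")
    if "://" in e or "/" in e:
        raise ValueError("enter a host name, not a URL (no 'http://')")
    if "." not in e:
        raise ValueError("entry must contain at least one '.'")
    if not _SITE_CHARS.match(e):
        raise ValueError("entry may only use 0-9, a-z, '-', '.' and '*'")
    return e


def is_valid_site_entry(entry):
    """True when the entry passes the checks above."""
    try:
        normalize_site_entry(entry)
        return True
    except ValueError:
        return False


def _wildcard_to_regex(pattern):
    """'*' matches any string; everything else is matched literally."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def site_entry_regex(entry):
    """Compile a site-list entry: "*zyxel.com" matches every host ending in
    zyxel.com and "*.com" every .com host. A wildcard-free entry such as
    "zyxel.com" is assumed to cover the host and its subdomains, as the
    common lists in Section 29.4 describe."""
    e = normalize_site_entry(entry)
    body = _wildcard_to_regex(e) if "*" in e else r"(?:.*\.)?" + re.escape(e)
    return re.compile("^" + body + "$")


def keyword_regex(keyword):
    """Compile a Blocked URL Keywords entry such as "*Bad_Site*": the match is
    case-insensitive and anchored, so a host containing only "Bad" does not match."""
    k = keyword.strip()
    if not k or len(k) > ENTRY_MAX_LEN or not _KEYWORD_CHARS.match(k):
        raise ValueError("invalid keyword")
    return re.compile("^" + _wildcard_to_regex(k) + "$", re.IGNORECASE)


def host_of(url):
    """The host (domain name or IP address) the lists are compared against;
    scheme, port and path are ignored."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


class CustomService:
    """Trusted list, forbidden list, blocked keywords and the
    "Allow Web traffic for trusted web sites only" switch."""

    def __init__(self, trusted=(), forbidden=(), keywords=(), trusted_only=False):
        self.trusted = [site_entry_regex(e) for e in trusted]
        self.forbidden = [site_entry_regex(e) for e in forbidden]
        self.keywords = [keyword_regex(k) for k in keywords]
        self.trusted_only = trusted_only

    def decide(self, url):
        """Return "allow", "block" or "rate" (hand the request to the Category
        Service). The evaluation order is an assumption of this example."""
        host = host_of(url)
        if any(p.match(host) for p in self.trusted):
            return "allow"      # trusted regardless of content rating
        if any(p.match(host) for p in self.forbidden):
            return "block"
        if any(p.match(host) for p in self.keywords):
            return "block"
        if self.trusted_only:
            return "block"      # not on the trusted list
        return "rate"
```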
29.4 Content Filter Trusted Web Sites Screen
Click Configuration > UTM Profile > Content Filter > Trusted Web Sites to open the Trusted
Web Sites screen. You can create a common list of good (allowed) web site addresses. When you
configure Filter Profiles, you can select the option to check the Common Trusted Web Sites list.
Use this screen to add or remove specific sites from the filter list.
Figure 327 Configuration > UTM Profile > Content Filter > Trusted Web Sites
The following table describes the labels in this screen.
Table 198 Configuration > UTM Profile > Content Filter > Trusted Web Sites
LABEL
DESCRIPTION
Common Trusted Web Sites
Sites that you want to allow access to, regardless of their content rating,
can be allowed by adding them to this list.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This displays the index number of the trusted web sites.
Trusted Web Site
This column displays the trusted web sites already added.
Enter host names such as www.good-site.com into this text field. Do not
enter the complete URL of the site – that is, do not include “http://”. All
subdomains are allowed. For example, entering “zyxel.com” also allows
“www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, and so on. You
can also enter just a top level domain. For example, enter .com to allow all
.com domains.
Use up to 127 characters (0-9a-z-). The casing does not matter.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
29.5 Content Filter Forbidden Web Sites Screen
Click Configuration > UTM Profile > Content Filter > Forbidden Web Sites to open the
Forbidden Web Sites screen. You can create a common list of bad (blocked) web site addresses.
When you configure Filter Profiles, you can select the option to check the Common Forbidden
Web Sites list. Use this screen to add or remove specific sites from the filter list.
Figure 328 Configuration > UTM Profile > Content Filter > Forbidden Web Sites
The following table describes the labels in this screen.
Table 199 Configuration > UTM Profile > Content Filter > Forbidden Web Sites
LABEL
DESCRIPTION
Forbidden Web Site List
Sites that you want to block access to, regardless of their content rating, can
be blocked by adding them to this list.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This displays the index number of the forbidden web sites.
Forbidden Web Sites
This list displays the forbidden web sites already added.
Enter host names such as www.bad-site.com into this text field. Do not
enter the complete URL of the site – that is, do not include “http://”. All
subdomains are also blocked. For example, entering “bad-site.com” also
blocks “www.bad-site.com”, “partner.bad-site.com”, “press.bad-site.com”,
and so on. You can also enter just a top level domain. For example, enter
.com to block all .com domains.
Use up to 127 characters (0-9a-z-). The casing does not matter.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
29.6 Content Filter Technical Reference
This section provides content filtering background information.
External Content Filter Server Lookup Procedure
The content filter lookup process is described below.
Figure 329 Content Filter Lookup Procedure
1 A computer behind the ZyWALL/USG tries to access a web site.
2 The ZyWALL/USG looks up the web site in its cache. If an attempt to access the web site was made
in the past, a record of that web site’s category will be in the ZyWALL/USG’s cache. The ZyWALL/
USG blocks, blocks and logs or just logs the request based on your configuration.
3 Use the Content Filter Cache screen to configure how long a web site address remains in the
cache as well as view those web site addresses. All of the web site address records are also cleared
from the local cache when the ZyWALL/USG restarts.
4 If the ZyWALL/USG has no record of the web site, it queries the external content filter database and
simultaneously sends the request to the web server.
5 The external content filter server sends the category information back to the ZyWALL/USG, which
then blocks and/or logs access to the web site based on the settings in the content filter profile. The
web site’s address and category are then stored in the ZyWALL/USG’s content filter cache.
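The lookup procedure above, combined with the Pass/Block/Warn/Log actions and the "Action When Category Server Is Unavailable" setting from Table 195, as an added Python model that is not Zyxel's code. The category server is a constructed stub, the cache lifetime and injected clock are arbitrary, and treating categories that are not selected in the profile as Pass without logging is an assumption of this example.

```python
import time
from dataclasses import dataclass, field
from typing import Optional, Set
from urllib.parse import urlsplit

# "Security Threat (unsafe)" categories from Table 195; any other category the
# server returns is treated as a managed category (Table 196).
UNSAFE_CATEGORIES = {
    "Anonymizers", "Botnets", "Compromised", "Malware", "Network Errors",
    "Parked Domains", "Phishing & Fraud", "Spam Sites",
}
UNRATED = "Unrated"     # the server's reply for a page it has not categorized

class ServerUnavailable(Exception):
    """No response within the Server Unavailable Timeout, the server's name did
    not resolve, or an error response (for example an invalid license key)."""

@dataclass
class Profile:
    """Action settings of a Category Service profile (Table 195)."""
    unsafe_action: str = "block"         # Pass / Block / Warn
    managed_action: str = "block"        # Pass / Block (Warn is not offered)
    unrated_action: str = "warn"         # Pass / Block / Warn
    unavailable_action: str = "pass"     # Pass / Block / Warn
    unsafe_selected: Set[str] = field(default_factory=lambda: set(UNSAFE_CATEGORIES))
    managed_selected: Set[str] = field(default_factory=set)
    # which of the four "Log" check boxes are ticked
    log_for: Set[str] = field(default_factory=lambda: {"unsafe", "managed", "unavailable"})

@dataclass
class Decision:
    action: str                  # "pass", "block" or "warn"
    category: Optional[str]      # None when the server could not be reached
    logged: bool
    from_cache: bool

class CategoryCache:
    """Host -> (category, stored_at) records with the lifetime set in the
    Content Filter Cache screen; clear() models the flush on restart."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl, self.clock, self._entries = ttl_seconds, clock, {}

    def get(self, host):
        rec = self._entries.get(host)
        if rec is None:
            return None
        category, stored_at = rec
        if self.clock() - stored_at > self.ttl:      # record has aged out
            del self._entries[host]
            return None
        return category

    def put(self, host, category):
        self._entries[host] = (category, self.clock())

    def clear(self):
        self._entries.clear()

def classify(url, profile, cache, server):
    """Steps 1-5 of the lookup procedure: cache first, then the external
    server; the reply is cached and the profile's action is applied."""
    host = (urlsplit(url).hostname or "").lower()
    category = cache.get(host)                                   # step 2
    from_cache = category is not None
    if not from_cache:
        try:
            category = server(host)                              # step 4
        except ServerUnavailable:              # Action When Category Server Is Unavailable
            return Decision(profile.unavailable_action, None, "unavailable" in profile.log_for, False)
        cache.put(host, category)                                # step 5
    if category == UNRATED:
        return Decision(profile.unrated_action, category, "unrated" in profile.log_for, from_cache)
    if category in UNSAFE_CATEGORIES:
        if category not in profile.unsafe_selected:              # assumed: not acted on
            return Decision("pass", category, False, from_cache)
        return Decision(profile.unsafe_action, category, "unsafe" in profile.log_for, from_cache)
    if category not in profile.managed_selected:
        return Decision("pass", category, False, from_cache)
    return Decision(profile.managed_action, category, "managed" in profile.log_for, from_cache)

def demo():
    """Walk constructed sample requests through the procedure and return the Decisions."""
    clock = [1000.0]                                             # injected clock (seconds)
    cache = CategoryCache(ttl_seconds=3600, clock=lambda: clock[0])
    state = {"available": True, "queries": 0, "ratings": {     # constructed stub server
        "phish.example.test": "Phishing & Fraud",
        "news.example.test": "News",
        "casino.example.test": "Gambling"}}

    def server(host):
        state["queries"] += 1
        if not state["available"]:
            raise ServerUnavailable("no response within the Unavailable Timeout")
        return state["ratings"].get(host, UNRATED)

    profile = Profile(managed_selected={"Gambling"})
    out = {
        "first": classify("http://phish.example.test/login", profile, cache, server),
        "again": classify("http://phish.example.test/other", profile, cache, server),
        "news": classify("http://news.example.test/", profile, cache, server),
        "casino": classify("http://casino.example.test/", profile, cache, server),
        "unrated": classify("http://unknown.example.test/", profile, cache, server),
    }
    clock[0] += 3601                                             # every cache record expires
    state["available"] = False
    out["down"] = classify("http://phish.example.test/login", profile, cache, server)
    out["queries"] = state["queries"]
    return out
```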
Chapter 30
IDP
30.1 Overview
This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles,
binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system
can detect malicious or suspicious packets and respond instantaneously. IDP on the ZyWALL/USG
protects against network-based intrusions.
30.1.1 What You Can Do in this Chapter
• Use the UTM Profile > IDP > Profile screen (Section 30.2 on page 485) to view registration
and signature information. Click the Add or Edit icon in this screen to bind an IDP profile to a
traffic direction.
• Use the UTM Profile > IDP > Profile > Add screen (Section 30.2.2 on page 487) to add a new
profile, edit an existing profile or delete an existing profile.
• Use the UTM Profile > IDP > Custom Signature screens (Section 30.3 on page 496) to create
a new custom signature, edit an existing signature, delete existing signatures or save signatures
to your computer.
30.1.2 What You Need To Know
Packet Inspection Signatures
A signature identifies a malicious or suspicious packet and specifies an action to be taken. You can
change the action in the profile screens. Packet inspection signatures examine OSI (Open System
Interconnection) layer-4 to layer-7 packet contents for malicious data. Generally, packet inspection
signatures are created for known attacks while anomaly detection looks for abnormal behavior.
Applying Your IDP Configuration
Changes to the ZyWALL/USG’s IDP settings affect new sessions (not the sessions that already
existed before you applied the changed settings).
30.1.3 Before You Begin
• Register for a trial IDP subscription in the Registration screen. This gives you access to free
signature updates. This is important as new signatures are created as new attacks evolve. When
the trial subscription expires, purchase and enter a license key using the same screens to
continue the subscription.
30.2 The IDP Profile Screen
An IDP profile is a set of packet inspection signatures.
Packet inspection signatures examine packet content for malicious data. Packet inspection applies
to OSI (Open System Interconnection) layer-4 to layer-7 contents. You need to subscribe for IDP
service in order to be able to download new signatures.
In general, packet inspection signatures are created for known attacks while anomaly detection
looks for abnormal behavior.
Click Configuration > UTM Profile > IDP > Profile to open this screen. Use this screen to view
registration and signature information.
Note: You must register in order to use packet inspection signatures. See the
Registration screens.
If you try to enable IDP when the IDP service has not yet been registered, a warning screen
displays and IDP is not enabled.
Figure 330 Configuration > UTM Profile > IDP > Profile
The following table describes the fields in this screen.
Table 200 Configuration > UTM Profile > IDP > Profile
LABEL
DESCRIPTION
Profile Management
Add
Click Add to create a new profile. Select from the options in the box.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Object Reference
Select an entry and click Object References to open a screen that shows which
settings use the entry. Click Refresh to update information on this screen.
Clone
Use Clone to create a new entry by modifying an existing one.
• Select an existing entry.
• Click Clone.
• A configuration copy of the selected entry pops up. You must at least change the
name as duplicate entry names are not allowed.
#
This is the entry’s index number in the list.
Name
This displays the name of the IDP Profile.
Base Profile
This displays the base profile used to create the IDP profile.
Description
This displays the description of the IDP Profile.
Reference
This displays the number of times an object reference is used in a profile.
License
You need to create an account at myZyXEL.com, register your ZyWALL/USG and
then subscribe for IDP in order to be able to download new packet inspection
signatures from myZyXEL.com. There’s an initial free trial period for IDP after which
you must pay to subscribe to the service. See the Registration chapter for details.
License Status
This field shows Licensed, Not Licensed or Expired to indicate whether you have subscribed to
the IDP service, have not subscribed, or your subscription has expired.
License Type
This field shows Trial, Standard or None depending on whether you subscribed to
the IDP trial, bought an iCard for IDP service or neither.
Signature Information
The following fields display information on the current signature set that the
ZyWALL/USG is using.
Current Version
This field displays the IDP signature set version number. This number gets larger as
the set is enhanced.
Signature Number
This field displays the number of IDP signatures in this set. This number usually gets
larger as the set is enhanced. Older signatures and rules may be removed if they are
no longer applicable or have been supplanted by newer ones.
Released Date
This field displays the date and time the set was released.
Update Signatures
Click this link to go to the screen you can use to download signatures from the
update server.
30.2.1 Base Profiles
The ZyWALL/USG comes with several base profiles. You use base profiles to create new profiles. In
the Configuration > UTM > IDP > Profile screen, click Add to display the following screen.
Figure 331 Base Profiles
The following table describes this screen.
Table 201 Base Profiles
BASE PROFILE
DESCRIPTION
none
All signatures are disabled. No logs are generated and no actions are taken.
all
All signatures are enabled. Signatures with a high or severe severity level (greater than
three) generate log alerts and cause packets that trigger them to be dropped.
Signatures with a very low, low or medium severity level (less than or equal to three)
generate logs (not log alerts) and no action is taken on packets that trigger them.
wan
Signatures for all services are enabled. Signatures with a medium, high or severe
severity level (greater than two) generate logs (not log alerts) and no action is taken on
packets that trigger them. Signatures with a very low or low severity level (less than or
equal to two) are disabled.
lan
This profile is most suitable for common LAN network services. Signatures for common
services such as DNS, FTP, HTTP, ICMP, IM, IMAP, MISC, NETBIOS, P2P, POP3, RPC,
RSERVICE, SMTP, SNMP, SQL, TELNET, TFTP, MySQL are enabled. Signatures with a high
or severe severity level (greater than three) generate logs (not log alerts) and cause
packets that trigger them to be dropped. Signatures with a low or medium severity level
(two or three) generate logs (not log alerts) and no action is taken on packets that
trigger them. Signatures with a very low severity level (one) are disabled.
dmz
This profile is most suitable for networks containing your servers. Signatures for
common services such as DNS, FTP, HTTP, ICMP, IMAP, MISC, NETBIOS, POP3, RPC,
RSERVICE, SMTP, SNMP, SQL, TELNET, Oracle, MySQL are enabled. Signatures with a
high or severe severity level (greater than three) generate log alerts and cause packets
that trigger them to be dropped. Signatures with a low or medium severity level (two or
three) generate logs (not log alerts) and no action is taken on packets that trigger
them. Signatures with a very low severity level (one) are disabled.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
30.2.2 Adding / Editing Profiles
You may want to create a new profile if not all signatures in a base profile are applicable to your
network. In this case you should disable non-applicable signatures so as to improve ZyWALL/USG
IDP processing efficiency.
You may also find that certain signatures are triggering too many false positives or false negatives.
A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is
wrongly allowed to pass through the ZyWALL/USG. As each network is different, false positives and
false negatives are common on initial IDP deployment.
You could create a new ‘monitor profile’ that creates logs but all actions are disabled. Observe the
logs over time and try to eliminate the causes of the false alarms. When you’re satisfied that they
have been reduced to an acceptable level, you could then create an ‘inline profile’ whereby you
configure appropriate actions to be taken when a packet matches a signature.
Packet inspection signatures examine the contents of a packet for malicious data. They operate at
layer-4 to layer-7. An IDP profile is a group of IDP signatures that have the same log and action
settings. In ‘group view’ you can configure the same log and action settings for all IDP signatures
by severity level in the Add Profile screen. You may also configure signature exceptions in the
same view.
30.2.3 Profile > Group View Screen
Select Configuration > UTM Profile > IDP > Profile and then click Add to create a new profile
or select an existing profile, then click a group in the base profile box (or double-click the existing
profile) to modify it. Group view is displayed first by default.
Figure 332 Configuration > UTM Profile > IDP > Profile > Add > Edit: Group View
The following table describes the fields in this screen.
Table 202 Configuration > UTM Profile> IDP > Profile > Add > Group View
LABEL
DESCRIPTION
Name
This is the name of the profile. You may use 1-31 alphanumeric characters,
underscores (_), or dashes (-), but the first character cannot be a number. This value is
case-sensitive. These are valid, unique profile names:
• MyProfile
• mYProfile
• Mymy12_3-4
These are invalid profile names:
• 1mYProfile
• My Profile
• MyProfile?
• Whatalongprofilename123456789012
Description
Enter additional information about this IDP rule. You can enter up to 60 characters ("0-9",
"a-z", "A-Z", "-" and "_").
Switch to query view
Click this button to go to a screen where you can search for signatures by criteria such as
name, ID, severity, attack type, vulnerable attack platforms, service category, log options
or actions.
Severity Level
Select a severity level and then use the icons to enable/disable and configure logs and
actions for all signatures of that level.
Signature Group
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Log
To edit an item’s log option, select it and use the Log icon. These are the log options:
no: Select this option on an individual signature or a complete service group to have the
ZyWALL/USG create no log when a packet matches a signature(s).
log: Select this option on an individual signature or a complete service group to have the
ZyWALL/USG create a log when a packet matches a signature(s).
log alert: An alert is an e-mailed log for more serious events that may need more
immediate attention. They also appear in red in the Monitor > Log screen. Select this
option to have the ZyWALL/USG send an alert when a packet matches a signature(s).
Action
To edit what action the ZyWALL/USG takes when a packet matches a signature, select the
signature and use the Action icon.
none: Select this action on an individual signature or a complete service group to have the
ZyWALL/USG take no action when a packet matches the signature(s).
drop: Select this action on an individual signature or a complete service group to have the
ZyWALL/USG silently drop a packet that matches the signature(s). Neither sender nor
receiver are notified.
reject-sender: Select this action on an individual signature or a complete service group to
have the ZyWALL/USG send a reset to the sender when a packet matches the signature. If
it is a TCP attack packet, the ZyWALL/USG will send a packet with a ‘RST’ flag. If it is an
ICMP or UDP attack packet, the ZyWALL/USG will send an ICMP unreachable packet.
reject-receiver: Select this action on an individual signature or a complete service group
to have the ZyWALL/USG send a reset to the receiver when a packet matches the
signature. If it is a TCP attack packet, the ZyWALL/USG will send a packet with a ‘RST’
flag. If it is an ICMP or UDP attack packet, the ZyWALL/USG will do nothing.
reject-both: Select this action on an individual signature or a complete service group to
have the ZyWALL/USG send a reset to both the sender and receiver when a packet matches
the signature. If it is a TCP attack packet, the ZyWALL/USG will send a packet with a ‘RST’
flag to the receiver and sender. If it is an ICMP or UDP attack packet, the ZyWALL/USG will
send an ICMP unreachable packet.
#
This is the entry’s index number in the list.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is
inactive.
Message
This displays the message logged when a packet violates the IDP profile rule.
SID
This displays the Signature ID number. The SID is a numerical field in the 9000000 to
9999999 range.
Severity
These are the severities as defined in the ZyWALL/USG. The number in brackets is the
number you use if using commands.
Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
High (4): These denote known serious vulnerabilities or attacks that are probably not false
alarms.
Medium (3): These denote medium threats, access control attacks or attacks that could be
false alarms.
Low (2): These denote mild threats or attacks that could be false alarms.
Very Low (1): These denote possible attacks caused by traffic such as Ping, trace route,
ICMP queries etc.
Policy Type
This displays the application of the IDP profile.
Log
These are the log options. To edit this, select an item and use the Log icon.
Action
This is the action the ZyWALL/USG should take when a packet matches a signature here. To
edit this, select an item and use the Action icon.
Excepted Signatures
Use the icons to enable/disable and configure logs and actions for individual signatures that
are different from the general settings configured for the severity level to which the signatures
belong. Signatures configured in Query View will appear in Group View.
Add
Click this to configure settings for a signature that are different from those of the severity
level to which it belongs.
Remove
Select an existing signature exception and then click this to delete the exception.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Log
To edit an item’s log option, select it and use the Log icon. These are the log options:
no: Select this option on an individual signature or a complete service group to have the
ZyWALL/USG create no log when a packet matches a signature(s).
log: Select this option on an individual signature or a complete service group to have the
ZyWALL/USG create a log when a packet matches a signature(s).
log alert: An alert is an e-mailed log for more serious events that may need more
immediate attention. Select this option to have the ZyWALL/USG send an alert when a
packet matches a signature(s).
Action
To edit what action the ZyWALL/USG takes when a packet matches a signature, select the
signature and use the Action icon.
none: Select this action on an individual signature or a complete service group to have the
ZyWALL/USG take no action when a packet matches the signature(s).
drop: Select this action on an individual signature or a complete service group to have the
ZyWALL/USG silently drop a packet that matches the signature(s). Neither sender nor
receiver are notified.
reject-sender: Select this action on an individual signature or a complete service group to
have the ZyWALL/USG send a reset to the sender when a packet matches the signature. If
it is a TCP attack packet, the ZyWALL/USG will send a packet with a ‘RST’ flag. If it is an
ICMP or UDP attack packet, the ZyWALL/USG will send an ICMP unreachable packet.
reject-receiver: Select this action on an individual signature or a complete service group
to have the ZyWALL/USG send a reset to the receiver when a packet matches the
signature. If it is a TCP attack packet, the ZyWALL/USG will send a packet with a ‘RST’
flag. If it is an ICMP or UDP attack packet, the ZyWALL/USG will do nothing.
reject-both: Select this action on an individual signature or a complete service group to
have the ZyWALL/USG send a reset to both the sender and receiver when a packet matches
the signature. If it is a TCP attack packet, the ZyWALL/USG will send a packet with a ‘RST’
flag to the receiver and sender. If it is an ICMP or UDP attack packet, the ZyWALL/USG will
send an ICMP unreachable packet.
#
This is the entry’s index number in the list.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is
inactive.
SID
Type the exact signature ID (identification) number that uniquely identifies a ZyWALL/USG
IDP signature.
Log
These are the log options. To edit this, select an item and use the Log icon.
Action
This is the action the ZyWALL/USG should take when a packet matches a signature here. To
edit this, select an item and use the Action icon.
OK
A profile consists of three separate screens. If you want to configure just one screen for an
IDP profile, click OK to save your settings to the ZyWALL/USG, complete the profile and
return to the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
Save
If you want to configure more than one screen for an IDP profile, click Save to save the
configuration to the ZyWALL/USG, but remain in the same page. You may then go to
another profile screen (tab) in order to complete the profile. Click OK in the final profile
screen to complete the profile.
30.2.4 Add Profile > Query View
In the group view screen, click Switch to query view to search for signatures by criteria such as
Name, ID, Severity, Policy Type, Platform, Service, or actions.
Policy Types
This table describes Policy Types as categorized in the ZyWALL/USG.
Table 203 Policy Types
POLICY TYPE
DESCRIPTION
Access Control
Access control refers to procedures and controls that limit or detect access. Access
control attacks try to bypass validation checks in order to access network resources
such as servers, directories, and files.
Any
Any attack includes all other kinds of attacks that are not specified in the policy such
as password, spoof, hijack, phishing, and close-in.
Backdoor/Trojan Horse
A backdoor (also called a trapdoor) is hidden software or a hardware mechanism that
can be triggered to gain access to a program, online service or an entire computer
system. A Trojan horse is a harmful program that is hidden inside apparently
harmless programs or data.
Although a virus, a worm and a Trojan are different types of attacks, they can be
blended into one attack. For example, W32/Blaster and W32/Sasser are blended
attacks that feature a combination of a worm and a Trojan.
BotNet
A Botnet is a number of Internet computers that have been set up to forward
transmissions including spam or viruses to other computers on the Internet though
their owners are unaware of it. It is also a collection of Internet-connected programs
communicating with other similar programs in order to perform tasks and participate
in distributed Denial-Of-Service attacks.
Buffer Overflow
A buffer overflow occurs when a program or process tries to store more data in a
buffer (temporary data storage area) than it was intended to hold. The excess
information can overflow into adjacent buffers, corrupting or overwriting the valid
data held in them.
Intruders could run code in the overflowed buffer region to obtain control of the
system, install a backdoor or use the victim to launch attacks on other devices.
DoS/DDoS
The goal of Denial of Service (DoS) attacks is not to steal information, but to disable
a device or network on the Internet.
A Distributed Denial of Service (DDoS) attack is one in which multiple compromised
systems attack a single target, thereby causing denial of service for users of the
targeted system.
Instant Messenger
IM (Instant Messenger) refers to chat applications. Chat is real-time, text-based
communication between two or more users via networks-connected computers. After
you enter a chat (or chat room), any room member can type a message that will
appear on the monitors of all the other participants.
Mail
A Mail or E-mail bombing attack involves sending several thousand identical
messages to an electronic mailbox in order to overflow it, making it unusable.
Misc
Miscellaneous attacks take advantage of vulnerable computer networks and web
servers by forcing cache servers or web browsers into disclosing user-specific
information that might be sensitive and confidential. The most common types of Misc.
attacks are HTTP Response Smuggling, HTTP Response Splitting and JSON Hijacking.
P2P
Peer-to-peer (P2P) is where computing devices link directly to each other and can
directly initiate communication with each other; they do not need an intermediary. A
device can be both the client and the server. In the ZyWALL/USG, P2P refers to
peer-to-peer applications such as e-Mule, e-Donkey, BitTorrent, iMesh, etc.
Scan
A scan describes the action of searching a network for an exposed service. An attack
may then occur once a vulnerability has been found. Scans occur on several network
levels.
A network scan occurs at layer-3. For example, an attacker looks for network devices
such as a router or server running in an IP network.
A scan on a protocol is commonly referred to as a layer-4 scan. For example, once an
attacker has found a live end system, he looks for open ports.
A scan on a service is commonly referred to as a layer-7 scan. For example, once an
attacker has found an open port, say port 80 on a server, he determines that it is an
HTTP service run by some web server application. He then uses a web vulnerability
scanner (for example, Nikto) to look for documented vulnerabilities.
SPAM
Spam is unsolicited “junk” e-mail sent to large numbers of people to promote
products or services.
Stream Media
A Stream Media attack occurs when a malicious network node downloads an
overwhelming amount of media stream data that could potentially exhaust the entire
system. This method allows users to send small request messages that result in the
streaming of large media objects, providing an opportunity for malicious users to
exhaust resources in the system with little effort expended on their part.
Tunnel
A Tunneling attack involves sending IPv6 traffic over IPv4, slipping viruses, worms
and spyware through the network using secret tunnels. This method infiltrates
standard security measures through IPv6 tunnels, passing through IPv4 undetected.
An external signal then triggers the malware to spring to life and wreak havoc from
inside the network.
Virus/Worm
A computer virus is a small program designed to corrupt and/or alter the operation of
other legitimate programs. A worm is a program that is designed to copy itself from
one computer to another on a network. A worm’s uncontrolled replication consumes
system resources, thus slowing or stopping other tasks.
Web Attack
Web attacks refer to attacks on web servers such as IIS (Internet Information
Services).
IDP Service Groups
An IDP service group is a set of related packet inspection signatures.
Table 204 IDP Service Groups
WEB_PHP
WEB_MISC
WEB_IIS
WEB_FRONTPAGE
WEB_CGI
WEB_ATTACKS
TFTP
TELNET
SQL
SNMP
SMTP
RSERVICES
RPC
POP3
POP2
P2P
ORACLE
NNTP
NETBIOS
MYSQL
MISC_EXPLOIT
MISC_DDOS
MISC_BACKDOOR
MISC
IMAP
IM
ICMP
FTP
FINGER
DNS
n/a
The n/a service group is for signatures that are not for a specific service.
Figure 333 Configuration > UTM Profile> IDP > Profile: Query View
The following table describes the fields specific to this screen’s query view.
Table 205 Configuration > UTM Profile > IDP > Profile: Query View
LABEL
DESCRIPTION
Name
This is the name of the profile that you created in the IDP > Profiles > Group View
screen.
Switch to query
view
Click this button to go to the IDP profile group view screen where IDP signatures are
grouped by service and you can configure activation, logs and/or actions.
Query Signatures
Select the criteria on which to perform the search.
Search all custom signatures
Select this check box to include signatures you created or imported in the Custom
Signatures screen in the search. You can search for specific signatures by name or ID.
If the name and ID fields are left blank, then all signatures are searched according to
the criteria you select.
Name
Type the name or part of the name of the signature(s) you want to find.
Signature ID
Type the ID or part of the ID of the signature(s) you want to find.
Severity
Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make
multiple selections.
These are the severities as defined in the ZyWALL/USG. The number in brackets is the
number you use if using commands.
Severe (5): These denote attacks that try to run arbitrary code or gain system
privileges.
High (4): These denote known serious vulnerabilities or attacks that are probably not
false alarms.
Medium (3): These denote medium threats, access control attacks or attacks that could
be false alarms.
Low (2): These denote mild threats or attacks that could be false alarms.
Very-Low (1): These denote possible attacks caused by traffic such as Ping, trace
route, ICMP queries etc.
Attack Type
Search for signatures by attack type(s) (see Table 203 on page 492). Attack types are
known as policy types in the group view screen. Hold down the [Ctrl] key if you want to
make multiple selections.
Platform
Search for signatures created to prevent intrusions targeting specific operating
system(s). Hold down the [Ctrl] key if you want to make multiple selections.
Service
Search for signatures by IDP service group(s). See Table 203 on page 492 for group
details. Hold down the [Ctrl] key if you want to make multiple selections.
Action
Search for signatures by the response the ZyWALL/USG takes when a packet matches a
signature. See Table 202 on page 488 for action details. Hold down the [Ctrl] key if you
want to make multiple selections.
Activation
Search for activated and/or inactivated signatures here.
Log
Search for signatures by log option here. See Table 202 on page 488 for option details.
Search
Click this button to begin the search. The results display at the bottom of the screen.
Results may be spread over several pages depending on how broad the search criteria
selected were. The tighter the criteria selected, the fewer the signatures returned.
Query Result
The results are displayed in a table showing the SID, Name, Severity, Attack Type,
Platform, Service, Activation, Log, and Action criteria as selected in the search.
Click the SID column header to sort search results by signature ID.
OK
Click OK to save your settings to the ZyWALL/USG, complete the profile and return to
the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
Save
Click Save to save the configuration to the ZyWALL/USG, but remain in the same page.
You may then go to another profile screen (tab) in order to complete the profile.
Click OK in the final profile screen to complete the profile.
30.2.5 Query Example
This example shows a search with these criteria:
• Severity: high
• Policy Type: DoS
• Platform: Windows
• Service: Any
• Actions: Any
Figure 334 Query Example Search
30.3 IDP Custom Signatures
Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures
can also be saved to and loaded from your computer so that you can share them with others.
You need some knowledge of packet headers and attack types to create your own custom
signatures.
IP Packet Header
These are the fields in an Internet Protocol (IP) version 4 packet header.
Figure 335 IP v4 Packet Headers
The header fields are discussed in the following table.
Table 206 IP v4 Packet Headers
HEADER
DESCRIPTION
Version
The value 4 indicates IP version 4.
IHL
IP Header Length is the number of 32-bit words forming the total length of the
header (usually five).
Type of Service
The Type of Service (also known as the Differentiated Services Code Point, DSCP) is
usually set to 0, but may indicate particular quality of service needs from the
network.
Total Length
This is the size of the datagram in bytes. It is the combined length of the header
and the data.
Identification
This is a 16-bit number, which together with the source address, uniquely
identifies this packet. It is used during reassembly of fragmented datagrams.
Flags
Flags are used to control whether routers are allowed to fragment a packet and to
indicate the parts of a packet to the receiver.
Fragment Offset
This is a byte count from the start of the original sent packet.
Time To Live
This is a counter that decrements every time it passes through a router. When it
reaches zero, the datagram is discarded. It is used to prevent accidental routing
loops.
Protocol
The protocol indicates the type of transport packet being carried, for example, 1 =
ICMP; 2 = IGMP; 6 = TCP; 17 = UDP.
Header Checksum
This is used to detect processing errors introduced into the packet inside a router
or bridge where the packet is not protected by a link layer cyclic redundancy
check. Packets with an invalid checksum are discarded by all nodes in an IP
network.
Source IP Address
This is the IP address of the original sender of the packet.
Destination IP Address
This is the IP address of the final destination of the packet.
Options
IP options is a variable-length list of IP options for a datagram that define IP
Security Option, IP Stream Identifier, (security and handling restrictions for
the military), Record Route (have each router record its IP address), Loose
Source Routing (specifies a list of IP addresses that must be traversed by the
datagram), Strict Source Routing (specifies a list of IP addresses that must
ONLY be traversed by the datagram), Timestamp (have each router record its IP
address and time), End of IP List and No IP Options.
Padding
Padding is used as a filler to ensure that the IP packet is a multiple of 32 bits.
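To show where the fields of Table 206 sit in the raw bytes, here is an added Python example (not ZyXEL code and not the device's own parser) that decodes a header with struct and validates the Header Checksum the way a receiving node would. The build_ipv4_header helper, and the addresses, identification and TTL values it uses, are constructed for the demonstration.

```python
"""Added example (not ZyXEL code): decode the IPv4 header fields of Table 206
from raw bytes and verify the Header Checksum. The sample packet is produced by
a constructed helper; addresses, ID and TTL are made-up values."""
import ipaddress
import struct

# Protocol numbers named in the guide's table
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header):
    """Ones'-complement sum of the header's 16-bit words (with the Header
    Checksum field set to zero while computing it), then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet):
    """Return the header fields as a dict; raise ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("need at least 20 bytes for a fixed IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    hlen = ihl * 4                          # IHL counts 32-bit words, normally 5
    if ihl < 5 or len(packet) < hlen or total_len < hlen:
        raise ValueError("inconsistent IHL / Total Length")
    header = packet[:hlen]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum field blanked
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "dscp": tos >> 2,                   # DSCP is the top six bits of the TOS byte
        "total_length": total_len,
        "identification": ident,
        "flags": {"df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000)},
        "fragment_offset": (flags_frag & 0x1FFF) * 8,    # carried in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, "proto-%d" % proto),
        "header_checksum": csum,
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": header[20:],             # options plus padding when IHL > 5
    }


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1C46,
                      df=True, options=b""):
    """Constructed helper: make a sample header carrying a correct checksum."""
    options += b"\x00" * (-len(options) % 4)    # Padding: keep a 32-bit multiple
    ihl = 5 + len(options) // 4
    flags_frag = 0x4000 if df else 0            # DF flag only, offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                      ident, flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


if __name__ == "__main__":
    sample = build_ipv4_header("192.168.1.10", "10.0.0.5", 6, 20)
    for key, value in parse_ipv4_header(sample).items():
        print("%-16s %r" % (key, value))
```

Flipping any header byte (for instance the TTL) after the checksum was computed makes checksum_ok come back False, which is the property the table's Header Checksum row describes.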
Select Configuration > UTM Profile > IDP > Custom Signatures. The first screen shows a
summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add
icon to create a new signature or click the Edit icon to edit an existing signature. You can also
delete custom signatures here or save them to your computer.
Note: The ZyWALL/USG checks all signatures and continues searching even after a match
is found. If two or more rules have conflicting actions for the same packet, then the
ZyWALL/USG applies the more restrictive action (reject-both, reject-receiver or
reject-sender, drop, none, in this order). If a packet matches a rule for reject-receiver
and it also matches a rule for reject-sender, then the ZyWALL/USG will reject-both.
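As an added example (not ZyXEL's code and not the device's implementation), the following Python models how the base profile defaults in Table 201, the Excepted Signatures overrides in Table 202 and the multi-match rule in the note above combine into one log option and one action per packet. The signature IDs, names and the simulated matches are constructed; the severity numbers are the command values listed in Table 202, and the LAN and DMZ profiles' restriction to particular service groups is not modelled.

```python
"""Added example (not ZyXEL code): how an IDP profile decides log and action for
the signatures a packet matched. Severity-level defaults follow Table 201,
per-signature exceptions follow the Excepted Signatures rows of Table 202, and
multiple matches are combined as the note in 30.3 describes. Signature IDs,
names and sample matches are constructed."""

# Most restrictive wins, in the order the guide's note gives.
ACTION_RANK = {"none": 0, "drop": 1, "reject-sender": 2,
               "reject-receiver": 2, "reject-both": 3}
LOG_RANK = {"no": 0, "log": 1, "log alert": 2}
SEVERITY = {"very-low": 1, "low": 2, "medium": 3, "high": 4, "severe": 5}


def base_profile_defaults(base):
    """(active, log, action) per severity number 1-5 for each base profile."""
    def row(sev):
        if base == "none":
            return (False, "no", "none")
        if base == "all":
            return (True, "log alert", "drop") if sev > 3 else (True, "log", "none")
        if base == "wan":
            return (True, "log", "none") if sev > 2 else (False, "no", "none")
        if base in ("lan", "dmz"):
            if sev > 3:                      # high / severe: drop; dmz also alerts
                return (True, "log" if base == "lan" else "log alert", "drop")
            return (True, "log", "none") if sev >= 2 else (False, "no", "none")
        raise ValueError("unknown base profile: %s" % base)
    return {sev: row(sev) for sev in range(1, 6)}


class IdpProfile:
    def __init__(self, base, exceptions=None, monitor=False):
        self.defaults = base_profile_defaults(base)
        # sid -> (active, log, action): an Excepted Signatures entry
        self.exceptions = dict(exceptions or {})
        if monitor:
            # The guide's 'monitor profile': keep the logging, disable every action
            self.defaults = {s: (a, l, "none") for s, (a, l, _) in self.defaults.items()}
            self.exceptions = {s: (a, l, "none") for s, (a, l, _) in self.exceptions.items()}

    def effective(self, sig):
        """Setting for one signature; an exception overrides its severity level."""
        if sig["sid"] in self.exceptions:
            return self.exceptions[sig["sid"]]
        return self.defaults[SEVERITY[sig["severity"]]]

    def evaluate(self, matched):
        """Combine every matched signature: inspection keeps going after a match,
        the most restrictive action applies, and reject-sender together with
        reject-receiver becomes reject-both."""
        actions, logs, hits = set(), set(), []
        for sig in matched:
            active, log, action = self.effective(sig)
            if not active:
                continue
            hits.append(sig["sid"])
            actions.add(action)
            logs.add(log)
        if not hits:
            return {"action": "none", "log": "no", "matched": []}
        if {"reject-sender", "reject-receiver"} <= actions:
            actions.add("reject-both")
        return {"action": max(actions, key=ACTION_RANK.__getitem__),
                "log": max(logs, key=LOG_RANK.__getitem__),
                "matched": hits}


# Constructed sample signatures (SIDs in the custom 9000000-9999999 range).
SAMPLE_SIGS = [
    {"sid": 9000001, "name": "sample-exploit-attempt", "severity": "high"},
    {"sid": 9000002, "name": "sample-icmp-probe", "severity": "very-low"},
    {"sid": 9000003, "name": "sample-policy-violation", "severity": "low"},
]

if __name__ == "__main__":
    for label, prof in [("lan", IdpProfile("lan")),
                        ("lan monitor", IdpProfile("lan", monitor=True))]:
        print(label, prof.evaluate(SAMPLE_SIGS))
```

The monitor flag reproduces the staged rollout suggested in 30.2.2: the same signatures log in exactly the same way, so the logs collected from the monitor profile are a faithful preview of what the inline profile will drop or reject once its actions are switched on.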
Figure 336 Configuration > UTM Profile > IDP > Custom Signatures
The following table describes the fields in this screen.
Table 207 Configuration > UTM Profile> IDP > Custom Signatures
LABEL
DESCRIPTION
Custom Signature Rules
Use this part of the screen to create, edit, delete or export (save to your computer)
custom signatures.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Export
To save an entry or entries as a file on your computer, select them and click Export. Click
Save in the file download dialog box and then select a location and name for the file.
Custom signatures must end with the ‘rules’ file name extension, for example,
MySig.rules.
#
This is the entry’s index number in the list.
SID
SID is the signature ID that uniquely identifies a signature. Click the SID header to sort
signatures in ascending or descending order. It is automatically created when you click
the Add icon to create a new signature. You can edit the ID, but it cannot already exist
and it must be in the 9000000 to 9999999 range.
Name
This is the name of your custom signature. Duplicate names can exist, but it is advisable
to use unique signature names that give some hint as to intent of the signature and the
type of attack it is supposed to prevent.
ZyWALL/USG Series User’s Guide
498
Chapter 30 IDP
Customer
Signature Rule
Importing
Use this part of the screen to import custom signatures (previously saved to your
computer) to the ZyWALL/USG.
Note: The name of the complete custom signature file on the ZyWALL/USG is
‘custom.rules’. If you import a file named ‘custom.rules’, then all custom signatures
on the ZyWALL/USG are overwritten with the new file. If this is not your intention,
make sure that the files you import are not named ‘custom.rules’.
File Path
Type the file path and name of the custom signature file you want to import in the text
box (or click Browse to find it on your computer) and then click Importing to transfer
the file to the ZyWALL/USG.
New signatures then display in the ZyWALL/USG IDP > Custom Signatures screen.
30.3.1 Add / Edit Custom Signatures
Click the Add icon to create a new signature or click the Edit icon to edit an existing signature in
the screen as shown in Figure 336 on page 498.
A packet must match all items you configure in this screen before it matches the signature. The
more specific your signature (including packet contents), then the fewer false positives the
signature will trigger.
Try to write signatures that target a vulnerability, for example a certain type of traffic on certain
operating systems, instead of a specific exploit.
Figure 337 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit
The following table describes the fields in this screen.
Table 208 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit
LABEL
DESCRIPTION
Name
Type the name of your custom signature. You may use 1-31 alphanumeric
characters, underscores(_), or dashes (-), but the first character cannot be a
number. This value is case-sensitive.
Duplicate names can exist but it is advisable to use unique signature names that give
some hint as to intent of the signature and the type of attack it is supposed to
prevent. Refer to (but do not copy) the packet inspection signature names for hints
on creating a naming convention.
Signature ID
A signature ID is automatically created when you click the Add icon to create a new
signature. You can edit the ID to create a new one (in the 9000000 to 9999999
range), but you cannot use one that already exists. You may want to do that if you
want to order custom signatures by SID.
Information
Use the following fields to set general information about the signature as denoted
below.
Severity
The severity level denotes how serious the intrusion is. Categorize the seriousness of
the intrusion here. See Table 202 on page 488 as a reference.
Platform
Some intrusions target specific operating systems only. Select the operating systems
that the intrusion targets, that is, the operating systems you want to protect from
this intrusion. SGI refers to Silicon Graphics Incorporated, who manufactures multiuser
Unix workstations that run the IRIX operating system (SGI's version of UNIX). A router
is an example of a network device.
Service
Select the IDP service group that the intrusion exploits or targets. See Table 204 on
page 493 for a list of IDP service groups. The custom signature then appears in that
group in the IDP > Profile > Group View screen.
Policy Type
Categorize the attack type here. See Table 203 on page 492 as a reference.
Frequency
Threshold
Recurring packets of the same type may indicate an attack. Use the following field to
indicate how many packets per how many seconds constitute an intrusion.
Select Threshold and then type how many packets (that meet the criteria in this
signature) per how many seconds constitute an intrusion.
Header Options
Network Protocol
Configure signatures for IP version 4.
Type Of Service
Type of service in an IP header is used to specify levels of speed and/or reliability.
Some intrusions use an invalid Type Of Service number. Select the check box, then
select Equal or Not-Equal and then type in a number.
Identification
The identification field in a datagram uniquely identifies the datagram. If a datagram
is fragmented, it contains a value that identifies the datagram to which the fragment
belongs. Some intrusions use an invalid Identification number. Select the check
box and then type in the invalid number that the intrusion uses.
Fragmentation
A fragmentation flag identifies whether the IP datagram should be fragmented, not
fragmented or is a reserved bit. Some intrusions can be identified by this flag. Select
the check box and then select the flag that the intrusion uses.
Fragment Offset
When an IP datagram is fragmented, it is reassembled at the final destination. The
fragmentation offset identifies where the fragment belongs in a set of fragments.
Some intrusions use an invalid Fragment Offset number. Select the check box,
select Equal, Smaller or Greater and then type in a number.
Time to Live
Time to Live is a counter that decrements every time it passes through a router.
When it reaches zero, the datagram is discarded. Usually it’s used to set an upper
limit on the number of routers a datagram can pass through. Some intrusions can be
identified by the number in this field. Select the check box, select Equal, Smaller or
Greater and then type in a number.
IP Options
IP options is a variable-length list of IP options for a datagram that define IP
Security Option, IP Stream Identifier, (security and handling restrictions for the
military), Record Route (have each router record its IP address), Loose Source
Routing (specifies a list of IP addresses that must be traversed by the datagram),
Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed
by the datagram), Timestamp (have each router record its IP address and time),
End of IP List and No IP Options. IP Options can help identify some intrusions.
Select the check box, then select an item from the list box that the intrusion uses.
Same IP
Select the check box for the signature to check for packets that have the same
source and destination IP addresses.
Transport Protocol
The following fields vary depending on whether you choose TCP, UDP or ICMP.
Transport Protocol:
TCP
Port
Select the check box and then enter the source and destination TCP port numbers
that will trigger this signature.
Flow
If selected, the signature only applies to certain directions of the traffic flow and only
to clients or servers. Select Flow and then select the identifying options.
Established: The signature only checks for established TCP connections
Stateless: The signature is triggered regardless of the state of the stream processor
(this is useful for packets that are designed to cause devices to crash)
To Client: The signature only checks for server responses from A to B.
To Server: The signature only checks for client requests from B to A.
From Client: The signature only checks for client requests from B to A.
From Server: The signature only checks for server responses from A to B.
No Stream: The signature does not check rebuilt stream packets.
Only Stream: The signature only checks rebuilt stream packets.
Flags
Select what TCP flag bits the signature should check.
Sequence Number
Use this field to check for a specific TCP sequence number.
Ack Number
Use this field to check for a specific TCP acknowledgement number.
Window Size
Use this field to check for a specific TCP window size.
Transport Protocol:
UDP
Port
Select the check box and then enter the source and destination UDP port numbers
that will trigger this signature.
Transport Protocol:
ICMP
Type
Use this field to check for a specific ICMP type value.
Code
Use this field to check for a specific ICMP code value.
ID
Use this field to check for a specific ICMP ID value. This is useful for covert channel
programs that use static ICMP fields when they communicate.
Sequence Number
Use this field to check for a specific ICMP sequence number. This is useful for covert
channel programs that use static ICMP fields when they communicate.
Payload Options
The longer a payload option is, the more exact the match and the faster the signature
processing. Therefore, if possible, it is recommended to include at least one payload
option in your signature.
Payload Size
This field may be used to check for abnormally sized packets or for detecting buffer
overflows.
Select the check box, then select Equal, Smaller or Greater and then type the
payload size.
Stream rebuilt packets are not checked regardless of the size of the payload.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This is the entry’s index number in the list.
Offset
This field specifies where to start searching for a pattern within a packet. For
example, an offset of 5 would start looking for the specified pattern after the first
five bytes of the payload.
Content
Type the content that the signature should search for in the packet payload.
Hexadecimal code entered between pipes is converted to ASCII. For example, you
could represent the ampersand as either & or |26| (26 is the hexadecimal code for
the ampersand).
Case-insensitive
Select Yes if content casing does NOT matter.
Decode as URI
A Uniform Resource Identifier (URI) is a string of characters for identifying an
abstract or physical resource (RFC 2396). A resource can be anything that has
identity, for example, an electronic document, an image, a service (“today's weather
report for Taiwan”), a collection of other resources. An identifier is an object that can
act as a reference to something that has identity. Example URIs are:
ftp://ftp.is.co.za/rfc/rfc1808.txt; ftp scheme for File Transfer Protocol services
http://www.math.uio.no/faq/compression-faq/part1.html; http scheme for
Hypertext Transfer Protocol services
mailto:[email protected]; mailto scheme for electronic mail addresses
telnet://melvyl.ucop.edu/; telnet scheme for interactive services via the TELNET
Protocol
Select Yes for the signature to search for normalized URI fields. This means that if
you are writing signatures that includes normalized content, such as %2 for directory
traversals, these signatures will not be triggered because the content is normalized
out of the URI buffer.
For example, the URI:
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver
will get normalized into:
/winnt/system32/cmd.exe?/c+ver
OK
Click this button to save your changes to the ZyWALL/USG and return to the
summary screen.
Cancel
Click this button to return to the summary screen without saving any changes.
30.3.2 Custom Signature Example
Before creating a custom signature, you must first clearly understand the vulnerability.
30.3.2.1 Understand the Vulnerability
Check the ZyWALL/USG logs when the attack occurs. Use web sites such as Google or Security
Focus to get as much information about the attack as you can. The more specific your signature,
the less chance it will cause false positives.
As an example, say you want to check if your router is being overloaded with DNS queries so you
create a signature to detect DNS query traffic.
30.3.2.2 Analyze Packets
Use the packet capture screen and a packet analyzer (also known as a network or protocol
analyzer) such as Wireshark or Ethereal to investigate some more.
Figure 338 DNS Query Packet Details
From the details about DNS query you see that the protocol is UDP and the port is 53. The type of
DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as
the first pattern.
The final custom signature should look as shown in the following figure.
Figure 339 Example Custom Signature
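The signature worked through above, as an added Python example that is not part of the guide: a minimal evaluator that applies the UDP/port 53 header options, a payload content check at offset 2 (the flag value 0x0100 written as the bytes 01 00) and a Frequency Threshold to a stream of packets. The Packet and CustomSignature classes and the sample DNS packets are constructed here, not taken from the ZyWALL/USG.

```python
# Added example (not from the ZyWALL/USG guide): evaluate the DNS-query custom
# signature described above against constructed packets, including the
# "N packets per M seconds" threshold as a sliding window.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float        # capture time in seconds (constructed)
    proto: str       # "udp", "tcp" or "icmp"
    dst_port: int
    payload: bytes


@dataclass
class CustomSignature:
    name: str
    proto: str
    dst_port: int
    offset: int               # where in the payload the content must start
    content: bytes            # raw bytes, e.g. b"\x01\x00" for the pattern |01 00|
    threshold_packets: int    # "how many packets ..."
    threshold_seconds: float  # "... per how many seconds"
    _hits: deque = field(default_factory=deque, repr=False)

    def matches_packet(self, pkt: Packet) -> bool:
        """All configured items must match (header options AND payload option)."""
        if pkt.proto != self.proto or pkt.dst_port != self.dst_port:
            return False
        end = self.offset + len(self.content)
        # A payload shorter than offset + len(content) can never match.
        return len(pkt.payload) >= end and pkt.payload[self.offset:end] == self.content

    def observe(self, pkt: Packet) -> bool:
        """Feed one packet; return True when the frequency threshold is reached."""
        if not self.matches_packet(pkt):
            return False
        self._hits.append(pkt.ts)
        # Keep only the hits inside the window that ends at this packet.
        while self._hits and pkt.ts - self._hits[0] > self.threshold_seconds:
            self._hits.popleft()
        return len(self._hits) >= self.threshold_packets


# Constructed standard DNS query for example.com (type A): ID 0x1234,
# flags 0x0100 at byte offset 2, one question, no other records.
DNS_QUERY = (
    b"\x12\x34" b"\x01\x00" b"\x00\x01" b"\x00\x00" b"\x00\x00" b"\x00\x00"
    b"\x07example\x03com\x00" b"\x00\x01" b"\x00\x01"
)
# Constructed DNS response to the same query: flags 0x8180, so it must not match.
DNS_RESPONSE = b"\x12\x34" b"\x81\x80" + DNS_QUERY[4:]

# Hypothetical threshold: five standard queries within ten seconds.
DNS_QUERY_FLOOD = CustomSignature(
    name="dns_query_flood", proto="udp", dst_port=53,
    offset=2, content=b"\x01\x00",
    threshold_packets=5, threshold_seconds=10.0,
)


def first_alert_time(packets, signature=DNS_QUERY_FLOOD):
    """Return the timestamp at which the signature first fires, or None."""
    for pkt in packets:
        if signature.observe(pkt):
            return pkt.ts
    return None


if __name__ == "__main__":
    # Five queries within ten seconds cross the threshold at the fifth one;
    # the response and the TCP packet are ignored by the signature.
    sample = [Packet(t, "udp", 53, DNS_QUERY) for t in (0.0, 1.0, 2.0)]
    sample.append(Packet(2.5, "udp", 53, DNS_RESPONSE))
    sample.append(Packet(2.6, "tcp", 53, DNS_QUERY))
    sample += [Packet(t, "udp", 53, DNS_QUERY) for t in (3.0, 4.0)]
    print("alert at", first_alert_time(sample))  # alert at 4.0
```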
30.3.3 Applying Custom Signatures
After you create your custom signature, it becomes available in an IDP profile (Configuration >
UTM Profile > IDP > Profile > Edit) screen. Custom signatures have an SID from 9000000 to
9999999.
Search for, then activate the signature, configure what action to take when a packet matches it and
if it should generate a log or alert in a profile. Then bind the profile to a zone.
30.3.4 Verifying Custom Signatures
Configure the signature to create a log when traffic matches the signature. (You may also want to
configure an alert if it is for a serious attack and needs immediate attention.) After you apply the
signature to a zone, you can see if it works by checking the logs (Monitor > Log).
The Priority column shows warn for signatures that are configured to generate a log only. It
shows critical for signatures that are configured to generate a log and alert. All IDP signatures
come under the IDP category. The Note column displays ACCESS FORWARD when no action is
configured for the signature. It displays ACCESS DENIED if you configure the signature action to
drop the packet. The destination port is the service port (53 for DNS in this case) that the attack
tries to exploit.
Figure 340 Custom Signature Log
30.4 IDP Technical Reference
This section contains some background information on IDP.
Host Intrusions
Host-based intrusions aim to infiltrate files on an individual computer or server in order to
access confidential information or destroy information on that computer.
You must install a host IDP directly on the system being protected. It works closely with the
operating system, monitoring and intercepting system calls to the kernel or APIs in order to prevent
attacks as well as log them.
Disadvantages of host IDPs are that you have to install them on each device (that you want to
protect) in your network and due to the necessarily tight integration with the host operating
system, future operating system upgrades could cause problems.
Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks by attacking
computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised, for example, then
the whole LAN is compromised. Host-based intrusions may be used to cause network-based
intrusions when the goal of the host virus is to propagate attacks on the network, or attack
computer/server operating system vulnerabilities with the goal of bringing down the computer/
server. Typical “network-based intrusions” are SQL Slammer, Blaster, Nimda, MyDoom, etc.
Snort Signatures
You may want to refer to open source Snort signatures when creating custom ZyWALL/USG ones.
Most Snort rules are written in a single line. Snort rules are divided into two logical sections, the
rule header and the rule options as shown in the following example:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|"; msg:"mountd access";)
The text up to the first parenthesis is the rule header and the section enclosed in parenthesis
contains the rule options. The words before the colons in the rule options section are the option
keywords.
The rule header contains the rule's:
• Action
• Protocol
• Source and destination IP addresses and netmasks
• Source and destination ports information.
The rule option section contains alert messages and information on which parts of the packet
should be inspected to determine if the rule action should be taken.
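The header/options split described above, as an added Python example (not from the guide and not Snort's own parser): it splits a single-line rule into the header fields and the option keywords, and decodes |hex| content the same way the Content field described earlier does.

```python
# Added example (not from the ZyWALL/USG guide or from Snort): parse a one-line
# Snort rule into its header and its options, decoding "|hex|" content to bytes.
import re

HEX_PIPE = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def decode_content(text):
    """Convert a content string to bytes: literal text stays ASCII, hex digit
    pairs between pipes become raw bytes, so "a|26|b" -> b"a&b"."""
    out = bytearray()
    pos = 0
    for m in HEX_PIPE.finditer(text):
        out += text[pos:m.start()].encode("ascii")
        out += bytes.fromhex(m.group(1))  # fromhex accepts spaces between pairs
        pos = m.end()
    out += text[pos:].encode("ascii")
    return bytes(out)


def _split_options(text):
    """Split 'key:value; key; ...' on semicolons that are outside quotes."""
    opts, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def parse_snort_rule(rule):
    """Return {"header": {...}, "options": [(keyword, value), ...]}.

    The header is everything before the first parenthesis; the options are the
    semicolon-separated keyword:value pairs inside it. A bare keyword such as
    nocase gets the value None; content values are decoded to bytes.
    """
    head, paren, tail = rule.strip().partition("(")
    if not paren or not tail.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    fields = head.split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError("header must be: action proto src sport dir dst dport")
    header = dict(zip(
        ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port"),
        fields,
    ))
    options = []
    for opt in _split_options(tail[:-1]):
        keyword, colon, value = opt.partition(":")
        keyword = keyword.strip()
        value = value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if keyword == "content":
            value = decode_content(value)
        options.append((keyword, value if colon else None))
    return {"header": header, "options": options}
```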
These are some equivalent Snort terms in the ZyWALL/USG.
Table 209 ZyWALL/USG - Snort Equivalent Terms
ZYWALL/USG TERM: SNORT EQUIVALENT TERM
Type Of Service: tos
Identification: id
Fragmentation: fragbits
Fragmentation Offset: fragoffset
Time to Live: ttl
IP Options: ipopts
Same IP: sameip
Transport Protocol: (In Snort rule header)
Transport Protocol: TCP
Port: (In Snort rule header)
Flow: flow
Flags: flags
Sequence Number: seq
Ack Number: ack
Window Size: window
Transport Protocol: UDP
Port: (In Snort rule header)
Transport Protocol: ICMP
Type: itype
Code: icode
ID: icmp_id
Sequence Number: icmp_seq
Payload Options: (Snort rule options)
Payload Size: dsize
Offset (relative to start of payload): offset
Relative to end of last match: distance
Content: content
Case-insensitive: nocase
Decode as URI: uricontent
Note: Not all Snort functionality is supported in the ZyWALL/USG.
Chapter 31 Anti-Virus
31.1 Overview
Use the ZyWALL/USG’s anti-virus feature to protect your connected network from virus/spyware
infection. The ZyWALL/USG checks traffic going in the direction(s) you specify for signature
matches. In the following figure the ZyWALL/USG is set to check traffic coming from the WAN zone
(which includes two interfaces) to the LAN zone.
Figure 341 ZyWALL/USG Anti-Virus Example
31.1.1 What You Can Do in this Chapter
• Use the Profile screens (Section 31.2 on page 511) to turn anti-virus on or off, set up anti-virus
policies and custom service port rules. You can also check the anti-virus engine type and the
anti-virus license and signature status.
• Use the Black/White List screen (Section 31.3 on page 515) to set up anti-virus black
(blocked) and white (allowed) lists of virus file patterns.
• Use the Signature screen (Section 31.4 on page 518) to search for particular signatures and get
more information about them.
31.1.2 What You Need to Know
Anti-Virus Engines
Subscribe to signature files for Kaspersky’s anti-virus engine. After the trial expires, you need to
purchase an iCard for the anti-virus engine you want to use and register it in the Registration >
Service screen. You must use the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine.
Virus and Worm
A computer virus is a small program designed to corrupt and/or alter the operation of other
legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates
itself. The effect of a virus attack varies from doing so little damage that you are unaware your
computer is infected to wiping out the entire contents of a hard drive to rendering your computer
inoperable.
ZyWALL/USG Anti-Virus Scanner
The ZyWALL/USG has a built-in signature database. Setting up the ZyWALL/USG between your local
network and the Internet allows the ZyWALL/USG to scan files transmitting through the enabled
interfaces into your network. As a network-based anti-virus scanner, the ZyWALL/USG helps stop
threats at the network edge before they reach the local host computers.
You can set the ZyWALL/USG to examine files received through the following protocols:
• FTP (File Transfer Protocol)
• HTTP (Hyper Text Transfer Protocol)
• SMTP (Simple Mail Transfer Protocol)
• POP3 (Post Office Protocol version 3)
• IMAP4 (Internet Message Access Protocol version 4)
How the ZyWALL/USG Anti-Virus Scanner Works
The following describes the virus scanning process on the ZyWALL/USG.
1 The ZyWALL/USG first identifies SMTP, POP3, IMAP4, HTTP and FTP packets through standard ports.
2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the
ZyWALL/USG records the sequence of the packets.
3 The scanning engine checks the contents of the packets for viruses.
4 If a virus pattern is matched, the ZyWALL/USG removes the infected portion of the file along with
the rest of the file. The un-infected portion of the file before a virus pattern was matched still goes
through.
Note: Since the ZyWALL/USG erases the infected portion of the file before sending it, you may not
be able to open the file.
Notes About the ZyWALL/USG Anti-Virus
The following lists important notes about the anti-virus scanner:
1 The ZyWALL/USG anti-virus scanner can detect polymorphic viruses.
2 When a virus is detected, an alert message is displayed on Microsoft Windows computers.
3 Changes to the ZyWALL/USG’s anti-virus settings affect new sessions (not the sessions that already
existed before you applied the changed settings).
4 The ZyWALL/USG does not scan the following file/traffic types:
• Simultaneous downloads of a file using multiple connections. For example, when you use
FlashGet to download sections of a file simultaneously.
• Encrypted traffic. This could be password-protected files or VPN traffic where the ZyWALL/USG
is not the endpoint (pass-through VPN traffic).
• Traffic through custom (non-standard) ports. The only exception is FTP traffic. The ZyWALL/USG
scans whatever port number is specified for FTP in the ALG screen.
• ZIP file(s) within a ZIP file.
• Traffic a server or client compressed or encoded using a method the ZyWALL/USG does not
support.
Finding Out More
• See Section 31.5 on page 519 for anti-virus background information.
31.2 Anti-Virus Profile Screen
Click Configuration > UTM Profile > Anti-Virus to display the configuration screen as shown
next.
Figure 342 Configuration > UTM Profile > Anti-Virus > Profile
The following table describes the labels in this screen.
Table 210 Configuration > UTM Profile > Anti-Virus > Profile
LABEL
DESCRIPTION
General Setting
Scan and detect
EICAR test virus
Select this option to have the ZyWALL/USG check for the EICAR test file and treat it in
the same way as a real virus file. The EICAR test file is a standardized test file for
signature based anti-virus scanners. When the virus scanner detects the EICAR file, it
responds in the same way as if it found a real virus. Besides straightforward detection,
the EICAR file can also be compressed to test whether the anti-virus software can
detect it in a compressed file. The test string consists of the following human-readable
ASCII characters.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Profile Management
Add
Click this to create a new entry. Select an entry and click Add to create a new entry
after the selected entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Object Reference
Select an entry and click Object References to open a screen that shows which
settings use the entry. Click Refresh to update information in this screen.
#
This displays the index number of the rule.
Name
This displays the name for the anti-virus rule.
Description
This displays the description of the anti-virus rule.
Reference
This displays the number of times an Object Reference is used in a rule.
License
The following fields display information about the current state of your subscription for
virus signatures.
License Status
This field displays whether a service is activated (Licensed) or not (Not Licensed) or
expired (Expired).
License Type
This field displays whether you applied for a trial application (Trial) or registered a
service with your iCard’s PIN number (Standard). None displays when the service is
not activated.
Denied Access
Message
Write a message that will display when a web site is blocked.
Redirect URL
Type the URL of the web site to go to when a web site is blocked.
License Status
This field displays whether a service is activated (Licensed) or not (Not Licensed) or
expired (Expired).
License Type
This field displays whether you applied for a trial application (Trial) or registered a
service with your iCard’s PIN number (Standard). None displays when the service is
not activated.
Signature
Information
The following fields display information on the current signature set that the ZyWALL/
USG is using.
Current Version
This field displays the anti-virus signature set version number. This number gets larger
as the set is enhanced.
Signature
Number
This field displays the number of anti-virus signatures in this set.
Released Date
This field displays the date and time the set was released.
Update
Signatures
Click this link to go to the screen you can use to download signatures from the update
server.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
31.2.1 Anti-Virus Profile Add or Edit
Click the Add or Edit icon in the Configuration > UTM Profile > Anti-Virus > Profile screen to
display the configuration screen as shown next.
Figure 343 Configuration > UTM Profile > Anti-Virus > Profile: Profile Management > Add
The following table describes the labels in this screen.
Table 211 Configuration > UTM > Anti-Virus > Profile: Profile Management > Add
LABEL
DESCRIPTION
Configuration
Name
Enter a descriptive name for this anti-virus rule. You may use 1-31 alphanumeric
characters, underscores(_), or dashes (-), but the first character cannot be a number.
This value is case-sensitive. Enter the name of the anti-virus policy.
Description
Enter a descriptive name for this anti-virus rule. You may use 1-31 alphanumeric
characters, underscores(_), or dashes (-), but the first character cannot be a number.
This value is case-sensitive.
Actions When
Matched
Destroy infected file
When you select this check box, if a virus pattern is matched, the ZyWALL/USG
overwrites the infected portion of the file (and the rest of the file) with zeros. The
un-infected portion of the file before a virus pattern was matched goes through
unmodified.
Log
These are the log options:
no: Do not create a log when a packet matches a signature(s).
log: Create a log on the ZyWALL/USG when a packet matches a signature(s).
log alert: An alert is an e-mailed log for more serious events that may need more
immediate attention. Select this option to have the ZyWALL/USG send an alert when
a packet matches a signature(s).
Check White List
Select this check box to check files against the white list.
Check Black List
Select this check box to check files against the black list.
File decompression
Enable file
decompression (ZIP
and RAR)
Select this check box to have the ZyWALL/USG scan a ZIP file (the file does not have
to have a “zip” or “rar” file extension). The ZyWALL/USG first decompresses the ZIP
file and then scans the contents for viruses.
Note: The ZyWALL/USG decompresses a ZIP file once. The ZyWALL/USG does NOT
decompress any ZIP file(s) within a ZIP file.
Destroy compressed files that could not be decompressed
Select this check box to have the ZyWALL/USG delete any ZIP files that it is not
able to unzip. The ZyWALL/USG cannot unzip password protected ZIP files or a ZIP
file within another ZIP file. There are also limits to the number of ZIP files that the
ZyWALL/USG can concurrently unzip.
Note: When you select this option, the ZyWALL/USG deletes ZIP files that use
password encryption.
Note: The ZyWALL/USG’s firmware package cannot go through the ZyWALL/USG
with this option enabled. The ZyWALL/USG classifies the firmware package
as not being able to be decompressed and deletes it.
You can upload the firmware package to the ZyWALL/USG with the option enabled,
so you only need to clear this option while you download the firmware package.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
31.3 Anti-Virus Black List
Click Configuration > UTM Profile > Anti-Virus > Black/White List to display the screen
shown next. Use the Black List screen to set up the Anti-Virus black (blocked) list of virus file
patterns. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the
heading cell again to reverse the sort order.
Figure 344 Configuration > UTM Profile > Anti-Virus > Black/White List > Black List
The following table describes the labels in this screen.
Table 212 Configuration > UTM Profile > Anti-Virus > Black/White List > Black List
LABEL
DESCRIPTION
Enable Black List
Select this check box to log and delete files with names that match the black list
patterns. Use the black list to log and delete files with names that match the black list
patterns.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry
is inactive.
#
This is the entry’s index number in the list.
File Pattern
This is the file name pattern. If a file’s name matches this pattern, the ZyWALL/USG
logs and deletes the file.
Source
This is the source address or address group for whom this policy applies.
Destination
This is the destination address or address group for whom this policy applies.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
31.3.1 Anti-Virus Black List or White List Add/Edit
From the Configuration > UTM Profile > Anti-Virus > Black/White List > Black List (or
White List) screen, click the Add icon or an Edit icon to display the following screen.
• For a black list entry, enter a file pattern that should cause the ZyWALL/USG to log and delete a
file.
• For a white list entry, enter a file pattern that should cause the ZyWALL/USG to allow a file.
Figure 345 Configuration > UTM Profile > Anti-Virus > Black/White List > Black List (or White List)
> Add
The following table describes the labels in this screen.
Table 213 Configuration > UTM Profile > Anti-Virus > Black/White List > Black List (or White List) >
Add
LABEL
DESCRIPTION
Enable
If this is a black list entry, select this option to have the ZyWALL/USG apply this entry
when using the black list.
If this is a white list entry, select this option to have the ZyWALL/USG apply this entry
when using the white list.
File Pattern
For a black list entry, specify a pattern to identify the names of files that the ZyWALL/
USG should log and delete.
For a white list entry, specify a pattern to identify the names of files that the ZyWALL/
USG should not scan for viruses.
• Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-),
question marks (?) and asterisks (*) are allowed.
• A question mark (?) lets a single character in the file name vary. For example, use
“a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on.
• Wildcards (*) let multiple files match the pattern. For example, use “*a.zip”
(without the quotation marks) to specify any file that ends with “a.zip”. A file named
“testa.zip” would match. There could be any number (of any type) of characters in
front of the “a.zip” at the end and the file name would still match. A file named
“test.zipa” for example would not match.
• A * in the middle of a pattern has the ZyWALL/USG check the beginning and end of
the file name and ignore the middle. For example, with “abc*.zip”, any file starting
with “abc” and ending in “.zip” matches, no matter how many characters are in
between.
• The whole file name has to match if you do not use a question mark or asterisk.
• If you do not use a wildcard, the ZyWALL/USG checks up to the first 80 characters
of a file name.
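The pattern rules above, as an added Python example that is not the ZyWALL/USG's own implementation: it validates a black/white list pattern, turns ? and * into a whole-name match, and falls back to comparing the first 80 characters when no wildcard is used. It assumes "." is allowed in a pattern, because the guide's own examples use it.

```python
# Added example (not from the ZyWALL/USG guide): match file names against the
# black/white list patterns described above.
import re

MAX_LEN = 80
# The table lists alphanumerics, _, -, ? and *; "." is added here as an
# assumption because the examples (a?.zip, *a.zip) contain it.
ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9_\-.?*]+$")


def validate_pattern(pattern):
    """Raise ValueError when the pattern breaks the documented limits."""
    if not 1 <= len(pattern) <= MAX_LEN:
        raise ValueError("pattern must be 1 to 80 characters")
    if not ALLOWED_CHARS.match(pattern):
        raise ValueError("pattern may only use alphanumerics, _, -, ., ? and *")


def pattern_to_regex(pattern):
    """'?' matches exactly one character, '*' any run of characters (including
    none); everything else is literal. Used with fullmatch so the whole file
    name has to match, beginning and end included."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def file_name_matches(pattern, file_name):
    """Apply one list entry's pattern to a file name."""
    validate_pattern(pattern)
    if "?" not in pattern and "*" not in pattern:
        # No wildcard: the whole name must equal the pattern, but only the
        # first 80 characters of the file name are examined.
        return file_name[:MAX_LEN] == pattern
    return pattern_to_regex(pattern).fullmatch(file_name) is not None


def matching_entries(file_name, entries):
    """Return the patterns of active entries that match the file name.

    `entries` are (pattern, active) tuples, mirroring the Activate/Inactivate
    state of each list row; inactive rows are skipped.
    """
    return [p for p, active in entries if active and file_name_matches(p, file_name)]
```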
Source
Select a source address or address group for whom this policy applies. You can
configure a new one in the Object > Address > Add screen. Select any if the policy is
effective for every source.
Destination
Select a destination address or address group for whom this policy applies. You can
configure a new one in the Object > Address > Add screen. Select any if the policy is
effective for every destination.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
ZyWALL/USG Series User’s Guide
516
Chapter 31 Anti-Virus
31.3.2 Anti-Virus White List
Click Configuration > UTM Profile > Anti-Virus > Black/White List > White List to display
the screen shown next. Use the Black/White List screen to set up Anti-Virus black (blocked) and
white (allowed) lists of virus file patterns. Click a column’s heading cell to sort the table entries by
that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 346 Configuration > UTM Profile > Anti-Virus > Black/White List > White List
The following table describes the labels in this screen.
Table 214 Configuration > UTM Profile > Anti-Virus > Black/White List > White List
LABEL
DESCRIPTION
Enable White List
Select this check box to have the ZyWALL/USG skip the anti-virus check for files whose
names match an active white list pattern.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry
is inactive.
#
This is the entry’s index number in the list.
File Pattern
This is the file name pattern. If a file’s name matches this pattern, the ZyWALL/USG
does not check the file for viruses.
Source
This is the source address or address group for whom this policy applies.
Destination
This is the destination address or address group for whom this policy applies.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
31.4 AV Signature Searching
Click Configuration > UTM Profile > Anti-Virus > Signature to display this screen. Use this
screen to locate signatures and display details about them.
If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and
the computer possibly becoming unresponsive, click No to continue. Click a column’s heading
cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort
order.
Figure 347 Configuration > UTM Profile > Anti-Virus > Signature
The following table describes the labels in this screen.
Table 215 Configuration > UTM Profile > Anti-Virus > Signature
LABEL
DESCRIPTION
Signatures Search
Enter the name, part of the name or a keyword of the signature(s) you want to find. This
search is not case-sensitive and accepts numerical strings.
Query all
signatures and
export
Click Export to have the ZyWALL/USG save all of the anti-virus signatures to your
computer in a .txt file.
Query Result
#
This is the entry’s index number in the list.
Name
This is the name of the anti-virus signature. Click the Name column heading to sort
your search results in ascending or descending order according to the signature name.
Click a signature’s name to see details about the virus.
31.5 Anti-Virus Technical Reference
Types of Computer Viruses
The following table describes some of the common computer viruses.
Table 216 Common Computer Virus Types
TYPE
DESCRIPTION
File Infector
This is a small program that embeds itself in a legitimate program. A file infector is able
to copy and attach itself to other programs that are executed on an infected computer.
Boot Sector Virus
This type of virus infects the area of a hard drive that a computer reads and executes
during startup. The virus causes computer crashes and can render the infected computer
inoperable.
Macro Virus
Macros are small programs created to perform repetitive actions in a document; they run
automatically when the file to which they are attached is opened. A macro virus is a malicious
macro embedded in such a data file. Macro viruses spread more rapidly than other types of
viruses because data files are often shared on a network.
E-mail Virus
E-mail viruses are malicious programs that spread through e-mail.
Polymorphic Virus
A polymorphic virus (also known as a mutation virus) tries to evade detection by
changing a portion of its code structure after each execution or self replication. This
makes it harder for an anti-virus scanner to detect or intercept it.
A polymorphic virus can also belong to any of the virus types discussed above.
Computer Virus Infection and Prevention
The following describes a simple life cycle of a computer virus.
1
A computer gets a copy of a virus from a source such as the Internet, e-mail, file sharing or any
removable storage media. The virus is harmless until the execution of an infected program.
2
The virus spreads to other files and programs on the computer.
3
The infected files are unintentionally sent to another computer thus starting the spread of the virus.
4
Once the virus is spread through the network, the number of infected networked computers can
grow exponentially.
Types of Anti-Virus Scanner
This section describes two types of anti-virus scanner: host-based and network-based.
A host-based anti-virus (HAV) scanner is software installed on the computers and/or servers in
the network. It inspects files for virus patterns as they are written to and read from the hard drive.
However, host-based anti-virus scanners cannot eliminate all viruses for a number of reasons:
• HAV scanners are slow in stopping virus threats through real-time traffic (such as from the
Internet).
• HAV scanners may reduce computing performance as they also share the resources (such as CPU
time) on the computer for file inspection.
• You have to update the virus signatures and/or perform virus scans on all computers in the
network regularly.
A network-based anti-virus (NAV) scanner is often deployed as a dedicated security device (such as
your ZyWALL/USG) on the network edge. NAV scanners inspect real-time data traffic (such as e-mail
messages or web traffic) that tends to bypass HAV scanners. The following lists some of the benefits
of NAV scanners.
• NAV scanners stop virus threats at the network edge before they enter or exit a network.
• NAV scanners reduce the computing load on computers because the real-time traffic inspection is
done on a dedicated security device.
CHAPTER 32
Anti-Spam
32.1 Overview
The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the
white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL/USG
can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are
suspected of being used by spammers.
32.1.1 What You Can Do in this Chapter
• Use the Profile screens (Section 32.3 on page 523) to turn anti-spam on or off and
manage anti-spam policies.
• Use the Mail Scan screen (Section 32.4 on page 526) to enable and configure the mail scan
functions.
• Use the Black/White List screens (Section 32.5 on page 528) to set up a black list to identify
spam and a white list to identify legitimate e-mail.
• Use the DNSBL screens (Section 32.7 on page 533) to have the ZyWALL/USG check e-mail
against DNS Black Lists.
32.1.2 What You Need to Know
White List
Configure white list entries to identify legitimate e-mail. The white list entries have the ZyWALL/
USG classify any e-mail that is from a specified sender or uses a specified header field and header
value as being legitimate (see E-mail Headers on page 522 for more on mail headers). The anti-spam
feature checks an e-mail against the white list entries before doing any other anti-spam
checking. If the e-mail matches a white list entry, the ZyWALL/USG classifies the e-mail as
legitimate and does not perform any more anti-spam checking on that individual e-mail. A properly
configured white list helps keep important e-mail from being incorrectly classified as spam. The
white list can also increase the ZyWALL/USG’s anti-spam speed and efficiency by not having the
ZyWALL/USG perform the full anti-spam checking process on legitimate e-mail.
Black List
Configure black list entries to identify spam. The black list entries have the ZyWALL/USG classify
any e-mail that is from or forwarded by a specified IP address or uses a specified header field and
header value as being spam. If an e-mail does not match any of the white list entries, the ZyWALL/
USG checks it against the black list entries. The ZyWALL/USG classifies an e-mail that matches a
black list entry as spam and immediately takes the configured action for dealing with spam. If an
e-mail matches a black list entry, the ZyWALL/USG does not perform any more anti-spam checking on
that individual e-mail. A properly configured black list helps catch spam e-mail and increases the
ZyWALL/USG’s anti-spam speed and efficiency.
SMTP and POP3
Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard. It controls the
sending of e-mail messages between servers. E-mail clients (also called e-mail applications) then
use mail server protocols such as POP (Post Office Protocol) or IMAP (Internet Message Access
Protocol) to retrieve e-mail. E-mail clients also generally use SMTP to send messages to a mail
server. POP and IMAP only retrieve mail; they do not send it. This is why many e-mail applications
require you to specify both the SMTP server and the POP or IMAP server (even though they may
actually be the same server).
The ZyWALL/USG’s anti-spam feature checks SMTP (TCP port 25) and POP3 (TCP port 110) e-mails
by default. You can also specify custom SMTP and POP3 ports for the ZyWALL/USG to check.
E-mail Headers
Every email has a header and a body. The header is structured into fields and includes the
addresses of the recipient and sender, the subject, and other information about the e-mail and its
journey. The body is the actual message text and any attachments. You can have the ZyWALL/USG
check for specific header fields with specific values.
E-mail programs usually only show you the To:, From:, Subject:, and Date: header fields but there
are others such as Received: and Content-Type:. To see all of an e-mail’s header, you can select an
e-mail in your e-mail program and look at its properties or details. For example, in Microsoft’s
Outlook Express, select a mail and click File > Properties > Details. This displays the e-mail’s
header. Click Message Source to see the source for the entire mail including both the header and
the body.
E-mail Header Buffer Size
The ZyWALL/USG has a 5 K buffer for an individual e-mail header. If an e-mail’s header is longer
than 5 K, the ZyWALL/USG only checks the first 5 K. Header fields that appear after that point are
not inspected, so a black list, white list or DNSBL check that depends on them cannot match.
DNSBL
A DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having
sent or forwarded spam. A DNSBL is also known as a DNS spam blocking list. The ZyWALL/USG can
check the routing addresses of e-mail against DNSBLs and classify an e-mail as spam if it was sent
or forwarded by a computer with an IP address in the DNSBL.
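As an added illustration (not the ZyWALL/USG’s own code), the following Python models the DNSBL stage described here and in the DNSBL screen of Section 32.7: it pulls the sender and relay IP addresses out of the Received: headers, limits the check to the first N or last N of them (Max. IPs Checking Per Mail, IP Selection Per Mail), forms the reversed-octet query name for each DNSBL domain, and applies the per-protocol action, including the query-timeout action and the rule that the subject tag and X-Header are added only when the action is forward with tag. The zone bl.example.invalid, the stub resolver table, the sample message (RFC 5737 documentation addresses) and the policy values are all constructed for the example so it runs offline. One assumption: “first” is taken to mean the hop nearest the original sender, which is the bottommost Received: header, since each relay prepends its own.

```python
"""DNSBL checking modelled on this chapter (added example, not appliance code).
Constructed for the example: zone bl.example.invalid, the LISTED stub table,
SAMPLE_MAIL and the POLICY values."""
import email
import re
from dataclasses import dataclass

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: sender 203.0.113.7 -> mx1.example.org -> mx2.example.net -> us.
SAMPLE_MAIL = """\
Received: from mx2.example.net ([198.51.100.20]) by mail.example.com; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mx1.example.org ([192.0.2.10]) by mx2.example.net; Mon, 1 Jan 2024 10:00:01 +0000
Received: from [203.0.113.7] by mx1.example.org; Mon, 1 Jan 2024 10:00:00 +0000
From: sender@example.org
Subject: quarterly numbers

See attached.
"""

# Constructed stub of the zone's answers; a 127.0.0.x A record means "listed".
LISTED = {"7.113.0.203.bl.example.invalid": ["127.0.0.2"]}

def stub_resolve(name):
    """Offline stand-in for a DNS A lookup; [] plays the role of NXDOMAIN."""
    return LISTED.get(name, [])

def timeout_resolve(name):
    """Stand-in for a DNSBL that never answers within the Timeout Value."""
    raise TimeoutError(name)

def parse_mail(raw):
    return email.message_from_string(raw)

def received_ips(msg):
    """IPv4 addresses from the Received: headers, ordered sender-first.
    Relays prepend their Received: header, so the raw block is newest-first;
    reversing gives the chapter's order ('first' = sender side, 'last' = last relay)."""
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        ips.extend(IPV4.findall(hdr))
    return ips

def select_ips(ips, max_ips, mode):
    """Model 'Max. IPs Checking Per Mail' and 'IP Selection Per Mail'.
    With 'last', a listed sender further back in the chain is never queried."""
    if mode == "first":
        return ips[:max_ips]
    if mode == "last":
        return ips[-max_ips:] if max_ips > 0 else []
    raise ValueError("mode must be 'first' or 'last'")

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone:
    203.0.113.7 in bl.example.invalid -> 7.113.0.203.bl.example.invalid"""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_status(ips, zones, resolve):
    """'spam' if any IP is listed in any zone; otherwise 'timeout' if any query
    timed out (so the Query Timeout action applies); otherwise 'clean'."""
    timed_out = False
    for ip in ips:
        for zone in zones:
            try:
                answers = resolve(dnsbl_query_name(ip, zone))
            except TimeoutError:
                timed_out = True
                continue
            if any(a.startswith("127.") for a in answers):
                return "spam"
    return "timeout" if timed_out else "clean"

@dataclass
class Policy:
    actions: dict   # (protocol, status) -> "drop" | "forward" | "forward with tag"
    tags: dict      # status -> subject tag, up to 15 ASCII characters
    xheaders: dict  # status -> (header name, value)

# Constructed policy: SMTP spam is tagged, SMTP timeouts are dropped; POP3 is
# never dropped because the screen offers only forward / forward with tag.
POLICY = Policy(
    actions={("SMTP", "spam"): "forward with tag", ("SMTP", "timeout"): "drop",
             ("POP3", "spam"): "forward with tag", ("POP3", "timeout"): "forward"},
    tags={"spam": "[SPAM-DNSBL]", "timeout": "[DNSBL-TIMEOUT]"},
    xheaders={"spam": ("X-DNSBL", "listed"), "timeout": ("X-DNSBL", "timeout")},
)

def apply_action(msg, status, protocol, policy):
    """Return ('drop', None) or ('forward', msg). The tag and X-Header are
    added only for 'forward with tag', as the DNSBL screen states."""
    action = policy.actions[(protocol, status)]
    if action == "drop":
        if protocol == "POP3":
            raise ValueError("drop is not offered for POP3 mail")
        return "drop", None
    if action == "forward with tag":
        tag = policy.tags[status]
        if len(tag) > 15 or not tag.isascii():
            raise ValueError("tag must be up to 15 ASCII characters")
        subject = f"{tag} {msg.get('Subject', '')}".strip()
        if "Subject" in msg:
            msg.replace_header("Subject", subject)
        else:
            msg["Subject"] = subject
        name, value = policy.xheaders[status]
        msg[name] = value
    return "forward", msg

def process_mail(raw, protocol, zones, resolve, policy, max_ips=3, mode="first"):
    """Run the DNSBL stage on one message: (status, disposition, message)."""
    msg = parse_mail(raw)
    status = dnsbl_status(select_ips(received_ips(msg), max_ips, mode), zones, resolve)
    if status == "clean":
        return status, "forward", msg
    disposition, msg = apply_action(msg, status, protocol, policy)
    return status, disposition, msg
```

Running `process_mail(SAMPLE_MAIL, "SMTP", ["bl.example.invalid"], stub_resolve, POLICY)` tags the sample as spam because the sender 203.0.113.7 is listed; the same call with `max_ips=2, mode="last"` reports it clean, because only the two relays nearest the appliance are queried. A real deployment would replace `stub_resolve` with an actual A lookup of the query name.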
Finding Out More
See Section 32.8 on page 535 for more background information on anti-spam.
32.2 Before You Begin
• Before using the Anti-Spam features (IP Reputation, Mail Content Analysis and Virus Outbreak
Detection) you must activate your Anti-Spam Service license.
• Configure your zones before you configure anti-spam.
32.3 The Anti-Spam Profile Screen
Click Configuration > UTM Profile > Anti-Spam to open the Anti-Spam Profile screen. Use
this screen to turn the anti-spam feature on or off and manage anti-spam policies. You can also
select the action the ZyWALL/USG takes when the mail sessions threshold is reached.
Figure 348 Configuration > UTM Profile > Anti-Spam > Profile
The following table describes the labels in this screen.
Table 217 Configuration > UTM Profile > Anti-Spam > Profile
LABEL
DESCRIPTION
General Settings
Action taken when
mail sessions
threshold is
reached
An e-mail session is when an e-mail client and e-mail server (or two e-mail servers)
connect through the ZyWALL/USG. Select how to handle concurrent e-mail sessions that
exceed the maximum number of concurrent e-mail sessions that the anti-spam feature
can handle. See the chapter of product specifications for the threshold.
Select Forward Session to have the ZyWALL/USG allow the excess e-mail sessions
without any spam filtering.
Select Drop Session to have the ZyWALL/USG drop mail connections to stop the excess
e-mail sessions. The e-mail client or server will have to re-attempt to send or receive
e-mail later when the number of e-mail sessions is under the threshold.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after
the selected entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Object
Reference
Select an entry and click Object References to open a screen that shows which settings
use the entry. Click Refresh to update information in this screen.
Priority
This is the index number of the anti-spam rule. Anti-spam rules are applied in turn.
Name
The name identifies the anti-spam rule.
Description
This is some optional extra information on the rule.
Scan Options
This shows which types (protocols) of traffic to scan for spam.
Reference
This shows how many objects are referenced in the rule.
License
License Status
This read-only field displays the status of your anti-spam scanning service registration.
Not Licensed displays if you have not successfully registered and activated the service.
Expired displays if your subscription to the service has expired.
Licensed displays if you have successfully registered the ZyWALL/USG and activated the
service.
License Type
This read-only field displays what kind of service registration you have for the anti-spam
scanning.
None displays if you have not successfully registered and activated the service.
Standard displays if you have successfully registered the ZyWALL/USG and activated
the service with your iCard’s PIN number.
Trial displays if you have successfully registered the ZyWALL/USG and activated the trial
service subscription.
Expiration
Date
This field displays the date your service license expires.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
32.3.1 The Anti-Spam Profile Add or Edit Screen
Click the Add or Edit icon in the Configuration > UTM Profile > Anti-Spam > Profile screen to
display the configuration screen as shown next. Use this screen to configure an anti-spam policy
that controls what traffic direction of e-mail to check, which e-mail protocols to scan, the scanning
options, and the action to take on spam traffic.
Figure 349 Configuration > UTM Profile > Anti-Spam > Profile > Add
The following table describes the labels in this screen.
Table 218 Configuration > UTM Profile > Anti-Spam > Profile > Add
LABEL
DESCRIPTION
General Settings
Name
Enter a descriptive name for this anti-spam rule. You may use 1-31 alphanumeric
characters, underscores(_), or dashes (-), but the first character cannot be a number.
This value is case-sensitive.
Description
Enter a description for the anti-spam rule to help identify the purpose of rule. You may
use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first
character cannot be a number. This value is case-sensitive.
This field is optional.
Log
Select how the ZyWALL/USG is to log the event when the DNSBL times out or an e-mail
matches the white list, black list, or DNSBL.
no: Do not create a log.
log: Create a log on the ZyWALL/USG.
log alert: An alert is an e-mailed log for more serious events that may need more
immediate attention. Select this option to have the ZyWALL/USG send an alert.
Scan Options
Check White
List
Select this check box to check e-mail against the white list. The ZyWALL/USG classifies
e-mail that matches a white list entry as legitimate (not spam).
Check Black List
Select this check box to check e-mail against the black list. The ZyWALL/USG classifies
e-mail that matches a black list entry as spam.
Check IP
Reputation
(SMTP Only)
Select this to use IP reputation to identify Spam or Unwanted Bulk Email by the
sender’s IP address.
Check Mail
Content
Select this to identify Spam Email by content, such as malicious content.
Check Virus
Outbreak
Select this to scan emails for attached viruses.
Check DNSBL
Select this check box to check e-mail against the ZyWALL/USG’s configured DNSBL
domains. The ZyWALL/USG classifies e-mail that matches a DNS black list as spam.
Actions for Spam
Mail
SMTP
Use this section to set how the ZyWALL/USG is to handle spam mail.
Select how the ZyWALL/USG is to handle spam SMTP mail.
Select drop to discard spam SMTP mail.
Select forward to allow spam SMTP mail to go through.
Select forward with tag to add a spam tag to an SMTP spam mail’s mail subject and
send it on to the destination.
POP3
Select how the ZyWALL/USG is to handle spam POP3 mail.
Select forward to allow spam POP3 mail to go through.
Select forward with tag to add a spam tag to a POP3 spam mail’s subject and send it on to
the destination.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
32.4 The Mail Scan Screen
Click Configuration > UTM Profile > Anti-Spam > Mail Scan to open the Mail Scan screen.
Use this screen to enable and configure the Mail Scan functions. You must first enable the Mail Scan
functions on this screen before selecting them in the Configuration > UTM Profile > Anti-Spam
> Profile > Add/Edit screen.
Figure 350 Configuration > UTM Profile > Anti-Spam > Mail Scan
The following table describes the labels in this screen.
Table 219 Configuration > UTM Profile > Anti-Spam > Mail Scan
LABEL
DESCRIPTION
Sender Reputation
Enable Sender
Reputation
Checking (SMTP
only)
Select this to have the ZyWALL/USG scan for spam e-mail by IP Reputation. Spam or
Unwanted Bulk Email is determined by the sender’s IP address.
Mail Content Analysis
Enable Mail
Content Analysis
Select this to identify Spam Email by content, such as malicious content.
Mail Content Spam Tag
Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail
subject of e-mails that are determined to be spam based on the mail content analysis.
This tag is only added if the anti-spam policy is configured to forward spam mail with a
spam tag.
Mail Content X-Header
Specify the name and value for the X-Header to be added when an e-mail is determined
to be spam by mail content analysis.
Virus Outbreak Detection
Enable Virus Outbreak Detection
Select this to have the ZyWALL/USG scan e-mails for attached viruses.
Virus Outbreak Tag
Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail
subject of e-mails that are determined to have an attached virus.
This tag is only added if the anti-spam policy is configured to forward spam mail with a
spam tag.
Virus Outbreak X-Header
Specify the name and value for the X-Header to be added when an e-mail is determined
to have an attached virus.
Query Timeout Settings
SMTP
Select how the ZyWALL/USG is to handle SMTP mail query timeout.
Select drop to discard SMTP mail.
Select forward to allow SMTP mail to go through.
Select forward with tag to add a tag to an SMTP query timeout mail’s mail subject and
send it on to the destination.
POP3
Select how the ZyWALL/USG is to handle POP3 mail query timeout.
Select forward to allow POP3 mail to go through.
Select forward with tag to add a tag to a POP3 query timeout mail’s subject and send it on
to the destination.
Timeout Value
Set how long the ZyWALL/USG waits for a reply from the mail scan server. If there is no
reply before this time period expires, the ZyWALL/USG takes the action defined in the
relevant Actions when Query Timeout field.
Timeout Tag
Enter a message or label (up to 15 ASCII characters) to add to the mail subject of e-mails
that the ZyWALL/USG forwards if queries to the mail scan servers time out.
Timeout X-Header
Specify the name and value for the X-Header to be added when queries to the mail scan
servers time out.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
32.5 The Anti-Spam Black List Screen
Click Configuration > UTM Profile > Anti-Spam > Black/White List to display the Anti-Spam
Black List screen.
Configure the black list to identify spam e-mail. You can create black list entries based on the
sender’s or relay server’s IP address or e-mail address. You can also create entries that check for
particular e-mail header fields with specific values or specific subject text. Click a column’s heading
cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort
order.
Figure 351 Configuration > UTM Profile > Anti-Spam > Black/White List > Black List
The following table describes the labels in this screen.
Table 220 Configuration > UTM Profile > Anti-Spam > Black/White List > Black List
LABEL
DESCRIPTION
General Settings
Enable Black List
Checking
Select this check box to have the ZyWALL/USG treat e-mail that matches (an active)
black list entry as spam.
Black List Spam Tag
Enter a message or label (up to 15 ASCII characters) to add to the mail subject of e-mails
that match the ZyWALL/USG’s spam black list.
Black List X-Header
Specify the name and value for the X-Header to be added to e-mails that match the
ZyWALL/USG’s spam black list.
Rule Summary
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the
entry is inactive.
#
This is the entry’s index number in the list.
Type
This field displays whether the entry is based on the e-mail’s subject, source or relay
IP address, source e-mail address, or header.
Content
This field displays the subject content, source or relay IP address, source e-mail
address, or header value for which the entry checks.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
32.5.1 The Anti-Spam Black or White List Add/Edit Screen
In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the
following screen.
Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create
entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address. You
can also create entries that check for particular header fields and values.
Figure 352 Configuration > UTM Profile > Anti-Spam > Black/White List > Black List (or White List)
> Add
The following table describes the labels in this screen.
Table 221 Configuration > UTM Profile > Anti-Spam > Black/White List > Black/White List > Add
LABEL
DESCRIPTION
Enable Rule
Select this to have the ZyWALL/USG use this entry as part of the black or white list.
To actually use the entry, you must also turn on the use of the list in the corresponding
list screen, enable the anti-spam feature in the anti-spam general screen, and configure
an anti-spam policy to use the list.
Type
Use this field to base the entry on the e-mail’s subject, source or relay IP address,
source e-mail address, or header.
Select Subject to have the ZyWALL/USG check e-mail for specific content in the subject
line.
Select IP Address to have the ZyWALL/USG check e-mail for a specific source or relay
IP address.
Select IPv6 Address to have the ZyWALL/USG check e-mail for a specific source or
relay IPv6 address.
Select E-Mail Address to have the ZyWALL/USG check e-mail for a specific source e-mail
address or domain name.
Select Mail Header to have the ZyWALL/USG check e-mail for specific header fields and
values. Configure black list header entries to check for e-mail from bulk mail programs
or with content commonly used in spam. Configure white list header entries to allow
certain header values that identify the e-mail as being from a trusted source.
Mail Subject
Keyword
This field displays when you select the Subject type. Enter up to 63 ASCII characters of
text to check for in e-mail headers. Spaces are not allowed, although you could
substitute a question mark (?). See Section 32.5.2 on page 531 for more details.
Sender or Mail
Relay IP Address
This field displays when you select the IP Address type. Enter an IP address in dotted
decimal notation.
Sender or Mail
Relay IPv6 Address
This field displays when you select the IPv6 Address type. Enter an IPv6 address with
prefix.
Netmask
This field displays when you select the IP Address type. Enter the subnet mask here, if
applicable.
Sender E-Mail Address
This field displays when you select the E-Mail Address type. Enter a keyword (up to 63
ASCII characters). See Section 32.5.2 on page 531 for more details.
Mail Header Field
Name
This field displays when you select the Mail Header type.
Type the name part of an e-mail header (the part that comes before the colon). Use up
to 63 ASCII characters.
For example, if you want the entry to check the “Received:” header for a specific mail
server’s domain, enter “Received” here.
Field Value
Keyword
This field displays when you select the Mail Header type.
Type the value part of an e-mail header (the part that comes after the colon). Use up to
63 ASCII characters.
For example, if you want the entry to check the “Received:” header for a specific mail
server’s domain, enter the mail server’s domain here.
See Section 32.5.2 on page 531 for more details.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
32.5.2 Regular Expressions in Black or White List Entries
The following applies for a black or white list entry based on an e-mail subject, e-mail address, or
e-mail header value.
• Use a question mark (?) to let a single character vary. For example, use “a?c” (without the
quotation marks) to specify abc, acc and so on.
• You can also use a wildcard (*). For example, if you configure *def.com, any e-mail address that
ends in def.com matches. So “mail.def.com” matches.
• The wildcard can be anywhere in the text string and you can use more than one wildcard. You
cannot use two wildcards side by side, there must be other characters between them.
• The ZyWALL/USG checks only the first header with the name you specified in the entry. So if the
e-mail has more than one “Received” header, the ZyWALL/USG checks the first one and ignores the rest.
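The same ?/* wildcard rules govern the anti-virus file patterns of Section 31.3 and the anti-spam subject, address and header keywords of this section, so one added example (illustrative Python, not the appliance’s implementation) serves both. It translates a pattern into an anchored regular expression, enforces the stated limits (80 characters and the allowed character set for file patterns; 63 ASCII characters, no adjacent wildcards, no spaces in a Subject keyword for list entries), applies the rule that a file name without wildcards is compared on its first 80 characters only, and checks a Mail Header entry against only the first header of the given name. The sample file names, the message SAMPLE_MAIL and the keywords are constructed for the example. One assumption: a keyword is treated as a whole-value pattern, so a substring match needs an explicit * on each side.

```python
"""Wildcard matching as described for Anti-Virus file patterns and anti-spam
black/white list keywords (added example, not appliance code).
Constructed for the example: SAMPLE_MAIL and the sample names/keywords."""
import email
import re

AV_MAX_LEN = 80
# The screen lists alphanumerics, _ - ? and *; its own examples ("a?.zip") also use periods.
AV_ALLOWED = re.compile(r"^[A-Za-z0-9._?*-]+$")
SPAM_MAX_LEN = 63

def glob_to_regex(pattern):
    """Anchored regex for a pattern: '?' is exactly one character, '*' any run
    of characters (including none), everything else literal. The anchors
    implement 'the whole name has to match'."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)

def matches(pattern, text):
    return glob_to_regex(pattern).match(text) is not None

def av_pattern_error(pattern):
    """None if the pattern obeys the Anti-Virus file-pattern rules, else why not."""
    if not 1 <= len(pattern) <= AV_MAX_LEN:
        return "file pattern must be 1-80 characters"
    if not AV_ALLOWED.match(pattern):
        return "only alphanumerics, period, _ - ? * are allowed"
    return None

def av_file_matches(pattern, filename):
    """Without wildcards only the first 80 characters of the file name are
    compared; with wildcards the whole name is matched."""
    err = av_pattern_error(pattern)
    if err:
        raise ValueError(err)
    if "?" not in pattern and "*" not in pattern:
        return filename[:AV_MAX_LEN] == pattern
    return matches(pattern, filename)

def spam_pattern_error(keyword, subject=False):
    """None if the keyword obeys the black/white list rules: up to 63 ASCII
    characters, no two wildcards side by side, no spaces in a Subject keyword."""
    if not 1 <= len(keyword) <= SPAM_MAX_LEN or not keyword.isascii():
        return "keyword must be 1-63 ASCII characters"
    if "**" in keyword:
        return "two wildcards cannot be side by side"
    if subject and " " in keyword:
        return "spaces are not allowed in a subject keyword; use ? instead"
    return None

def header_value_matches(raw_message, field, keyword):
    """Match a Mail Header (or Subject / From) entry. Only the first header
    named `field` is checked, so a second Received: header is never examined.
    The keyword is a whole-value pattern; wrap it in * for a substring match."""
    err = spam_pattern_error(keyword, subject=(field.lower() == "subject"))
    if err:
        raise ValueError(err)
    values = email.message_from_string(raw_message).get_all(field)
    return bool(values) and matches(keyword, values[0])

# Constructed sample: the bulk mailer appears only in the second (older)
# Received: header, which a Mail Header entry never reaches.
SAMPLE_MAIL = """\
Received: from mx2.example.net by mail.example.com; Mon, 1 Jan 2024 10:00:01 +0000
Received: from bulk.mailer.example by mx2.example.net; Mon, 1 Jan 2024 10:00:00 +0000
From: news@def.com
Subject: Big sale today

"""
```

`header_value_matches(SAMPLE_MAIL, "Received", "*bulk.mailer.example*")` returns False even though the string is present in the message, which is the first-header rule in practice: to catch a relay that is not the last hop, key the entry on a header that relay alone sets, or use the DNSBL check, which walks several Received: addresses.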
32.6 The Anti-Spam White List Screen
Click Configuration > UTM Profile > Anti-Spam > Black/White List and then the White List
tab to display the Anti-Spam White List screen.
Configure the white list to identify legitimate e-mail. You can create white list entries based on the
sender’s or relay’s IP address or e-mail address. You can also create entries that check for
particular header fields and values or specific subject text.
Figure 353 Configuration > UTM Profile > Anti-Spam > Black/White List > White List
The following table describes the labels in this screen.
Table 222 Configuration > UTM Profile > Anti-Spam > Black/White List > White List
LABEL
DESCRIPTION
General Settings
Enable White List
Checking
Select this check box to have the ZyWALL/USG forward e-mail that matches (an
active) white list entry without doing any more anti-spam checking on that individual
e-mail.
White List X-Header
Specify the name and value for the X-Header to be added to e-mails that match the
ZyWALL/USG’s spam white list.
Rule Summary
Add
Click this to create a new entry. See Section 32.5.1 on page 530 for details.
Edit
Select an entry and click this to be able to modify it. See Section 32.5.1 on page 530
for details.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the
entry is inactive.
#
This is the entry’s index number in the list.
Type
This field displays whether the entry is based on the e-mail’s subject, source or relay
IP address, source e-mail address, or a header.
Content
This field displays the subject content, source or relay IP address, source e-mail
address, or header value for which the entry checks.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
32.7 The DNSBL Screen
Click Configuration > UTM Profile > Anti-Spam > DNSBL to display the anti-spam DNSBL
screen. Use this screen to configure the ZyWALL/USG to check the sender and relay IP addresses in
e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs).
Figure 354 Configuration > UTM Profile > Anti-Spam > DNSBL
The following table describes the labels in this screen.
Table 223 Configuration > UTM Profile > Anti-Spam > DNSBL
LABEL
DESCRIPTION
Show Advanced
Settings / Hide
Advanced Settings
Click this button to display a greater or lesser number of configuration fields.
Enable DNS Black List
(DNSBL) Checking
Select this to have the ZyWALL/USG check the sender and relay IP addresses in e-mail
headers against the DNSBL servers maintained by the DNSBL domains listed in the
ZyWALL/USG.
DNSBL Spam Tag
Enter a message or label (up to 15 ASCII characters) to add to the beginning of the
mail subject of e-mails that have a sender or relay IP address in the header that
matches a black list maintained by one of the DNSBL domains listed in the ZyWALL/
USG.
This tag is only added if the anti-spam policy is configured to forward spam mail with
a spam tag.
DNSBL X-Header
Specify the name and value for the X-Header to be added to e-mails that have a
sender or relay IP address in the header that matches a black list maintained by one
of the DNSBL domains listed in the ZyWALL/USG.
Max. IPs Checking Per
Mail
Set the maximum number of sender and relay server IP addresses in the mail header
to check against the DNSBL domain servers.
IP Selection Per Mail
Select first N IPs to have the ZyWALL/USG start checking from the first IP address in
the mail header. This is the IP of the sender or the first server that forwarded the
mail.
Select last N IPs to have the ZyWALL/USG start checking from the last IP address in
the mail header. This is the IP of the last server that forwarded the mail.
Query Timeout Setting
SMTP
Select how the ZyWALL/USG is to handle SMTP mail (mail going to an e-mail server)
if the queries to the DNSBL domains time out.
Select drop to discard SMTP mail.
Select forward to allow SMTP mail to go through.
Select forward with tag to add a DNSBL timeout tag to the mail subject of an SMTP
mail and send it.
POP3
Select how the ZyWALL/USG is to handle POP3 mail (mail coming to an e-mail client)
if the queries to the DNSBL domains time out.
Select forward to allow POP3 mail to go through.
Select forward with tag to add a DNSBL timeout tag to the mail subject of a POP3 mail and
send it. POP3 mail cannot be dropped on a timeout.
Timeout Value
Set how long the ZyWALL/USG waits for a reply from the DNSBL domains listed below. If there
is no reply before this time period expires, the ZyWALL/USG takes the action defined in the
SMTP or POP3 field of the Query Timeout Setting above.
Timeout Tag
Enter a message or label (up to 15 ASCII characters) to add to the mail subject of emails that the ZyWALL/USG forwards if queries to the DNSBL domains time out.
Timeout X-Header
Specify the name and value for the X-Header to be added to e-mails that the
ZyWALL/USG forwards if queries to the DNSBL domains time out.
DNSBL Domain List
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the
entry is inactive.
#
This is the entry’s index number in the list.
DNSBL Domain
This is the name of a domain that maintains DNSBL servers. Enter the domain that is
maintaining a DNSBL.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
32.8 Anti-Spam Technical Reference
Here is more detailed anti-spam information.
DNSBL
• The ZyWALL/USG checks only public sender and relay IP addresses; it does not query the DNSBL
domains for private IP addresses.
• The ZyWALL/USG sends a separate query (DNS lookup) for each sender or relay IP address in the
e-mail’s header to each of the ZyWALL/USG’s DNSBL domains, all at the same time.
• The DNSBL servers reply as to whether or not each IP address matches an entry in their list.
Each IP address gets a separate reply.
• As long as the replies indicate that the IP addresses do not match any DNSBL entries, the
ZyWALL/USG keeps waiting until it has received at least one reply for each IP address.
• If the ZyWALL/USG receives a DNSBL reply that one of the IP addresses is in the DNSBL list, the
ZyWALL/USG immediately classifies the e-mail as spam and takes the anti-spam policy’s
configured action for spam. The ZyWALL/USG does not wait for any more DNSBL replies.
• If the ZyWALL/USG receives at least one non-spam reply for each of an e-mail’s routing IP
addresses, the ZyWALL/USG immediately classifies the e-mail as legitimate and forwards it.
• Any further DNSBL replies that come after the ZyWALL/USG classifies an e-mail as spam or
legitimate have no effect.
• The ZyWALL/USG records DNSBL responses for IP addresses in a cache for up to 72 hours. The
ZyWALL/USG checks an e-mail’s sender and relay IP addresses against the cache first and only
sends DNSBL queries for IP addresses that are not in the cache.
• Because one "listed" reply from any single DNSBL domain is enough to classify a mail as spam,
every domain in the list is trusted equally. A poorly maintained list causes false positives, and a
list that has gone offline causes query timeouts, so review the DNSBL Domain List periodically.
Here is an example of an e-mail classified as spam based on DNSBL replies.
Figure 355 DNSBL Spam Detection Example
(Diagram: the ZyWALL/USG queries DNSBL A, DNSBL B and DNSBL C for a.a.a.a and b.b.b.b;
DNSBL A answers "a.a.a.a not spam", DNSBL C answers "b.b.b.b spam".)
1 The ZyWALL/USG receives an e-mail that was sent from IP address a.a.a.a and relayed by an
e-mail server at IP address b.b.b.b. The ZyWALL/USG sends a separate query to each of its DNSBL
domains for IP address a.a.a.a. The ZyWALL/USG sends another separate query to each of its
DNSBL domains for IP address b.b.b.b.
2 DNSBL A replies that IP address a.a.a.a does not match any entries in its list (not spam).
3 DNSBL C replies that IP address b.b.b.b matches an entry in its list.
4 The ZyWALL/USG immediately classifies the e-mail as spam and takes the action for spam that you
defined in the anti-spam policy. In this example it was an SMTP mail and the defined action was to
drop the mail. The ZyWALL/USG does not wait for any more DNSBL replies.
Here is an example of an e-mail classified as legitimate based on DNSBL replies.
Figure 356 DNSBL Legitimate E-mail Detection Example
(Diagram: the ZyWALL/USG queries DNSBL A, DNSBL B and DNSBL C for c.c.c.c and d.d.d.d;
DNSBL B answers "d.d.d.d not spam", DNSBL C answers "c.c.c.c not spam".)
1 The ZyWALL/USG receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail
server at IP address d.d.d.d. The ZyWALL/USG sends a separate query to each of its DNSBL
domains for IP address c.c.c.c. The ZyWALL/USG sends another separate query to each of its
DNSBL domains for IP address d.d.d.d.
2 DNSBL B replies that IP address d.d.d.d does not match any entries in its list (not spam).
3 DNSBL C replies that IP address c.c.c.c does not match any entries in its list (not spam).
4 Now that the ZyWALL/USG has received at least one non-spam reply for each of the e-mail’s
routing IP addresses, the ZyWALL/USG immediately classifies the e-mail as legitimate and forwards
it. The ZyWALL/USG does not wait for any more DNSBL replies.
If the ZyWALL/USG receives conflicting DNSBL replies for an e-mail routing IP address, the
ZyWALL/USG classifies the e-mail as spam. Here is an example.
Figure 357 Conflicting DNSBL Replies Example
(Diagram: the ZyWALL/USG queries DNSBL A, DNSBL B and DNSBL C for a.b.c.d and w.x.y.z;
DNSBL A answers "a.b.c.d not spam", DNSBL B answers "a.b.c.d spam".)
1 The ZyWALL/USG receives an e-mail that was sent from IP address a.b.c.d and relayed by an
e-mail server at IP address w.x.y.z. The ZyWALL/USG sends a separate query to each of its DNSBL
domains for IP address a.b.c.d. The ZyWALL/USG sends another separate query to each of its
DNSBL domains for IP address w.x.y.z.
2 DNSBL A replies that IP address a.b.c.d does not match any entries in its list (not spam).
3 While waiting for a DNSBL reply about IP address w.x.y.z, the ZyWALL/USG receives a reply from
DNSBL B saying IP address a.b.c.d is in its list.
4 The ZyWALL/USG immediately classifies the e-mail as spam and takes the action for spam that you
defined in the anti-spam policy. In this example it was an SMTP mail and the defined action was to
drop the mail. The ZyWALL/USG does not wait for any more DNSBL replies.
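The classification rules in the technical reference and the three examples above can be exercised offline. The following Python model is an added example written for this edit; it is not ZyWALL/USG code and Zyxel has not published its implementation. It assumes the standard DNSBL query form (reversed IPv4 octets under the list's domain, RFC 5782), which the manual does not show; it treats RFC 1918 and loopback addresses as the "private" addresses that are never queried; it treats a mail whose routing IPs are all private as legitimate; and the space it puts between a tag and the subject is a guess. The replies are supplied as a constructed, arrival-ordered list instead of real DNS lookups, and the IP addresses in the tests come from the IETF documentation ranges.

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple

# One DNSBL reply in arrival order: (ip, dnsbl_zone, listed). A reply that does
# not arrive before the Timeout Value simply never appears in the sequence.
Reply = Tuple[str, str, bool]

# The manual only says "private IP addresses" are skipped; RFC 1918 plus loopback
# is an assumption. The 203.0.113.0/24 and 198.51.100.0/24 addresses used in the
# tests are IETF documentation ranges, so they count as "public" here.
_PRIVATE = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _PRIVATE)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Lookup name for one (IP, DNSBL domain) pair in the usual DNSBL convention
    (RFC 5782): the IPv4 octets reversed, under the list's domain. The manual
    does not show the query format, so this is the standard form, not Zyxel's."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this example only builds IPv4 DNSBL queries")
    return ".".join(reversed(ip.split("."))) + "." + zone.strip(".") + "."


def select_ips(header_ips: Sequence[str], max_ips: int, selection: str) -> List[str]:
    """'Max. IPs Checking Per Mail' combined with 'IP Selection Per Mail'."""
    if selection == "first":          # the sender and the first relays
        return list(header_ips[:max_ips])
    if selection == "last":           # the last relays before the ZyWALL/USG
        return list(header_ips[-max_ips:])
    raise ValueError("selection must be 'first' or 'last'")


def queries_for(ips: Sequence[str], zones: Sequence[str], cache: Dict[str, bool]) -> List[str]:
    """Queries sent for one mail: every DNSBL domain is asked about every public
    IP that is not already in the 72-hour cache."""
    return [dnsbl_query_name(ip, z)
            for ip in ips if not is_private(ip) and ip not in cache
            for z in zones]


def classify(header_ips: Sequence[str], zones: Sequence[str], replies: Sequence[Reply],
             cache: Dict[str, bool], max_ips: int = 5, selection: str = "first") -> str:
    """Return 'spam', 'legitimate' or 'timeout' for one e-mail.

    Rules from the technical reference: cached verdicts are used first; a single
    'listed' reply classifies the mail as spam at once; one 'not listed' reply
    for every queried IP classifies it as legitimate; later replies are ignored.
    With neither outcome the caller applies the SMTP/POP3 Query Timeout Setting.
    """
    pending, cleared = set(), set()
    for ip in select_ips(header_ips, max_ips, selection):
        if is_private(ip):
            continue                   # never queried, never counted
        if cache.get(ip) is True:
            return "spam"              # cache hit, no query needed
        pending.add(ip)
        if cache.get(ip) is False:
            cleared.add(ip)
    if cleared >= pending:             # nothing left to ask (possibly nothing at all)
        return "legitimate"
    for ip, zone, listed in replies:   # replies are processed in arrival order
        if ip not in pending or zone not in zones:
            continue
        cache[ip] = listed             # the latest reply is what gets cached
        if listed:
            return "spam"              # do not wait for the other replies
        cleared.add(ip)
        if cleared >= pending:
            return "legitimate"
    return "timeout"


def tag_subject(subject: str, tag: str) -> str:
    """Prepend a DNSBL spam/timeout tag (up to 15 ASCII characters). The
    separator between tag and subject is an assumption."""
    if len(tag) > 15 or not tag.isascii():
        raise ValueError("tag must be at most 15 ASCII characters")
    return f"{tag} {subject}"


def timeout_action(protocol: str, setting: str, subject: str, timeout_tag: str):
    """Apply the Query Timeout Setting: SMTP may be dropped (returns None),
    forwarded, or forwarded with the Timeout Tag; POP3 can only be forwarded."""
    if protocol == "POP3" and setting == "drop":
        raise ValueError("POP3 mail cannot be dropped on DNSBL timeout")
    if setting == "drop":
        return None
    if setting == "forward with tag":
        return tag_subject(subject, timeout_tag)
    return subject
```

The same `cache` dictionary is passed to successive `classify` calls so that, as in the manual, a relay already known to be listed is rejected without a single query. Replies for IP addresses that were not queried, or from domains not in the list, are ignored rather than trusted.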
Chapter 33
SSL Inspection
33.1 Overview
Secure Sockets Layer (SSL) traffic, such as HTTPS (for example https://www.google.com), FTPS,
POP3S and SMTPS, is encrypted and cannot be inspected using Unified Threat Management (UTM)
profiles such as App Patrol, Content Filter, Intrusion Detection and Prevention (IDP), or Anti-Virus.
The ZyWALL/USG uses SSL Inspection to decrypt SSL traffic, send it to the UTM engines for
inspection, then re-encrypt traffic that passes inspection and forward it to the destination server,
such as Google.
An example process is shown in the following figure. User U sends an HTTPS request (SSL) to
destination server D, via the ZyWALL/USG, Z. The traffic matches an SSL Inspection profile in a
security policy, so the ZyWALL/USG decrypts the traffic using SSL Inspection. The decrypted traffic
is then inspected by the UTM profiles in the same security policy that matched the SSL Inspection
profile. If all is OK, the ZyWALL/USG re-encrypts the traffic using SSL Inspection and forwards it to
the destination server D. SSL traffic could be in the opposite direction in other examples.
Figure 358 SSL Inspection Overview
Note: Anti-Spam cannot be applied to traffic decrypted by SSL Inspection.
33.1.1 What You Can Do in this Chapter
• Use the UTM Profile > SSL Inspection > Profile screen (Section 33.2 on page 540) to view
SSL Inspection profiles. Click the Add or Edit icon in this screen to configure the CA certificate,
action and log in an SSL Inspection profile.
• Use the UTM Profile > SSL Inspection > Exclude List screens (Section 33.3 on page 543) to
create a whitelist of destination servers to which traffic is passed through uninspected.
33.1.2 What You Need To Know
• Supported cipher suites
  • RC4 (Rivest Cipher 4)
  • DES (Data Encryption Standard)
  • 3DES
  • AES (Advanced Encryption Standard)
• SSLv3/TLS 1.0 (Transport Layer Security) support
  • SSLv3/TLS 1.0 is currently supported, with an option to pass or block SSLv2 traffic
  • Traffic using TLS 1.1 or TLS 1.2 is downgraded to TLS 1.0 for SSL Inspection
• No compression support at the time of writing
• No client authentication request support at the time of writing
Note: RC4, DES and TLS 1.0 are deprecated, and the downgrade means an inspected session is
negotiated at TLS 1.0 with one of the ciphers above rather than whatever the client and server
would have agreed on directly. Weigh this loss of transport security against the visibility that
inspection provides, and use the Exclude List for sessions where it is not acceptable.
• Finding out more
  • See Configuration > Object > Certificate > My Certificates for information on creating
certificates on the ZyWALL/USG.
  • See Monitor > UTM Statistics > SSL Inspection to get usage data and easily add a
destination server to the whitelist of excluded servers.
  • See Configuration > Security Policy > Policy Control > Policy to bind an SSL Inspection
profile to one or more traffic flows.
33.1.3 Before You Begin
• If you don’t want to use the default ZyWALL/USG certificate, then create a new certificate in
Object > Certificate > My Certificates.
• Decide which destination servers’ traffic should be passed through without inspection. Inspecting
an individual’s encrypted session, for example with a financial website, may be a matter of privacy
and legality. This varies by locale.
33.2 The SSL Inspection Profile Screen
An SSL Inspection profile is a template with pre-configured certificate, action and log.
Click Configuration > UTM Profile > SSL Inspection > Profile to open this screen.
Figure 359 Configuration > UTM Profile > SSL Inspection > Profile
The following table describes the fields in this screen.
Table 224 Configuration > UTM Profile > SSL Inspection > Profile
LABEL
DESCRIPTION
Profile Management
Add
Click Add to create a new profile.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Object Reference
Select an entry and click Object References to open a screen that shows which
settings use the entry. Click Refresh to update information on this screen.
#
This is the entry’s index number in the list.
Name
This displays the name of the profile.
Description
This displays the description of the profile.
CA Certificate
This displays the CA certificate being used in this profile.
Reference
This displays the number of times an object reference is used in a profile.
33.2.1 Add / Edit SSL Inspection Profiles
Click Configuration > UTM Profile > SSL Inspection > Profile > Add to create a new profile or
select an existing profile and click Edit to change its settings.
Figure 360 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit
The following table describes the fields in this screen.
Table 225 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit
LABEL
DESCRIPTION
Name
This is the name of the profile. You may use 1-31 alphanumeric characters,
underscores(_), or dashes (-), but the first character cannot be a number. This value is
case-sensitive. These are valid, unique profile names:
• MyProfile
• mYProfile
• Mymy12_3-4
These are invalid profile names:
• 1mYProfile
• My Profile
• MyProfile?
• Whatalongprofilename123456789012
Description
Enter additional information about this SSL Inspection entry. You can enter up to 60
characters ("0-9", "a-z", "A-Z", "-" and "_").
CA Certificate
This contains the default certificate and the certificates created in Object > Certificate >
My Certificates. Choose the certificate for this profile.
Severity Level
Select a severity level and then use the icons to enable/disable and configure logs and
actions for all signatures of that level.
Action for connection with SSL v2
SSL Inspection supports SSLv3 and TLS1.0. Select whether to pass or block SSLv2 traffic that
matches traffic bound to this policy.
Log
These are the log options for SSLv2 traffic that matches traffic bound to this policy:
• no: Select this option to have the ZyWALL/USG create no log for SSLv2 traffic that
matches traffic bound to this policy.
• log: Select this option to have the ZyWALL/USG create a log for SSLv2 traffic that
matches traffic bound to this policy.
• log alert: An alert is an e-mailed log for more serious events that may need more
immediate attention. They also appear in red in the Monitor > Log screen. Select this
option to have the ZyWALL/USG send an alert for SSLv2 traffic that matches traffic
bound to this policy.
Action for Connection with unsupported suite
SSL Inspection supports these cipher suites:
• RC4
• DES
• 3DES
• AES
Select whether to pass or block unsupported traffic (such as other cipher suites, compressed
traffic, client authentication requests, and so on) that matches traffic bound to this policy.
Log
These are the log options for unsupported traffic that matches traffic bound to this policy:
• no: Select this option to have the ZyWALL/USG create no log for unsupported traffic
that matches traffic bound to this policy.
• log: Select this option to have the ZyWALL/USG create a log for unsupported traffic
that matches traffic bound to this policy.
• log alert: An alert is an e-mailed log for more serious events that may need more
immediate attention. They also appear in red in the Monitor > Log screen. Select this
option to have the ZyWALL/USG send an alert for unsupported traffic that matches
traffic bound to this policy.
Excepted
Signatures
Use the icons to enable/disable and configure logs and actions for individual signatures that
are different to the general settings configured for the severity level to which the signatures
belong. Signatures configured in Query View will appear in Group View.
Add
Click this to configure settings to a signature that are different to the severity level to which
it belongs.
Remove
Select an existing signature exception and then click this to delete the exception.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Log
To edit an item’s log option, select it and use the Log icon. These are the log options:
no: Select this option on an individual signature or a complete service group to have the
ZyWALL/USG create no log when a packet matches a signature(s).
log: Select this option on an individual signature or a complete service group to have the
ZyWALL/USG create a log when a packet matches a signature(s).
log alert: An alert is an e-mailed log for more serious events that may need more
immediate attention. Select this option to have the ZyWALL/USG send an alert when a
packet matches a signature(s).
Action
To edit what action the ZyWALL/USG takes when a packet matches a signature, select the
signature and use the Action icon.
none: Select this action on an individual signature or a complete service group to have the
ZyWALL/USG take no action when a packet matches the signature(s).
drop: Select this action on an individual signature or a complete service group to have the
ZyWALL/USG silently drop a packet that matches the signature(s). Neither sender nor
receiver are notified.
reject-sender: Select this action on an individual signature or a complete service group to
have the ZyWALL/USG send a reset to the sender when a packet matches the signature. If
it is a TCP attack packet, the ZyWALL/USG will send a packet with a ‘RST’ flag. If it is an
ICMP or UDP attack packet, the ZyWALL/USG will send an ICMP unreachable packet.
reject-receiver: Select this action on an individual signature or a complete service group
to have the ZyWALL/USG send a reset to the receiver when a packet matches the
signature. If it is a TCP attack packet, the ZyWALL/USG will send a packet with a ‘RST’
flag. If it is an ICMP or UDP attack packet, the ZyWALL/USG will do nothing.
reject-both: Select this action on an individual signature or a complete service group to
have the ZyWALL/USG send a reset to both the sender and receiver when a packet matches
the signature. If it is a TCP attack packet, the ZyWALL/USG will send a packet with a ‘RST’
flag to the receiver and sender. If it is an ICMP or UDP attack packet, the ZyWALL/USG will
send an ICMP unreachable packet.
#
This is the entry’s index number in the list.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is
inactive.
SID
Type the exact signature ID (identification) number that uniquely identifies a ZyWALL/USG
IDP signature.
Log
These are the log options. To edit this, select an item and use the Log icon.
Action
This is the action the ZyWALL/USG should take when a packet matches a signature here. To
edit this, select an item and use the Action icon.
OK
Click OK to save your settings to the ZyWALL/USG, and return to the profile summary
page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
33.3 Exclude List Screen
There may be privacy and legality issues regarding inspecting a user's encrypted session. The legal
issues may vary by locale, so it's important to check with your legal department to make sure that
it’s OK to intercept SSL traffic from your ZyWALL/USG users.
To ensure individual privacy and meet legal requirements, you can configure an exclusion list to
exclude matching sessions to destination servers. This traffic is not intercepted and is passed
through uninspected.
Click Configuration > UTM Profile > SSL Inspection > Exclude List to display the following
screen. Use Add to put a new item in the list or Edit to change an existing one or Remove to
delete an existing entry.
Figure 361 Configuration > UTM Profile > SSL Inspection > Exclude List (> Add/Edit)
The following table describes the fields in this screen.
Table 226 Configuration > UTM Profile > SSL Inspection > Exclude List
LABEL
DESCRIPTION
General Settings
Enable Logs for Exclude List
Select this to create a log for traffic that bypasses SSL Inspection.
Exclude List Settings
Use this part of the screen to create, edit, or delete items in the SSL Inspection exclusion
list.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This is the entry’s index number in the list.
Exclude List of Certificate Identity
SSL traffic to a server to be excluded from SSL Inspection is identified by its certificate.
Identify the certificate in one of the following ways:
• The Common Name (CN) of the certificate. The common name of the certificate can
be created in the Object > Certificate > My Certificates screen.
• Type an IPv4 or IPv6 address. For example, type 192.168.1.35 or
2001:7300:3500::1
• Type an IPv4/IPv6 address in CIDR notation. For example, type 192.168.1.1/24 or
2001:7300:3500::1/64
• Type an IPv4/IPv6 address range. For example, type 192.168.1.1-192.168.1.35 or
2001:7300:3500::1-2001:7300:3500::35
• Type an e-mail address.
• Type a DNS name or a common name (wildcard char: '*', escape char: '\'). Use up to
127 case-insensitive characters (0-9, a-z, A-Z, `~!@#$%^&*()-_=+[]{}\|;:',.<>/?). ‘*’
can be used as a wildcard to match any string. Use ‘\*’ to indicate a single wildcard
character.
Alternatively, to automatically add an entry for existing SSL traffic to a destination server,
go to Monitor > UTM Statistics > SSL Inspection > Certificate Cache List, select an
item and then click Add to Exclude List. The item will then appear here.
Apply
Click Apply to save your settings to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
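The entry forms accepted by the Exclude List (single address, CIDR block, address range, e-mail address, and CN/DNS name with '*' wildcards and '\' escapes) are easy to get subtly wrong, so here is a matcher for them. It is an added example written for this edit, not Zyxel's code, and it makes these assumptions: the server is represented by a small `ServerIdentity` record (its IP and the CN and e-mail address from its certificate; Subject Alternative Names are not considered), anything containing '@' is an e-mail entry, and the manual's wording "Use '\*' to indicate a single wildcard character" is read as "a literal asterisk". The CIDR and range examples are the manual's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Sequence, Tuple

MAX_ENTRY_LEN = 127   # "Use up to 127 case-insensitive characters"


@dataclass(frozen=True)
class ServerIdentity:
    """What the ZyWALL/USG can see of the destination: the server's IP address
    and the subject of the certificate it presented (CN and e-mail, if any).
    This record is an assumption of the example, not a ZyWALL/USG object."""
    ip: str
    common_name: str
    email: str = ""


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Compile a CN/DNS-name entry: '*' matches any string (including the empty
    one) and '\\' escapes the next character, so '\\*' is a literal asterisk.
    Matching is case-insensitive, as the manual states."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        parts.append(".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_entry(entry: str) -> Tuple[str, object]:
    """Classify one Exclude List entry into (kind, parsed value)."""
    if not entry or len(entry) > MAX_ENTRY_LEN:
        raise ValueError("entry must be 1-127 characters")
    if "@" in entry:                                   # e-mail address (assumed rule)
        return "email", entry.lower()
    if "/" in entry:                                   # CIDR; host bits allowed (192.168.1.1/24)
        return "cidr", ipaddress.ip_network(entry, strict=False)
    if "-" in entry:                                   # range, e.g. 192.168.1.1-192.168.1.35
        lo, _, hi = entry.partition("-")
        try:
            return "range", (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        except ValueError:
            pass                                       # a hyphenated host name: fall through
    try:
        return "ip", ipaddress.ip_address(entry)       # single IPv4/IPv6 address
    except ValueError:
        return "name", wildcard_to_regex(entry)        # CN or DNS name with wildcards


def matches(entry: str, ident: ServerIdentity) -> bool:
    """True when this one entry covers the server."""
    kind, value = parse_entry(entry)
    ip = ipaddress.ip_address(ident.ip)
    if kind == "email":
        return ident.email.lower() == value
    if kind == "ip":
        return ip == value
    if kind == "cidr":
        return ip.version == value.version and ip in value
    if kind == "range":
        lo, hi = value
        if lo.version != hi.version:
            raise ValueError("range endpoints must be the same IP version")
        return ip.version == lo.version and lo <= ip <= hi
    return value.match(ident.common_name) is not None


def is_excluded(exclude_list: Sequence[str], ident: ServerIdentity) -> bool:
    """True when at least one entry matches: the session is passed through
    without decryption (and logged, if Enable Logs for Exclude List is set)."""
    return any(matches(entry, ident) for entry in exclude_list)
```

Two points worth noticing when writing entries: a name entry such as `*.bank.example` also matches a CN that is exactly `.bank.example` because '*' may match the empty string, and `192.168.1.1/24` silently means the whole 192.168.1.0/24 block, which is why `strict=False` is used above.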
33.4 Certificate Update Screen
Use this screen to update the ZyWALL/USG’s set of certificates for the servers to which users on
the ZyWALL/USG network make SSL connections. User U sends an SSL request to destination server
D (1), via the ZyWALL/USG, Z. D replies (2); Z intercepts the response from D and checks whether
the certificate has been previously signed. Z then replies to D (3) and also to U (4). D’s latest
certificate is stored at myZyXEL.com (M) along with other server certificates and can be
downloaded to the ZyWALL/USG.
Figure 362 SSL Inspection Certificate Update Overview
Click Configuration > UTM Profile > SSL Inspection > Certificate Update to display the
following screen.
Figure 363 Configuration > UTM Profile > SSL Inspection > Certificate Update
The following table describes the fields in this screen.
Table 227 Configuration > UTM Profile > SSL Inspection > Certificate Update
LABEL
DESCRIPTION
Certificate Information
Current Version
This displays the current certificate set version.
Certificate Update
You should have Internet access and have activated SSL Inspection on the
ZyWALL/USG at myZyXEL.com.
Update Now
Click this button to download the latest certificate set from the myZyXEL.com and
update it on the ZyWALL/USG.
Auto Update
Select this to automatically have the ZyWALL/USG update the certificate set when
a new one becomes available on myZyXEL.com.
Apply
Click Apply to save your settings to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
33.5 Install a CA Certificate in a Browser
The CA certificate used in an SSL Inspection profile must be installed as a trusted root in each
user’s web browser; otherwise every inspected site produces a certificate warning. Do the
following steps to install a certificate on a computer with a Windows operating system (PC). First,
save the certificate to your computer.
1 Run the certificate manager using certmgr.msc.
2 Go to Trusted Root Certification Authorities > Certificates.
3 From the main menu, select Action > All Tasks > Import and run the Certificate Import
Wizard to install the certificate on the PC.
Note: certmgr.msc manages the current user’s certificate store; to trust the certificate for every
user of the PC, import it into the local machine store or distribute it with Group Policy. A browser
that trusts this CA accepts any certificate signed with it, so the CA’s private key on the
ZyWALL/USG needs the same protection as any other root key.
33.5.0.1 Firefox Browser
If you’re using a Firefox browser, in addition to the above you need to do the following to import a
certificate into the browser.
Click Tools > Options > Advanced > Encryption > View Certificates, click Import and enter
the filename of the certificate you want to import. See the browser's help for further information.
Chapter 34
Device HA
34.1 Overview
Device HA lets a backup ZyWALL/USG (B) automatically take over if the master ZyWALL/USG (A)
fails.
Figure 364 Device HA Backup Taking Over for the Master (A is the master, B the backup)
34.1.1 What You Can Do in this Chapter
• Use the General screen (Section 34.2 on page 549) to configure device HA global settings, and
see the status of each interface monitored by device HA.
• Use the Active-Passive Mode screens (Section 34.3 on page 550) to use active-passive mode
device HA. You can configure general active-passive mode device HA settings, view and manage
the list of monitored interfaces, and synchronize backup ZyWALL/USGs.
34.1.2 What You Need to Know
Active-Passive Mode
• Active-passive mode lets a backup ZyWALL/USG take over if the master ZyWALL/USG fails.
• The ZyWALL/USGs must be set to use the same device HA mode (active-passive).
Management Access
You can configure a separate management IP address for each interface. You can use it to access
the ZyWALL/USG for management whether the ZyWALL/USG is the master or a backup. The
management IP address should be in the same subnet as the interface IP address.
Synchronization
Use synchronization to have a backup ZyWALL/USG copy the master ZyWALL/USG’s configuration,
signatures (anti-virus, IDP/application patrol, and system protect), and certificates.
Note: Only ZyWALL/USGs of the same model and firmware version can synchronize.
Otherwise you must manually configure the master ZyWALL/USG’s settings on the backup (by
editing copies of the configuration files in a text editor for example).
Finding Out More
• See Section 34.5 on page 556 for device HA background/technical information.
34.1.3 Before You Begin
• Configure a static IP address for each interface that you will have device HA monitor.
Note: Subscribe to services on the backup ZyWALL/USG before synchronizing it with the
master ZyWALL/USG.
• Synchronization includes updates for services to which the master and backup ZyWALL/USGs are
both subscribed. For example, a backup subscribed to IDP/AppPatrol, but not anti-virus, gets
IDP/AppPatrol updates from the master, but not anti-virus updates. It is highly recommended to
subscribe the master and backup ZyWALL/USGs to the same services.
34.2 Device HA General
The Configuration > Device HA General screen lets you enable or disable device HA, and
displays which device HA mode the ZyWALL/USG is set to use along with a summary of the
monitored interfaces.
Figure 365 Configuration > Device HA > General
The following table describes the labels in this screen.
Table 228 Configuration > Device HA > General
LABEL
DESCRIPTION
Enable Device HA
Turn the ZyWALL/USG’s device HA feature on or off.
Note: It is not recommended to use STP (Spanning Tree Protocol) with device HA.
Device HA Mode
This displays whether the ZyWALL/USG is currently set to use active-passive mode device
HA. Active-passive mode is recommended for general device failover deployments.
Click the link to go to the screen where you can configure the ZyWALL/USG to use the
device HA mode that it is not currently using.
Monitored Interface Summary
This table shows the status of the interfaces that you selected for monitoring in the other
device HA screens.
#
This is the entry’s index number in the list.
Interface
These are the names of the interfaces that are monitored by device HA.
Virtual Router IP / Netmask
This is the interface’s IP address and subnet mask. Whichever ZyWALL/USG is the master
uses this virtual router IP address and subnet mask.
Management IP / Netmask
This field displays the interface’s management IP address and subnet mask. You can use
this IP address and subnet mask to access the ZyWALL/USG whether it is in master or
backup mode.
Link Status
This tells whether the monitored interface’s connection is down or up.
HA Status
The text before the slash shows whether the device is configured as the master or the
backup role.
The text after the slash displays the monitored interface’s status in the virtual router.
Active - This interface is up and using the virtual IP address and subnet mask.
Stand-By - This interface is a backup interface in the virtual router. It is not using the
virtual IP address and subnet mask.
Fault - This interface is not functioning in the virtual router right now. In active-passive
mode if one of the master ZyWALL/USG’s interfaces loses its connection, the master
ZyWALL/USG forces all of its interfaces to the fault state so the backup ZyWALL/USG can
take over all of the master ZyWALL/USG’s functions.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
34.3 The Active-Passive Mode Screen
Virtual Router
The master and backup ZyWALL/USG form a single ‘virtual router’. In the following example,
master ZyWALL/USG A and backup ZyWALL/USG B form a virtual router.
Figure 366 Virtual Router (master A and backup B form one virtual router)
Cluster ID
You can have multiple ZyWALL/USG virtual routers on your network. Use a different cluster ID to
identify each virtual router. In the following example, ZyWALL/USGs A and B form a virtual router
that uses cluster ID 1. ZyWALL/USGs C and D form a virtual router that uses cluster ID 2.
Figure 367 Cluster IDs for Multiple Virtual Routers (A and B use cluster ID 1; C and D use
cluster ID 2)
Monitored Interfaces in Active-Passive Mode Device HA
You can select which interfaces device HA monitors. If a monitored interface on the ZyWALL/USG
loses its connection, device HA has the backup ZyWALL/USG take over.
Enable monitoring for the same interfaces on the master and backup ZyWALL/USGs. Each
monitored interface must have a static IP address and be connected to the same subnet as the
corresponding interface on the backup or master ZyWALL/USG.
Virtual Router and Management IP Addresses
• If a backup takes over for the master, it uses the master’s IP addresses. These IP addresses are
known as the virtual router IP addresses.
• Each interface can also have a management IP address. You can connect to this IP address to
manage the ZyWALL/USG regardless of whether it is the master or the backup.
For example, ZyWALL/USG B takes over A’s 192.168.1.1 LAN interface IP address. This is a virtual
router IP address. ZyWALL/USG A keeps its LAN management IP address of 192.168.1.5 and
ZyWALL/USG B has its own LAN management IP address of 192.168.1.6. These do not change
when ZyWALL/USG B becomes the master.
Figure 368 Management IP Addresses (A: virtual router IP 192.168.1.1, management IP
192.168.1.5; B: virtual router IP 192.168.1.1, management IP 192.168.1.6)
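The constraints stated in this section and in Table 229 (static IPs on monitored interfaces, the same interfaces monitored on both units, management IPs in the virtual router's subnet, matching authentication method and password of at most eight characters, same model and firmware for synchronization, distinct cluster IDs per virtual router) are the things that go wrong in practice when a pair is built by hand. The checker below is an added example written for this edit, not ZyWALL/USG code: the `HAUnit` and `HAInterface` records and the auth labels "none", "text" and "ah-md5" are this example's own names, and the "warning:" about Text authentication is the editor's advice rather than a rule from the manual. The test data reproduces Figure 368.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Password rule for Text and IP AH (MD5) authentication (Table 229): alphanumerics,
# underscore, the listed punctuation marks, at most eight characters.
_PASSWORD = re.compile(r"^[A-Za-z0-9_+\-/*=:;.!@$&%#~'\\()]{1,8}$")


@dataclass
class HAInterface:
    name: str
    ip: Optional[str]          # "192.168.1.1/24"; None for a DHCP client or no IP settings
    management_ip: str         # this unit's own address on the interface, e.g. "192.168.1.5"
    monitored: bool = True


@dataclass
class HAUnit:
    role: str                  # "master" or "backup"
    model: str
    firmware: str
    cluster_id: int
    auth: str                  # "none", "text" or "ah-md5" (labels chosen for this example)
    password: str
    interfaces: Dict[str, HAInterface]


def check_pair(master: HAUnit, backup: HAUnit) -> List[str]:
    """Return every problem found with this active-passive pair; [] means clean.
    Entries starting with 'warning:' are advisory, not rules from the manual."""
    problems: List[str] = []
    if (master.role, backup.role) != ("master", "backup"):
        problems.append("one unit must have the master role and the other the backup role")
    if (master.model, master.firmware) != (backup.model, backup.firmware):
        problems.append("synchronization needs the same model and firmware on both units")
    if master.cluster_id != backup.cluster_id:
        problems.append("both units of one virtual router must use the same cluster ID")
    if (master.auth, master.password) != (backup.auth, backup.password):
        problems.append("authentication method and password must match on both units")
    if master.auth != "none" and not _PASSWORD.match(master.password):
        problems.append("password must be 1-8 characters from the allowed set")
    if master.auth == "text":
        problems.append("warning: Text authentication puts the password on the wire in "
                        "clear text; prefer IP AH (MD5)")

    mon_m = {n for n, i in master.interfaces.items() if i.monitored}
    mon_b = {n for n, i in backup.interfaces.items() if i.monitored}
    if mon_m != mon_b:
        problems.append(f"monitor the same interfaces on both units "
                        f"(master {sorted(mon_m)}, backup {sorted(mon_b)})")
    for name in sorted(mon_m & mon_b):
        mi, bi = master.interfaces[name], backup.interfaces[name]
        if mi.ip is None or bi.ip is None:
            problems.append(f"{name}: monitored interfaces need a static IP, not DHCP")
            continue
        vr = ipaddress.ip_interface(mi.ip)       # master's address is the virtual router IP
        if ipaddress.ip_interface(bi.ip).network != vr.network:
            problems.append(f"{name}: backup interface {bi.ip} is not in {vr.network}")
        for who, mgmt in (("master", mi.management_ip), ("backup", bi.management_ip)):
            addr = ipaddress.ip_address(mgmt)
            if addr not in vr.network:
                problems.append(f"{name}: {who} management IP {mgmt} is not in {vr.network}")
            elif addr == vr.ip:
                problems.append(f"{name}: {who} management IP {mgmt} collides with the "
                                f"virtual router IP")
        if mi.management_ip == bi.management_ip:
            problems.append(f"{name}: master and backup management IPs must differ")
    return problems


def distinct_cluster_ids(routers: Dict[str, int]) -> List[str]:
    """Virtual routers on the same network need different cluster IDs (Figure 367)."""
    by_id: Dict[int, List[str]] = {}
    for router, cid in routers.items():
        by_id.setdefault(cid, []).append(router)
    return [f"cluster ID {cid} is used by {', '.join(names)}"
            for cid, names in sorted(by_id.items()) if len(names) > 1]
```

Run `check_pair` against both units' intended settings before enabling Device HA; an empty list for the pair and for `distinct_cluster_ids` across the segment means the configuration satisfies every constraint this chapter states.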
34.3.1 Configuring Active-Passive Mode Device HA
The Device HA Active-Passive Mode screen lets you configure general active-passive mode
device HA settings, view and manage the list of monitored interfaces, and synchronize backup
ZyWALL/USGs. To access this screen, click Configuration > Device HA > Active-Passive Mode.
Figure 369 Configuration > Device HA > Active Passive Mode
The following table describes the labels in this screen. See Section 34.4 on page 555 for more
information as well.
Table 229 Configuration > Device HA > Active-Passive Mode
LABEL
DESCRIPTION
Show Advanced Settings / Hide Advanced Settings
Click this button to display a greater or lesser number of configuration fields.
Authentication
Select the authentication method the virtual router uses. Every interface in a virtual
router must use the same authentication method and password. Choices are:
None - this virtual router does not use any authentication method.
Text - this virtual router uses a plain text password for authentication. The password travels
on the wire unencrypted, so anyone able to capture traffic on the segment can read it. Type
the password in the field next to the radio button. The password can consist of alphanumeric
characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘ \ () ), and it
can be up to eight characters long.
IP AH (MD5) - this virtual router uses the IP Authentication Header (AH) with MD5 for
authentication, so the password itself is not sent in clear text. Type the password in the
field next to the radio button. The password can consist of alphanumeric characters, the
underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘ \ () ), and it can be up to
eight characters long.
Monitored
Interface
Summary
This table shows the status of the device HA settings and status of the ZyWALL/USG’s
interfaces.
Edit
Select an entry and click this to be able to modify it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
#
This is the entry’s index number in the list.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is
inactive.
Interface
This field identifies the interface. At the time of writing, Ethernet and bridge interfaces
can be included in the active-passive mode virtual router. The member interfaces of any
bridge interfaces do not display separately.
Virtual Router IP /
Netmask
This is the master ZyWALL/USG’s (static) IP address and subnet mask for this interface.
If a backup takes over for the master, it uses this IP address. These fields are blank if the
interface is a DHCP client or has no IP settings.
Management IP /
Netmask
This field displays the interface’s management IP address and subnet mask. You can use
this IP address and subnet mask to access the ZyWALL/USG whether it is in master or
backup mode.
Link Status
This tells whether the monitored interface’s connection is down or up.
Synchronization
Use synchronization to have a backup ZyWALL/USG copy the master ZyWALL/USG’s
configuration, certificates, AV signatures, IDP and application patrol signatures, and
system protect signatures.
Every interface’s management IP address must be in the same subnet as the interface’s
IP address (the virtual router IP address).
Server Address
If this ZyWALL/USG is set to backup role, enter the IP address or Fully-Qualified Domain
Name (FQDN) of the ZyWALL/USG from which to get updated configuration. Usually, you
should enter the IP address or FQDN of a virtual router on a secure network.
If this ZyWALL/USG is set to master role, this field displays the ZyWALL/USG’s IP
addresses and/or Fully-Qualified Domain Names (FQDN) through which ZyWALL/USGs in
backup role can get updated configuration from this ZyWALL/USG.
ZyWALL/USG Series User’s Guide
554
Chapter 34 Device HA
Table 229 Configuration > Device HA > Active-Passive Mode (continued)
LABEL
DESCRIPTION
Server Port
If this ZyWALL/USG is set to the backup role, enter the port number to use for Secure
FTP when synchronizing with the specified master ZyWALL/USG.
If this ZyWALL/USG is set to master role, this field displays the ZyWALL/USG’s Secure
FTP port number. Click the Configure link if you need to change the FTP port number.
Every ZyWALL/USG in the virtual router must use the same port number. If the master
ZyWALL/USG changes, you have to manually change this port number in the backups.
Password
Enter the password used for verification during synchronization. Every ZyWALL/USG in
the virtual router must use the same password.
If you leave this field blank in the master ZyWALL/USG, no backup ZyWALL/USGs can
synchronize from it.
If you leave this field blank in a backup ZyWALL/USG, it cannot synchronize from the
master ZyWALL/USG.
Retype to Confirm
Type the password again here to confirm it.
Apply
This appears when the ZyWALL/USG is currently using active-passive mode device HA.
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
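The three authentication choices in Table 229 map directly onto the VRRPv2 advertisement header (RFC 2338), and the quickest way to see what each one exposes is to build one advertisement and decode it. The following is an added example, not ZyXEL's code; it assumes only the RFC 2338 packet layout and makes no assumption about the ZyWALL/USG's own implementation. The VRID, priority, virtual router IP and password are constructed sample values.

```python
"""Build and inspect VRRPv2 advertisements (RFC 2338 layout) to see what each
Device HA authentication choice actually puts on the wire.

Added example, not ZyXEL code. Only the RFC 2338 header format is assumed.
"""
import socket
import struct
from typing import Dict, List

VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE_TEXT, AUTH_IP_AH = 0, 1, 2   # RFC 2338 authentication types


def internet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, addresses: List[str],
                        auth_type: int, password: bytes = b"") -> bytes:
    """Encode one advertisement. Text auth places the password, unencrypted,
    in the 8-byte Authentication Data field; None and IP AH leave it zero."""
    if auth_type == AUTH_SIMPLE_TEXT:
        if not 1 <= len(password) <= 8:
            raise ValueError("Text password must be 1-8 bytes")
        auth_data = password.ljust(8, b"\x00")
    else:
        auth_data = bytes(8)
    head = struct.pack("!BBBBBB", (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                       vrid, priority, len(addresses), auth_type, 1)
    tail = b"".join(socket.inet_aton(a) for a in addresses) + auth_data
    csum = internet_checksum(head + b"\x00\x00" + tail)   # checksum field zeroed
    return head + struct.pack("!H", csum) + tail


def parse_advertisement(pkt: bytes) -> Dict[str, object]:
    """Decode an advertisement and verify its checksum (sum over the whole
    message, checksum included, must come out to zero)."""
    if len(pkt) < 16:
        raise ValueError("packet too short for a VRRPv2 advertisement")
    vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    end = 8 + 4 * count + 8
    if len(pkt) < end:
        raise ValueError("address count exceeds packet length")
    addrs = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {
        "version": vt >> 4, "type": vt & 0x0F, "vrid": vrid, "priority": prio,
        "adver_int": adver_int, "addresses": addrs, "auth_type": auth_type,
        "auth_data": pkt[8 + 4 * count:end],
        "checksum_ok": internet_checksum(pkt[:end]) == 0,
    }


def assess(info: Dict[str, object]) -> List[str]:
    """Turn a parsed advertisement into review findings."""
    findings = []
    if info["version"] != VRRP_VERSION or info["type"] != VRRP_TYPE_ADVERTISEMENT:
        return ["not a VRRPv2 advertisement"]
    if not info["checksum_ok"]:
        findings.append("checksum mismatch: corrupted or tampered packet")
    auth = info["auth_type"]
    if auth == AUTH_NONE:
        findings.append("no authentication: any host on the segment can advertise for VRID %d" % info["vrid"])
    elif auth == AUTH_SIMPLE_TEXT:
        pw = info["auth_data"].rstrip(b"\x00")
        findings.append("Text auth: password %r is readable by anyone capturing the segment" % pw)
    elif auth == AUTH_IP_AH:
        findings.append("IP AH: the VRRP header carries no secret; the keyed MD5 lives in the AH header")
    else:
        findings.append("unknown authentication type %d" % auth)
    return findings


if __name__ == "__main__":
    # Constructed sample: VRID 10, priority 100, virtual router IP 192.168.1.1.
    pkt = build_advertisement(10, 100, ["192.168.1.1"], AUTH_SIMPLE_TEXT, b"s3cret")
    for line in assess(parse_advertisement(pkt)):
        print(line)
```

Run against a capture of 224.0.0.18 traffic on the HA segment, this is the check that tells you whether the Text password is sitting in the last eight bytes of every advertisement. With None, a host that sends its own advertisement with a higher priority becomes master; with IP AH the advertisement itself reveals nothing and the receiver's check happens in the AH header, which this decoder deliberately does not model.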
34.4 Active-Passive Mode Edit Monitored Interface
The Device HA Active-Passive Mode Monitored Interface Edit screen lets you enable or
disable monitoring of an interface and set the interface’s management IP address and subnet mask.
To access this screen, click Configuration > Device HA > Active-Passive Mode > Edit.
If you configure device HA settings for an Ethernet interface and later add the Ethernet interface to
a bridge, the ZyWALL/USG retains the Ethernet interface's device HA settings and applies them
again if the interface is later removed from the bridge or the bridge is deleted.
A bridge interface's own device HA settings are not retained if you delete the bridge interface.
Figure 370 Configuration > Device HA > Active-Passive Mode > Edit
Figure 371 Configuration > Device HA > Active-Passive Mode > Edit
The following table describes the labels in this screen.
Table 230 Configuration > Device HA > Active-Passive Mode > Edit
Enable Monitored Interface: Select this to have device HA monitor the status of this interface's connection.
Interface Name: This identifies the interface.
Note: Do not connect the bridge interfaces on two ZyWALL/USGs without device HA activated on both. Doing so could cause a broadcast storm.
Either activate device HA before connecting the bridge interfaces or disable the bridge interfaces, connect the bridge interfaces, activate device HA, and finally reactivate the bridge interfaces.
Virtual Router IP (VRIP) / Subnet Mask: This is the interface's (static) IP address and subnet mask in the virtual router. Whichever ZyWALL/USG is currently serving as the master uses this virtual router IP address and subnet mask. These fields are blank if the interface is a DHCP client or has no IP settings.
Manage IP: Enter the interface's IP address for management access. You can use this IP address to access the ZyWALL/USG whether it is the master or a backup. This management IP address should be in the same subnet as the interface IP address.
Manage IP Subnet Mask: Enter the subnet mask of the interface's management IP address.
OK: Click OK to save your changes back to the ZyWALL/USG.
Cancel: Click Cancel to exit this screen without saving your changes.
34.5 Device HA Technical Reference
Active-Passive Mode Device HA with Bridge Interfaces
Here are two ways to avoid a broadcast storm when you connect the bridge interfaces on two
ZyWALL/USGs.
First Option for Connecting the Bridge Interfaces on Two ZyWALL/USGs
The first way is to activate device HA before connecting the bridge interfaces as shown in the
following example.
1 Make sure the bridge interfaces of the master ZyWALL/USG (A) and the backup ZyWALL/USG (B) are not connected.
(Diagram: A and B, no bridge interfaces yet, not connected.)
2 Configure the bridge interface on the master ZyWALL/USG, set the bridge interface as a monitored interface, and activate device HA.
(Diagram: A has Br0 {ge4, ge5}; B has no bridge interface; A and B are not connected.)
3 Configure the bridge interface on the backup ZyWALL/USG, set the bridge interface as a monitored interface, and activate device HA.
(Diagram: A has Br0 {ge4, ge5}; B has Br0 {ge4, ge5}; A and B are not connected.)
4 Connect the ZyWALL/USGs.
(Diagram: A's Br0 {ge4, ge5} connected to B's Br0 {ge4, ge5}.)
Second Option for Connecting the Bridge Interfaces on Two ZyWALL/USGs
Another option is to disable the bridge interfaces, connect the bridge interfaces, activate device HA,
and finally reactivate the bridge interfaces as shown in the following example.
1 In this case the ZyWALL/USGs are already connected, but the bridge interfaces have not been configured yet. Configure a bridge interface on the master ZyWALL/USG but leave it disabled. Then set the bridge interface as a monitored interface, and activate device HA.
(Diagram: A has Br0 {ge4, ge5}, disabled; B has no bridge interface.)
2 Configure a corresponding disabled bridge interface on the backup ZyWALL/USG. Then set the bridge interface as a monitored interface, and activate device HA.
(Diagram: A has Br0 {ge4, ge5}, disabled; B has Br0 {ge4, ge5}, disabled.)
3 Enable the bridge interface on the master ZyWALL/USG and then on the backup ZyWALL/USG.
(Diagram: A has Br0 {ge4, ge5}, enabled; B has Br0 {ge4, ge5}, enabled.)
4 Connect the ZyWALL/USGs.
(Diagram: A's Br0 {ge4, ge5} connected to B's Br0 {ge4, ge5}.)
Synchronization
During synchronization, the master ZyWALL/USG sends the following information to the backup
ZyWALL/USG.
• Startup configuration file (startup-config.conf)
• AV signatures
• IDP and application patrol signatures
• System protect signatures
• Certificates (My Certificates, and Trusted Certificates)
Synchronization does not change the device HA settings in the backup ZyWALL/USG.
Synchronization affects the entire device configuration. You can only configure one set of settings
for synchronization, regardless of how many VRRP groups you might configure. The ZyWALL/USG
uses Secure FTP (on a port number you can change) to synchronize, but it is still recommended
that the backup ZyWALL/USG synchronize with a master ZyWALL/USG on a secure network.
The backup ZyWALL/USG gets the configuration from the master ZyWALL/USG. The backup
ZyWALL/USG cannot become the master or be managed while it applies the new configuration. This
usually takes two or three minutes or longer depending on the configuration complexity.
The following restrictions apply with active-passive mode.
• The master ZyWALL/USG must have no inactive monitored interfaces.
• The backup ZyWALL/USG cannot be the master. This refers to the actual role at the time of
synchronization, not the role setting in the configuration screen.
The backup applies the entire configuration if it is different from the backup’s current configuration.
CHAPTER
35
Object
35.1 Zones Overview
Set up zones to configure network security and network policies in the ZyWALL/USG. A zone is a
group of interfaces and/or VPN tunnels. The ZyWALL/USG uses zones instead of interfaces in many
security and policy settings, such as Secure Policies rules, UTM Profile, and remote management.
Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP
interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically
assigned to the same zone as the interface on which they run.
Figure 372 Example: Zones
Use the Zone screens (see Section 35.8.2 on page 614) to manage the ZyWALL/USG’s zones.
35.1.1 What You Need to Know
Zones effectively divide traffic into three types--intra-zone traffic, inter-zone traffic, and extra-zone
traffic.
Intra-zone Traffic
• Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 372 on page 561, traffic between VLAN 2 and the Ethernet is intra-zone traffic.
Inter-zone Traffic
• Inter-zone traffic is traffic between interfaces or VPN tunnels in different zones. For example, in Figure 372 on page 561, traffic between VLAN 1 and the Internet is inter-zone traffic. This is the normal case when zone-based security and policy settings apply.
Extra-zone Traffic
• Extra-zone traffic is traffic to or from any interface or VPN tunnel that is not assigned to a zone. For example, in Figure 372 on page 561, traffic to or from computer C is extra-zone traffic.
• Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information.
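The practical consequence of the three traffic types is easy to miss: an interface left out of every zone is not "unprotected by default", it is simply unreachable by any rule that names a concrete zone, and only rules whose zone attribute is Any will see it. The following is an added example, not ZyXEL's policy engine: the zone and interface names, the rule format, first-match evaluation and the default-deny for unmatched traffic are all constructed assumptions used to illustrate the classification above.

```python
"""Classify traffic as intra-, inter- or extra-zone and show which zone-based
rules can reach an interface that belongs to no zone.

Added example, not ZyXEL code. Zone names, rule format and the default action
are constructed assumptions, not the ZyWALL/USG's own policy engine.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "Any"   # the zone attribute value that also covers unassigned interfaces


def build_zone_map(zones: Dict[str, List[str]]) -> Dict[str, str]:
    """Map interface -> zone, rejecting overlap (an interface in two zones)."""
    mapping: Dict[str, str] = {}
    for zone, members in zones.items():
        for iface in members:
            if iface in mapping:
                raise ValueError("%s is already in zone %s" % (iface, mapping[iface]))
            mapping[iface] = zone
    return mapping


def classify(zone_map: Dict[str, str], src_iface: str, dst_iface: str) -> str:
    """Return 'intra-zone', 'inter-zone' or 'extra-zone' for one flow."""
    src, dst = zone_map.get(src_iface), zone_map.get(dst_iface)
    if src is None or dst is None:
        return "extra-zone"
    return "intra-zone" if src == dst else "inter-zone"


@dataclass(frozen=True)
class Rule:
    from_zone: str   # a zone name or ANY
    to_zone: str
    action: str      # "allow" or "deny"


def _zone_matches(rule_zone: str, actual: Optional[str]) -> bool:
    # A concrete zone never matches an interface that has no zone; only ANY does.
    return rule_zone == ANY or (actual is not None and rule_zone == actual)


def first_match(rules: List[Rule], zone_map: Dict[str, str],
                src_iface: str, dst_iface: str, default: str = "deny") -> str:
    """First-match evaluation; `default` is the assumed action when no rule hits."""
    src, dst = zone_map.get(src_iface), zone_map.get(dst_iface)
    for rule in rules:
        if _zone_matches(rule.from_zone, src) and _zone_matches(rule.to_zone, dst):
            return rule.action
    return default


# Constructed topology: ge4 is deliberately left out of every zone.
ZONES = {"WAN": ["ge1"], "LAN1": ["ge2", "vlan1"], "DMZ": ["vlan2"]}
RULES = [
    Rule("LAN1", "WAN", "allow"),
    Rule("LAN1", "LAN1", "allow"),
    Rule(ANY, "LAN1", "deny"),
    Rule(ANY, ANY, "allow"),   # a catch-all like this also reaches extra-zone traffic
]

if __name__ == "__main__":
    zmap = build_zone_map(ZONES)
    for s, d in [("ge2", "ge1"), ("ge2", "vlan1"), ("ge4", "ge1"), ("ge4", "ge2")]:
        print("%s -> %s: %s, %s" % (s, d, classify(zmap, s, d), first_match(RULES, zmap, s, d)))
```

The flows from ge4 are the ones to look at: traffic from the unassigned interface to the WAN is allowed only because of the Any/Any catch-all, and traffic from it into LAN1 is stopped only by the Any -> LAN1 deny. Remove the catch-all and the same flows fall through to the default; that is the review question to ask whenever an interface shows up in Zone's Available list rather than in a Member list.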
35.1.2 The Zone Screen
The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit,
and remove zones. To access this screen, click Configuration > Object > Zone.
Figure 373 Configuration > Object > Zone
The following table describes the labels in this screen.
Table 231 Configuration > Object > Zone
User Configuration / System Default: The ZyWALL/USG comes with pre-configured System Default zones that you cannot delete. You can create your own User Configuration zones.
Add: Click this to create a new, user-configured zone.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove a user-configured zone, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. Click Refresh to update information in this screen.
#: This field is a sequential value, and it is not associated with any interface.
Name: This field displays the name of the zone.
Member: This field displays the names of the interfaces that belong to each zone.
Reference: This field displays the number of times an Object Reference is used in a policy.
35.1.2.1 Zone Edit
The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone
screen (see Section 35.8.2 on page 614), and click the Add icon or an Edit icon.
Figure 374 Configuration > Object > Zone > Add
The following table describes the labels in this screen.
Table 232 Configuration > Object > Zone > Add/Edit
Name: For a system default zone, the name is read only. For a user-configured zone, type the name used to refer to the zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Member List: Available lists the interfaces and VPN tunnels that do not belong to any zone. Select the interfaces and VPN tunnels that you want to add to the zone you are editing, and click the right arrow button to add them. Member lists the interfaces and VPN tunnels that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
35.2 User/Group Overview
This section describes how to set up user accounts, user groups, and user settings for the ZyWALL/
USG. You can also set up rules that control when users have to log in to the ZyWALL/USG before
the ZyWALL/USG routes traffic for them.
• The User screen (see Section 35.14.1 on page 654) provides a summary of all user accounts.
• The Group screen (see Section 35.2.3 on page 569) provides a summary of all user groups. In
addition, this screen allows you to add, edit, and remove user groups. User groups may consist of
access users and other user groups. You cannot put admin users in user groups.
• The Setting screen (see Section 35.2.4 on page 570) controls default settings, login settings,
lockout settings, and other user settings for the ZyWALL/USG. You can also use this screen to
specify when users must log in to the ZyWALL/USG before it routes traffic for them.
• The MAC Address screen (see Section 35.2.5 on page 575) allows you to configure the MAC
addresses or OUI (Organizationally Unique Identifier) of wireless clients for MAC authentication
using the local user database. The OUI is the first three octets in a MAC address and uniquely
identifies the manufacturer of a network device.
35.2.1 What You Need To Know
User Account
A user account defines the privileges of a user logged into the ZyWALL/USG. User accounts are
used in security policies and application patrol, in addition to controlling access to configuration and
services in the ZyWALL/USG.
User Types
These are the types of user accounts the ZyWALL/USG uses.
Table 233 Types of User Accounts
TYPE: ABILITIES. Login method(s).
Admin Users
admin: Change ZyWALL/USG configuration (web, CLI). Login methods: WWW, TELNET, SSH, FTP, Console.
limited-admin: Look at ZyWALL/USG configuration (web, CLI); perform basic diagnostics (CLI). Login methods: WWW, TELNET, SSH, Console.
Access Users
user: Access network services; browse user-mode commands (CLI). Login methods: WWW, TELNET, SSH.
guest: Access network services. Login method: WWW.
ext-user: External user account. Login method: WWW.
ext-group-user: External group user account. Login method: WWW.
Note: The default admin account is always authenticated locally, regardless of the
authentication method setting. (See Chapter 35 on page 627 for more information
about authentication methods.) Because this account never goes through an external
server, its local password must be kept strong even when every other administrator
authenticates externally.
Ext-User Accounts
Set up an ext-user account if the user is authenticated by an external server and you want to set
up specific policies for this user in the ZyWALL/USG. If you do not want to set up policies for this
user, you do not have to set up an ext-user account.
All ext-user users should be authenticated by an external server, such as AD, LDAP or RADIUS. If
the ZyWALL/USG tries to use the local database to authenticate an ext-user, the authentication
attempt always fails. (This is related to AAA servers and authentication methods, which are
discussed in those chapters in this guide.)
Note: If the ZyWALL/USG tries to authenticate an ext-user using the local database, the
attempt always fails.
Once an ext-user user has been authenticated, the ZyWALL/USG tries to get the user type (see
Table 233 on page 564) from the external server. If the external server does not have the
information, the ZyWALL/USG sets the user type for this session to User.
For the rest of the user attributes, such as reauthentication time, the ZyWALL/USG checks the
following places, in order.
1 User account in the remote server.
2 User account (Ext-User) in the ZyWALL/USG.
3 Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the ZyWALL/USG.
See Setting up User Attributes in an External Server on page 577 for a list of attributes and how to
set up the attributes in an external server.
Ext-Group-User Accounts
Ext-Group-User accounts are similar to ext-user accounts but allow you to group users by the
value of the group membership attribute configured for the AD or LDAP server. See Section
35.9.5.1 on page 622 for more on the group membership attribute.
User Groups
User groups may consist of user accounts or other user groups. Use user groups when you want to
create the same rule for several user accounts, instead of creating separate rules for each one.
Note: You cannot put access users and admin users in the same user group.
Note: You cannot put the default admin account into any user group.
The sequence of members in a user group is not important.
User Awareness
By default, users do not have to log into the ZyWALL/USG to use the network services it provides.
The ZyWALL/USG automatically routes packets for everyone. If you want to restrict network
services that certain users can use via the ZyWALL/USG, you can require them to log in to the
ZyWALL/USG first. The ZyWALL/USG is then ‘aware’ of the user who is logged in and you can create
‘user-aware policies’ that define what services they can use. See Section 35.2.6 on page 576 for a
user-aware login example.
Finding Out More
• See Section 35.2.6 on page 576 for some information on users who use an external
authentication server in order to log in.
• The ZyWALL/USG supports TTLS using PAP so you can use the ZyWALL/USG’s local user database
to authenticate users with WPA or WPA2 instead of needing an external RADIUS server.
35.2.2 User/Group User Summary Screen
The User screen provides a summary of all user accounts. To access this screen, login to the Web
Configurator, and click Configuration > Object > User/Group.
Figure 375 Configuration > Object > User/Group > User
The following table describes the labels in this screen.
Table 234 Configuration > Object > User/Group > User
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
Object References: Select an entry and click Object References to open a screen that shows which settings use the entry.
#: This field is a sequential value, and it is not associated with a specific user.
User Name: This field displays the user name of each user.
User Type: This field displays the types of user accounts the ZyWALL/USG uses:
• admin - this user can look at and change the configuration of the ZyWALL/USG
• limited-admin - this user can look at the configuration of the ZyWALL/USG but not change it
• user - this user has access to the ZyWALL/USG's services and can also browse user-mode commands (CLI)
• guest - this user has access to the ZyWALL/USG's services but cannot look at the configuration
• ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 564 for more information about this type.
• ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts on page 565 for more information about this type.
Description: This field displays the description for each user.
Reference: This displays the number of times an object reference is used in a profile.
35.2.2.1 User Add/Edit Screen
The User Add/Edit screen allows you to create a new user account or edit an existing one.
35.2.2.2 Rules for User Names
Enter a user name from 1 to 31 characters.
The user name can only contain the following characters:
• Alphanumeric A-Z a-z 0-9 (there is no unicode support)
• _ [underscores]
• - [dashes]
The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other
limitations on user names are:
• User names are case-sensitive. If you create a user 'bob' but log in as 'BOB' when connecting via CIFS
or FTP, the ZyWALL/USG applies the account settings of 'BOB', not 'bob'; a differently-cased name is a
different account, or no account at all.
• User names have to be different than user group names.
• Here are the reserved user names:
• adm
• admin
• any
• bin
• daemon
• debug
• devicehaecived
• ftp
• games
• halt
• ldap-users
• lp
• mail
• news
• nobody
• operator
• radius-users
• root
• shutdown
• sshd
• sync
• uucp
• zyxel
To access this screen, go to the User screen (see Section 35.14.1 on page 654), and click either the
Add icon or an Edit icon.
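The rules above are easy to encode, and encoding them is useful when user accounts are provisioned by script rather than through the Web Configurator. The following validator is an added example, not ZyXEL's code; it implements the rules exactly as the page states them (character set, first character, 1-31 length, reserved names, and case-sensitive distinctness from group names) and assumes nothing beyond that.

```python
"""Validate ZyWALL/USG user names against the rules in Section 35.2.2.2.

Added example, not ZyXEL code. The reserved-name list and the case-sensitive
comparison with group names are taken from the page; nothing else is assumed.
"""
import re
from typing import Iterable, Optional

RESERVED_USER_NAMES = frozenset({
    "adm", "admin", "any", "bin", "daemon", "debug", "devicehaecived", "ftp",
    "games", "halt", "ldap-users", "lp", "mail", "news", "nobody", "operator",
    "radius-users", "root", "shutdown", "sshd", "sync", "uucp", "zyxel",
})
# 1-31 characters; first is a letter, underscore or dash; ASCII only (no unicode).
USER_NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")


def user_name_problem(name: str, group_names: Iterable[str] = ()) -> Optional[str]:
    """Return None if the name is acceptable, otherwise the reason it is not."""
    if not USER_NAME_RE.fullmatch(name):
        if not name or len(name) > 31:
            return "length must be 1-31 characters"
        if name[0].isdigit():
            return "first character cannot be a number"
        return "only letters, digits, underscores and dashes are allowed"
    if name in RESERVED_USER_NAMES:
        return "'%s' is a reserved user name" % name
    if name in set(group_names):   # names are case-sensitive, so compare exactly
        return "'%s' is already used as a user group name" % name
    return None


if __name__ == "__main__":
    groups = ["sales", "Engineering"]   # constructed existing group names
    for candidate in ["bob", "BOB", "1bob", "root", "sales", "Sales", "b" * 32, "jos\u00e9"]:
        print("%-14r %s" % (candidate, user_name_problem(candidate, groups) or "ok"))
```

Note what the case-sensitivity rule does here: 'Sales' passes while 'sales' is rejected, and 'BOB' is a separate, valid account from 'bob'. That is exactly the situation the CIFS/FTP remark above warns about, so a provisioning script should normalise case before it calls this check if the organisation expects one account per person.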
Figure 376 Configuration > Object > User/Group > User > Add
The following table describes the labels in this screen.
Table 235 Configuration > Object > User/Group > User > Add
User Name: Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different than user group names, and some words are reserved. See Section 35.2.2.2 on page 567.
User Type: Select the type of user account. The ZyWALL/USG uses these types:
• admin - this user can look at and change the configuration of the ZyWALL/USG
• limited-admin - this user can look at the configuration of the ZyWALL/USG but not change it
• user - this user has access to the ZyWALL/USG's services and can also browse user-mode commands (CLI)
• guest - this user has access to the ZyWALL/USG's services but cannot look at the configuration
• ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 564 for more information about this type.
• ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts on page 565 for more information about this type.
Password: This field is not available if you select the ext-user or ext-group-user type. Enter the password of this user account. It can consist of 4 - 31 alphanumeric characters. Four characters is the minimum the ZyWALL/USG accepts, not a recommendation; use long passwords, especially for admin and limited-admin accounts, which can log in over WWW, TELNET, SSH and the console.
Retype: This field is not available if you select the ext-user or ext-group-user type. Type the password again here to confirm it.
Group Identifier: This field is available for an ext-group-user type user account. Specify the value of the AD or LDAP server's Group Membership Attribute that identifies the group to which this user belongs.
Associated AAA Server Object: This field is available for an ext-group-user type user account. Select the AAA server to use to authenticate this account's users.
Description: Enter the description of each user, if any. You can use up to 60 printable ASCII characters. Default descriptions are provided.
Authentication Timeout Settings: If you want the system to use default settings, select Use Default Settings. If you want to set the authentication timeout to a value other than the default settings, select Use Manual Settings then fill in your preferred values in the fields that follow.
Lease Time: If you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown.
If you select Use Manual Settings, you need to enter the number of minutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically (see Section 35.2.4 on page 570), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time: If you select Use Default Settings in the Authentication Timeout Settings field, the default reauthentication time is shown.
If you select Use Manual Settings, you need to type the number of minutes this user can be logged into the ZyWALL/USG in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
Configuration Validation: Use a user account from the group specified above in Group Identifier to test if the configuration is correct. Enter the account's user name in the User Name field and click Test.
OK: Click OK to save your changes back to the ZyWALL/USG.
Cancel: Click Cancel to exit this screen without saving your changes.
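Lease Time and Reauthentication Time in Table 235 are often confused because both are "minutes until the user is logged out". The difference matters for security: a lease can be pushed forward indefinitely by renewal (including automatic renewal), while the reauthentication time is a hard cap measured from login that no renewal can extend. The model below is an added example, not ZyXEL's code; it also covers the idle detection from the User/Group Setting screen (Section 35.2.4). Times are in minutes, 0 means unlimited for lease and reauthentication time as the page states, and 0 for the idle timeout is used here to mean idle detection is off, which is an assumption of this model.

```python
"""Model the three timers that end an access user's session on the ZyWALL/USG:
lease time (renewable), reauthentication time (not renewable) and idle timeout.

Added example, not ZyXEL code. Times are minutes; 0 = unlimited for lease and
reauthentication time (as documented) and 0 = idle detection off (an assumption).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Session:
    user: str
    login_at: float
    lease_time: int            # minutes; renewable; 0 = unlimited
    reauth_time: int           # minutes; hard cap from login; 0 = unlimited
    idle_timeout: int = 0      # minutes without traffic; 0 = idle detection off
    last_renewed: float = field(init=False)
    last_traffic: float = field(init=False)

    def __post_init__(self) -> None:
        self.last_renewed = self.login_at
        self.last_traffic = self.login_at

    def status(self, now: float) -> str:
        """Return 'active' or the reason the session is over at time `now`."""
        if self.reauth_time and now >= self.login_at + self.reauth_time:
            return "reauthentication required"     # cannot be renewed away
        if self.lease_time and now >= self.last_renewed + self.lease_time:
            return "lease expired"
        if self.idle_timeout and now >= self.last_traffic + self.idle_timeout:
            return "idle timeout"
        return "active"

    def renew(self, now: float) -> bool:
        """Renew button or automatic renewal; only a live session can be renewed."""
        if self.status(now) != "active":
            return False
        self.last_renewed = now
        return True

    def traffic(self, now: float) -> bool:
        """User traffic resets idle detection and nothing else."""
        if self.status(now) != "active":
            return False
        self.last_traffic = now
        return True


def walk(session: Session, events: List[Tuple[float, str]]) -> List[Tuple[float, str]]:
    """Apply (time, 'renew'|'traffic'|'check') events in order; return status after each."""
    out = []
    for t, action in events:
        if action == "renew":
            session.renew(t)
        elif action == "traffic":
            session.traffic(t)
        out.append((t, session.status(t)))
    return out


if __name__ == "__main__":
    # Constructed scenario: lease 30 min, reauthentication 60 min, no idle detection.
    s = Session("alice", login_at=0, lease_time=30, reauth_time=60)
    for t, st in walk(s, [(25, "renew"), (40, "check"), (50, "renew"), (58, "check"), (61, "check")]):
        print("t=%3d  %s" % (t, st))
```

The walk shows the point: renewing at 25 and again at 50 keeps the lease alive past 60, yet at minute 61 the session is over because the reauthentication cap is measured from login. A long lease with automatic renewal and an unlimited reauthentication time (0) is effectively a session that never ends, which is the combination to avoid for anything but the most trusted accounts.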
35.2.3 User/Group Group Summary Screen
User groups consist of access users and other user groups. You cannot put admin users in user
groups. The Group screen provides a summary of all user groups. In addition, this screen allows
you to add, edit, and remove user groups. To access this screen, login to the Web Configurator, and
click Configuration > Object > User/Group > Group.
Figure 377 Configuration > Object > User/Group > Group
The following table describes the labels in this screen. See Section 35.2.3.1 on page 569 for more
information as well.
Table 236 Configuration > Object > User/Group > Group
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. Removing a group does not remove the user accounts in the group.
Object References: Select an entry and click Object References to open a screen that shows which settings use the entry.
#: This field is a sequential value, and it is not associated with a specific user group.
Group Name: This field displays the name of each user group.
Description: This field displays the description for each user group.
Member: This field lists the members in the user group. Each member is separated by a comma.
Reference: This displays the number of times an object reference is used in a profile.
35.2.3.1 Group Add/Edit Screen
The Group Add/Edit screen allows you to create a new user group or edit an existing one. To
access this screen, go to the Group screen (see Section 35.2.3 on page 569), and click either the
Add icon or an Edit icon.
Figure 378 Configuration > Object > User/Group > Group > Add
The following table describes the labels in this screen.
Table 237 Configuration > Object > User/Group > Group > Add
Name: Type the name for this user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User group names have to be different than user names.
Description: Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces.
Member List: The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important. Select users and groups from the Available list that you want to be members of this group and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK: Click OK to save your changes back to the ZyWALL/USG.
Cancel: Click Cancel to exit this screen without saving your changes.
35.2.4 User/Group Setting Screen
The Setting screen controls default settings, login settings, lockout settings, and other user
settings for the ZyWALL/USG. You can also use this screen to specify when users must log in to the
ZyWALL/USG before it routes traffic for them.
To access this screen, login to the Web Configurator, and click Configuration > Object > User/
Group > Setting.
Figure 379 Configuration > Object > User/Group > Setting
The following table describes the labels in this screen.
Table 238 Configuration > Object > User/Group > Setting
LABEL
DESCRIPTION
User Authentication Timeout Settings
Default Authentication
Timeout Settings
These authentication timeout settings are used by default when you create a
new user account. They also control the settings for any existing user
accounts that are set to use the default settings. You can still manually
configure any user account’s authentication timeout settings.
Edit
Double-click an entry or select it and click Edit to open a screen where you
can modify the entry’s settings.
#
This field is a sequential value, and it is not associated with a specific entry.
ZyWALL/USG Series User’s Guide
571
Chapter 35 Object
Table 238 Configuration > Object > User/Group > Setting (continued)
LABEL
User Type
DESCRIPTION
These are the kinds of user account the ZyWALL/USG supports.
•
•
•
•
•
•
Lease Time
admin - this user can look at and change the configuration of the
ZyWALL/USG
limited-admin - this user can look at the configuration of the ZyWALL/
USG but not to change it
user - this user has access to the ZyWALL/USG’s services but cannot
look at the configuration
guest - this user has access to the ZyWALL/USG’s services but cannot
look at the configuration
ext-user - this user account is maintained in a remote server, such as
RADIUS or LDAP. See Ext-User Accounts on page 564 for more
information about this type.
ext-group-user - this user account is maintained in a remote server,
such as RADIUS or LDAP. See Ext-Group-User Accounts on page 565 for
more information about this type.
This is the default lease time in minutes for each type of user account. It
defines the number of minutes the user has to renew the current session
before the user is logged out.
Admin users renew the session every time the main screen refreshes in the
Web Configurator. Access users can renew the session by clicking the
Renew button on their screen. If you allow access users to renew time
automatically (see Section 35.2.4 on page 570), the users can select this
check box on their screen as well. In this case, the session is automatically
renewed before the lease time expires.
Reauthentication Time
This is the default reauthentication time in minutes for each type of user
account. It defines the number of minutes the user can be logged into the
ZyWALL/USG in one session before having to log in again. Unlike Lease
Time, the user has no opportunity to renew the session without logging out.
Miscellaneous Settings
Allow renewing lease time
automatically
Select this check box if access users can renew lease time automatically, as
well as manually, simply by selecting the Updating lease time
automatically check box on their screen.
Enable user idle detection
This is applicable for access users.
Select this check box if you want the ZyWALL/USG to monitor how long each
access user is logged in and idle (in other words, there is no traffic for this
access user). The ZyWALL/USG automatically logs out the access user once
the User idle timeout has been reached.
User idle timeout
This is applicable for access users.
This field is effective when Enable user idle detection is checked. Type the
number of minutes each access user can be logged in and idle before the
ZyWALL/USG automatically logs out the access user.
User Logon Settings
Limit the number of simultaneous logons for administration account
Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.
Maximum number per administration account
This field is effective when Limit ... for administration account is
checked. Type the maximum number of simultaneous logins by each admin
user.
Limit the number of simultaneous logons for access account
Select this check box if you want to set a limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can log in as many times as they want as long as they use different IP addresses.
Maximum number per access account
This field is effective when Limit ... for access account is checked. Type
the maximum number of simultaneous logins by each access user.
User Lockout Settings
Enable logon retry limit
Select this check box to set a limit on the number of times each user can log in unsuccessfully (for example, wrong password) before the IP address is locked out for a specified amount of time.
Maximum retry count
This field is effective when Enable logon retry limit is checked. Type the maximum number of times each user can log in unsuccessfully before the IP address is locked out for the specified lockout period. The number must be between 1 and 99.
Lockout period
This field is effective when Enable logon retry limit is checked. Type the number of minutes the user must wait to try to log in again, if logon retry limit is enabled and the maximum retry count is reached. This number must be between 1 and 65,535 (about 45.5 days).
Apply
Click Apply to save the changes.
Reset
Click Reset to return the screen to its last-saved settings.
35.2.4.1 Default User Authentication Timeout Settings Edit Screens
The Default Authentication Timeout Settings Edit screen allows you to set the default
authentication timeout settings for the selected type of user account. These default authentication
timeout settings also control the settings for any existing user accounts that are set to use the
default settings. You can still manually configure any user account’s authentication timeout
settings.
To access this screen, go to the Configuration > Object > User/Group > Setting screen (see
Section 35.2.4 on page 570), and click one of the Default Authentication Timeout Settings
section’s Edit icons.
Figure 380 Configuration > Object > User/Group > Setting > Edit
The following table describes the labels in this screen.
Table 239 Configuration > Object > User/Group > Setting > Edit
LABEL
DESCRIPTION
User Type
This read-only field identifies the type of user account for which you are configuring the default settings.
• admin - this user can look at and change the configuration of the ZyWALL/USG.
• limited-admin - this user can look at the configuration of the ZyWALL/USG but not change it.
• user - this user has access to the ZyWALL/USG’s services but cannot look at the configuration.
• guest - this user has access to the ZyWALL/USG’s services but cannot look at the configuration.
• ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 564 for more information about this type.
• ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts on page 565 for more information about this type.
Lease Time
Enter the number of minutes this type of user account has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited.
Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically (see Section 35.2.4 on page 570), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time
Type the number of minutes this type of user account can be logged into the ZyWALL/USG in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
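As an added example, not part of this guide or of Zyxel's software, the following Python model replays the timers Tables 238 and 239 describe (lease time, reauthentication time and the idle timeout, with the Renew button and automatic renewal) against constructed scenarios, so the effect of a chosen combination of settings can be checked before it is applied; the class names, the minute-based event list and all values are my own.

```python
"""Model of the user session timers described in Tables 238 and 239.
Added example, not Zyxel code: it simulates how lease time, reauthentication
time and the access-user idle timeout interact. Class and function names are
my own, times are minutes since login, and all sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNLIMITED = 0  # Table 239: entering 0 makes a timer unlimited


@dataclass
class TimeoutPolicy:
    lease_time: int                     # 1-1440 minutes, or 0 for unlimited
    reauth_time: int                    # 1-1440 minutes, or 0 for unlimited
    idle_timeout: Optional[int] = None  # None when "Enable user idle detection" is off
    auto_renew: bool = False            # "Allow renewing lease time automatically"

    def __post_init__(self) -> None:
        for name in ("lease_time", "reauth_time"):
            value = getattr(self, name)
            if value != UNLIMITED and not 1 <= value <= 1440:
                raise ValueError(f"{name} must be 1-1440 minutes or 0 (unlimited)")


class Session:
    def __init__(self, policy: TimeoutPolicy, login_at: float = 0.0) -> None:
        self.policy = policy
        self.login_at = login_at
        self.last_traffic_at = login_at
        self.logged_out: Optional[str] = None
        self._reset_lease(login_at)

    def _reset_lease(self, now: float) -> None:
        lease = self.policy.lease_time
        self.lease_expires_at = None if lease == UNLIMITED else now + lease

    def check(self, now: float) -> Optional[str]:
        """Return None while the session is valid, otherwise the logout reason.
        The reauthentication time is a hard cap the user cannot renew, so it is
        tested first; with automatic renewal the lease never lapses on its own."""
        if self.logged_out:
            return self.logged_out
        p = self.policy
        if p.reauth_time != UNLIMITED and now >= self.login_at + p.reauth_time:
            self.logged_out = "reauthentication time reached"
        elif p.idle_timeout is not None and now - self.last_traffic_at >= p.idle_timeout:
            self.logged_out = "idle timeout"
        elif self.lease_expires_at is not None and now >= self.lease_expires_at:
            if p.auto_renew:
                self._reset_lease(now)
            else:
                self.logged_out = "lease time expired"
        return self.logged_out

    def traffic(self, now: float) -> None:
        """Traffic from the user at `now`; it only matters for idle detection."""
        if self.check(now) is None:
            self.last_traffic_at = now

    def renew(self, now: float) -> None:
        """The access user clicks Renew: the lease restarts, the reauth clock does not."""
        if self.check(now) is None:
            self._reset_lease(now)


def run(policy: TimeoutPolicy, events: List[Tuple[float, str]]) -> List[Optional[str]]:
    """Replay (minute, action) events and return the result of each 'check' in order."""
    session, results = Session(policy), []
    for when, action in events:
        if action == "traffic":
            session.traffic(when)
        elif action == "renew":
            session.renew(when)
        elif action == "check":
            results.append(session.check(when))
        else:
            raise ValueError(f"unknown action {action!r}")
    return results


def demo() -> Dict[str, List[Optional[str]]]:
    """Four constructed scenarios; the comments say what each one shows."""
    return {
        # Renewing at minute 29 carries the lease past 30, but the 60-minute
        # reauthentication time still ends the session at minute 60.
        "renewed": run(TimeoutPolicy(30, 60, idle_timeout=20),
                       [(10, "traffic"), (25, "traffic"), (29, "check"), (29, "renew"),
                        (40, "traffic"), (55, "traffic"), (58, "check"), (60, "check")]),
        # Nobody renews: the lease alone logs the user out at minute 30.
        "lapsed": run(TimeoutPolicy(30, 60), [(29, "check"), (30, "check")]),
        # Both timers unlimited (0), yet idle detection at 20 minutes still applies.
        "idle": run(TimeoutPolicy(0, 0, idle_timeout=20),
                    [(5, "traffic"), (24, "check"), (25, "check")]),
        # Automatic renewal with an unlimited reauth time: the session never ends.
        "auto": run(TimeoutPolicy(30, 0, auto_renew=True), [(100, "check"), (1000, "check")]),
    }
```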
35.2.4.2 User Aware Login Example
Access users cannot use the Web Configurator to browse the configuration of the ZyWALL/USG.
Instead, after access users log into the ZyWALL/USG, the following screen appears.
Figure 381 Web Configurator for Non-Admin Users
The following table describes the labels in this screen.
Table 240 Web Configurator for Non-Admin Users
LABEL
DESCRIPTION
User-defined lease time (max ... minutes)
Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
Renew
Access users can click this button to reset the lease time, the amount of time remaining before the ZyWALL/USG automatically logs them out. The ZyWALL/USG sets this amount of time according to the
• User-defined lease time field in this screen
• Lease time field in the User Add/Edit screen (see Section 35.2.5.1 on page 576)
• Lease time field in the Setting screen (see Section 35.2.4 on page 570)
Updating lease time automatically
This box appears if you checked the Allow renewing lease time automatically box in the Setting screen. (See Section 35.2.4 on page 570.) Access users can select this check box to reset the lease time automatically 30 seconds before it expires. Otherwise, access users have to click the Renew button to reset the lease time.
Remaining time before lease timeout
This field displays the amount of lease time that remains, though the user might be able to reset it.
Remaining time before auth. timeout
This field displays the amount of time that remains before the ZyWALL/USG automatically logs the access user out, regardless of the lease time.
35.2.5 User/Group MAC Address Summary Screen
This screen shows the MAC addresses of wireless clients, which can be authenticated by their MAC
addresses using the local user database. Click Configuration > Object > User/Group > MAC
Address to open this screen.
Note: You need to configure an SSID security profile’s MAC authentication settings to
have the AP use the ZyWALL/USG’s local database to authenticate wireless clients
by their MAC addresses.
Figure 382 Configuration > Object > User/Group > MAC Address
The following table describes the labels in this screen.
Table 241 Configuration > Object > User/Group > MAC Address
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
MAC Address/OUI
This field displays the MAC address or OUI (Organizationally Unique Identifier of computer
hardware manufacturers) of wireless clients using MAC authentication with the ZyWALL/
USG local user database.
Description
This field displays a description of the device identified by the MAC address or OUI.
35.2.5.1 MAC Address Add/Edit Screen
This screen allows you to create a new allowed device or edit an existing one. To access this screen,
go to the MAC Address screen (see Section 35.2.5 on page 575), and click either the Add icon or
an Edit icon.
Figure 383 Configuration > Object > User/Group > MAC Address > Add
The following table describes the labels in this screen.
Table 242 Configuration > Object > User/Group > MAC Address > Add
LABEL
DESCRIPTION
MAC Address/OUI
Type the MAC address (six hexadecimal number pairs separated by colons or hyphens) or
OUI (three hexadecimal number pairs separated by colons or hyphens) to identify specific
wireless clients for MAC authentication using the ZyWALL/USG local user database. The
OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of
a network device.
Description
Enter an optional description of the wireless device(s) identified by the MAC or OUI. You
can use up to 60 characters, punctuation marks, and spaces.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
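The following Python code, an added example rather than Zyxel's own, implements the MAC Address/OUI matching that Table 242 describes: an entry is a full MAC (six hex pairs) or an OUI (three hex pairs) written with colons or hyphens, and a client is admitted either by an exact entry or because its first three octets match an OUI entry; the class names and every address and description are constructed.

```python
"""Match wireless client MAC addresses against the MAC Address/OUI entries of
Table 242: a full MAC (six hex pairs) or an OUI (three hex pairs), written with
colons or hyphens, plus an optional description of up to 60 characters.
Added example, not Zyxel code; it shows how such a list resolves a client and
that an OUI entry admits every device of that manufacturer, not one device.
All addresses and descriptions below are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def normalize(value: str) -> str:
    """Return the address as upper-case, colon-separated pairs, or raise ValueError.
    Three pairs (an OUI) or six pairs (a MAC) are accepted; mixed separators are not."""
    for sep in (":", "-"):
        parts = value.strip().split(sep)
        if len(parts) in (3, 6) and all(_PAIR.fullmatch(p) for p in parts):
            return ":".join(p.upper() for p in parts)
    raise ValueError(f"not a MAC address or OUI: {value!r}")


@dataclass(frozen=True)
class Entry:
    address: str      # normalized MAC or OUI
    description: str

    @property
    def is_oui(self) -> bool:
        return self.address.count(":") == 2


class MacAuthList:
    """The local MAC authentication list: exact MACs plus manufacturer OUIs."""

    def __init__(self) -> None:
        self._macs: Dict[str, Entry] = {}
        self._ouis: Dict[str, Entry] = {}

    def add(self, address: str, description: str = "") -> Entry:
        if len(description) > 60:  # Table 242: up to 60 characters
            raise ValueError("description must be at most 60 characters")
        entry = Entry(normalize(address), description)
        table = self._ouis if entry.is_oui else self._macs
        if entry.address in table:
            raise ValueError(f"duplicate entry {entry.address}")
        table[entry.address] = entry
        return entry

    def lookup(self, client_mac: str) -> Optional[Entry]:
        """Return the entry that admits `client_mac`: exact MAC first, then its OUI
        (the first three octets, i.e. the first eight characters once normalized)."""
        mac = normalize(client_mac)
        if mac.count(":") != 5:
            raise ValueError("a client is identified by a full MAC address, not an OUI")
        return self._macs.get(mac) or self._ouis.get(mac[:8])

    def is_allowed(self, client_mac: str) -> bool:
        return self.lookup(client_mac) is not None


def demo() -> Dict[str, Optional[str]]:
    """Constructed list and clients; returns client -> matching description (or None)."""
    allowed = MacAuthList()
    allowed.add("00-11-22-33-44-55", "Lobby badge printer")    # one specific device
    allowed.add("AA:BB:CC", "Handheld scanners (vendor OUI)")   # any device with that OUI
    results = {}
    for client in ("00:11:22:33:44:55", "aa-bb-cc-01-02-03", "AA:BB:CD:01:02:03"):
        entry = allowed.lookup(client)
        results[client] = entry.description if entry else None
    return results
```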
35.2.6 User/Group Technical Reference
This section provides some information on users who use an external authentication server in order
to log in.
Setting up User Attributes in an External Server
To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the
following keywords in the user configuration file.
Table 243 LDAP/RADIUS: Keywords for User Attributes
KEYWORD
CORRESPONDING ATTRIBUTE IN WEB CONFIGURATOR
type
User Type. Possible Values: admin, limited-admin, user, guest.
leaseTime
Lease Time. Possible Values: 1-1440 (minutes).
reauthTime
Reauthentication Time. Possible Values: 1-1440 (minutes).
The following examples show you how you might set up user attributes in LDAP and RADIUS
servers.
Figure 384 LDAP Example: Keywords for User Attributes
type: admin
leaseTime: 99
reauthTime: 199
Figure 385 RADIUS Example: Keywords for User Attributes
type=user;leaseTime=222;reauthTime=222
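As an added example (my own code, not Zyxel's), this Python parser reads the Table 243 keywords in both layouts shown above, the LDAP `keyword: value` lines of Figure 384 and the `;`-separated RADIUS string of Figure 385, and rejects values outside the documented ranges; how the device itself reacts to a missing or bad attribute is not stated on this page, so that rejection is an assumption.

```python
"""Parse the user-attribute keywords of Table 243 as they appear in the LDAP
example (Figure 384: one `keyword: value` per line) and the RADIUS example
(Figure 385: `keyword=value` pairs joined by ';'), and validate them against
the documented values. Added example, not Zyxel code: the guide does not say
how the device treats a missing or out-of-range attribute, so rejecting it
here is my own choice, and all names are mine.
"""
from dataclasses import dataclass
from typing import Dict, Optional

KEYWORDS = {"type", "leaseTime", "reauthTime"}            # Table 243
USER_TYPES = {"admin", "limited-admin", "user", "guest"}  # possible values of `type`
MINUTES = range(1, 1441)                                  # leaseTime / reauthTime: 1-1440

LDAP_EXAMPLE = "type: admin\nleaseTime: 99\nreauthTime: 199\n"  # Figure 384
RADIUS_EXAMPLE = "type=user;leaseTime=222;reauthTime=222"        # Figure 385


@dataclass(frozen=True)
class UserAttributes:
    user_type: str
    lease_time: Optional[int]   # None when the server did not send leaseTime
    reauth_time: Optional[int]  # None when the server did not send reauthTime


def split_pairs(raw: str) -> Dict[str, str]:
    """Accept the LDAP or the RADIUS layout and return keyword -> value."""
    if "=" in raw and "\n" not in raw.strip():
        items, sep = raw.split(";"), "="       # RADIUS style: one line, ';'-separated
    else:
        items, sep = raw.splitlines(), ":"     # LDAP style: one attribute per line
    pairs: Dict[str, str] = {}
    for item in items:
        if not item.strip():
            continue
        if sep not in item:
            raise ValueError(f"malformed attribute {item!r}")
        key, value = (part.strip() for part in item.split(sep, 1))
        if key in pairs:
            raise ValueError(f"duplicate keyword {key!r}")
        pairs[key] = value
    return pairs


def _minutes(pairs: Dict[str, str], keyword: str) -> Optional[int]:
    """Validate an optional 1-1440 minute value."""
    if keyword not in pairs:
        return None
    value = pairs[keyword]
    if not value.isdigit() or int(value) not in MINUTES:
        raise ValueError(f"{keyword} must be 1-1440 minutes, got {value!r}")
    return int(value)


def parse_user_attributes(raw: str) -> UserAttributes:
    """Parse and validate one user's attributes; `type` is required."""
    pairs = split_pairs(raw)
    unknown = set(pairs) - KEYWORDS
    if unknown:
        raise ValueError(f"unknown keyword(s): {sorted(unknown)}")
    user_type = pairs.get("type")
    if user_type not in USER_TYPES:
        raise ValueError(f"type must be one of {sorted(USER_TYPES)}, got {user_type!r}")
    return UserAttributes(user_type, _minutes(pairs, "leaseTime"), _minutes(pairs, "reauthTime"))
```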
Creating a Large Number of Ext-User Accounts
If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead
of the Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS
server, and create a shell script that creates the user accounts.
35.3 AP Profile Overview
This section shows you how to configure preset profiles for the Access Points (APs) connected to
your ZyWALL/USG’s wireless network.
• The Radio screen (Section 35.3.1 on page 578) creates radio configurations that can be used by
the APs.
• The SSID screen (Section 35.3.2 on page 583) configures three different types of profiles for
your networked APs.
35.3.0.1 What You Need To Know
The following terms and concepts may help as you read this section.
Wireless Profiles
At the heart of all wireless AP configurations on the ZyWALL/USG are profiles. A profile represents a
group of saved settings that you can use across any number of connected APs. You can set up the
following wireless profile types:
• Radio - This profile type defines the properties of an AP’s radio transmitter. You can have a
maximum of 32 radio profiles on the ZyWALL/USG.
• SSID - This profile type defines the properties of a single wireless network signal broadcast by
an AP. Each radio on a single AP can broadcast up to 8 SSIDs. You can have a maximum of 32
SSID profiles on the ZyWALL/USG.
• Security - This profile type defines the security settings used by a single SSID. It controls the
encryption method required for a wireless client to associate itself with the SSID. You can have a
maximum of 32 security profiles on the ZyWALL/USG.
• MAC Filtering - This profile provides an additional layer of security for an SSID, allowing you to
block access or allow access to that SSID based on wireless client MAC addresses. If a client’s
MAC address is on the list, then it is either allowed or denied, depending on how you set up the
MAC Filter profile. You can have a maximum of 32 MAC filtering profiles on the ZyWALL/USG.
SSID
The SSID (Service Set IDentifier) is the name that identifies the Service Set with which a wireless
station is associated. Wireless stations associating to the access point (AP) must have the same
SSID. In other words, it is the name of the wireless network that clients use to connect to it.
WEP
WEP (Wired Equivalent Privacy) encryption scrambles all data packets transmitted between the AP
and the wireless stations associated with it in order to keep network communications private. Both
the wireless stations and the access points must use the same WEP key for data encryption and
decryption.
WPA and WPA2
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a
wireless security standard that defines stronger encryption, authentication and key management
than WPA. Key differences between WPA(2) and WEP are improved data encryption and user
authentication.
IEEE 802.1x
The IEEE 802.1x standard outlines enhanced security methods for both the authentication of
wireless stations and encryption key management. Authentication is done using an external
RADIUS server.
35.3.1 Radio Screen
This screen allows you to create radio profiles for the APs on your network. A radio profile is a list of
settings that a supported managed AP (NWA5121-N for example) can use to configure either one of
its two radio transmitters. To access this screen click Configuration > Object > AP Profile.
Note: You can have a maximum of 32 radio profiles on the ZyWALL/USG.
Figure 386 Configuration > Object > AP Profile > Radio
The following table describes the labels in this screen.
Table 244 Configuration > Object > AP Profile > Radio
LABEL
DESCRIPTION
Add
Click this to add a new radio profile.
Edit
Click this to edit the selected radio profile.
Remove
Click this to remove the selected radio profile.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Object Reference
Click this to view which other objects are linked to the selected radio profile.
#
This field is a sequential value, and it is not associated with a specific profile.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Profile Name
This field indicates the name assigned to the radio profile.
Frequency Band
This field indicates the frequency band which this radio profile is configured to use.
Channel ID
This field indicates the broadcast channel which this radio profile is configured to use.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
35.3.1.1 Add/Edit Radio Profile
This screen allows you to create a new radio profile or edit an existing one. To access this screen,
click the Add button or select a radio profile from the list and click the Edit button.
Figure 387 Configuration > Object > AP Profile > Add/Edit Radio Profile
The following table describes the labels in this screen.
Table 245 Configuration > Object > AP Profile > Add/Edit Radio Profile
LABEL
DESCRIPTION
Hide / Show Advanced Settings
Click this to hide or show the Advanced Settings in this window.
Create New Object
Select an item from this menu to create a new object of that type. Any objects created
in this way are automatically linked to this radio profile.
General Settings
Activate
Select this option to make this profile active.
Profile Name
Enter up to 31 alphanumeric characters to be used as this profile’s name. Spaces and
underscores are allowed.
802.11 Band
Select the wireless band which this radio profile should use.
2.4 GHz is the frequency used by IEEE 802.11b/g/n wireless clients.
5 GHz is the frequency used by IEEE 802.11a/n wireless clients.
Mode
Select how to let wireless clients connect to the AP.
When using the 2.4 GHz band, select b/g to let IEEE 802.11b and IEEE 802.11g
compliant WLAN devices associate with the AP.
When using the 2.4 GHz band, select b/g/n to let IEEE 802.11b, IEEE 802.11g, and
IEEE 802.11n compliant WLAN devices associate with the AP.
When using the 5 GHz band, select a to let only IEEE 802.11a compliant WLAN devices
associate with the AP.
When using the 5 GHz band, select a/n to let IEEE 802.11a and IEEE 802.11n
compliant WLAN devices associate with the AP.
Channel
Select the wireless channel which this radio profile should use.
It is recommended that you choose the channel least in use by other APs in the region
where this profile will be implemented. This will reduce the amount of interference
between wireless clients and the AP to which this profile is assigned.
Some 5 GHz channels include the label indoor use only. These are for use with an
indoor AP only. Do not use them with an outdoor AP.
Advanced Settings
Channel Width
Select the channel bandwidth you want to use for your wireless network.
Select Auto to allow the ZyWALL/USG to adjust the channel bandwidth to 40 MHz or
20 MHz depending on network conditions.
Select 20 MHz if you want to lessen radio interference with other wireless devices in
your neighborhood.
Guard Interval
Set the guard interval for this radio profile to either short or long.
The guard interval is the gap introduced between data transmission from users in order
to reduce interference. Reducing the interval increases data transfer rates but also
increases interference. Increasing the interval reduces data transfer rates but also
reduces interference.
Enable A-MPDU Aggregation
Select this to enable A-MPDU aggregation.
A-MPDU Limit
Enter the maximum frame size to be aggregated.
Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with
their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful
for increasing bandwidth throughput in environments that are prone to high error
rates.
A-MPDU Subframe
Enter the maximum number of frames to be aggregated each time.
Enable A-MSDU Aggregation
Select this to enable A-MSDU aggregation.
A-MSDU Limit
Enter the maximum frame size to be aggregated.
MAC Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header. This method is useful for increasing bandwidth throughput. It is also more efficient than A-MPDU except in environments that are prone to high error rates.
Disable-Channel Switch for DFS
This field is available when you select 5G in the 802.11 Band field.
DFS (dynamic frequency selection) allows an AP to detect other devices in the same channel. If there is another device using the same channel, the AP changes to a different channel, so that it can avoid interference with radar systems or other wireless networks.
Select this option to disable DFS on the AP.
RTS/CTS Threshold
Use RTS/CTS to reduce data collisions on the wireless network if you have wireless
clients that are associated with the same AP but out of range of one another. When
enabled, a wireless client sends an RTS (Request To Send) and then waits for a CTS
(Clear To Send) before it transmits. This stops wireless clients from transmitting
packets at the same time (and causing data collisions).
A wireless client sends an RTS for all packets larger than the number (of bytes) that
you enter here. Set the RTS/CTS equal to or higher than the fragmentation threshold
to turn RTS/CTS off.
Beacon Interval
When a wirelessly networked device sends a beacon, it includes with it a beacon
interval. This specifies the time period before the device sends the beacon again. The
interval tells receiving devices on the network how long they can wait in low-power
mode before waking up to handle the beacon. A high value helps save current
consumption of the access point.
DTIM
Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and
multicast packets are transmitted to mobile clients in the Active Power Management
mode. A high DTIM value can cause clients to lose connectivity with the network. This
value can be set from 1 to 255.
Output Power
Set the output power of the AP in this field. If there is a high density of APs in an area,
decrease the output power of the NWA5160N to reduce interference with other APs.
Select one of the following: 100%, 50%, 25%, or 12.5%. See the product
specifications for more information on your ZyWALL/USG’s output power.
Note: Reducing the output power also reduces the ZyWALL/USG’s effective broadcast
radius.
Enable Signal Threshold
Select the check box to use the signal threshold to ensure wireless clients receive good
throughput. This allows only wireless clients with a strong signal to connect to the AP.
Clear the check box to not require wireless clients to have a minimum signal strength
to connect to the AP.
Station Signal Threshold
Set a minimum client signal strength. A wireless client is allowed to connect to the AP
only when its signal strength is stronger than the specified threshold.
-20 dBm is the strongest signal you can require and -76 is the weakest.
Disassociate Station Threshold
Set a minimum kick-off signal strength. When a wireless client’s signal strength is
lower than the specified threshold, the ZyWALL/USG disconnects the wireless client
from the AP.
-20 dBm is the strongest signal you can require and -90 is the weakest.
Allow Station Connection after Multiple Retries
Select this option to allow a wireless client to try to associate with the AP again after it
is disconnected due to weak signal strength.
Station Retry Count
Set the maximum number of times a wireless client can attempt to re-connect to the
AP.
Rate Configuration
This section controls the data rates permitted for clients.
For each Rate, select a rate option from its list. The rates are:
• Basic Rate (Mbps) - Set the basic rate configuration in Mbps.
• Support Rate (Mbps) - Set the support rate configuration in Mbps.
• MCS Rate - Set the MCS rate configuration. IEEE 802.11n supports many different data rates which are called MCS rates. MCS stands for Modulation and Coding Scheme. This is an 802.11n feature that increases the wireless network performance in terms of throughput.
Multicast Settings
Use this section to set a transmission mode and maximum rate for multicast traffic.
Transmission Mode
Set how the AP handles multicast traffic.
Select Multicast to Unicast to broadcast wireless multicast traffic to all of the wireless clients as unicast traffic. Unicast traffic dynamically changes the data rate based on the application’s bandwidth requirements. The retransmit mechanism of unicast traffic provides more reliable transmission of the multicast traffic, although it also produces duplicate packets.
Select Fixed Multicast Rate to send wireless multicast traffic at a single data rate. You must know the multicast application’s bandwidth requirements and set it in the following field.
Multicast Rate (Mbps)
If you set the multicast transmission mode to fixed multicast rate, set the data rate for multicast traffic here. For example, to deploy 4 Mbps video, select a fixed multicast rate higher than 4 Mbps.
MBSSID Settings
This section allows you to associate an SSID profile with the radio profile.
Edit
Select an SSID and click this button to reassign it. The selected SSID becomes editable immediately upon clicking.
SSID Profile
Indicates which SSID profile is associated with this radio profile.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.3.2 SSID Screen
The SSID screens allow you to configure three different types of profiles for your networked APs: an
SSID list, which can assign specific SSID configurations to your APs; a security list, which can
assign specific encryption methods to the APs when allowing wireless clients to connect to them;
and a MAC filter list, which can limit connections to an AP based on wireless clients’ MAC addresses.
35.3.2.1 SSID List
This screen allows you to create and manage SSID configurations that can be used by the APs. An
SSID, or Service Set IDentifier, is basically the name of the wireless network to which a wireless
client can connect. The SSID appears as readable text to any device capable of scanning for
wireless frequencies (such as the WiFi adapter in a laptop), and is displayed as the wireless network
name when a person makes a connection to it.
To access this screen click Configuration > Object > AP Profile > SSID.
Note: You can have a maximum of 32 SSID profiles on the ZyWALL/USG.
Figure 388 Configuration > Object > AP Profile > SSID List
The following table describes the labels in this screen.
Table 246 Configuration > Object > AP Profile > SSID List
LABEL
DESCRIPTION
Add
Click this to add a new SSID profile.
Edit
Click this to edit the selected SSID profile.
Remove
Click this to remove the selected SSID profile.
Object Reference
Click this to view which other objects are linked to the selected SSID profile (for example,
radio profile).
#
This field is a sequential value, and it is not associated with a specific profile.
Profile Name
This field indicates the name assigned to the SSID profile.
SSID
This field indicates the SSID name as it appears to wireless clients.
Security Profile
This field indicates which (if any) security profile is associated with the SSID profile.
QoS
This field indicates the QoS type associated with the SSID profile.
MAC Filtering Profile
This field indicates which (if any) MAC Filter Profile is associated with the SSID profile.
VLAN ID
This field indicates the VLAN ID associated with the SSID profile.
35.3.2.2 Add/Edit SSID Profile
This screen allows you to create a new SSID profile or edit an existing one. To access this screen,
click the Add button or select an SSID profile from the list and click the Edit button.
Figure 389 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile
The following table describes the labels in this screen.
Table 247 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile
LABEL
DESCRIPTION
Create new Object
Select an object type from the list to create a new one associated with this SSID profile.
Profile Name
Enter up to 31 alphanumeric characters for the profile name. This name is only visible in
the Web Configurator and is only for management purposes. Spaces and underscores are
allowed.
SSID
Enter the SSID name for this profile. This is the name visible on the network to wireless
clients. Enter up to 32 characters; spaces and underscores are allowed.
Security Profile
Select a security profile from this list to associate with this SSID. If none exist, you can use
the Create new Object menu to create one.
Note: It is highly recommended that you create security profiles for all of your SSIDs to
enhance your network security.
MAC Filtering Profile
Select a MAC filtering profile from the list to associate with this SSID. If none exist, you can
use the Create new Object menu to create one.
MAC filtering allows you to limit the wireless clients connecting to your network through a
particular SSID by wireless client MAC addresses. Any clients that have MAC addresses not
in the MAC filtering profile of allowed addresses are denied connections.
The disable setting means no MAC filtering is used.
QoS
Select a Quality of Service (QoS) access category to associate with this SSID. Access
categories minimize the delay of data packets across a wireless network. Certain
categories, such as video or voice, are given a higher priority due to the time sensitive
nature of their data packets.
QoS access categories are as follows:
disable: Turns off QoS for this SSID. All data packets are treated equally and not tagged
with access categories.
WMM: Enables automatic tagging of data packets. The ZyWALL/USG assigns access
categories to the SSID by examining data as it passes through it and making a best guess
effort. If something looks like video traffic, for instance, it is tagged as such.
WMM_VOICE: All wireless traffic to the SSID is tagged as voice data. This is
recommended if an SSID is used for activities like placing and receiving VoIP phone calls.
WMM_VIDEO: All wireless traffic to the SSID is tagged as video data. This is
recommended for activities like video conferencing.
WMM_BEST_EFFORT: All wireless traffic to the SSID is tagged as “best effort,” meaning
the data travels the best route it can without displacing higher priority traffic. This is good
for activities that do not require the best bandwidth throughput, such as surfing the
Internet.
WMM_BACKGROUND: All wireless traffic to the SSID is tagged as low priority or
“background traffic”, meaning all other access categories take precedence over this one. If
traffic from an SSID does not have strict throughput requirements, then this access
category is recommended. For example, an SSID that only has network printers connected
to it.
Rate Limiting (Per Station Traffic Rate)
Define the maximum incoming and outgoing transmission data rate per wireless station.
Downlink:
Define the maximum incoming transmission data rate (either in mbps or kbps) on a per-station basis.
Uplink:
Define the maximum outgoing transmission data rate (either in mbps or kbps) on a per-station basis.
Band Select:
To improve network performance and avoid interference in the 2.4 GHz frequency band,
you can enable this feature to use the 5 GHz band first. You should set 2.4 GHz and 5 GHz
radio profiles to use the same SSID and security settings.
Select standard to have the AP try to connect the wireless clients to the same SSID using
the 5 GHz band. Connections to an SSID using the 2.4 GHz band are still allowed.
Otherwise, select disable to turn off this feature.
VLAN ID
Enter the VLAN ID that will be used to tag all traffic originating from this SSID if the VLAN
is different from the native VLAN.
Hidden SSID
Select this if you want to “hide” your SSID from wireless clients. This tells any wireless
clients in the vicinity of the AP using this SSID profile not to display its SSID name as a
potential connection. Not all wireless clients respect this flag and display it anyway.
When an SSID is “hidden” and a wireless client cannot see it, the only way you can connect
to the SSID is by manually entering the SSID name in your wireless connection setup
screen(s) (these vary by client, client connectivity software, and operating system).
Enable Intra-BSS Traffic Blocking
Select this option to prevent crossover traffic from within the same SSID.
Local VAP
Setting
This part of the screen only applies to ZyWALL/USG models that have built-in wireless
functionality (AP) - see Table 1 on page 21.
ZyWALL/USG Series User’s Guide
586
Chapter 35 Object
Table 247 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile (continued)
LABEL
DESCRIPTION
VLAN Support
Select On to have the ZyWALL/USG assign the VLAN ID listed in the top part of the screen
to the built-in AP.
Select Off to have the ZyWALL/USG ignore the VLAN ID listed in the top part of the screen.
Select an Outgoing Interface to have the ZyWALL/USG assign an IP address in the same
subnet as the selected interface to the built-in AP.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.3.2.3 Security List
This screen allows you to manage wireless security configurations that can be used by your SSIDs.
Wireless security is implemented strictly between the AP broadcasting the SSID and the stations
that are connected to it.
To access this screen click Configuration > Object > AP Profile > SSID > Security List.
Note: You can have a maximum of 32 security profiles on the ZyWALL/USG.
Figure 390 Configuration > Object > AP Profile > SSID > Security List
The following table describes the labels in this screen.
Table 248 Configuration > Object > AP Profile > SSID > Security List
LABEL
DESCRIPTION
Add
Click this to add a new security profile.
Edit
Click this to edit the selected security profile.
Remove
Click this to remove the selected security profile.
Object Reference
Click this to view which other objects are linked to the selected security profile (for
example, SSID profile).
#
This field is a sequential value, and it is not associated with a specific profile.
Profile Name
This field indicates the name assigned to the security profile.
Security Mode
This field indicates this profile’s security mode (if any).
35.3.2.3.1 Add/Edit Security Profile
This screen allows you to create a new security profile or edit an existing one. To access this screen,
click the Add button or select a security profile from the list and click the Edit button.
Note: This screen’s options change based on the Security Mode selected. Only the
default screen is displayed here.
Figure 391 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile
The following table describes the labels in this screen.
Table 249 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile
LABEL
DESCRIPTION
Profile Name
Enter up to 31 alphanumeric characters for the profile name. This name is only visible in
the Web Configurator and is only for management purposes. Spaces and underscores
are allowed.
Security Mode
Select a security mode from the list: wep, wpa, wpa2, or wpa2-mix. WEP is cryptographically
broken and its key can be recovered from captured traffic, so use it only for legacy devices
that support nothing else, on an isolated SSID. wpa2-mix accepts both WPA and WPA2 clients;
prefer wpa2 wherever the clients allow it.
Radius Server Type
Select Internal to use the ZyWALL/USG’s internal authentication database, or External
to use an external RADIUS server for authentication.
Primary /
Secondary Radius
Server Activate
Select this to have the ZyWALL/USG use the specified RADIUS server.
Radius Server IP
Address
Enter the IP address of the RADIUS server to be used for authentication.
Radius Server Port
Enter the port number of the RADIUS server to be used for authentication.
Radius Server
Secret
Enter the shared secret password of the RADIUS server to be used for authentication.
MAC Authentication
Select this to use an external server or the ZyWALL/USG’s local database to
authenticate wireless clients by their MAC addresses. Users cannot get an IP address if
the MAC authentication fails.
An external server can use the wireless client’s account (username/password) or Calling
Station ID for MAC authentication. Configure the ones the external server uses.
Delimiter (Account)
Select the separator the external server uses for the two-character pairs within account
MAC addresses.
Case (Account)
Select the case (upper or lower) the external server requires for letters in the account
MAC addresses.
Delimiter (Calling Station ID)
RADIUS servers can require the MAC address in the Calling Station ID RADIUS attribute.
Select the separator the external server uses for the pairs in calling station MAC
addresses.
Case (Calling Station ID)
Select the case (upper or lower) the external server requires for letters in the calling
station MAC addresses.
802.1X
Select this to enable 802.1x secure authentication.
Auth. Method
This field is available only when you set the RADIUS server type to Internal.
Select an authentication method if you have created any in the Configuration >
Object > Auth. Method screen.
Reauthentication Timer
Enter the interval (in seconds) between authentication requests. Enter a 0 for unlimited
requests.
The following fields are available if you set Security Mode to wep.
Idle Timeout
Enter the idle interval (in seconds) that a client can be idle before authentication is
discontinued.
Authentication Type
Select a WEP authentication method. Choices are Open or Shared Key. Shared Key hands an
eavesdropper a known challenge together with its encrypted response, which reveals
keystream and makes key recovery easier, so Open is the less weak choice even with WEP.
Key Length
Select the bit-length of the encryption key to be used in WEP connections.
Key 1~4
Based on your Key Length selection, enter the appropriate length hexadecimal or
ASCII key.
If you select WEP-64:
• Enter 10 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example,
0x11AA22BB33) for each Key used.
or
• Enter 5 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for
example, MyKey) for each Key used.
If you select WEP-128:
• Enter 26 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example,
0x00112233445566778899AABBCC) for each Key used.
or
• Enter 13 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for
example, MyKey12345678) for each Key used.
The following fields are available if you set Security Mode to wpa, wpa2 or wpa2-mix.
PSK
Select this option to use a Pre-Shared Key with WPA encryption.
Pre-Shared Key
Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including
spaces and symbols) or 64 hexadecimal characters. The 64-hexadecimal form is the 256-bit
key itself; an ASCII passphrase is stretched into that key together with the SSID, so a
short or dictionary passphrase can be guessed offline by anyone who captures a single
client’s handshake. Use a long, random passphrase.
Cipher Type
Select an encryption cipher type from the list.
• auto - This automatically chooses the best available cipher based on the cipher in
use by the wireless client that is attempting to make a connection.
• tkip - This is the Temporal Key Integrity Protocol, a stopgap designed to run on
WEP-era hardware. It is deprecated and has known weaknesses; select it only for clients
that cannot use AES. Not all wireless clients may support this.
• aes - This is the Advanced Encryption Standard encryption method (CCMP). It is a more
recent development over TKIP, considerably more robust, and the cipher WPA2 requires.
Not all wireless clients may support this.
Idle Timeout
Enter the idle interval (in seconds) that a client can be idle before authentication is
discontinued.
Group Key Update
Timer
Enter the interval (in seconds) at which the AP updates the group WPA encryption key.
Pre-Authentication
This field is available only when you set Security Mode to wpa2 or wpa2-mix and
enable 802.1x authentication.
Enable or Disable pre-authentication to allow the AP to send authentication
information to other APs on the network, allowing connected wireless clients to switch
APs without having to re-authenticate their network connection.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
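The key formats in the table above (WEP-64 and WEP-128 keys in hex or ASCII, and the two forms of WPA pre-shared key) are easy to get wrong when keys are generated or audited outside the Web Configurator. The following Python is an added example, not ZyXEL code: it checks each format as the table describes it and shows what the 64-hexadecimal PSK form really is, namely the 256-bit Pairwise Master Key that an ASCII passphrase is otherwise stretched into with PBKDF2-HMAC-SHA1 (4096 iterations, salted with the SSID, per IEEE 802.11i). The function names and return values are this example's own assumptions.

```python
"""Added example (not ZyXEL code): key-format checks for the Add/Edit
Security Profile screen and the WPA passphrase-to-PMK derivation.

Function names and return values are assumptions made for this example.
"""
import hashlib
import string

HEX = set(string.hexdigits)
WEP_ASCII = set(string.ascii_letters + string.digits)

# (hex digits, ASCII characters) the screen accepts for each WEP key length.
WEP_LENGTHS = {"WEP-64": (10, 5), "WEP-128": (26, 13)}


def check_wep_key(key_length: str, key: str) -> str:
    """Return 'hex' or 'ascii' for a valid WEP key, else raise ValueError.

    A leading 0x marks a hex key, as in the screen's own examples
    (0x11AA22BB33); anything else is treated as an ASCII key.
    """
    hex_len, ascii_len = WEP_LENGTHS[key_length]
    if key.startswith(("0x", "0X")):
        body = key[2:]
        if len(body) == hex_len and set(body) <= HEX:
            return "hex"
        raise ValueError(f"{key_length} hex key needs exactly {hex_len} hex digits")
    if len(key) == ascii_len and set(key) <= WEP_ASCII:
        return "ascii"
    raise ValueError(f"{key_length} ASCII key needs exactly {ascii_len} characters "
                     "from a-z, A-Z, 0-9")


def check_wpa_psk(psk: str) -> str:
    """Return 'passphrase' (8-63 printable ASCII) or 'pmk' (64 hex digits)."""
    if len(psk) == 64 and set(psk) <= HEX:
        return "pmk"
    if 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk):
        return "passphrase"
    raise ValueError("PSK must be 8-63 ASCII characters or 64 hex digits")


def wpa_pmk(psk: str, ssid: str) -> bytes:
    """Pairwise Master Key for a WPA/WPA2-Personal network.

    A 64-hex-digit PSK *is* the 256-bit PMK. A passphrase is stretched into
    the PMK with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID
    (IEEE 802.11i). The SSID is therefore part of the key: the same
    passphrase on two SSIDs gives two different PMKs.
    """
    if check_wpa_psk(psk) == "pmk":
        return bytes.fromhex(psk)
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    print(check_wep_key("WEP-64", "0x11AA22BB33"))
    print(check_wep_key("WEP-128", "MyKey12345678"))
    print(wpa_pmk("password", "IEEE").hex())
```

Because the derivation is public and cheap (4096 SHA-1 iterations per guess), the only thing standing between a captured four-way handshake and the PMK is passphrase entropy; that is the reason for the "long, random passphrase" advice in the table.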
35.3.2.4 MAC Filter List
This screen allows you to create and manage MAC filtering profiles, lists of wireless client MAC
addresses that an SSID either allows or denies. A MAC address is sent in the clear in every frame
and can be copied by any station within range, so treat MAC filtering as a convenience control and
not as a substitute for WPA2 encryption or 802.1X. To access this screen click Configuration >
Object > AP Profile > SSID > MAC Filter List.
Note: You can have a maximum of 32 MAC filtering profiles on the ZyWALL/USG.
Figure 392 Configuration > Object > AP Profile > SSID > MAC Filter List
The following table describes the labels in this screen.
Table 250 Configuration > Object > AP Profile > SSID > MAC Filter List
LABEL
DESCRIPTION
Add
Click this to add a new MAC filtering profile.
Edit
Click this to edit the selected MAC filtering profile.
Remove
Click this to remove the selected MAC filtering profile.
Object Reference
Click this to view which other objects are linked to the selected MAC filtering profile (for
example, SSID profile).
#
This field is a sequential value, and it is not associated with a specific profile.
Profile Name
This field indicates the name assigned to the MAC filtering profile.
Filter Action
This field indicates this profile’s filter action (if any).
35.3.2.4.1 Add/Edit MAC Filter Profile
This screen allows you to create a new MAC filtering profile or edit an existing one. To access this
screen, click the Add button or select a MAC filter profile from the list and click the Edit button.
Figure 393 SSID > MAC Filter List > Add/Edit MAC Filter Profile
The following table describes the labels in this screen.
Table 251 SSID > MAC Filter List > Add/Edit MAC Filter Profile
LABEL
DESCRIPTION
Profile Name
Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the
Web Configurator and is only for management purposes. Spaces and underscores are
allowed.
Filter Action
Select allow to permit the wireless client with the MAC addresses in this profile to connect to
the network through the associated SSID; select deny to block the wireless clients with the
specified MAC addresses.
Add
Click this to add a MAC address to the profile’s list.
Edit
Click this to edit the selected MAC address in the profile’s list.
Remove
Click this to remove the selected MAC address from the profile’s list.
#
This field is a sequential value, and it is not associated with a specific profile.
MAC Address
This field specifies a MAC address associated with this profile.
Description
This field displays a description for the MAC address associated with this profile. You can click
the description to make it editable. Enter up to 60 characters, spaces and underscores
allowed.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
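Both the MAC Authentication fields of the security profile (Delimiter and Case for the account and the Calling Station ID) and the MAC filter profile above depend on one detail the screens do not spell out: a MAC address can be written several ways, and a comparison that does not normalise it can silently fail (RADIUS rejects every client) or silently pass the wrong client. The following Python is an added example, not ZyXEL code, that renders a MAC in the format an external RADIUS server expects for each Delimiter/Case setting and evaluates an allow or deny MAC filter profile over normalised addresses. The function names, the use of the MAC as User-Password (a common RADIUS MAC-authentication convention, assumed here) and the sample addresses are this example's own.

```python
"""Added example (not ZyXEL code): MAC address formatting for RADIUS MAC
authentication and allow/deny evaluation for a MAC filter profile.

Names and sample data are assumptions made for this example.
"""
import re

_NOT_HEX = re.compile(r"[^0-9a-f]")


def canonical_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits.

    Accepts 12:34:56:78:90:ab, 12-34-56-78-90-AB, 1234.5678.90ab and
    1234567890ab. Raises ValueError for anything that is not 48 bits.
    """
    digits = _NOT_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac: str, delimiter: str = ":", upper: bool = False) -> str:
    """Render a MAC the way the external server is configured to expect it.

    delimiter: ':' or '-' (pairs), '.' (groups of four) or '' (no separator),
    matching the screen's Delimiter choices; upper mirrors the Case choice.
    """
    digits = canonical_mac(mac)
    if delimiter == ".":
        groups = [digits[i:i + 4] for i in range(0, 12, 4)]
    elif delimiter == "":
        groups = [digits]
    else:
        groups = [digits[i:i + 2] for i in range(0, 12, 2)]
    text = delimiter.join(groups)
    return text.upper() if upper else text


def radius_mac_auth_attributes(mac: str, account_delim: str, account_upper: bool,
                               csid_delim: str, csid_upper: bool) -> dict:
    """Attributes an AP sends for MAC authentication: the MAC as the account
    name (and, by the assumed convention, as the password) plus the MAC in
    Calling-Station-Id, each in the server's configured format."""
    account = format_mac(mac, account_delim, account_upper)
    return {
        "User-Name": account,
        "User-Password": account,
        "Calling-Station-Id": format_mac(mac, csid_delim, csid_upper),
    }


class MacFilterProfile:
    """A MAC filter profile: 'allow' admits only listed MACs, 'deny' blocks them."""

    def __init__(self, action: str, macs):
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        self.action = action
        self.macs = {canonical_mac(m) for m in macs}   # normalised once, at load

    def permits(self, client_mac: str) -> bool:
        listed = canonical_mac(client_mac) in self.macs
        return listed if self.action == "allow" else not listed


if __name__ == "__main__":
    print(radius_mac_auth_attributes("12:34:56:78:90:ab", "", True, "-", True))
    guest = MacFilterProfile("deny", ["AB:CD:EF:12:34:56"])
    print(guest.permits("abcd.ef12.3456"), guest.permits("12:34:56:78:90:AB"))
```

Normalising at both ends (when the list is loaded and when a client is checked) is what makes the deny list in the example catch `abcd.ef12.3456` even though it was entered as `AB:CD:EF:12:34:56`.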
35.4 MON Profile
35.4.1 Overview
This screen allows you to set up monitor mode configurations that allow your connected APs to scan
for other wireless devices in the vicinity. Once detected, you can use the MON Mode screen
(Section 8.4 on page 166) to classify them as either rogue or friendly and then manage them
accordingly.
35.4.1.1 What You Can Do in this Chapter
The MON Profile screen (Section 35.4.2 on page 592) creates preset monitor mode configurations
that can be used by the APs.
35.4.1.2 What You Need To Know
The following terms and concepts may help as you read this chapter.
Active Scan
An active scan is performed when an 802.11-compatible wireless monitoring device is explicitly
triggered to scan a specified channel or number of channels for other wireless devices broadcasting
on the 802.11 frequencies by sending probe request frames.
Passive Scan
A passive scan is performed when an 802.11-compatible monitoring device is set to periodically
listen to a specified channel or number of channels for other wireless devices broadcasting on the
802.11 frequencies.
35.4.2 MON Profile
This screen allows you to create monitor mode configurations that can be used by the APs. To
access this screen, login to the Web Configurator, and click Configuration > Object > MON
Profile.
Figure 394 Configuration > Object > MON Profile
The following table describes the labels in this screen.
Table 252 Configuration > Object > MON Profile
LABEL
DESCRIPTION
Add
Click this to add a new monitor mode profile.
Edit
Click this to edit the selected monitor mode profile.
Remove
Click this to remove the selected monitor mode profile.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Object Reference
Click this to view which other objects are linked to the selected monitor mode profile (for
example, an AP management profile).
#
This field is a sequential value, and it is not associated with a specific profile.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Profile Name
This field indicates the name assigned to the monitor profile.
Apply
Click Apply to save your changes back to the ZyWALL/USG.
Reset
Click Reset to return the screen to its last-saved settings.
35.4.2.1 Add/Edit MON Profile
This screen allows you to create a new monitor mode profile or edit an existing one. To access this
screen, click the Add button or select an existing monitor mode profile and click the Edit button.
Figure 395 Configuration > Object > MON Profile > Add/Edit MON Profile
The following table describes the labels in this screen.
Table 253 Configuration > Object > MON Profile > Add/Edit MON Profile
LABEL
DESCRIPTION
Activate
Select this to activate this monitor mode profile.
Profile Name
This field indicates the name assigned to the monitor mode profile.
Channel dwell time
Enter the interval (in milliseconds) before the AP switches to another channel for
monitoring.
Scan Channel Mode
Select auto to have the AP switch to the next sequential channel once the Channel
dwell time expires.
Select manual to set specific channels through which to cycle sequentially when the
Channel dwell time expires. Selecting this option makes the Scan Channel List
options available.
Set Scan Channel
List (2.4 GHz)
Move a channel from the Available channels column to the Channels selected
column to have the APs using this profile scan that channel when Scan Channel Mode
is set to manual.
These channels are limited to the 2.4 GHz range (802.11 b/g/n).
Set Scan Channel
List (5 GHz)
Move a channel from the Available channels column to the Channels selected
column to have the APs using this profile scan that channel when Scan Channel Mode
is set to manual.
These channels are limited to the 5 GHz range (802.11 a/n).
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.4.3 Technical Reference
The following section contains additional technical information about the features described in this
chapter.
Rogue APs
Rogue APs are wireless access points operating in a network’s coverage area that are not under the
control of the network’s administrators, and can open up holes in a network’s security. Attackers
can take advantage of a rogue AP’s weaker (or non-existent) security to gain access to the network,
or set up their own rogue APs in order to capture information from wireless clients. If a scan reveals
a rogue AP, you can use commercially-available software to physically locate it.
Figure 396 Rogue AP Example (A: employee’s notebook; RG: rogue AP; X: attacker; B: legitimate
wireless network; C: file server)
In the example above, a corporate network’s security is compromised by a rogue AP (RG) set up by
an employee at his workstation in order to allow him to connect his notebook computer wirelessly
(A). The company’s legitimate wireless network (the dashed ellipse B) is well-secured, but the
rogue AP uses inferior security that is easily broken by an attacker (X) running readily available
encryption-cracking software. In this example, the attacker now has access to the company
network, including sensitive data stored on the file server (C).
Friendly APs
If you have more than one AP in your wireless network, you should also configure a list of “friendly”
APs. Friendly APs are other wireless access points that are detected in your network, as well as any
others that you know are not a threat (those from recognized networks, for example). It is
recommended that you export (save) your list of friendly APs often, especially if you have a
network with a large number of access points.
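The MON Mode screen leaves the rogue-or-friendly decision to the administrator. When a site has more than a handful of APs it helps to write the decision down as rules and run them over every scan, keeping the friendly list as a plain, exportable file as the paragraph above recommends. The following Python is an added example, not ZyXEL code: the scan records, the friendly list and the corporate SSID names are constructed for the example, and the rule set (friendly list first, then the two rogue patterns worth an alert: an unknown radio advertising a corporate SSID, and an open or WEP AP in the coverage area, which is the scenario in the rogue AP example) is this example's own, not the ZyWALL/USG's classification logic.

```python
"""Added example (not ZyXEL code): rule-based rogue/friendly triage over a
monitor-mode scan. Scan data, lists and rules are constructed assumptions.
"""
from dataclasses import dataclass

# The security the rogue AP example above calls "inferior": none, or WEP.
WEAK_SECURITY = {"open", "wep"}


@dataclass(frozen=True)
class SeenAP:
    bssid: str
    ssid: str
    channel: int
    security: str   # "open", "wep", "wpa" or "wpa2"
    rssi: int       # dBm as reported by the scanning AP


def classify(ap: SeenAP, friendly_bssids: set, corporate_ssids: set) -> tuple:
    """Return (verdict, reason) for one detected AP.

    Order matters: a BSSID on the friendly list is trusted outright; an
    unknown BSSID advertising one of our SSIDs is flagged before anything
    else (evil twin or misconfigured AP); open/WEP in our coverage area is
    the employee-rogue case; everything else is 'unknown' for manual triage
    and, if it is a neighbour, promotion to the friendly list.
    """
    bssid = ap.bssid.lower()
    if bssid in friendly_bssids:
        return "friendly", "bssid on friendly list"
    if ap.ssid in corporate_ssids:
        return "rogue", f"unknown BSSID advertises corporate SSID {ap.ssid!r}"
    if ap.security in WEAK_SECURITY:
        return "rogue", f"{ap.security} security in coverage area"
    return "unknown", "not on friendly list; review"


def triage(scan, friendly_bssids, corporate_ssids):
    """Classify a whole scan, strongest signal first, so the APs most likely
    to be physically on the premises come out at the top."""
    friendly = {b.lower() for b in friendly_bssids}
    corporate = set(corporate_ssids)
    ordered = sorted(scan, key=lambda a: a.rssi, reverse=True)
    return [(ap.bssid, *classify(ap, friendly, corporate)) for ap in ordered]


def export_friendly(friendly_bssids) -> str:
    """The 'export (save) your list of friendly APs' step: one lowercase
    BSSID per line, sorted, so that successive exports diff cleanly."""
    return "\n".join(sorted(b.lower() for b in friendly_bssids)) + "\n"


# Constructed scan result (not real data).
SCAN = [
    SeenAP("00:11:22:33:44:55", "CorpWiFi", 6, "wpa2", -40),    # our own AP
    SeenAP("66:77:88:99:aa:bb", "CorpWiFi", 11, "wpa2", -55),   # evil twin
    SeenAP("de:ad:be:ef:00:01", "linksys", 1, "open", -62),     # employee's AP (RG)
    SeenAP("c0:ff:ee:c0:ff:ee", "Cafe-Guest", 36, "wpa2", -85),  # neighbour
]
FRIENDLY = {"00:11:22:33:44:55"}
CORPORATE_SSIDS = {"CorpWiFi"}

if __name__ == "__main__":
    for bssid, verdict, reason in triage(SCAN, FRIENDLY, CORPORATE_SSIDS):
        print(f"{bssid}  {verdict:8}  {reason}")
    print(export_friendly(FRIENDLY), end="")
```

The evil-twin rule is the one to keep strict: a second BSSID announcing your SSID with matching security will attract your own clients, whereas an open neighbour AP is usually a false positive that belongs on the friendly list after a look at its location.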
35.5 Application
Go to Configuration > Licensing > Signature Update > IDP/AppPatrol to check that you
have the latest IDP and App Patrol signatures. These signatures are available to create application
objects in Configuration > Object > Application > Application. Categories of applications
include (at the time of writing):
Table 254 Categories of Applications
• Instant Messaging
• P2P
• File Transfer
• Streaming Media
• Mail and Collaboration
• Voice over IP
• Database
• Games
• Network Management
• Remote Access Terminals
• Bypass Proxies and Tunnels
• Web
• Security Update
• Web IM
• TCP/UDP traffic
• Business
• Network Protocols
• Mobile
• Private Protocol
• Social Network
The following figure shows the types of categories currently supported (A) and the associated
signatures for each category (B).
Figure 397 Application Categories and Associated Signatures
• Use the Application screen (Section on page 597) to create application objects that can be
used in App Patrol profiles.
• Use the Application Group screen (Section 35.5.2 on page 601) to group application objects as
an individual object that can be used in App Patrol profiles.
The Application screen allows you to create application objects consisting of service signatures as
well as view license and signature information. To access this screen click Configuration > Object
> Application > Application.
Figure 398 Configuration > Object > Application > Application
The following table describes the labels in this screen.
Table 255 Configuration > Object > Application > Application
LABEL
DESCRIPTION
Configuration
Add
Click this to add a new application object.
Edit
Click this to edit the selected application object.
Remove
Click this to remove the selected application object.
Object
Reference
Click this to view which other objects are linked to the selected application object.
Clone
Use Clone to create a new entry by modifying an existing one.
• Select an existing entry.
• Click Clone.
• A configuration copy of the selected entry pops up. You must at least change the name
as duplicate entry names are not allowed.
#
This field is a sequential value associated with an application object.
Name
This field indicates the name assigned to the application object.
Description
This field shows some extra information on the application object.
Content
This field shows the application signature(s) in this application object.
Reference
This displays the number of times an object reference is used in a profile.
License
You need to buy a license or use a trial license in order to use IDP/AppPatrol signatures.
These fields show license-related information.
License Status
This field shows whether you have activated an IDP/AppPatrol signatures license.
License Type
This field shows the type of IDP/AppPatrol signatures license you have activated.
Signature
Information
An activated license allows you to download signatures to the ZyWALL/USG from
myZyXEL.com. These fields show details on the signatures downloaded.
Current
Version
The version number increments when signatures are updated at myZyXEL.com. This field
shows the current version downloaded to the ZyWALL/USG.
Released
Date
This field shows the date (YYYY-MM-DD) and time the current signature version was
released.
Update
Signatures
If your signature set is not the most recent, click this to go to Configuration > Licensing >
Signature Update > IDP / AppPatrol to update your signatures.
35.5.1 Add Application Rule
Click Add in Configuration > Object > Application > Application to create a new application
rule. In the first screen you type a name to identify this application object and write an optional
brief description of it.
You then click Add again to choose the signatures that should go into this object.
Figure 399 Configuration > Object > Application > Application > Add Application Rule
The following table describes the labels in this screen.
Table 256 Configuration > Object > Application > Application > Add Application Rule
LABEL
DESCRIPTION
Name
Type a name to identify this application rule. You may use 1-31 alphanumeric characters,
underscores(_), or dashes (-), but the first character cannot be a number. This value is
case-sensitive.
Description
You may type some extra information on the application object here.
Add
Click this to create a new application rule.
Remove
Click this to remove the selected application rule.
#
This field is a sequential value associated with this application rule.
Category
This field shows the category to which the signature belongs in this application rule.
Application
This displays the name of the application signature used in this application rule.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.5.1.1 Add Application Object by Category or Service
Click Add in Configuration > Object > Application > Application > Add Application Rule to
choose the signatures that should go into this object.
Figure 400 Configuration > Object > Application > Application > Add Application Rule > Add By
Category
Figure 401 Configuration > Object > Application > Application > Add Application Rule > Add By
Service
The following table describes the labels in this screen.
Table 257 Configuration > Object > Application > Application > Add Application Rule > Add
Application Object
LABEL
DESCRIPTION
Query
Search
Choose signatures in one of the following ways:
• Select By Category then select a category in the adjacent drop-down list box to
display all signatures of that category.
• Select By Service, type a keyword and click Search to display all signatures
containing that keyword.
Query Result
The results of the search are displayed here.
#
This field is a sequential value associated with this signature
Category
This field shows the category to which the signature belongs. Select the checkbox to add
this signature to the application object.
Application
This displays the name of the application signature.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.5.2 Application Group Screen
This screen allows you to group individual application objects to be treated as a single application
object. To access this screen click Configuration > Object > Application > Application Group.
Figure 402 Configuration > Object > Application > Application Group
The following table describes the labels in this screen.
Table 258 Configuration > Object > Application > Application Group
LABEL
DESCRIPTION
Add
Click this to add a new application group.
Edit
Click this to edit the selected application group.
Remove
Click this to remove the selected application group.
Object Reference
Click this to view which other objects are linked to the selected application group.
#
This field is a sequential value associated with an application group.
Name
This field indicates the name assigned to the application group.
Description
You may type some extra information on the application group here.
Member
This field shows the application objects in this application group.
Reference
This displays the number of times an object reference is used in a profile.
License
You need to buy a license or use a trial license in order to use IDP/AppPatrol signatures.
These fields show license-related information.
License Status
This field shows whether you have activated an IDP/AppPatrol signatures license.
License Type
This field shows the type of IDP/AppPatrol signatures license you have activated.
Signature
Information
An activated license allows you to download signatures to the ZyWALL/USG from
myZyXEL.com. These fields show details on the signatures downloaded.
Current
Version
The version number increments when signatures are updated at myZyXEL.com. This field
shows the current version downloaded to the ZyWALL/USG.
Released
Date
This field shows the date (YYYY-MM-DD) and time the current signature version was
released.
Update
Signatures
If your signature set is not the most recent, click this to go to Configuration > Licensing
> Signature Update > IDP / AppPatrol to update your signatures.
35.5.2.1 Add Application Group Rule
Click Add in Configuration > Object > Application > Application Group to select already
created application rules and combine them as a single new rule.
Figure 403 Configuration > Object > Application > Application > Add Application Group Rule
The following table describes the labels in this screen.
Table 259 Configuration > Object > Application > Application > Add Application Group Rule
LABEL
DESCRIPTION
Name
Enter a name for the group. You may use 1-31 alphanumeric characters, underscores(_),
or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
This field displays the description of each group, if any. You can use up to 60 characters,
punctuation marks, and spaces.
Member List
The Member list displays the names of the application and application group objects that
have been added to the application group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the
Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key
to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.6 Address Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are
composed of address objects and other address groups.
• The Address screen (Section 35.6.2 on page 603) provides a summary of all addresses in the
ZyWALL/USG. Use the Address Add/Edit screen to create a new address or edit an existing
one.
• Use the Address Group summary screen (Section 35.6.2.3 on page 606) and the Address
Group Add/Edit screen, to maintain address groups in the ZyWALL/USG.
35.6.1 What You Need To Know
Address objects and address groups are used in dynamic routes, security policies, application
patrol, content filtering, and VPN connection policies. For example, addresses are used to specify
where content restrictions apply in content filtering. Please see the respective sections for more
information about how address objects and address groups are used in each one.
Address groups are composed of address objects and address groups. The sequence of members in
the address group is not important.
35.6.2 Address Summary Screen
The address screens are used to create, maintain, and remove addresses. These are the types of
address objects.
• HOST - a host address is defined by an IP Address.
• RANGE - a range address is defined by a Starting IP Address and an Ending IP Address.
• SUBNET - a network address is defined by a Network IP address and Netmask subnet mask.
The Address screen provides a summary of all addresses in the ZyWALL/USG. To access this
screen, click Configuration > Object > Address > Address. Click a column’s heading cell to sort
the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 404 Configuration > Object > Address > Address
The following table describes the labels in this screen. See Section 35.6.2.1 on page 604 for more
information as well.
Table 260 Configuration > Object > Address > Address
LABEL
DESCRIPTION
IPv4 Address Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object
References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field is a sequential value, and it is not associated with a specific address.
Name
This field displays the configured name of each address object.
Type
This field displays the type of each address object. “INTERFACE” means the object uses
the settings of one of the ZyWALL/USG’s interfaces.
IPv4 Address
This field displays the IPv4 addresses represented by each address object. If the object’s
settings are based on one of the ZyWALL/USG’s interfaces, the name of the interface
displays first followed by the object’s current address settings.
Reference
This displays the number of times an object reference is used in a profile.
IPv6 Address Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object
References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field is a sequential value, and it is not associated with a specific address.
Name
This field displays the configured name of each address object.
Type
This field displays the type of each address object. “INTERFACE” means the object uses
the settings of one of the ZyWALL/USG’s interfaces.
IPv6 Address
This field displays the IPv6 addresses represented by each address object. If the object’s
settings are based on one of the ZyWALL/USG’s interfaces, the name of the interface
displays first followed by the object’s current address settings.
35.6.2.1 IPv4 Address Add/Edit Screen
The Configuration > IPv4 Address Add/Edit screen allows you to create a new address or edit
an existing one. To access this screen, go to the Address screen (see Section 35.6.2 on page 603),
and click either the Add icon or an Edit icon in the IPv4 Address Configuration section.
Figure 405 IPv4 Address Configuration > Add/Edit
The following table describes the labels in this screen.
Table 261 IPv4 Address Configuration > Add/Edit
LABEL
DESCRIPTION
Name
Type the name used to refer to the address. You may use 1-31 alphanumeric characters,
underscores(_), or dashes (-), but the first character cannot be a number. This value is
case-sensitive.
Address Type
Select the type of address you want to create. Choices are: HOST, RANGE, SUBNET,
INTERFACE IP, INTERFACE SUBNET, and INTERFACE GATEWAY.
Note: The ZyWALL/USG automatically updates address objects that are based on an
interface’s IP address, subnet, or gateway if the interface’s IP address settings
change. For example, if you change lan1’s IP address, the ZyWALL/USG automatically
updates the corresponding interface-based LAN subnet address object.
IP Address
This field is only available if the Address Type is HOST. This field cannot be blank. Enter
the IP address that this address object represents.
Starting IP Address
This field is only available if the Address Type is RANGE. This field cannot be blank.
Enter the beginning of the range of IP addresses that this address object represents.
Ending IP Address
This field is only available if the Address Type is RANGE. This field cannot be blank.
Enter the end of the range of IP addresses that this address object represents.
Network
This field is only available if the Address Type is SUBNET, in which case this field cannot
be blank. Enter the IP address of the network that this address object represents.
Netmask
This field is only available if the Address Type is SUBNET, in which case this field cannot
be blank. Enter the subnet mask of the network that this address object represents. Use
dotted decimal format.
Interface
If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the
Address Type, use this field to select the interface of the network that this address object
represents.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.6.2.2 IPv6 Address Add/Edit Screen
The Configuration > IPv6 Address Add/Edit screen allows you to create a new address or edit
an existing one. To access this screen, go to the Address screen (see Section 35.6.2 on page 603),
and click either the Add icon or an Edit icon in the IPv6 Address Configuration section.
Figure 406 IPv6 Address Configuration > Add/Edit
The following table describes the labels in this screen.
Table 262 IPv6 Address Configuration > Add/Edit
LABEL
DESCRIPTION
Name
Type the name used to refer to the address. You may use 1-31 alphanumeric characters,
underscores (_), or dashes (-), but the first character cannot be a number. This value is
case-sensitive.
Object Type
Select the type of address you want to create. Choices are: HOST, RANGE, SUBNET,
INTERFACE IP, INTERFACE SUBNET, and INTERFACE GATEWAY.
Note: The ZyWALL/USG automatically updates address objects that are based on an
interface’s IP address, subnet, or gateway if the interface’s IP address settings
change. For example, if you change lan1’s IP address, the ZyWALL/USG automatically
updates the corresponding interface-based LAN subnet address object.
IPv6 Address
This field is only available if the Address Type is HOST. This field cannot be blank. Enter
the IP address that this address object represents.
IPv6 Starting Address
This field is only available if the Address Type is RANGE. This field cannot be blank.
Enter the beginning of the range of IP addresses that this address object represents.
IPv6 Ending Address
This field is only available if the Address Type is RANGE. This field cannot be blank.
Enter the end of the range of IP addresses that this address object represents.
IPv6 Address Prefix
This field is only available if the Address Type is SUBNET. This field cannot be blank.
Enter the IPv6 address prefix that the ZyWALL/USG uses for the LAN IPv6 address.
Interface
If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the
Address Type, use this field to select the interface of the network that this address object
represents.
IPv6 Address Type
Select whether the IPv6 address is a link-local IP address (LINK LOCAL), static IP
address (STATIC), an IPv6 StateLess Address Auto Configuration IP address (SLAAC), or
is obtained from a DHCPv6 server (DHCPv6).
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.6.2.3 Address Group Summary Screen
The Address Group screen provides a summary of all address groups. To access this screen, click
Configuration > Object > Address > Address Group. Click a column’s heading cell to sort the
table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 407 Configuration > Object > Address > Address Group
The following table describes the labels in this screen. See Section 35.6.2.4 on page 607 for more
information as well.
Table 263 Configuration > Object > Address > Address Group
LABEL
DESCRIPTION
IPv4 Address Group Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field is a sequential value, and it is not associated with a specific address group.
Name
This field displays the name of each address group.
Description
This field displays the description of each address group, if any.
Reference
This displays the number of times an object reference is used in a profile.
IPv6 Address Group Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field is a sequential value, and it is not associated with a specific address group.
Name
This field displays the name of each address group.
Description
This field displays the description of each address group, if any.
35.6.2.4 Address Group Add/Edit Screen
The Address Group Add/Edit screen allows you to create a new address group or edit an existing
one. To access this screen, go to the Address Group screen (see Section 35.6.2.3 on page 606),
and click either the Add icon or an Edit icon in the IPv4 Address Group Configuration or IPv6
Address Group Configuration section.
Figure 408 IPv4/IPv6 Address Group Configuration > Add
The following table describes the labels in this screen.
Table 264 IPv4/IPv6 Address Group Configuration > Add
LABEL
DESCRIPTION
Name
Enter a name for the address group. You may use 1-31 alphanumeric characters,
underscores (_), or dashes (-), but the first character cannot be a number. This value is
case-sensitive.
Description
This field displays the description of each address group, if any. You can use up to 60
characters, punctuation marks, and spaces.
Member List
The Member list displays the names of the address and address group objects that have
been added to the address group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the
Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key
to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.7 Service Overview
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also
create service groups to refer to multiple service objects in other features.
• Use the Service screens (Section 35.7.2 on page 609) to view and configure the ZyWALL/USG’s
list of services and their definitions.
• Use the Service Group screens (Section 35.7.2 on page 609) to view and configure the
ZyWALL/USG’s list of service groups.
35.7.1 What You Need to Know
IP Protocols
IP protocols are based on the eight-bit protocol field in the IP header. This field represents the
next-level protocol that is sent in this packet. This section discusses three of the most common IP
protocols.
Computers use Transmission Control Protocol (TCP, IP protocol 6) and User Datagram Protocol
(UDP, IP protocol 17) to exchange data with each other. TCP guarantees reliable delivery but is
slower and more complex. Some uses are FTP, HTTP, SMTP, and TELNET. UDP is simpler and faster
but is less reliable. Some uses are DHCP, DNS, RIP, and SNMP.
TCP creates connections between computers to exchange data. Once the connection is established,
the computers exchange data. If data arrives out of sequence or is missing, TCP puts it in sequence
or waits for the data to be re-transmitted. Then, the connection is terminated.
In contrast, computers use UDP to send short messages to each other. There is no guarantee that
the messages arrive in sequence or that the messages arrive at all.
Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number.
Some port numbers have been standardized and are used by low-level system processes; many
others have no particular meaning.
Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP protocol 1) is mainly used to send
error messages or to investigate problems. For example, ICMP is used to send the response if a
computer cannot be reached. Another use is ping. ICMP does not guarantee delivery, but networks
often treat ICMP messages differently, sometimes looking at the message itself to decide where to
send it.
Service Objects and Service Groups
Use service objects to define IP protocols.
• TCP applications
• UDP applications
• ICMP messages
• user-defined services (for other types of IP protocols)
These objects are used in policy routes, security policies, and IDP profiles.
Use service groups when you want to create the same rule for several services, instead of creating
separate rules for each service. Service groups may consist of services and other service groups.
The sequence of members in the service group is not important.
35.7.2 The Service Summary Screen
The Service summary screen provides a summary of all services and their definitions. In addition,
this screen allows you to add, edit, and remove services.
To access this screen, log in to the Web Configurator, and click Configuration > Object > Service
> Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the
heading cell again to reverse the sort order.
Figure 409 Configuration > Object > Service > Service
The following table describes the labels in this screen.
Table 265 Configuration > Object > Service > Service
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field is a sequential value, and it is not associated with a specific service.
Name
This field displays the name of each service.
Content
This field displays a description of each service.
Reference
This displays the number of times an object reference is used in a profile.
35.7.2.1 The Service Add/Edit Screen
The Service Add/Edit screen allows you to create a new service or edit an existing one. To access
this screen, go to the Service screen (see Section 35.7.2 on page 609), and click either the Add
icon or an Edit icon.
Figure 410 Configuration > Object > Service > Service > Edit
The following table describes the labels in this screen.
Table 266 Configuration > Object > Service > Service > Edit
LABEL
DESCRIPTION
Name
Type the name used to refer to the service. You may use 1-31 alphanumeric characters,
underscores (_), or dashes (-), but the first character cannot be a number. This value is
case-sensitive.
IP Protocol
Select the protocol the service uses. Choices are: TCP, UDP, ICMP, ICMPv6, and User
Defined.
Starting Port
Ending Port
This field appears if the IP Protocol is TCP or UDP. Specify the port number(s) used by
this service. If you fill in one of these fields, the service uses that port. If you fill in both
fields, the service uses the range of ports.
ICMP Type
This field appears if the IP Protocol is ICMP or ICMPv6.
Select the ICMP message used by this service. This field displays the message text, not
the message number.
IP Protocol Number
This field appears if the IP Protocol is User Defined. Enter the number of the next-level
protocol (IP protocol). Allowed values are 1 - 255.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.7.3 The Service Group Summary Screen
The Service Group summary screen provides a summary of all service groups. In addition, this
screen allows you to add, edit, and remove service groups.
To access this screen, log in to the Web Configurator, and click Configuration > Object > Service
> Service Group.
Figure 411 Configuration > Object > Service > Service Group
The following table describes the labels in this screen. See Section 35.7.3.1 on page 612 for more
information as well.
Table 267 Configuration > Object > Service > Service Group
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field is a sequential value, and it is not associated with a specific service group.
Family
This field displays the address family the service group supports, according to your
configuration in the Service Group Add/Edit screen.
There are 3 types of families:
• Supports IPv4 only
• Supports IPv6 only
• Supports both IPv4 and IPv6
Name
This field displays the name of each service group.
By default, the ZyWALL/USG uses services starting with “Default_Allow_” in the security
policies to allow certain services to connect to the ZyWALL/USG.
Description
This field displays the description of each service group, if any.
Reference
This displays the number of times an object reference is used in a profile.
35.7.3.1 The Service Group Add/Edit Screen
The Service Group Add/Edit screen allows you to create a new service group or edit an existing
one. To access this screen, go to the Service Group screen (see Section 35.7.3 on page 611), and
click either the Add icon or an Edit icon.
Figure 412 Configuration > Object > Service > Service Group > Edit
The following table describes the labels in this screen.
Table 268 Configuration > Object > Service > Service Group > Edit
LABEL
DESCRIPTION
Name
Enter the name of the service group. You may use 1-31 alphanumeric characters,
underscores (_), or dashes (-), but the first character cannot be a number. This value is
case-sensitive.
Description
Enter a description of the service group, if any. You can use up to 60 printable ASCII
characters.
Member List
The Member list displays the names of the service and service group objects that have
been added to the service group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the
Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key
to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
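The address-object, address-group, service-object and service-group rules from Sections 35.6 and 35.7 above, as one added worked model. This is example code written for this page, not Zyxel firmware or a ZyWALL/USG API: it shows how HOST/RANGE/SUBNET objects, a TCP/UDP port or port range, an ICMP message type, a user-defined protocol number and nested groups resolve to a single "does this packet hit this object?" decision, and it checks the shared object-name rule (1-31 alphanumerics, underscores or dashes, first character not a digit). Every object name, address and port below is constructed, the `flatten` helper is this example's own, and the protocol numbers are the standard IANA assignments (TCP 6, UDP 17, ICMP 1, ICMPv6 58).

```python
"""Address, service and group objects as a matchable model (added example,
not Zyxel code). Object names, addresses and ports are constructed; the
protocol numbers are the standard IANA ones."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Name rule shared by the Add/Edit screens: 1-31 alphanumerics, _ or -, no leading digit.
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")
PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1, "ICMPv6": 58}

def valid_object_name(name: str) -> bool:
    return bool(NAME_RE.match(name))

@dataclass
class AddressObject:
    name: str
    kind: str   # "HOST", "RANGE" or "SUBNET"
    value: str  # "10.0.0.5" | "10.0.0.5-10.0.0.9" | "10.0.0.0/24" (IPv4 or IPv6)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "HOST":
            return addr == ipaddress.ip_address(self.value)
        if self.kind == "RANGE":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return addr.version == lo.version and lo <= addr <= hi
        if self.kind == "SUBNET":
            net = ipaddress.ip_network(self.value, strict=False)
            return addr.version == net.version and addr in net
        raise ValueError(f"unknown address type {self.kind!r}")

@dataclass
class ServiceObject:
    name: str
    protocol: str                          # TCP, UDP, ICMP, ICMPv6 or USER
    start_port: Optional[int] = None       # TCP/UDP: one field -> that port,
    end_port: Optional[int] = None         # both fields -> the range
    icmp_type: Optional[int] = None        # ICMP/ICMPv6 message type
    protocol_number: Optional[int] = None  # USER: next-level protocol, 1-255

    def matches(self, proto_num: int, port: Optional[int] = None,
                icmp_type: Optional[int] = None) -> bool:
        if proto_num != PROTO_NUM.get(self.protocol, self.protocol_number):
            return False
        if self.protocol in ("TCP", "UDP"):
            ports = [p for p in (self.start_port, self.end_port) if p is not None]
            return bool(ports) and port is not None and min(ports) <= port <= max(ports)
        if self.protocol in ("ICMP", "ICMPv6"):
            return icmp_type == self.icmp_type
        return True  # user-defined: the protocol number alone identifies it

def flatten(name: str, objects: Dict[str, object], groups: Dict[str, List[str]],
            seen: Optional[Set[str]] = None) -> list:
    """Resolve an object or group name to its leaf objects. Groups may nest,
    so a visited set stops a cycle instead of recursing forever."""
    seen = set() if seen is None else seen
    if name in objects:
        return [objects[name]]
    if name not in groups:
        raise KeyError(f"unknown object or group {name!r}")
    if name in seen:
        return []
    seen.add(name)
    leaves: list = []
    for member in groups[name]:
        leaves.extend(flatten(member, objects, groups, seen))
    return leaves

# Constructed sample configuration (not taken from any real device).
ADDRESSES = {
    "LAN1_SUBNET": AddressObject("LAN1_SUBNET", "SUBNET", "192.168.1.0/24"),
    "Tim_PC": AddressObject("Tim_PC", "HOST", "192.168.1.27"),
    "Guest_Pool": AddressObject("Guest_Pool", "RANGE", "10.0.5.100-10.0.5.199"),
    "LAN_v6": AddressObject("LAN_v6", "SUBNET", "2001:db8:1::/64"),
}
ADDRESS_GROUPS = {
    "Internal": ["LAN1_SUBNET", "Guest_Pool", "Staff"],
    "Staff": ["Tim_PC", "LAN_v6", "Internal"],  # nests back into Internal: a cycle
}
SERVICES = {
    "HTTPS": ServiceObject("HTTPS", "TCP", start_port=443),
    "DNS_UDP": ServiceObject("DNS_UDP", "UDP", start_port=53),
    "PING": ServiceObject("PING", "ICMP", icmp_type=8),  # echo request
    "HIGH_TCP": ServiceObject("HIGH_TCP", "TCP", 49152, 65535),
    "GRE": ServiceObject("GRE", "USER", protocol_number=47),
}
SERVICE_GROUPS = {"Allow_Mgmt": ["HTTPS", "DNS_UDP", "PING"]}

def address_matches(name: str, ip: str) -> bool:
    return any(o.contains(ip) for o in flatten(name, ADDRESSES, ADDRESS_GROUPS))

def service_matches(name: str, proto_num: int, port=None, icmp_type=None) -> bool:
    return any(s.matches(proto_num, port, icmp_type)
               for s in flatten(name, SERVICES, SERVICE_GROUPS))
```

Two details are worth noticing when reviewing a configuration with this model. A group that reaches itself through another group (`Staff` and `Internal` above) is exactly the input a naive recursive expansion hangs on; the visited set makes it degrade to a finite member list. And an address object never matches an address of the other IP version, so an IPv6 client cannot slip through a rule whose address group only lists IPv4 objects.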
35.8 Schedule Overview
Use schedules to set up one-time and recurring schedules for policy routes, security policies,
application patrol, and content filtering. The ZyWALL/USG supports one-time and recurring
schedules. One-time schedules are effective only once, while recurring schedules usually repeat.
Both types of schedules are based on the current date and time in the ZyWALL/USG.
Note: Schedules are based on the ZyWALL/USG’s current date and time.
• Use the Schedule summary screen (Section 35.8.2 on page 614) to see a list of all schedules in
the ZyWALL/USG.
• Use the One-Time Schedule Add/Edit screen (Section 35.8.2.1 on page 615) to create or edit
a one-time schedule.
• Use the Recurring Schedule Add/Edit screen (Section 35.8.2.2 on page 616) to create or edit
a recurring schedule.
• Use the Schedule Group screen (Section 35.8.3 on page 617) to merge individual schedule
objects as one object.
35.8.1 What You Need to Know
One-time Schedules
One-time schedules begin on a specific start date and time and end on a specific stop date and
time. One-time schedules are useful for long holidays and vacation periods.
Recurring Schedules
Recurring schedules begin at a specific start time and end at a specific stop time on selected days of
the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring
schedules always begin and end in the same day. Recurring schedules are useful for defining the
workday and off-work hours.
35.8.2 The Schedule Summary Screen
The Schedule summary screen provides a summary of all schedules in the ZyWALL/USG. To access
this screen, click Configuration > Object > Schedule.
Figure 413 Configuration > Object > Schedule
The following table describes the labels in this screen. See Section 35.8.2.1 on page 615 and
Section 35.8.2.2 on page 616 for more information as well.
Table 269 Configuration > Object > Schedule
LABEL
DESCRIPTION
One Time
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field is a sequential value, and it is not associated with a specific schedule.
Name
This field displays the name of the schedule, which is used to refer to the schedule.
Start Day / Time
This field displays the date and time at which the schedule begins.
Stop Day / Time
This field displays the date and time at which the schedule ends.
Reference
This displays the number of times an object reference is used in a profile.
Recurring
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field is a sequential value, and it is not associated with a specific schedule.
Name
This field displays the name of the schedule, which is used to refer to the schedule.
Table 269 Configuration > Object > Schedule (continued)
LABEL
DESCRIPTION
Start Time
This field displays the time at which the schedule begins.
Stop Time
This field displays the time at which the schedule ends.
Reference
This displays the number of times an object reference is used in a profile.
35.8.2.1 The One-Time Schedule Add/Edit Screen
The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an
existing one. To access this screen, go to the Schedule screen (see Section 35.8.2 on page 614),
and click either the Add icon or an Edit icon in the One Time section.
Figure 414 Configuration > Object > Schedule > Edit (One Time)
The following table describes the labels in this screen.
Table 270 Configuration > Object > Schedule > Edit (One Time)
LABEL
DESCRIPTION
Configuration
Name
Type the name used to refer to the one-time schedule. You may use 1-31 alphanumeric
characters, underscores (_), or dashes (-), but the first character cannot be a number.
This value is case-sensitive.
Date Time
StartDate
Specify the year, month, and day when the schedule begins.
• Year - 1900 - 2999
• Month - 1 - 12
• Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31.)
StartTime
Specify the hour and minute when the schedule begins.
• Hour - 0 - 23
• Minute - 0 - 59
StopDate
Specify the year, month, and day when the schedule ends.
• Year - 1900 - 2999
• Month - 1 - 12
• Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31.)
StopTime
Specify the hour and minute when the schedule ends.
• Hour - 0 - 23
• Minute - 0 - 59
Table 270 Configuration > Object > Schedule > Edit (One Time) (continued)
LABEL
DESCRIPTION
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.8.2.2 The Recurring Schedule Add/Edit Screen
The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an
existing one. To access this screen, go to the Schedule screen (see Section 35.8.2 on page 614),
and click either the Add icon or an Edit icon in the Recurring section.
Figure 415 Configuration > Object > Schedule > Edit (Recurring)
The Year, Month, and Day columns are not used in recurring schedules and are disabled in this
screen. The following table describes the remaining labels in this screen.
Table 271 Configuration > Object > Schedule > Edit (Recurring)
LABEL
DESCRIPTION
Configuration
Name
Type the name used to refer to the recurring schedule. You may use 1-31 alphanumeric
characters, underscores (_), or dashes (-), but the first character cannot be a number.
This value is case-sensitive.
Date Time
StartTime
Specify the hour and minute when the schedule begins each day.
• Hour - 0 - 23
• Minute - 0 - 59
StopTime
Specify the hour and minute when the schedule ends each day.
• Hour - 0 - 23
• Minute - 0 - 59
Weekly
Week Days
Select each day of the week the recurring schedule is effective.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
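The schedule semantics from Section 35.8 (a one-time schedule with a start and stop date/time, a recurring schedule with a start and stop time on selected weekdays that begins and ends in the same day, and a schedule group that merges schedules), as an added worked example. This is example code written for this page, not Zyxel firmware: it evaluates whether a schedule is in effect at a given clock time, enforces the same-day rule and the 1900-2999 year range from the Add/Edit screens, and shows the consequence of the same-day rule that practitioners most often trip over, namely that an "off-work hours" window spanning midnight must be built from two recurring schedules. Inclusive boundaries, the schedule names and the sample dates are this example's own assumptions.

```python
"""One-time and recurring schedule objects evaluated against a clock (added
example, not Zyxel code). Names and sample times are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, List

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # datetime.weekday() order

@dataclass(frozen=True)
class OneTime:
    """Effective once, from start to stop (both ends inclusive, an assumption)."""
    name: str
    start: datetime
    stop: datetime

    def __post_init__(self):
        for d in (self.start, self.stop):
            if not 1900 <= d.year <= 2999:  # range offered by the Add/Edit screen
                raise ValueError(f"{self.name}: year must be 1900-2999")
        if self.stop <= self.start:
            raise ValueError(f"{self.name}: stop must be after start")

    def active(self, now: datetime) -> bool:
        return self.start <= now <= self.stop

@dataclass(frozen=True)
class Recurring:
    """Repeats on the selected weekdays; start and stop lie within one day."""
    name: str
    start: time
    stop: time
    days: frozenset  # subset of WEEKDAYS

    def __post_init__(self):
        if self.stop <= self.start:
            # A window that wraps past midnight cannot be one recurring
            # schedule; split it into two (see OFF_HOURS below).
            raise ValueError(f"{self.name}: stop time must be after start time")
        unknown = self.days - set(WEEKDAYS)
        if unknown:
            raise ValueError(f"{self.name}: unknown weekday(s) {sorted(unknown)}")

    def active(self, now: datetime) -> bool:
        return WEEKDAYS[now.weekday()] in self.days and self.start <= now.time() <= self.stop

@dataclass(frozen=True)
class ScheduleGroup:
    """Active whenever any member (schedule or nested group) is active."""
    name: str
    members: tuple

    def active(self, now: datetime) -> bool:
        return any(m.active(now) for m in self.members)

def active_schedules(schedules: Iterable, now: datetime) -> List[str]:
    """Names of the schedules in effect at `now`, sorted for stable output."""
    return sorted(s.name for s in schedules if s.active(now))

# Constructed samples.
WORKDAY = Recurring("Workday", time(9, 0), time(18, 0), frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"}))
EVENING = Recurring("Evening", time(18, 0), time(23, 59), frozenset(WEEKDAYS))
MORNING = Recurring("Morning", time(0, 0), time(9, 0), frozenset(WEEKDAYS))
OFF_HOURS = ScheduleGroup("Off_Hours", (EVENING, MORNING))  # 18:00-09:00 as two same-day windows
XMAS = OneTime("Xmas_Break", datetime(2024, 12, 24, 0, 0), datetime(2025, 1, 2, 0, 0))
```

Because the schedule types are evaluated against the device's own clock, a wrong system time silently shifts every window; when a rule fires outside its expected hours, check the clock before the schedule object.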
35.8.3 The Schedule Group Screen
The Schedule Group summary screen provides a summary of all groups of schedules in the
ZyWALL/USG. To access this screen, click Configuration > Object > Schedule > Group.
Figure 416 Configuration > Object > Schedule > Schedule Group
The following table describes the fields in the above screen.
Table 272 Configuration > Object > Schedule > Schedule Group
LABEL
DESCRIPTION
Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s
settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you
want to remove it before doing so.
Object Reference
Select an entry and click Object References to open a screen that shows which
settings use the entry.
#
This field is a sequential value, and it is not associated with a specific schedule.
Name
This field displays the name of the schedule group, which is used to refer to the
schedule.
Description
This field displays the description of the schedule group.
Members
This field lists the members in the schedule group. Each member is separated by
a comma.
Reference
This displays the number of times an object reference is used in a profile.
35.8.3.1 The Schedule Group Add/Edit Screen
The Schedule Group Add/Edit screen allows you to define a schedule group or edit an existing
one. To access this screen, go to the Schedule screen (see ), and click either the Add icon or an
Edit icon in the Schedule Group section.
Figure 417 Configuration > Schedule > Schedule Group > Add
The following table describes the fields in the above screen.
Table 273 Configuration > Schedule > Schedule Group > Add
LABEL
DESCRIPTION
Group Members
Name
Type the name used to refer to the schedule group. You may use 1-31
alphanumeric characters, underscores (_), or dashes (-), but the first character
cannot be a number. This value is case-sensitive.
Description
Enter a description of the schedule group, if any. You can use up to 60 printable
ASCII characters.
Member List
The Member list displays the names of the schedule objects that have been added
to the schedule group. The order of members is not important.
Select items from the Available list that you want to be members and move
them to the Member list. You can double-click a single entry to move it or use
the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to
move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the ZyWALL/USG.
Cancel
Click Cancel to exit this screen without saving your changes.
35.9 AAA Server Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to
your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA
Server screens to create and manage objects that contain settings for using AAA servers. You use
AAA server objects in configuring ext-group-user user objects and authentication method objects
(see Chapter 35 on page 627).
35.9.1 Directory Service (AD/LDAP)
LDAP/AD allows a client (the ZyWALL/USG) to connect to a server to retrieve information from a
directory. A network example is shown next.
Figure 418 Example: Directory Service Client and Server
The following describes the user authentication procedure via an LDAP/AD server.
1 A user logs in with a user name and password pair.
2 The ZyWALL/USG tries to bind (or log in) to the LDAP/AD server.
3 When the binding process is successful, the ZyWALL/USG checks the user information in the
directory against the user name and password pair.
4 If it matches, the user is allowed access. Otherwise, access is blocked.
35.9.2 RADIUS Server
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to
authenticate users by means of an external server instead of (or in addition to) an internal device
user database that is limited to the memory capacity of the device. In essence, RADIUS
authentication allows you to validate a large number of users from a central location.
Figure 419 RADIUS Server Network Example
35.9.3 ASAS
ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time
Password (OTP) feature. Purchase a ZyWALL/USG OTP package in order to use this feature. The
package contains server software and physical OTP tokens (PIN generators). Do the following to
use OTP. See the documentation included on the ASAS’ CD for details.
1 Install the ASAS server software on a computer.
2 Create user accounts on the ZyWALL/USG and in the ASAS server.
3 Import each token’s database file (located on the included CD) into the server.
4 Assign users to OTP tokens (on the ASAS server).
5 Configure the ASAS as a RADIUS server in the ZyWALL/USG’s Configuration > Object > AAA
Server screens.
6 Give the OTP tokens to (local or remote) users.
• Use the Configuration > Object > AAA Server > Active Directory (or LDAP) screens
(Section 35.9.5 on page 621) to configure Active Directory or LDAP server objects.
• Use the Configuration > Object > AAA Server > RADIUS screen (Section 35.9.2 on page
619) to configure the default external RADIUS server to use for user authentication.
35.9.4 What You Need To Know
AAA Servers Supported by the ZyWALL/USG
The following lists the types of authentication server the ZyWALL/USG supports.
• Local user database
The ZyWALL/USG uses the built-in local user database to authenticate administrative users
logging into the ZyWALL/USG’s Web Configurator or network access users logging into the
network through the ZyWALL/USG. You can also use the local user database to authenticate VPN
users.
• Directory Service (LDAP/AD)
LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is
both a directory and a protocol for controlling access to a network. The directory consists of a
database specialized for fast information retrieval and filtering activities. You create and store
user profile and login information on the external server.
• RADIUS
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used
to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication
allows you to validate a large number of users from a central location.
Directory Structure
The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the
directory structure reflects the geographical or organizational boundaries. The following figure
shows a basic directory structure branching from countries to organizations to organizational units
to individuals.
Figure 420 Basic Directory Structure (tree levels: Root > Countries (c) > Organizations > Organization Units > Unique Common Name (cn))
Distinguished Name (DN)
A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by
commas. The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique
name for entries that have the same “parent DN” (“cn=domain1.com, ou=Sales, o=MyCompany” in
the following examples).
cn=domain1.com, ou = Sales, o=MyCompany, c=US
cn=domain1.com, ou = Sales, o=MyCompany, c=JP
Base DN
A base DN specifies a directory. A base DN usually contains information such as the name of an
organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means
organization and c means country.
Bind DN
A bind DN is used to authenticate with an LDAP/AD server. For example a bind DN of
cn=zywallAdmin allows the ZyWALL/USG to log into the LDAP/AD server using the user name of
zywallAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not
specified, the ZyWALL/USG will try to log in as an anonymous user. If the bind password is
incorrect, the login will fail.
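The DN vocabulary defined above (attribute-value pairs separated by commas, the leftmost pair being the RDN and the remaining pairs the parent DN, a base DN naming the subtree a lookup starts from, and a one-component bind DN such as cn=zywallAdmin), as an added worked example. This is example code written for this page, not Zyxel firmware or any LDAP library: it handles only the simple comma-separated DN form shown in this chapter (RFC 4514 escaping and multi-valued RDNs are not covered), treats attribute types as case-insensitive, and compares values case-insensitively unless told the server checks case, mirroring the Case-sensitive User Names option. The sample DNs are the chapter's own plus constructed variants.

```python
"""Parse LDAP distinguished names and test them against a base DN (added
example, not Zyxel code). Simple comma-separated DNs only; no RFC 4514
escaping. Sample DNs are the chapter's examples and constructed variants."""
from typing import List, Tuple

Pair = Tuple[str, str]

def parse_dn(dn: str) -> List[Pair]:
    """'cn=domain1.com, ou = Sales, o=MyCompany, c=US' ->
    [('cn', 'domain1.com'), ('ou', 'Sales'), ('o', 'MyCompany'), ('c', 'US')].
    Attribute types are case-insensitive, so they are lower-cased; blanks
    around '=' and ',' are ignored."""
    pairs = []
    for component in dn.split(","):
        if "=" not in component:
            raise ValueError(f"malformed DN component {component.strip()!r}")
        attr, value = component.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in {component.strip()!r}")
        pairs.append((attr, value))
    return pairs

def format_dn(pairs: List[Pair]) -> str:
    return ",".join(f"{a}={v}" for a, v in pairs)

def rdn(dn: str) -> Pair:
    """The Relative Distinguished Name: the leftmost attribute-value pair."""
    return parse_dn(dn)[0]

def parent_dn(dn: str) -> str:
    """Everything to the right of the RDN ('' for a one-component DN such
    as the bind DN cn=zywallAdmin)."""
    return format_dn(parse_dn(dn)[1:])

def is_under(dn: str, base_dn: str, case_sensitive: bool = False) -> bool:
    """True if dn lies in the subtree rooted at base_dn (the base itself
    included): base_dn must equal dn's rightmost components. Values are
    compared case-insensitively unless the server checks case."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    if len(b) > len(d):
        return False
    norm = (lambda v: v) if case_sensitive else str.lower
    return [(a, norm(v)) for a, v in d[-len(b):]] == [(a, norm(v)) for a, v in b]
```

`is_under` is the check to run when a Base DN is being chosen for a server object: if the entries the users live in are not under it, the search step of the authentication procedure above cannot find them and the login fails even with a correct bind DN and password.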
35.9.5 Active Directory or LDAP Server Summary
Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the ZyWALL/
USG can use in authenticating users.
Click Configuration > Object > AAA Server > Active Directory (or LDAP) to display the
Active Directory (or LDAP) screen.
Figure 421 Configuration > Object > AAA Server > Active Directory (or LDAP)
The following table describes the labels in this screen.
Table 274 Configuration > Object > AAA Server > Active Directory (or LDAP)
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field is a sequential value, and it is not associated with a specific AD or LDAP server.
Name
This field displays the name of the Active Directory.
Server Address
This is the address of the AD or LDAP server.
Base DN
This specifies a directory. For example, o=ZyXEL, c=US.
35.9.5.1 Adding an Active Directory or LDAP Server
Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or
LDAP) screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to
create a new AD or LDAP entry or edit an existing one.
Figure 422 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add
The following table describes the labels in this screen.
Table 275 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add
LABEL
DESCRIPTION
Name
Enter a descriptive name (up to 63 alphanumerical characters) for identification
purposes.
Description
Enter the description of each server, if any. You can use up to 60 printable ASCII
characters.
Server Address
Enter the address of the AD or LDAP server.
Backup Server
Address
If the AD or LDAP server has a backup server, enter its address here.
Port
Specify the port number on the AD or LDAP server to which the ZyWALL/USG sends
authentication requests. Enter a number between 1 and 65535.
This port number should be the same on all AD or LDAP server(s) in this group.
Base DN
Specify the directory (up to 127 alphanumerical characters). For example,
o=ZyXEL, c=US.
This is only for LDAP.
Use SSL
Select Use SSL to establish a secure connection to the AD or LDAP server(s).
Search time limit
Specify the timeout period (between 1 and 300 seconds) before the ZyWALL/USG
disconnects from the AD or LDAP server. In this case, user authentication fails.
Search timeout occurs when either the user information is not in the AD or LDAP
server(s) or the AD or LDAP server(s) is down.
Case-sensitive
User Names
Select this if the server checks the case of the usernames.
Bind DN
Specify the bind DN for logging into the AD or LDAP server. Enter up to 127
alphanumerical characters.
For example,
cn=zywallAdmin specifies zywallAdmin as the user name.
Password
If required, enter the password (up to 15 alphanumerical characters) for the ZyWALL/
USG to bind (or log in) to the AD or LDAP server.
Retype to Confirm
Retype your new password for confirmation.
Login Name
Attribute
Enter the type of identifier the users are to use to log in. For example “name” or “e-mail
address”.
Alternative Login
Name Attribute
If there is a second type of identifier that the users can use to log in, enter it here. For
example “name” or “e-mail address”.
Group
Membership
Attribute
An AD or LDAP server defines attributes for its accounts. Enter the name of the attribute
that the ZyWALL/USG is to check to determine to which group a user belongs. The value
for this attribute is called a group identifier; it determines to which group a user belongs.
You can add ext-group-user user objects to identify groups based on these group
identifier values.
For example you could have an attribute named “memberOf” with values like “sales”,
“RD”, and “management”. Then you could also create a ext-group-user user object for
each group. One with “sales” as the group identifier, another for “RD” and a third for
“management”.
Domain
Authentication for
MSChap
Select the Enable checkbox to enable domain authentication for MSChap.
User Name
Enter the user name for the user who has rights to add a machine to the domain.
This is only for Active Directory.
User Password
Enter the password for the associated user name.
This is only for Active Directory.
Retype to Confirm
Retype your new password for confirmation.
This is only for Active Directory.
Realm
Enter the realm FQDN.
This is only for Active Directory.
NetBIOS Name
Type the NetBIOS name. This field is optional. NetBIOS is a naming and session service carried
over TCP or UDP that lets a computer join and communicate with a LAN, so that local computers
can find computers on the remote network and vice versa.
Configuration
Validation
Use a user account from the server specified above to test if the configuration is correct.
Enter the account’s user name in the Username field and click Test.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.
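The following is an added example, not code from the manual or from ZyXEL. It models the search-then-bind flow that an LDAP/AD authenticator carries out with the fields of Table 275 (Bind DN and Password, Base DN, Login Name Attribute, Alternative Login Name Attribute, Group Membership Attribute, Case-sensitive User Names), and it shows the one step the table does not mention: the login name has to be escaped (RFC 4515) before it is placed in the search filter, or a crafted user name can rewrite the filter. The directory entries, attribute names and passwords are constructed for the example, and the LDAP operations are in-process stand-ins so the code runs offline; a real deployment would use an LDAP client library over TLS (the Use SSL option). The handling of DN-form memberOf values goes beyond the manual's text, which shows plain values such as "sales".

```python
"""Added example, not ZyXEL code: search-then-bind LDAP/AD authentication with
the Table 275 fields, against a constructed in-memory directory."""
import dataclasses
import hmac

# Constructed stand-in for the directory. Tim's memberOf value is a DN as Active
# Directory returns it; Jim's are plain values as in the manual's example.
CONSTRUCTED_DIRECTORY = [
    {"dn": "cn=zywallAdmin,o=ZyXEL,c=US", "userPassword": "bind-secret",
     "sAMAccountName": "zywallAdmin", "memberOf": []},
    {"dn": "cn=Tim,ou=People,o=ZyXEL,c=US", "userPassword": "tim-pass",
     "sAMAccountName": "Tim", "mail": "tim@example.test",
     "memberOf": ["CN=sales,OU=Groups,o=ZyXEL,c=US"]},
    {"dn": "cn=Jim,ou=People,o=ZyXEL,c=US", "userPassword": "jim-pass",
     "sAMAccountName": "Jim", "mail": "jim@example.test",
     "memberOf": ["RD", "management"]},
]


@dataclasses.dataclass
class LdapServerObject:
    """The Table 275 fields that drive authentication (hypothetical values)."""
    base_dn: str = "o=ZyXEL,c=US"
    bind_dn: str = "cn=zywallAdmin,o=ZyXEL,c=US"
    bind_password: str = "bind-secret"
    login_name_attribute: str = "sAMAccountName"
    alternative_login_name_attribute: str = "mail"
    group_membership_attribute: str = "memberOf"
    case_sensitive_user_names: bool = False


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter. Without it a
    login name such as '*)(cn=*' rewrites the filter (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind; an empty DN is an anonymous bind."""
    if dn == "":
        return True
    for entry in CONSTRUCTED_DIRECTORY:
        if entry["dn"].lower() == dn.lower():
            return hmac.compare_digest(entry["userPassword"].encode(), password.encode())
    return False


def search(base_dn, attribute, value, case_sensitive):
    """Stand-in for a subtree search with filter (attribute=value) under base_dn."""
    fold = (lambda s: s) if case_sensitive else str.lower
    return [e for e in CONSTRUCTED_DIRECTORY
            if e["dn"].lower().endswith(base_dn.lower())
            and isinstance(e.get(attribute), str)
            and fold(e[attribute]) == fold(value)]


def group_identifiers(values):
    """Map Group Membership Attribute values to the identifiers that ext-group-user
    objects match on. Plain values pass through; a DN (what AD's memberOf holds)
    is reduced to the value of its first RDN."""
    out = []
    for v in values:
        head = v.split(",", 1)[0]
        out.append(head.split("=", 1)[1] if "=" in head else v)
    return out


def authenticate(cfg, username, password):
    """Search-then-bind. Returns (success, group identifiers, filter used)."""
    if not simple_bind(cfg.bind_dn, cfg.bind_password):
        return False, [], None  # wrong bind password: the login fails (35.9.4)
    ldap_filter = "(%s=%s)" % (cfg.login_name_attribute, escape_filter_value(username))
    hits = search(cfg.base_dn, cfg.login_name_attribute, username,
                  cfg.case_sensitive_user_names)
    if not hits and cfg.alternative_login_name_attribute:
        ldap_filter = "(%s=%s)" % (cfg.alternative_login_name_attribute,
                                   escape_filter_value(username))
        hits = search(cfg.base_dn, cfg.alternative_login_name_attribute, username,
                      cfg.case_sensitive_user_names)
    if len(hits) != 1:
        return False, [], ldap_filter  # unknown or ambiguous user: nothing to bind as
    user = hits[0]
    if not simple_bind(user["dn"], password):
        return False, [], ldap_filter
    return True, group_identifiers(user.get(cfg.group_membership_attribute, [])), ldap_filter
```

The service account (Bind DN) is only used to locate the user's entry; the user's own password is checked by a second bind as that entry, so the ZyWALL/USG never needs read access to password hashes. The returned filter string shows what is actually sent to the server, which is where the escaping matters.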
35.9.6 RADIUS Server Summary
Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL/USG can use in
authenticating users.
Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen.
Figure 423 Configuration > Object > AAA Server > RADIUS
The following table describes the labels in this screen.
Table 276 Configuration > Object > AAA Server > RADIUS
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object
References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field displays the index number.
Name
This is the name of the RADIUS server entry.
Server Address
This is the address of the RADIUS server.
35.9.6.1 Adding a RADIUS Server
Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the
Add icon or an Edit icon to display the following screen. Use this screen to create a new RADIUS
server entry or edit an existing one.
Figure 424 Configuration > Object > AAA Server > RADIUS > Add
The following table describes the labels in this screen.
Table 277 Configuration > Object > AAA Server > RADIUS > Add
LABEL
DESCRIPTION
Name
Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Description
Enter the description of each server, if any. You can use up to 60 printable ASCII
characters.
Server Address
Enter the address of the RADIUS server.
Authentication
Port
Specify the port number on the RADIUS server to which the ZyWALL/USG sends
authentication requests. Enter a number between 1 and 65535.
Backup Server
Address
If the RADIUS server has a backup server, enter its address here.
Backup
Authentication
Port
Specify the port number on the backup RADIUS server to which the ZyWALL/USG sends
authentication requests. Enter a number between 1 and 65535.
Timeout
Specify the timeout period (between 1 and 300 seconds) before the ZyWALL/USG
disconnects from the RADIUS server. In this case, user authentication fails.
Search timeout occurs when either the user information is not in the RADIUS server or the
RADIUS server is down.
NAS IP Address
Type the IP address of the NAS (Network Access Server).
Case-sensitive
User Names
Select this if the RADIUS server checks the case of user names.
Key
Enter a password (up to 15 alphanumeric characters) as the key to be shared between the
external authentication server and the ZyWALL/USG.
The key is not sent over the network. This key must be the same on the external
authentication server and the ZyWALL/USG.
Group
Membership
Attribute
A RADIUS server defines attributes for its accounts. Select the name and number of the
attribute that the ZyWALL/USG is to check to determine to which group a user belongs. If
it does not display, select user-defined and specify the attribute’s number.
This attribute’s value is called a group identifier; it determines to which group a user
belongs. You can add ext-group-user user objects to identify groups based on these
group identifier values.
For example you could have an attribute named “memberOf” with values like “sales”, “RD”,
and “management”. Then you could also create a ext-group-user user object for each
group. One with “sales” as the group identifier, another for “RD” and a third for
“management”.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.
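The following is an added example, not code from the manual or from ZyXEL. It shows why the Key in Table 277 "is not sent over the network" yet "must be the same on the external authentication server and the ZyWALL/USG": in RADIUS (RFC 2865) the shared key is mixed into the MD5 stream that hides the User-Password attribute and into the Response Authenticator that proves a reply came from a server holding the key. Both ends are simulated in one process; the account, key, NAS IP address and Filter-Id group value are constructed for the example, and Filter-Id (attribute 11) stands in for whichever Group Membership Attribute you select.

```python
"""Added example, not ZyXEL code: RFC 2865 password hiding and Response
Authenticator, showing how the RADIUS shared key is used but never sent."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11

# Constructed server-side account: username -> (password, group identifier in Filter-Id)
CONSTRUCTED_USERS = {"Tim": ("tim-pass", "sales")}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous
    block), the first block chaining on the 16-byte Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; only a holder of the same key recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse type/length/value attributes, rejecting truncated or overlapping ones."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        length = data[i + 1]
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5 over reply header, the original Request Authenticator, reply attributes
    and the key (RFC 2865 3): the reply is bound to the request and to the key."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def access_request(username, password, nas_ip, secret, ident=1, request_auth=None):
    """ZyWALL/USG side: the key is used in hide_password but appears nowhere in the packet."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server(packet, secret):
    """Server side: with a different key the revealed password is garbage, so Access-Reject."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    record = CONSTRUCTED_USERS.get(user)
    if record and hmac.compare_digest(password, record[0].encode()):
        code, reply = ACCESS_ACCEPT, [(FILTER_ID, record[1].encode())]
    else:
        code, reply = ACCESS_REJECT, []
    auth = response_authenticator(code, ident, request_auth, reply, secret)
    return build_packet(code, ident, auth, reply)


def check_response(request, response, secret, group_attr=FILTER_ID):
    """ZyWALL/USG side: accept the reply only if the authenticator verifies under the
    local key, then read the group identifier. Returns (code, group) or (None, None)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None, None
    attrs = decode_attrs(response[20:length])
    expected = response_authenticator(code, ident, request[4:20], attrs, secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None, None  # forged, or the key differs between the two sides
    group = dict(attrs).get(group_attr, b"").decode() or None
    return code, group
```

A key mismatch therefore shows up as an Access-Reject whose authenticator the ZyWALL/USG cannot verify, which looks the same as a forged reply; both cases fail the login. Because the hiding stream is MD5 over the key and a public authenticator, the strength of the shared key is all that protects the user password on the wire, which is why RADIUS is best carried over a trusted segment or an IPSec tunnel.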
35.10 Auth. Method Overview
Authentication method objects set how the ZyWALL/USG authenticates wireless clients, HTTP/HTTPS
clients, and IPSec VPN clients that use extended authentication. Configure authentication method
objects to have the ZyWALL/USG use the local user database, and/or the authentication servers
and authentication server groups specified by AAA server objects. By default, user accounts created
and stored on the ZyWALL/USG are authenticated locally.
• Use the Configuration > Object > Auth. Method screens (Section 35.10.3 on page 628) to
create and manage authentication method objects.
35.10.1 Before You Begin
Configure AAA server objects before you configure authentication method objects.
35.10.2 Example: Selecting a VPN Authentication Method
After you set up an authentication method object in the Auth. Method screens, you can use it in
the VPN Gateway screen to authenticate VPN users for establishing a VPN connection. Refer to the
chapter on VPN for more information.
Follow the steps below to specify the authentication method for a VPN connection.
1
Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen.
2
Click Show Advance Setting and select Enable Extended Authentication.
3
Select Server Mode and select an authentication method object from the drop-down list box.
4
Click OK to save the settings.
Figure 425 Example: Using Authentication Method in VPN
35.10.3 Authentication Method Objects
Click Configuration > Object > Auth. Method to display the screen as shown.
Note: You can create up to 16 authentication method objects.
Figure 426 Configuration > Object > Auth. Method
The following table describes the labels in this screen.
Table 278 Configuration > Object > Auth. Method
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object
References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field displays the index number.
Method Name
This field displays a descriptive name for identification purposes.
Method List
This field displays the authentication method(s) for this entry.
35.10.3.1 Creating an Authentication Method Object
Follow the steps below to create an authentication method object.
1
Click Configuration > Object > Auth. Method.
2
Click Add.
3
Specify a descriptive name for identification purposes in the Name field. You may use 1-31
alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
This value is case-sensitive. For example, “My_Device”.
4
Click Add to insert an authentication method in the table.
5
Select a server object from the Method List drop-down list box.
6
You can add up to four server objects to the table. The ordering of the Method List column is
important. The ZyWALL/USG authenticates the users using the databases (in the local user
database or the external authentication server) in the order they appear in this screen.
If the same user name exists on two of the authentication servers you specify and the password you
enter does not match the account on the first server, the ZyWALL/USG rejects the login; it does not
go on to try the second server.
Note: You can NOT select two server objects of the same type.
7
Click OK to save the settings or click Cancel to discard all changes and return to the previous
screen.
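The following is an added example, not code from the manual or from ZyXEL. It models the ordered Method List walk described in step 6, including the rule that matters operationally: only a user the first server does not know falls through to the next entry, while a wrong password on a server that does know the user ends the search. It also applies the Name rules from step 3 and the list constraints from step 6 and the Note (at most four entries, no two server objects of the same type). The backends and accounts are constructed stand-ins for the local user database and AAA server objects; treating a timed-out server as a failed login follows the Search time limit text in 35.9.5.1.

```python
"""Added example, not ZyXEL code: model of an authentication method object's
ordered Method List and the constraints the Auth. Method screens enforce."""
import hmac
import re
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"
    WRONG_PASSWORD = "wrong-password"  # user known here, password does not match
    NOT_FOUND = "not-found"            # user unknown here, try the next entry
    UNAVAILABLE = "unavailable"        # search timeout or server down


# 1-31 alphanumerics, underscores or dashes; the first character cannot be a digit.
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")


def validate_method_name(name):
    return bool(NAME_RE.match(name))


def validate_method_list(methods):
    """Up to four entries and no two server objects of the same type."""
    types = [m.server_type for m in methods]
    return 1 <= len(types) <= 4 and len(set(types)) == len(types)


class Backend:
    """Constructed stand-in for the local database or one AAA server object."""

    def __init__(self, server_type, accounts, available=True):
        self.server_type = server_type
        self.accounts = dict(accounts)  # username -> password (example data)
        self.available = available

    def check(self, username, password):
        if not self.available:
            return Outcome.UNAVAILABLE
        if username not in self.accounts:
            return Outcome.NOT_FOUND
        ok = hmac.compare_digest(self.accounts[username].encode(), password.encode())
        return Outcome.ACCEPT if ok else Outcome.WRONG_PASSWORD


def authenticate(methods, username, password):
    """Walk the Method List in order; returns (outcome, index of the deciding entry).
    Only NOT_FOUND continues to the next entry. A wrong password on a server that
    knows the user ends the search, and a server that times out fails the login."""
    for index, backend in enumerate(methods):
        outcome = backend.check(username, password)
        if outcome is not Outcome.NOT_FOUND:
            return outcome, index
    return Outcome.NOT_FOUND, None
```

The practical consequence: if an account with the same name exists both in the local database and on an external server, the position of "local" in the list decides which password is accepted, and a user locked out on the first server cannot be rescued by a second one.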
Figure 427 Configuration > Object > Auth. Method > Add
The following table describes the labels in this screen.
Table 279 Configuration > Object > Auth. Method > Add
LABEL
DESCRIPTION
Name
Specify a descriptive name for identification purposes.
You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first
character cannot be a number. This value is case-sensitive. For example, “My_Device”.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after
the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Move
To change a method’s position in the numbered list, select the method and click Move to
display a field to type a number for where you want to put it and press [ENTER] to move
the rule to the number that you typed.
The ordering of your methods is important as ZyWALL/USG authenticates the users using
the authentication methods in the order they appear in this screen.
#
This field displays the index number.
Method List
Select a server object from the drop-down list box. You can create a server object in the
AAA Server screen.
The ZyWALL/USG authenticates the users using the databases (in the local user database
or the external authentication server) in the order they appear in this screen.
If the same user name exists on two of the authentication servers you specify and the
password you enter does not match the account on the first server, the ZyWALL/USG rejects
the login; it does not go on to try the second server.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.
35.11 Certificate Overview
The ZyWALL/USG can use certificates (also called digital IDs) to authenticate users. Certificates are
based on public-private key pairs. A certificate contains the certificate owner’s identity and public
key. Certificates provide a way to exchange public keys for use in authentication.
• Use the My Certificates screens (see Section 35.11.3 on page 633 to Section 35.11.3.3 on page
639) to generate and export self-signed certificates or certification requests and import the CA-signed certificates.
• Use the Trusted Certificates screens (see Section 35.11.4 on page 640 to Section 35.11.4.2 on
page 644) to save CA certificates and trusted remote host certificates to the ZyWALL/USG. The
ZyWALL/USG trusts any valid certificate that you have imported as a trusted certificate. It also
trusts any valid certificate signed by any of the certificates that you have imported as a trusted
certificate.
35.11.1 What You Need to Know
When using public-key cryptography for authentication, each host has two keys. One key is public and
can be made openly available. The other key is private and must be kept secure.
These keys work like a handwritten signature. Only you can write your signature exactly as it should
look. When people know what your signature looks like, they can verify whether something was
signed by you, or by someone else. In the same way, your private key “writes” your digital
signature and your public key allows people to verify whether data was signed by you, or by
someone else. This process works as follows.
1
Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that
the message content has not been altered by anyone else along the way. Tim generates a public
key pair (one public key and one private key).
2
Tim keeps the private key and makes the public key openly available. This means that anyone who
receives a message seeming to come from Tim can read it and verify whether it is really from him
or not.
3
Tim uses his private key to sign the message and sends it to Jenny.
4
Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is
from Tim, and that although other people may have been able to read the message, no-one can
have altered it (because they cannot re-sign the message with Tim’s private key).
5
Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to
verify the message.
The ZyWALL/USG uses certificates based on public-key cryptography to authenticate users attempting
to establish a connection, not to encrypt the data that you send after establishing a connection. The
method used to secure the data that you send through an established connection depends on the
type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the
certification authority’s public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a certificate.
The ZyWALL/USG does not trust a certificate if any certificate on its path has expired or been
revoked.
Certification authorities maintain directory servers with databases of valid and revoked certificates.
A directory of certificates that have been revoked before the scheduled expiration is called a CRL
(Certificate Revocation List). The ZyWALL/USG can check a peer’s certificate against a directory
server’s list of revoked certificates. The framework of servers, software, procedures and policies
that handles keys is called PKI (public-key infrastructure).
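The following is an added example, not code from the manual or from ZyXEL. It models the certification-path rules stated above: a path is trusted only if it ends at a certificate imported as a trusted certificate (or the peer's certificate is itself imported), and any expired or revoked certificate on the path makes the whole path "Not trusted". It also applies the X.509 path length constraint that the My Certificates Edit screen displays in the Basic Constraint field, which the manual mentions but does not work through. Signature verification is replaced by issuer-name matching, and the certificates, dates and CRL entries are constructed for the example.

```python
"""Added example, not ZyXEL code: certification-path evaluation (trust anchor,
expiry, CRL, pathLenConstraint) over constructed certificate records."""
import dataclasses
from datetime import date
from typing import Optional


@dataclasses.dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    valid_from: date
    valid_to: date
    is_ca: bool = False
    path_len: Optional[int] = None  # Basic Constraints pathLenConstraint, if present


def validate_path(chain, trusted, crl, today):
    """chain is ordered leaf first. trusted holds the certificates imported on the
    Trusted Certificates screen; crl holds (issuer, serial) pairs from the issuers'
    revocation lists. Returns (trusted?, reason). Name matching stands in for
    signature verification."""
    if not chain:
        return False, "empty path"
    for index, cert in enumerate(chain):
        if not (cert.valid_from <= today <= cert.valid_to):
            return False, "%s: expired or not yet valid" % cert.subject
        if (cert.issuer, cert.serial) in crl:
            return False, "%s: revoked" % cert.subject
        if index > 0 and not cert.is_ca:
            return False, "%s: used as an issuer but is not a CA" % cert.subject
        # pathLenConstraint = n allows at most n CA certificates between this CA
        # and the end-entity certificate; the leaf itself is not counted.
        if cert.path_len is not None and index - 1 > cert.path_len:
            return False, "%s: path length constraint exceeded" % cert.subject
        if cert in trusted:
            return True, "anchored at %s" % cert.subject
        if index + 1 == len(chain):
            return False, "%s: path does not end at a trusted certificate" % cert.subject
        if cert.issuer != chain[index + 1].subject:
            return False, "%s: issuer does not match next certificate" % cert.subject
    return False, "unreachable"


# Constructed PKI for the example: root (pathLen 1) -> issuing CA -> end entity,
# plus a second-level CA that the root's constraint does not allow.
TODAY = date(2024, 6, 1)
LATER = date(2026, 1, 1)
ROOT = Cert("ExampleRoot", "ExampleRoot", 1, date(2020, 1, 1), date(2030, 1, 1), True, 1)
ISSUING = Cert("ExampleIssuing", "ExampleRoot", 2, date(2022, 1, 1), date(2027, 1, 1), True)
LEAF = Cert("vpn.example.test", "ExampleIssuing", 3, date(2024, 1, 1), date(2025, 1, 1))
SUB_CA = Cert("ExampleSub", "ExampleIssuing", 4, date(2023, 1, 1), date(2027, 1, 1), True)
DEEP_LEAF = Cert("mail.example.test", "ExampleSub", 5, date(2024, 1, 1), date(2025, 1, 1))
LEAF_AS_ISSUER = Cert("x.example.test", "vpn.example.test", 6, date(2024, 1, 1), date(2025, 1, 1))
```

With ROOT imported as a trusted certificate, LEAF via ISSUING validates, while DEEP_LEAF fails even though every certificate is valid: ROOT's pathLenConstraint of 1 permits ISSUING below it but not a further CA. Importing LEAF itself as a trusted certificate validates it with a one-element path, which matches how the ZyWALL/USG treats an imported remote host certificate.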
Advantages of Certificates
Certificates offer the following benefits.
• The ZyWALL/USG only has to store the certificates of the certification authorities that you decide
to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you
never need to transmit private keys.
Self-signed Certificates
You can have the ZyWALL/USG act as a certification authority and sign its own certificates.
Factory Default Certificate
The ZyWALL/USG generates its own unique self-signed certificate when you first turn it on. This
certificate is referred to in the GUI as the factory default certificate.
Certificate File Formats
Any certificate that you want to import has to be in one of these file formats:
• Binary X.509: The certificate in its binary DER encoding. X.509 is the ITU-T recommendation that
defines the format of public-key certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses Base-64 (lowercase letters,
uppercase letters, numerals, “+” and “/”) to convert a binary X.509 certificate into printable text
between BEGIN CERTIFICATE and END CERTIFICATE lines.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital
signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The
private key is not included. The ZyWALL/USG currently allows the importation of a PKCS#7 file
that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses the same Base-64
encoding to convert a binary PKCS#7 file into a printable form.
• Binary PKCS#12: This is a format for transferring a certificate together with its private key. The
private key in a PKCS #12 file is inside a password-encrypted envelope. This password is set when
the PKCS #12 file is exported and is independent of any other credential; you must provide it to
decrypt the contents when you import the file into the ZyWALL/USG.
Note: Be careful not to convert a binary file to text during the transfer process. It is easy
for this to occur since many programs use text files by default.
35.11.2 Verifying a Certificate
Before you import a trusted certificate into the ZyWALL/USG, you should verify that you have the
correct certificate. You can do this using the certificate’s fingerprint. A certificate’s fingerprint is a
message digest of the certificate calculated using the MD5 or SHA1 algorithm. MD5 is no longer
collision-resistant, so compare the SHA1 fingerprint whenever the certificate owner can provide it.
The following procedure describes how to check a certificate’s fingerprint to verify that you have
the actual certificate.
1
Browse to where you have the certificate saved on your computer.
2
Make sure that the certificate has a “.cer” or “.crt” file name extension.
Figure 428 Remote Host Certificates
3
Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll
down to the Thumbprint Algorithm and Thumbprint fields.
Figure 429 Certificate Details
4
Use a secure method to verify that the certificate owner has the same information in the
Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your
situation. Possible examples would be over the telephone or through an HTTPS connection.
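The following is an added example, not code from the manual or from ZyXEL. It performs the fingerprint check above without the Windows Certificate dialog, accepting a certificate file in either the binary (DER) or PEM (Base-64) form listed under Certificate File Formats, and it refuses a file that was damaged by the binary-to-text conversion the Note warns about (an outer SEQUENCE whose encoded length no longer matches the file). SAMPLE_DER is a constructed five-byte ASN.1 placeholder (a SEQUENCE containing INTEGER 5), not a real certificate; in practice point the functions at the .cer or .crt file.

```python
"""Added example, not ZyXEL code: compute and compare a certificate fingerprint
from a DER or PEM file, rejecting files altered by a text-mode transfer."""
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

SAMPLE_DER = b"\x30\x03\x02\x01\x05"  # constructed placeholder, not a real certificate
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_is_complete(der):
    """The outer SEQUENCE length must equal the file length. A truncated file, or
    one whose bytes were changed by a text-mode transfer, fails this check."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        header, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def load_certificate_der(data):
    """Return DER bytes from a binary or PEM (Base-64) X.509 file."""
    match = PEM_RE.search(data)
    if match:
        der = base64.b64decode(b"".join(match.group(2).split()), validate=True)
    else:
        der = data
    if not der_is_complete(der):
        raise ValueError("not a complete DER certificate (was the file converted to text?)")
    return der


def is_importable(data):
    """True if the file parses as a complete DER or PEM certificate."""
    try:
        load_certificate_der(data)
        return True
    except ValueError:
        return False


def fingerprint(der, algorithm="sha1"):
    """Thumbprint in the form the Certificate dialog shows: uppercase hex pairs."""
    if algorithm not in ("md5", "sha1", "sha256"):
        raise ValueError("unsupported fingerprint algorithm")
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(text):
    """Drop separators and case so values from different tools compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def matches_expected(data, expected, algorithm="sha1"):
    """Compare the file's fingerprint with the value confirmed out of band
    (telephone, HTTPS page) using a constant-time comparison."""
    actual = normalize_thumbprint(fingerprint(load_certificate_der(data), algorithm))
    return hmac.compare_digest(actual.encode(), normalize_thumbprint(expected).encode())
```

The fingerprint is always taken over the DER bytes, so the PEM and binary forms of the same certificate give the same value; a certificate owner who reads out a thumbprint with spaces instead of colons, or in lowercase, still matches.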
35.11.3 The My Certificates Screen
Click Configuration > Object > Certificate > My Certificates to open the My Certificates
screen. This is the ZyWALL/USG’s summary list of certificates and certification requests.
Figure 430 Configuration > Object > Certificate > My Certificates
The following table describes the labels in this screen.
Table 280 Configuration > Object > Certificate > My Certificates
LABEL
DESCRIPTION
PKI Storage
Space in Use
This bar displays the percentage of the ZyWALL/USG’s PKI storage space that is currently
in use. When the storage space is almost full, you should consider deleting expired or
unnecessary certificates before adding more certificates.
Add
Click this to go to the screen where you can have the ZyWALL/USG generate a certificate
or a certification request.
Edit
Double-click an entry or select it and click Edit to open a screen with an in-depth list of
information about the certificate.
Remove
The ZyWALL/USG keeps all of your certificates unless you specifically delete them.
Uploading a new firmware or default configuration file does not delete your certificates.
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so. Subsequent certificates move up by one when you take this
action.
Object References
You cannot delete certificates that any of the ZyWALL/USG’s features are configured to
use. Select an entry and click Object References to open a screen that shows which
settings use the entry.
#
This field displays the certificate index number. The certificates are listed in alphabetical
order.
Name
This field displays the name used to identify this certificate. It is recommended that you
give each certificate a unique name.
Type
This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a
certification request to a certification authority, which then issues a certificate. Use the
My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
CERT represents a certificate issued by a certification authority.
Subject
This field displays identifying information about the certificate’s owner, such as CN
(Common Name), OU (Organizational Unit or department), O (Organization or company)
and C (Country). It is recommended that each certificate have unique subject
information.
Issuer
This field displays identifying information about the certificate’s issuing certification
authority, such as a common name, organizational unit or department, organization or
company and country. With self-signed certificates, this is the same information as in the
Subject field.
Valid From
This field displays the date that the certificate becomes applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and
includes an Expired! message if the certificate has expired.
Import
Click Import to open a screen where you can save a certificate to the ZyWALL/USG.
Refresh
Click Refresh to display the current validity status of the certificates.
35.11.3.1 The My Certificates Add Screen
Click Configuration > Object > Certificate > My Certificates and then the Add icon to open
the My Certificates Add screen. Use this screen to have the ZyWALL/USG create a self-signed
certificate, enroll a certificate with a certification authority or generate a certification request.
Figure 431 Configuration > Object > Certificate > My Certificates > Add
The following table describes the labels in this screen.
Table 281 Configuration > Object > Certificate > My Certificates > Add
LABEL
DESCRIPTION
Name
Type a name to identify this certificate. You can use up to 31 alphanumeric and
;`~!@#$%^&()_+[]{}',.=- characters.
Subject Information
Use these fields to record information that identifies the owner of the certificate. You
do not have to fill in every field, although you must specify a Host IP Address, Host
IPv6 Address, Host Domain Name, or E-Mail. The certification authority may add
fields (such as a serial number) to the subject information when it issues a certificate.
It is recommended that each certificate have unique subject information.
Select a radio button to identify the certificate’s owner by IP address, domain name or
e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail
address in the field provided. The domain name or e-mail address is for identification
purposes only and can be any string.
A domain name can be up to 255 characters. You can use alphanumeric characters,
the hyphen and periods.
An e-mail address can be up to 63 characters. You can use alphanumeric characters,
the hyphen, the @ symbol, periods and the underscore.
Organizational Unit
Identify the organizational unit or department to which the certificate owner belongs.
You can use up to 31 characters. You can use alphanumeric characters, the hyphen
and the underscore.
Organization
Identify the company or group to which the certificate owner belongs. You can use up
to 31 characters. You can use alphanumeric characters, the hyphen and the
underscore.
Town (City)
Identify the town or city where the certificate owner is located. You can use up to 31
characters. You can use alphanumeric characters, the hyphen and the underscore.
State, (Province)
Identify the state or province where the certificate owner is located. You can use up to
31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Country
Identify the nation where the certificate owner is located. You can use up to 31
characters. You can use alphanumeric characters, the hyphen and the underscore.
Key Type
Select RSA to use the Rivest, Shamir and Adleman public-key algorithm.
Select DSA to use the Digital Signature Algorithm public-key algorithm.
Key Length
Select a number from the drop-down list box to determine how many bits the key
should use (512 to 2048). The longer the key, the more secure it is; keys shorter than
2048 bits are considered weak by current standards, so choose 2048 unless a peer
cannot handle it. A longer key also uses more PKI storage space.
Extended Key Usage
Server Authentication
Select this to have ZyWALL/USG generate and store a request for a server
authentication certificate.
Client Authentication
Select this to have ZyWALL/USG generate and store a request for client
authentication certificate.
IKE Intermediate
Select this to have ZyWALL/USG generate and store a request for IKE Intermediate
authentication certificate.
Create a self-signed
certificate
Select this to have the ZyWALL/USG generate the certificate and act as the
Certification Authority (CA) itself. This way you do not need to apply to a certification
authority for certificates.
Create a certification
request and save it
locally for later
manual enrollment
Select this to have the ZyWALL/USG generate and store a request for a certificate.
Use the My Certificate Details screen to view the certification request and copy it to
send to the certification authority.
Create a certification
request and enroll for
a certificate
immediately online
Select this to have the ZyWALL/USG generate a request for a certificate and apply to
a certification authority for a certificate.
Copy the certification request from the My Certificate Details screen (see Section
35.11.3.2 on page 637) and then send it to the certification authority.
You must have the certification authority’s certificate already imported in the Trusted
Certificates screen.
When you select this option, you must select the certification authority’s enrollment
protocol and the certification authority’s certificate from the drop-down list boxes and
enter the certification authority’s server address. You also need to fill in the
Reference Number and Key if the certification authority requires them.
OK
Click OK to begin certificate or certification request generation.
Cancel
Click Cancel to quit and return to the My Certificates screen.
If you configured the My Certificate Create screen to have the ZyWALL/USG enroll a certificate
and the certificate enrollment is not successful, you see a screen with a Return button that takes
you back to the My Certificate Create screen. Click Return and check your information in the My
Certificate Create screen. Make sure that the certification authority information is correct and that
your Internet connection is working properly if you want the ZyWALL/USG to enroll a certificate
online.
35.11.3.2 The My Certificates Edit Screen
Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open
the My Certificate Edit screen. You can use this screen to view in-depth certificate information
and change the certificate’s name.
Figure 432 Configuration > Object > Certificate > My Certificates > Edit
The following table describes the labels in this screen.
Table 282 Configuration > Object > Certificate > My Certificates > Edit
LABEL
DESCRIPTION
Name
This field displays the identifying name of this certificate. You can use up to 31
alphanumeric and ;`~!@#$%^&()_+[]{}',.=- characters.
Certification Path
This field displays for a certificate, not a certification request.
Click the Refresh button to have this read-only text box display the hierarchy of
certification authorities that validate the certificate (and the certificate itself).
If the issuing certification authority is one that you have imported as a trusted
certification authority, it may be the only certification authority in the list (along with
the certificate itself). If the certificate is a self-signed certificate, the certificate itself is
the only one in the list. The ZyWALL/USG does not trust the certificate and displays
“Not trusted” in this field if any certificate on the path has expired or been revoked.
Refresh
Click Refresh to display the certification path.
Certificate
Information
These read-only fields display detailed information about the certificate.
Type
This field displays general information about the certificate. CA-signed means that a
Certification Authority signed the certificate. Self-signed means that the certificate’s
owner signed the certificate (not a certification authority). “X.509” means that this
certificate was created and signed according to the ITU-T X.509 recommendation that
defines the formats for public-key certificates.
Version
This field displays the X.509 version number.
Serial Number
This field displays the certificate’s identification number given by the certification
authority or generated by the ZyWALL/USG.
Subject
This field displays information that identifies the owner of the certificate, such as
Common Name (CN), Organizational Unit (OU), Organization (O), State (ST), and
Country (C).
Issuer
This field displays identifying information about the certificate’s issuing certification
authority, such as Common Name, Organizational Unit, Organization and Country.
With self-signed certificates, this is the same as the Subject Name field.
“none” displays for a certification request.
Signature Algorithm
This field displays the algorithm that was used to sign the certificate. The
ZyWALL/USG uses rsa-pkcs1-sha1 (an RSA PKCS#1 signature over a SHA-1 hash). Some
certification authorities may use rsa-pkcs1-md5 (an RSA signature over an MD5 hash).
Neither MD5 nor SHA-1 is collision resistant any longer, and current browsers and
many VPN peers reject certificates signed with them; where the issuing certification
authority offers it, obtain a certificate signed with SHA-256 or stronger.
Valid From
This field displays the date that the certificate becomes applicable. “none” displays for a
certification request.
Valid To
This field displays the date that the certificate expires. The text displays in red and
includes an Expired! message if the certificate has expired. “none” displays for a
certification request.
Key Algorithm
This field displays the type of algorithm that was used to generate the certificate’s key
pair (the ZyWALL/USG uses RSA) and the length of the key in bits (1024 bits for
example). A 1024-bit RSA key is below the 2048-bit minimum generally required today;
use a 2048-bit or longer key when you generate a certificate or certification request.
Subject Alternative
Name
This field displays the certificate owner‘s IP address (IP), domain name (DNS) or e-mail
address (EMAIL).
Key Usage
This field displays the functions for which the certificate’s key may be used. For
example, “DigitalSignature” means that the key can sign data such as IKE or TLS
handshake messages, “KeyEncipherment” means that the key can encrypt (transport)
session keys, and “KeyCertSign” means that the key can sign other certificates. Only a
certification authority’s certificate should carry KeyCertSign.
Basic Constraint
This field displays the certificate’s basic constraints. For example, Subject Type=CA
means that this is a certification authority’s certificate, and “Path Length
Constraint=1” means that at most one further certification authority may appear below
this one in a certificate’s path (this CA may issue a certificate to one subordinate CA,
which in turn may only issue end-entity certificates). This field does not display for a
certification request.
Chapter 35 Object
MD5 Fingerprint
This is the certificate’s message digest that the ZyWALL/USG calculated using the MD5
algorithm. MD5 is collision-broken, so do not rely on this value alone to identify a
certificate; compare the SHA1 fingerprint as well (or a SHA-256 fingerprint computed on
a management computer).
SHA1 Fingerprint
This is the certificate’s message digest that the ZyWALL/USG calculated using the SHA1
algorithm.
Certificate in PEM
(Base-64) Encoded
Format
This read-only text box displays the certificate or certification request in Privacy
Enhanced Mail (PEM) format: the DER-encoded object in Base64 (uppercase and lowercase
letters, numerals, “+” and “/”, padded with “=”) between “-----BEGIN CERTIFICATE-----”
and “-----END CERTIFICATE-----” lines (or the corresponding CERTIFICATE REQUEST lines).
You can copy and paste a certification request into a certification authority’s web page,
an e-mail that you send to the certification authority or a text editor and save the file
on a management computer for later manual enrollment.
You can copy and paste a certificate into an e-mail to send to friends or colleagues or
you can copy and paste a certificate into a text editor and save the file on a
management computer for later distribution (via floppy disk for example).
Export Certificate
Only
Use this button to save a copy of the certificate without its private key. Click this button
and then Save in the File Download screen. The Save As screen opens, browse to
the location that you want to use and click Save.
Password
If you want to export the certificate with its private key, create a password and type it
here. The exported PKCS#12 file contains the private key, so treat it as a secret: use a
strong password, keep the password in a safe place, store the file only where it is
needed and delete copies after you import it. You will need the password when you
import the certificate to another device.
Export Certificate
with Private Key
Use this button to save a copy of the certificate with its private key. Type the
certificate’s password and click this button. Click Save in the File Download screen.
The Save As screen opens, browse to the location that you want to use and click Save.
OK
Click OK to save your changes back to the ZyWALL/USG. You can only change the
name.
Cancel
Click Cancel to quit and return to the My Certificates screen.
35.11.3.3 The My Certificates Import Screen
Click Configuration > Object > Certificate > My Certificates > Import to open the My
Certificate Import screen. Follow the instructions in this screen to save an existing certificate to
the ZyWALL/USG.
Note: You can import a certificate that matches a corresponding certification request that
was generated by the ZyWALL/USG. You can also import a certificate in PKCS#12
format, including the certificate’s public and private keys.
The certificate you import replaces the corresponding request in the My Certificates screen.
You must remove any spaces from the certificate’s filename before you can import it.
Figure 433 Configuration > Object > Certificate > My Certificates > Import
The following table describes the labels in this screen.
Table 283 Configuration > Object > Certificate > My Certificates > Import
LABEL
DESCRIPTION
File Path
Type in the location of the file you want to upload in this field or click Browse to find it.
You cannot import a certificate with the same name as a certificate that is already in the
ZyWALL/USG.
Browse
Click Browse to find the certificate file you want to upload.
Password
This field only applies when you import a binary PKCS#12 format file. Type the file’s password
that was created when the PKCS #12 file was exported.
OK
Click OK to save the certificate on the ZyWALL/USG.
Cancel
Click Cancel to quit and return to the My Certificates screen.
35.11.4 The Trusted Certificates Screen
Click Configuration > Object > Certificate > Trusted Certificates to open the Trusted
Certificates screen. This screen displays a summary list of certificates that you have set the
ZyWALL/USG to accept as trusted. The ZyWALL/USG also accepts any valid certificate signed by a
certificate on this list as being trustworthy; thus you do not need to import any certificate that is
signed by one of these certificates.
Figure 434 Configuration > Object > Certificate > Trusted Certificates
The following table describes the labels in this screen.
Table 284 Configuration > Object > Certificate > Trusted Certificates
LABEL
DESCRIPTION
PKI Storage
Space in Use
This bar displays the percentage of the ZyWALL/USG’s PKI storage space that is currently
in use. When the storage space is almost full, you should consider deleting expired or
unnecessary certificates before adding more certificates.
Edit
Double-click an entry or select it and click Edit to open a screen with an in-depth list of
information about the certificate.
Remove
The ZyWALL/USG keeps all of your certificates unless you specifically delete them.
Uploading a new firmware or default configuration file does not delete your certificates.
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so. Subsequent certificates move up by one when you take this
action.
Object
References
You cannot delete certificates that any of the ZyWALL/USG’s features are configured to
use. Select an entry and click Object References to open a screen that shows which
settings use the entry.
#
This field displays the certificate index number. The certificates are listed in alphabetical
order.
Name
This field displays the name used to identify this certificate.
Subject
This field displays identifying information about the certificate’s owner, such as CN
(Common Name), OU (Organizational Unit or department), O (Organization or company)
and C (Country). It is recommended that each certificate have unique subject
information.
Issuer
This field displays identifying information about the certificate’s issuing certification
authority, such as a common name, organizational unit or department, organization or
company and country. With self-signed certificates, this is the same information as in the
Subject field.
Valid From
This field displays the date that the certificate becomes applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and
includes an Expired! message if the certificate has expired.
Import
Click Import to open a screen where you can save the certificate of a certification
authority that you trust, from your computer to the ZyWALL/USG.
Refresh
Click this button to display the current validity status of the certificates.
35.11.4.1 The Trusted Certificates Edit Screen
Click Configuration > Object > Certificate > Trusted Certificates and then a certificate’s Edit
icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information
about the certificate, change the certificate’s name and set whether or not you want the ZyWALL/
USG to check a certification authority’s list of revoked certificates before trusting a certificate issued
by the certification authority.
Figure 435 Configuration > Object > Certificate > Trusted Certificates > Edit
The following table describes the labels in this screen.
Table 285 Configuration > Object > Certificate > Trusted Certificates > Edit
LABEL
DESCRIPTION
Name
This field displays the identifying name of this certificate. You can change the name.
You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Certification Path
Click the Refresh button to have this read-only text box display the end entity’s
certificate and a list of certification authority certificates that shows the hierarchy of
certification authorities that validate the end entity’s certificate. If the issuing
certification authority is one that you have imported as a trusted certificate, it may be
the only certification authority in the list (along with the end entity’s own certificate).
The ZyWALL/USG does not trust the end entity’s certificate and displays “Not trusted”
in this field if any certificate on the path has expired or been revoked.
Refresh
Click Refresh to display the certification path.
Enable X.509v3 CRL
Distribution Points
and OCSP checking
Select this check box to turn revocation checking on or off. When it is on, the
ZyWALL/USG validates a certificate issued by this certification authority by fetching its
Certificate Revocation List (CRL) over HTTP (from the CRL Distribution Points URL carried
in the certificate) or over LDAP (configured after selecting the LDAP Server check box),
and by querying an online responder (configured after selecting the OCSP Server check
box).
OCSP Server
Select this check box to have the ZyWALL/USG query an OCSP (Online Certificate Status
Protocol) responder for the status of certificates issued by this certification authority.
URL
Type the protocol, IP address and path name of the OCSP server.
ID
The ZyWALL/USG may need to authenticate itself in order to access the OCSP server.
Type the login name (up to 31 ASCII characters) from the entity maintaining the server
(usually a certification authority).
Password
Type the password (up to 31 ASCII characters) from the entity maintaining the OCSP
server (usually a certification authority).
LDAP Server
Select this check box if the directory server uses LDAP (Lightweight Directory Access
Protocol). LDAP is a protocol over TCP that specifies how clients access directories of
certificates and lists of revoked certificates.
Address
Type the IP address (in dotted decimal notation) of the directory server.
Port
Use this field to specify the LDAP server port number. You must use the same server
port number that the directory server uses. 389 is the default server port number for
LDAP.
ID
The ZyWALL/USG may need to authenticate itself in order to access the CRL directory
server. Type the login name (up to 31 ASCII characters) from the entity maintaining
the server (usually a certification authority).
Password
Type the password (up to 31 ASCII characters) from the entity maintaining the CRL
directory server (usually a certification authority).
Certificate
Information
These read-only fields display detailed information about the certificate.
Type
This field displays general information about the certificate. CA-signed means that a
Certification Authority signed the certificate. Self-signed means that the certificate’s
owner signed the certificate (not a certification authority). X.509 means that this
certificate was created and signed according to the ITU-T X.509 recommendation that
defines the formats for public-key certificates.
Version
This field displays the X.509 version number.
Serial Number
This field displays the certificate’s identification number given by the certification
authority.
Subject
This field displays information that identifies the owner of the certificate, such as
Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer
This field displays identifying information about the certificate’s issuing certification
authority, such as Common Name, Organizational Unit, Organization and Country.
With self-signed certificates, this is the same information as in the Subject Name
field.
Signature Algorithm
This field displays the algorithm that was used to sign the certificate. Some
certification authorities use rsa-pkcs1-sha1 (an RSA PKCS#1 signature over a SHA-1
hash). Other certification authorities may use rsa-pkcs1-md5 (an RSA signature over an
MD5 hash). MD5 and SHA-1 signatures are no longer considered collision resistant;
prefer certification authorities whose certificates, and whose issued certificates, are
signed with SHA-256 or stronger.
Valid From
This field displays the date that the certificate becomes applicable. The text displays in
red and includes a Not Yet Valid! message if the certificate has not yet become
applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and
includes an Expiring! or Expired! message if the certificate is about to expire or has
already expired.
Key Algorithm
This field displays the type of algorithm that was used to generate the certificate’s key
pair (the ZyWALL/USG uses RSA) and the length of the key in bits (1024 bits for
example). A 1024-bit RSA key is below the 2048-bit minimum generally required today
and should not be trusted for new deployments.
Subject Alternative
Name
This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail
address (EMAIL).
Key Usage
This field displays the functions for which the certificate’s key may be used. For
example, “DigitalSignature” means that the key can sign data such as IKE or TLS
handshake messages, “KeyEncipherment” means that the key can encrypt (transport)
session keys, and “KeyCertSign” means that the key can sign other certificates. A
certificate imported as trusted is expected to carry KeyCertSign.
Basic Constraint
This field displays the certificate’s basic constraints. For example, Subject Type=CA
means that this is a certification authority’s certificate, and “Path Length
Constraint=1” means that at most one further certification authority may appear below
this one in a certificate’s path.
MD5 Fingerprint
This is the certificate’s message digest that the ZyWALL/USG calculated using the MD5
algorithm. You can use this value to verify with the certification authority (over the
phone for example) that this is actually their certificate. Because MD5 collisions are
practical, verify the SHA1 fingerprint as well rather than the MD5 value alone.
SHA1 Fingerprint
This is the certificate’s message digest that the ZyWALL/USG calculated using the SHA1
algorithm. You can use this value to verify with the certification authority (over the
phone for example) that this is actually their certificate. Verifying the fingerprint
out of band is what protects you from importing an attacker’s CA certificate as trusted.
Certificate
This read-only text box displays the certificate in Privacy Enhanced Mail (PEM) format:
the DER-encoded certificate in Base64 (uppercase and lowercase letters, numerals, “+”
and “/”, padded with “=”) between “-----BEGIN CERTIFICATE-----” and
“-----END CERTIFICATE-----” lines.
You can copy and paste the certificate into an e-mail to send to friends or colleagues or
you can copy and paste the certificate into a text editor and save the file on a
management computer for later distribution (via floppy disk for example).
Export Certificate
Click this button and then Save in the File Download screen. The Save As screen
opens, browse to the location that you want to use and click Save.
OK
Click OK to save your changes back to the ZyWALL/USG. You can only change the
name.
Cancel
Click Cancel to quit and return to the Trusted Certificates screen.
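The Key Usage, Basic Constraint and fingerprint rows of Table 282 (My Certificates > Edit) and of Table 285 above describe values the ZyWALL/USG decodes from the certificate. The following Python is an added example, not ZyXEL code, that decodes the DER encoding of those two X.509v3 extensions as a certification authority writes them (RFC 5280) and computes fingerprints in the colon-separated form the Fingerprint rows show. The extension byte strings are constructed for illustration, and `path_len_permits` is a helper written here to make the meaning of Path Length Constraint concrete.

```python
from __future__ import annotations

import hashlib

# Bit positions of KeyUsage (RFC 5280 section 4.2.1.3); bit 0 is the most significant bit of byte 0.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def _read_tlv(data: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Read one DER tag-length-value; returns (tag, value, position after the value)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_key_usage(der: bytes) -> list[str]:
    """KeyUsage ::= BIT STRING. The first content byte counts the unused trailing bits."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = value[0], value[1:]
    usable = len(bits) * 8 - unused
    names = []
    for i in range(min(usable, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if bits[byte] & (0x80 >> bit):
            names.append(KEY_USAGE_BITS[i])
    return names


def decode_basic_constraints(der: bytes) -> dict:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    result = {"ca": False, "path_len": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x01:                        # BOOLEAN; DER encodes TRUE as 0xFF
            result["ca"] = value == b"\xff"
        elif tag == 0x02:                      # INTEGER (non-negative here)
            result["path_len"] = int.from_bytes(value, "big")
    return result


def path_len_permits(path_len: int | None, ca_certs_below: int) -> bool:
    """pathLenConstraint=N allows at most N further CA certificates between this CA and the end entity."""
    return path_len is None or ca_certs_below <= path_len


def fingerprints(der_certificate: bytes) -> dict:
    """Colon-separated digests of the whole DER certificate, as the Fingerprint fields show them."""
    out = {}
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, der_certificate).hexdigest().upper()
        out[algo] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return out


# Constructed extension values, encoded as a CA would write them:
CA_KEY_USAGE = bytes.fromhex("03020106")                  # keyCertSign, cRLSign
LEAF_KEY_USAGE = bytes.fromhex("030205a0")                # digitalSignature, keyEncipherment
CA_BASIC_CONSTRAINTS = bytes.fromhex("30060101ff020101")  # cA=TRUE, pathLenConstraint=1
LEAF_BASIC_CONSTRAINTS = bytes.fromhex("3000")            # empty SEQUENCE: not a CA

if __name__ == "__main__":
    print("CA key usage:", decode_key_usage(CA_KEY_USAGE))
    print("leaf key usage:", decode_key_usage(LEAF_KEY_USAGE))
    print("CA constraints:", decode_basic_constraints(CA_BASIC_CONSTRAINTS))
    print("leaf constraints:", decode_basic_constraints(LEAF_BASIC_CONSTRAINTS))
    print("two CAs below a pathLen=1 CA allowed?", path_len_permits(1, 2))
```

A CA certificate that lacks keyCertSign, or an end-entity certificate whose Basic Constraint says Subject Type=CA, is a sign of a misissued or hand-crafted certificate and is worth questioning before you import it as trusted.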
35.11.4.2 The Trusted Certificates Import Screen
Click Configuration > Object > Certificate > Trusted Certificates > Import to open the
Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted
certificate to the ZyWALL/USG.
Note: You must remove any spaces from the certificate’s filename before you can import
the certificate.
Figure 436 Configuration > Object > Certificate > Trusted Certificates > Import
The following table describes the labels in this screen.
Table 286 Configuration > Object > Certificate > Trusted Certificates > Import
LABEL
DESCRIPTION
File Path
Type in the location of the file you want to upload in this field or click Browse to find it.
You cannot import a certificate with the same name as a certificate that is already in the
ZyWALL/USG.
Browse
Click Browse to find the certificate file you want to upload.
OK
Click OK to save the certificate on the ZyWALL/USG.
Cancel
Click Cancel to quit and return to the previous screen.
35.11.5 Certificates Technical Reference
OCSP
OCSP (Online Certificate Status Protocol) allows an application or device to check whether a
certificate has been revoked. With OCSP the ZyWALL/USG asks a responder about an individual
certificate instead of downloading a Certificate Revocation List (CRL). OCSP has two main
advantages over a CRL. The first is more current status information. The second is a
reduction in network traffic, since the ZyWALL/USG only gets information on the certificates
that it needs to verify, not a whole list. When the ZyWALL/USG requests certificate status
information, the OCSP responder returns a “good”, “revoked” or “unknown” response (RFC
6960); “unknown” means the responder has no record of that certificate, not that the
certificate is valid. OCSP does not report expiry; the validity dates are checked from the
certificate itself.
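The Certification Path row of Table 285, the validity messages in its Valid From and Valid To rows, and the CRL/OCSP description above all feed one decision: trusted, or “Not trusted”. The following Python is an added example, not ZyXEL code, that models that decision over constructed certificate records: it walks issuer links from the end entity to a certificate in the trusted store, applies the validity labels, and consults a stand-in CRL and OCSP table (revocation is keyed by subject here for readability; a real check uses serial numbers). The 30-day “Expiring!” window and the treatment of an OCSP “unknown” answer as untrusted are assumptions the guide does not state.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Cert:
    name: str            # the Name the ZyWALL/USG shows for the certificate
    subject: str
    issuer: str
    valid_from: datetime
    valid_to: datetime
    is_ca: bool = False  # Basic Constraint: Subject Type=CA


@dataclass
class Store:
    """Trust anchors plus the revocation data the CRL/OCSP settings would fetch."""
    trusted: dict[str, Cert]                               # imported trusted CAs, keyed by subject
    crl: set[str] = field(default_factory=set)             # subjects listed in a fetched CRL (stand-in)
    ocsp: dict[str, str] = field(default_factory=dict)     # subject -> "good" | "revoked" | "unknown"


def validity_status(cert: Cert, now: datetime, expiring_within: timedelta = timedelta(days=30)) -> str:
    """The labels the Valid From / Valid To fields show. The 'Expiring!' window is an assumption."""
    if now < cert.valid_from:
        return "Not Yet Valid!"
    if now > cert.valid_to:
        return "Expired!"
    if cert.valid_to - now <= expiring_within:
        return "Expiring!"
    return "valid"


def revocation_status(cert: Cert, store: Store) -> str:
    """CRL first, then OCSP. An OCSP responder answers good, revoked or unknown (RFC 6960)."""
    if cert.subject in store.crl:
        return "revoked"
    return store.ocsp.get(cert.subject, "unknown")


def certification_path(leaf: Cert, store: Store, intermediates: list[Cert]) -> list[Cert] | None:
    """Walk issuer links from the end entity until a trusted CA is reached; None if there is no such path."""
    by_subject = {c.subject: c for c in intermediates}
    path, cur, seen = [leaf], leaf, {leaf.subject}
    while cur.issuer != cur.subject:                       # stop at a self-signed certificate
        if cur.issuer in store.trusted:
            return path + [store.trusted[cur.issuer]]
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt.subject in seen:             # issuer missing, or a loop
            return None
        seen.add(nxt.subject)
        path.append(nxt)
        cur = nxt
    return path if cur.subject in store.trusted else None  # self-signed: trusted only if imported


def evaluate(leaf: Cert, store: Store, intermediates: list[Cert], now: datetime) -> tuple[str, list[Cert]]:
    """'Trusted' or 'Not trusted', as the Certification Path field reports, plus the path found."""
    path = certification_path(leaf, store, intermediates)
    if path is None:
        return "Not trusted", []
    for i, cert in enumerate(path):
        if validity_status(cert, now) in ("Not Yet Valid!", "Expired!"):
            return "Not trusted", path
        if i > 0 and not cert.is_ca:                       # only CA certificates may sign others
            return "Not trusted", path
        # The trust anchor (last element) is not revocation-checked. 'unknown' is treated as
        # untrusted, a conservative choice the guide does not spell out.
        if i < len(path) - 1 and revocation_status(cert, store) != "good":
            return "Not trusted", path
    return "Trusted", path


# Constructed sample data (not from any real CA).
NOW = datetime(2024, 6, 1)
ROOT = Cert("ExampleRoot", "CN=Example Root", "CN=Example Root",
            datetime(2015, 1, 1), datetime(2035, 1, 1), is_ca=True)
ISSUING = Cert("ExampleIssuing", "CN=Example Issuing CA", "CN=Example Root",
               datetime(2020, 1, 1), datetime(2030, 1, 1), is_ca=True)
SERVER = Cert("vpn-gw", "CN=vpn.example.test", "CN=Example Issuing CA",
              datetime(2024, 1, 1), datetime(2025, 1, 1))
EXPIRED = Cert("old-gw", "CN=old.example.test", "CN=Example Issuing CA",
               datetime(2022, 1, 1), datetime(2023, 1, 1))
STORE = Store(trusted={ROOT.subject: ROOT},
              ocsp={ISSUING.subject: "good", SERVER.subject: "good", EXPIRED.subject: "good"})

if __name__ == "__main__":
    for leaf in (SERVER, EXPIRED):
        verdict, path = evaluate(leaf, STORE, [ISSUING], NOW)
        print(leaf.name, verdict, " -> ".join(c.name for c in path))
```

Two behaviours of this model are worth checking against a device before relying on them: whether an unreachable OCSP responder or CRL server counts as “unknown” (fail closed) or is skipped (fail open), and whether the trust anchor itself is revocation-checked; the guide does not say, and the answer decides what an attacker who can block the responder gains.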
35.12 ISP Account Overview
Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP
interfaces. An ISP account is a profile of settings for Internet access using PPPoE or PPTP.
Use the Object > ISP Account screens (Section 35.12.1 on page 646) to create and manage ISP
accounts in the ZyWALL/USG.
35.12.1 ISP Account Summary
This screen provides a summary of ISP accounts in the ZyWALL/USG. To access this screen, click
Configuration > Object > ISP Account.
Figure 437 Configuration > Object > ISP Account
The following table describes the labels in this screen. See the ISP Account Edit section below for
more information as well.
Table 287 Configuration > Object > ISP Account
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to
remove it before doing so.
Object
References
Select an entry and click Object References to open a screen that shows which settings
use the entry.
#
This field is a sequential value, and it is not associated with a specific entry.
Profile Name
This field displays the profile name of the ISP account. This name is used to identify the
ISP account.
Protocol
This field displays the protocol used by the ISP account.
Authentication
Type
This field displays the authentication type used by the ISP account.
User Name
This field displays the user name of the ISP account.
35.12.1.1 ISP Account Edit
The ISP Account Edit screen lets you add information about new accounts and edit information
about existing accounts. To open this window, open the ISP Account screen. (See Section 35.12.1
on page 646.) Then, click on an Add icon or Edit icon to open the ISP Account Edit screen below.
Figure 438 Configuration > Object > ISP Account > Edit
The following table describes the labels in this screen.
Table 288 Configuration > Object > ISP Account > Edit
LABEL
DESCRIPTION
Profile Name
This field is read-only if you are editing an existing account. Type in the profile name of the
ISP account. The profile name is used to refer to the ISP account. You may use 1-31
alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be
a number. This value is case-sensitive.
Protocol
This field is read-only if you are editing an existing account. Select the protocol used by
the ISP account. Options are:
pppoe - This ISP account uses the PPPoE protocol.
pptp - This ISP account uses the PPTP protocol.
Authentication
Type
Use the drop-down list box to select an authentication protocol for outgoing calls. Options
are:
CHAP/PAP - Your ZyWALL/USG accepts either CHAP or PAP, whichever the ISP requests.
Chap - Your ZyWALL/USG accepts CHAP only.
PAP - Your ZyWALL/USG accepts PAP only. PAP sends the user name and password in the
clear, so choose it only if the ISP supports nothing else.
MSCHAP - Your ZyWALL/USG accepts MSCHAP only.
MSCHAP-V2 - Your ZyWALL/USG accepts MSCHAP-V2 only.
With CHAP, MSCHAP and MSCHAP-V2 the password itself is never sent; the ZyWALL/USG
answers a challenge with a hash derived from it. MSCHAP and MSCHAP-V2 have published
cryptographic weaknesses, so use a password that is unique to this ISP account.
Encryption
Method
This field is available if this ISP account uses the PPTP protocol. Use the drop-down list
box to select the type of Microsoft Point-to-Point Encryption (MPPE). Options are:
nomppe - This ISP account does not use MPPE.
mppe-40 - This ISP account uses 40-bit MPPE.
mppe-128 - This ISP account uses 128-bit MPPE.
MPPE is RC4 keyed from the MS-CHAP exchange. 40-bit MPPE can be brute-forced with little
effort, and even 128-bit MPPE over PPTP is not considered a secure VPN. Treat a PPTP ISP
link as an untrusted transport and protect sensitive traffic with IPSec or SSL VPN on top
of it.
User Name
Type the user name given to you by your ISP.
Password
Type the password associated with the user name above. The password can only consist of
alphanumeric characters (A-Z, a-z, 0-9). This field can be blank.
Retype to
Confirm
Type your password again to make sure that you have entered it correctly.
Server IP
If this ISP account uses the PPPoE protocol, this field is not displayed.
If this ISP account uses the PPTP protocol, type the IP address of the PPTP server.
Connection ID
This field is available if this ISP account uses the PPTP protocol. Type your identification
name for the PPTP server. This field can be blank.
Service Name
If this ISP account uses the PPPoE protocol, type the PPPoE service name to access. PPPoE
uses the specified service name to identify and reach the PPPoE server. This field can be
blank.
If this ISP account uses the PPTP protocol, this field is not displayed.
Compression
Select On to turn on Stac compression, or Off to turn it off. Stac compression is a data
compression technique capable of compressing data by a factor of about four.
Idle Timeout
This value specifies the number of seconds that must elapse without outbound traffic
before the ZyWALL/USG automatically disconnects from the PPPoE/PPTP server. This value
must be an integer between 0 and 360. If this value is zero, this timeout is disabled.
OK
Click OK to save your changes back to the ZyWALL/USG. If there are no errors, the
program returns to the ISP Account screen. If there are errors, a message box explains
the error, and the program stays in the ISP Account Edit screen.
Cancel
Click Cancel to return to the ISP Account screen without creating the profile (if it is new)
or saving any changes to the profile (if it already exists).
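The Authentication Type options in Table 288 differ in what crosses the PPPoE/PPTP link. The following Python is an added example, not ZyXEL code, showing the PAP Authenticate-Request payload (RFC 1334) next to a CHAP MD5 challenge/response round (RFC 1994) with both sides’ messages. The user name, secrets and challenge values are constructed; the MS-CHAP variants are not shown.

```python
from __future__ import annotations

import hashlib
import hmac
import os


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request data (RFC 1334): length-prefixed Peer-ID and Password, both in the clear."""
    pid, pw = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pw)]) + pw


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge), Identifier is one byte."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_exchange(client_secret: str, server_secret: str, identifier: int = 1,
                  challenge: bytes | None = None) -> tuple[bool, list[tuple[str, str, str]]]:
    """One Challenge / Response / Success-or-Failure round; returns (authenticated, transcript)."""
    challenge = os.urandom(16) if challenge is None else challenge      # fresh per round: no replay
    transcript = [("server->client", "Challenge", challenge.hex())]
    response = chap_response(identifier, client_secret, challenge)       # computed by the client
    transcript.append(("client->server", "Response", response.hex()))
    expected = chap_response(identifier, server_secret, challenge)       # recomputed by the server
    ok = hmac.compare_digest(response, expected)
    transcript.append(("server->client", "Success" if ok else "Failure", ""))
    return ok, transcript


def secret_visible_on_wire(payload: bytes, secret: str) -> bool:
    """True if the secret appears verbatim in what crosses the link."""
    return secret.encode() in payload


if __name__ == "__main__":
    # Constructed account data, not a real ISP login.
    print("PAP payload:", pap_authenticate_request("user@isp.example", "s3cret"))
    ok, transcript = chap_exchange("s3cret", "s3cret")
    for direction, kind, body in transcript:
        print(direction, kind, body)
    print("authenticated:", ok)
```

CHAP still requires the server to hold the password in recoverable form, and an eavesdropper who captures a challenge and response can run an offline guess against weak passwords; it prevents passive disclosure of the password, not guessing.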
35.13 SSL Application Overview
You use SSL application objects in SSL VPN. Configure an SSL application object to specify the type
of application and the address of the local computer, server, or web site SSL users are to be able to
access. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user
account/user group.
• Use the SSL Application screen (Section 35.13.2 on page 650) to view the ZyWALL/USG’s
configured SSL application objects.
• Use the SSL Application Edit screen to create or edit web-based application objects to allow
remote users to access an application via standard web browsers (Section 35.13.2.1 on page
651).
• You can also use the SSL Application Edit screen to specify the name of a folder on a Linux or
Windows file server which remote users can access using a standard web browser (Section
35.13.2.1 on page 651).
35.13.1 What You Need to Know
Application Types
You can configure the following SSL application on the ZyWALL/USG.
• Web-based
A web-based application allows remote users to access an intranet site using standard web
browsers.
Remote User Screen Links
Available SSL application names are displayed as links in remote user screens. Depending on the
application type, remote users can simply click the links or follow the steps in the pop-up dialog box
to access.
Remote Desktop Connections
Use SSL VPN to allow remote users to manage LAN computers. Depending on the functions
supported by the remote desktop software, they can install or remove software, run programs,
change settings, and open, copy, create, and delete files. This is useful for troubleshooting,
support, administration, and remote access to files and programs.
The LAN computer to be managed must have VNC (Virtual Network Computing) or RDP (Remote
Desktop Protocol) server software installed. The remote user’s computer does not use VNC or RDP
client software. The ZyWALL/USG works with the following remote desktop connection software:
RDP
• Windows Remote Desktop (supported in Internet Explorer)
VNC
• RealVNC
• TightVNC
• UltraVNC
For example, user A uses an SSL VPN connection to log into the ZyWALL/USG. Then he manages
LAN computer B which has RealVNC server software installed.
Figure 439 SSL-protected Remote Management (user A connects over https:// SSL to the ZyWALL/USG and manages LAN computer B)
Weblinks
You can configure weblink SSL applications to allow remote users to access web sites.
35.13.1.1 Example: Specifying a Web Site for Access
This example shows you how to create a web-based application for an internal web site
(http://my-info in the steps below) with web page encryption.
1
Click Configuration > Object > SSL Application in the navigation panel.
2
Click the Add button and select Web Application in the Type field.
In the Server Type field, select Web Server.
Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”.
In the URLAddress field, enter “http://my-info”.
Select Web Page Encryption to prevent users from saving the web content.
Click OK to save the settings.
The configuration screen should look similar to the following figure.
Figure 440 Example: SSL Application: Specifying a Web Site for Access
35.13.2 The SSL Application Screen
The main SSL Application screen displays a list of the configured SSL application objects. Click
Configuration > Object > SSL Application in the navigation panel.
Figure 441 Configuration > Object > SSL Application
The following table describes the labels in this screen.
Table 289 Configuration > Object > SSL Application
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove
it before doing so.
Object
References
Select an entry and click Object References to open a screen that shows which settings use
the entry.
#
This field displays the index number.
Name
This field displays the name of the object.
Address
This field displays the IP address/URL of the application server or the location of a file share.
Type
This field shows whether the object is a file-sharing, web-server, Outlook Web Access, Virtual
Network Computing, or Remote Desktop Protocol SSL application.
35.13.2.1 Creating/Editing an SSL Application Object
You can create a web-based application that allows remote users to access an application via
standard web browsers. You can also create a file sharing application that specify the name of a
folder on a file server (Linux or Windows) which remote users can access. Remote users can access
files using a standard web browser and files are displayed as links on the screen.
To configure an SSL application, click the Add or Edit button in the SSL Application screen and
select Web Application or File Sharing in the Type field. The screen differs depending on what
object type you choose.
Note: If you are creating a file sharing SSL application, you must also configure the
shared folder on the file server for remote access. Refer to the document that
comes with your file server.
Figure 442 Configuration > Object > SSL Application > Add/Edit: Web Application
Figure 443 Configuration > Object > SSL Application > Add/Edit: File Sharing
The following table describes the labels in this screen.
Table 290 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing
LABEL
DESCRIPTION
Create new
Object
Use this to configure any new settings objects that you need to use in this screen.
Object
Type
Select Web Application or File Sharing from the drop-down list box.
Web Application
Server Type
This field only appears when you choose Web Application as the object type.
Specify the type of service for this SSL application.
Select Web Server to allow access to the specified web site hosted on the local network.
Select OWA (Outlook Web Access) to allow users to access e-mails, contacts and calendars
via a Microsoft Outlook-like interface using supported web browsers. The ZyWALL/USG
supports one OWA object.
Select VNC to allow users to manage LAN computers that have Virtual Network
Computing remote desktop server software installed.
Select RDP to allow users to manage LAN computers that have Remote Desktop Protocol
remote desktop server software installed.
Select Weblink to create a link to a web site that you expect the SSL VPN users to
commonly use.
Name
Enter a descriptive name to identify this object. You can enter up to 31 characters (“0-9”,
“a-z”, “A-Z”, “-” and “_”). Spaces are not allowed.
URL
This field only appears when you choose Web Application as the object type.
This field displays if the Server Type is set to Web Server, OWA, or Weblink.
Enter the Fully-Qualified Domain Name (FQDN) or IP address of the application server.
Note: You must enter the “http://” or “https://” prefix.
Remote users can only reach files under this path. For example, if you enter
“\remote\” in this field, remote users can only access files in the “remote” directory.
A link that points to a file outside this path is not reachable through the SSL
application.
Preview
This field only appears when you choose Web Application or File Sharing as the object
type.
This field displays if the Server Type is set to Web Server, OWA or Weblink.
Note: If your Internet Explorer or other browser screen doesn’t show a preview, it may
be due to your web browser security settings. You need to add the ZyWALL/USG’s
IP address in the trusted sites of your web browser. For example, in Internet
Explorer, click Tools > Internet Options > Security > Trusted Sites > Sites
and type the ZyWALL/USG’s IP address, then click Add. For other web browsers,
please check the browser help.
Click Preview to access the URL you specified in a new web browser screen.
Entry Point
This field only appears when you choose Web Application as the object type.
This field displays if the Server Type is set to Web Server or OWA.
This field is optional. You only need to configure this field if you need to specify the name
of the directory or file on the local server as the home page or home directory on the user
screen.
Web Page
Encryption
This field only appears when you choose Web Application as the object type.
Select this option to prevent users from saving the web content. This is a deterrent
only: content that the browser renders can still be captured (screenshots, browser
developer tools), so do not rely on it to keep confidential material off the remote
computer.
Shared Path
This field only appears when you choose File Sharing as the object type.
Specify the IP address, domain name or NetBIOS name (computer name) of the file
server and the name of the share to which you want to allow user access. Enter the path
in one of the following formats.
“\\<IP address>\<share name>”
“\\<domain name>\<share name>”
“\\<computer name>\<share name>”
For example, if you enter “\\my-server\Tmp”, this allows remote users to access all files
and/or folders in the “\Tmp” share on the “my-server” computer.
OK
Click OK to save the changes and return to the main SSL Application Configuration
screen.
Cancel
Click Cancel to discard the changes and return to the main SSL Application
Configuration screen.
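The three Shared Path formats above all share the shape "\\<host>\<share>", where the host is an IP address, a domain name or a NetBIOS computer name and the share is a single name, not a deeper path. The following is an added example, not code from the manual or from the ZyWALL/USG, showing how a configuration-review script could check that an entered Shared Path matches exactly one of the documented forms before it is pushed to the device; the sample paths, hostnames and share names are constructed for illustration, and the NetBIOS name rules (up to 15 characters, no reserved punctuation) are an assumption taken from common Windows practice rather than from this manual.

```python
import ipaddress
import re

# Constructed sample entries: the three documented formats followed by
# entries that do not match any of them.
SAMPLE_PATHS = [
    r"\\192.168.1.10\Tmp",                # "\\<IP address>\<share name>"
    r"\\fileserver.example.com\Public",   # "\\<domain name>\<share name>"
    r"\\my-server\Tmp",                   # "\\<computer name>\<share name>"
    r"\\my-server\Tmp\nested",            # extra path component, not a share root
    r"//my-server/Tmp",                   # forward slashes, not the documented format
    r"\\my-server\..",                    # share name that is a traversal token
    r"\\\Tmp",                            # empty host part
]

# Exactly two leading backslashes, a host with no backslash, one more
# backslash, then a share name with no backslash and nothing after it.
_UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)$")
# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters not allowed in a NetBIOS name or a share name (assumed rule).
_FORBIDDEN = set('\\/:*?"<>|')


def classify_host(host):
    """Return 'ip', 'domain' or 'netbios', or None if the host fits none."""
    try:
        ipaddress.IPv4Address(host)
        return "ip"
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) > 1 and all(_LABEL_RE.match(label) for label in labels):
        return "domain"
    if 1 <= len(host) <= 15 and "." not in host and not (_FORBIDDEN & set(host)):
        return "netbios"
    return None


def parse_shared_path(path):
    """Parse a Shared Path into (host_kind, host, share); raise ValueError otherwise."""
    match = _UNC_RE.match(path)
    if not match:
        raise ValueError("path must have the form \\\\<host>\\<share name>")
    host, share = match.group(1), match.group(2)
    kind = classify_host(host)
    if kind is None:
        raise ValueError(f"host {host!r} is not an IP address, domain name or computer name")
    if share in (".", "..") or _FORBIDDEN & set(share):
        raise ValueError(f"share name {share!r} is not a plain share name")
    return kind, host, share


def shared_path_report(paths):
    """Map each path to its parsed tuple, or to None when it is rejected."""
    report = {}
    for path in paths:
        try:
            report[path] = parse_shared_path(path)
        except ValueError:
            report[path] = None
    return report


if __name__ == "__main__":
    for path, result in shared_path_report(SAMPLE_PATHS).items():
        print(f"{path:40} -> {result if result else 'REJECTED'}")
```

The check is deliberately strict about the share component: the manual describes the path as the share root ("\Tmp" on "my-server"), so anything deeper, or any share name made of traversal tokens, is rejected rather than silently accepted and left to the file server to interpret.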
35.14 DHCPv6 Overview
This section describes how to configure DHCPv6 request type and lease type objects.
• The Request screen (see Section 35.14.1 on page 654) allows you to configure DHCPv6 request
type objects.
• The Lease screen (see Section 35.2.3 on page 569) allows you to configure DHCPv6 lease type
objects.
35.14.1 The DHCPv6 Request Screen
The Request screen allows you to add, edit, and remove DHCPv6 request type objects. To access
this screen, log in to the Web Configurator, and click Configuration > Object > DHCPv6 >
Request.
Figure 444 Configuration > Object > DHCPv6 > Request
The following table describes the labels in this screen.
Table 291 Configuration > Object > DHCPv6 > Request
LABEL: DESCRIPTION
Configuration
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
Object References: Select an entry and click Object References to open a screen that shows which settings use the entry.
#: This field is a sequential value, and it is not associated with a specific object.
Name: This field displays the name of each request object.
Type: This field displays the request type of each request object.
Interface: This field displays the interface used for each request object.
Value: This field displays the value for each request object.
35.14.1.1 DHCPv6 Request Add/Edit Screen
The Request Add/Edit screen allows you to create a new request object or edit an existing one.
To access this screen, go to the Request screen (see Section 35.14.1 on page 654), and click
either the Add icon or an Edit icon.
Figure 445 Configuration > DHCPv6 > Request > Add
The following table describes the labels in this screen.
Table 292 Configuration > DHCPv6 > Request > Add
LABEL: DESCRIPTION
Name: Type the name for this request object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Request Type: Select the request type for this request object. You can choose from Prefix Delegation, DNS Server, NTP Server, or SIP Server.
Interface: Select the interface for this request object.
OK: Click OK to save your changes back to the ZyWALL/USG.
Cancel: Click Cancel to exit this screen without saving your changes.
35.14.2 The DHCPv6 Lease Screen
The Lease screen allows you to add, edit, and remove DHCPv6 lease type objects. To access this
screen, log in to the Web Configurator, and click Configuration > Object > DHCPv6 > Lease.
Figure 446 Configuration > Object > DHCPv6 > Lease
The following table describes the labels in this screen.
Table 293 Configuration > Object > DHCPv6 > Lease
LABEL: DESCRIPTION
Configuration
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
Object References: Select an entry and click Object References to open a screen that shows which settings use the entry.
#: This field is a sequential value, and it is not associated with a specific object.
Name: This field displays the name of each lease object.
Type: This field displays the request type of each lease object.
Interface: This field displays the interface used for each lease object.
Value: This field displays the value for each lease object.
35.14.2.1 DHCPv6 Lease Add/Edit Screen
The Lease Add/Edit screen allows you to create a new lease object or edit an existing one.
To access this screen, go to the Lease screen (see Section 35.14.2 on page 655), and click either
the Add icon or an Edit icon.
Figure 447 Configuration > DHCPv6 > Lease > Add
The following table describes the labels in this screen.
Table 294 Configuration > DHCPv6 > Lease > Add
LABEL: DESCRIPTION
Name: Type the name for this lease object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Lease Type: Select the lease type for this lease object. You can choose from Prefix Delegation, DNS Server, Address, Address Pool, NTP Server, or SIP Server.
Interface: Select the interface for this lease object.
DUID: If you select Prefix Delegation or Address in the Lease Type field, enter the DUID of the interface.
Prefix: If you select Prefix Delegation or Address in the Lease Type field, enter the IPv6 prefix of the interface.
DNS Server: If you select DNS Server in the Lease Type field, select a request object or User Defined in the DNS Server field and enter the IP address of the DNS server in the User Defined Address field below.
Starting IP Address: If you select Address Pool in the Lease Type field, enter the first of the contiguous addresses in the IP address pool.
End IP Address: If you select Address Pool in the Lease Type field, enter the last of the contiguous addresses in the IP address pool.
NTP Server: If you select NTP Server in the Lease Type field, select a request object or User Defined in the NTP Server field and enter the IP address of the NTP server in the User Defined Address field below.
SIP Server: If you select SIP Server in the Lease Type field, select a request object or User Defined in the SIP field and enter the IP address of the SIP server in the User Defined Address field below.
User Defined Address: If you select DNS Server, NTP Server, or SIP Server as your lease type, you must enter the IP address of the server you selected.
OK: Click OK to save your changes back to the ZyWALL/USG.
Cancel: Click Cancel to exit this screen without saving your changes.
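Tables 292 and 294 describe a small set of rules for DHCPv6 objects: the shared name rule (1-31 alphanumeric, underscore or dash characters, first character not a number), and for lease objects a set of fields that become required depending on the Lease Type. The following is an added example, not code from the manual or the ZyWALL/USG, that encodes those rules so a lease object can be checked before it is entered in the Add/Edit screen. The field names are those of Table 294 used as dictionary keys; treating User Defined Address as required for the DNS/NTP/SIP types, validating it and the pool bounds as IPv6 addresses, and checking that End IP Address does not precede Starting IP Address are assumptions made by this example, and the sample objects are constructed.

```python
import ipaddress
import re

# Name rule shared by request and lease objects (Tables 292 and 294):
# first character a letter, underscore or dash; 1-31 characters in total.
_NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")

# Fields that Table 294 makes mandatory for each Lease Type. Treating
# User Defined Address as the required field for the server types is an
# assumption of this example (the screen also allows a request object).
REQUIRED_FIELDS = {
    "Prefix Delegation": ("DUID", "Prefix"),
    "Address": ("DUID", "Prefix"),
    "Address Pool": ("Starting IP Address", "End IP Address"),
    "DNS Server": ("User Defined Address",),
    "NTP Server": ("User Defined Address",),
    "SIP Server": ("User Defined Address",),
}


def validate_name(name):
    """True if the name satisfies the documented object-name rule."""
    return bool(_NAME_RE.match(name))


def validate_lease(obj):
    """Return a list of problems with a lease object; an empty list means it is consistent."""
    problems = []
    if not validate_name(obj.get("Name", "")):
        problems.append("Name must be 1-31 alphanumeric, _ or - characters and not start with a number")

    ltype = obj.get("Lease Type")
    if ltype not in REQUIRED_FIELDS:
        problems.append(f"unknown Lease Type {ltype!r}")
        return problems

    missing = [field for field in REQUIRED_FIELDS[ltype] if not obj.get(field)]
    problems.extend(f"{field} is required when Lease Type is {ltype}" for field in missing)
    if missing:
        return problems  # value checks below need the fields present

    if ltype in ("Prefix Delegation", "Address"):
        try:
            ipaddress.IPv6Network(obj["Prefix"], strict=False)
        except ValueError:
            problems.append("Prefix is not a valid IPv6 prefix")
    elif ltype == "Address Pool":
        try:
            start = ipaddress.IPv6Address(obj["Starting IP Address"])
            end = ipaddress.IPv6Address(obj["End IP Address"])
            if end < start:
                problems.append("End IP Address precedes Starting IP Address")
        except ValueError:
            problems.append("Starting IP Address and End IP Address must be IPv6 addresses")
    else:
        try:
            ipaddress.IPv6Address(obj["User Defined Address"])
        except ValueError:
            problems.append("User Defined Address must be an IPv6 address")
    return problems


# Constructed sample objects: one consistent pool, one with a bad name and
# reversed bounds, one server type missing its address.
SAMPLE_LEASES = [
    {"Name": "lan-pool", "Lease Type": "Address Pool", "Interface": "lan1",
     "Starting IP Address": "2001:db8:1::100", "End IP Address": "2001:db8:1::1ff"},
    {"Name": "1pool", "Lease Type": "Address Pool", "Interface": "lan1",
     "Starting IP Address": "2001:db8:1::1ff", "End IP Address": "2001:db8:1::100"},
    {"Name": "dns_lan", "Lease Type": "DNS Server", "Interface": "lan1"},
]

if __name__ == "__main__":
    for lease in SAMPLE_LEASES:
        print(lease["Name"], validate_lease(lease) or "OK")
```

Checking the pool bounds and prefix syntax up front matters because the lease object is what the device hands to clients: a reversed pool or a malformed prefix is easy to mistype in a form and harder to spot once it is live.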