User Guide
Page 2
...37 Set Up an IPv6-in-IPv4 Tunnel Video Example 42 Content Filtering Video Example 56 ZyWALL IPSec VPN Client Configuration Provisioning Video Example 72 SSL VPN Video Example 74 Configuring L2TP VPN on configuring each screen.) It also contains a connection diagram and package contents list. ... Reference Guide explains how to use the Command-Line Interface (CLI) to connect the ZyWALL and access the Web Configurator wizards. (See the wizard real time help in Windows 7 Video Example 85 Bandwidth Management Video Example 100 AppPatrol Video Example 117 2 ZyWALL USG100-PLUS User's Guide
Page 3
... 1.1 Overview ...5 1.2 Default Zones, Interfaces, and Ports 7 1.3 Management Overview ...7 1.4 Web Configurator ...8 1.5 Stopping the ZyWALL ...19 1.6 Rack-mounting ...19 1.7 Front Panel ...20 How to Set Up Your Network ...21 2.1 Wizard Overview ...21 ...Policy Configuration ...60 Create Secure Connections Across the Internet 63 4.1 IPSec VPN ...63 4.2 VPN Concentrator Example ...65 4.3 Hub-and-spoke IPSec VPN Without VPN Concentrator 67 4.4 ZyWALL IPSec VPN Client Configuration Provisioning 69 4.5 SSL VPN ...73 4.6 L2TP VPN with Android, iOS, and Windows 75 4.7 One-Time Password Version ...
Page 5
You may also create IPv6 policy routes and IPv6 objects. Figure 1 Applications: Security Router IPv6 Routing The ZyWALL supports IPv6 Ethernet, PPP, VLAN, and bridge routing. Figure 2 Applications: IPv6 Routing VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can...
Page 6
... server. Figure 3 Applications: VPN Connectivity ***** OTP PIN SafeWord 2008 Authentication Server File Server Email Server Web-based Application SSL VPN Network Access SSL VPN lets remote users use VPN solution. A user just browses to the ZyWALL's web address and enters his... user name and password to securely connect to the ZyWALL's network. Here full tunnel mode creates a virtual connection for Web Configurator, Web access, SSL VPN, and ZyXEL IPSec VPN...
Page 12
... and statistics information. Session Monitor Displays the status of the ZyWALL's DDNS domain names. See the Web Help for each physical port. DDNS Status Displays the status of all current sessions. VPN Monitor IPSec Displays and manages the active IPSec SAs. Anti-...out individual users and delete related session information. Login Users Lists the users currently logged into the VPN SSL client portal. You can re-arrange to the ZyWALL. IDP Collect and display statistics on the dashboard. Traffic Statistics Collect and display traffic statistics. ...
Page 13
.... Zone Configure zones used to each supported interface. Session Limit Limit the number of IP addresses to which the ZyWALL does not apply IP/MAC binding. Static Route Create and manage IP static routing information. RIP Configure device-level RIP...virtual VLAN interfaces. Bridge Create and manage bridges and virtual bridge interfaces. Firewall Firewall Create and manage level-3 traffic rules. VPN ZyWALL USG100-PLUS User's Guide 13 Auth. System Protect Update system-protect signatures immediately or by a schedule. Tunnel Configure tunneling ...
Page 14
...-spam on or off and manage anti-spam policies. DNSBL Have the ZyWALL check e-mail against DNS Black Lists. Concentrator Combine IPSec VPN connections into a single secure network Configuration Provisioning Set who can retrieve VPN rule settings from the ZyWALL using the ZyWALL IPSec VPN Client. Common Manage traffic of allowed web sites that apply to...
Page 21
... connections and register your network in the CONFIGURATION navigation panel. Use these wizard screens to quickly configure an IPSec VPN or IPSec VPN configuration provisioning. ZyWALL USG100-PLUS User's Guide 21 Note: The tutorials featured here require a basic understanding of connecting to and using... the Web Configurator to set up your ZyWALL. CHAPTER 2 How to Set Up Your Network Here are examples of using the Web ...
Page 22
.... Figure 19 Ethernet Interface, Port Roles, and Zone Configuration Example 2.2.1 Configure a WAN Ethernet Interface You need to it. VPN Setup wizard (named WIZ_VPN). So you create a new zone and add WIZ_VPN to assign the ZyWALL's wan1 interface a static IP address of 1.2.3.4. • Add P5 (lan2) to apply specific security settings for a protected...
Page 23
Chapter 2 How to Set Up Your Network 2.2.2 Configure Port Roles Here is assigned to the IPSec_VPN zone. VPN Setup wizard. ZyWALL USG100-PLUS User's Guide 23 By default, it to take the P5 port from the Member box and click OK. Do the following to move ...
Page 24
See www.zyxel.com for cellular WAN (Internet) connections. Select the 3G device's entry and click Edit....provider (0000 in the User Configuration section. 4 Enter VPN as the new zone's name. Then you can configure firewall rules to apply specific security settings to this example). 24 ZyWALL USG100-PLUS User's Guide It is highly recommended that you...reverse the sequence. 1 Make sure the 3G device's SIM card is installed. 2 Connect the 3G device to one of the ZyWALL's USB ports. 3 Click Configuration > Network > Interface > Cellular. In this 3G connection. Leaving Zone set the Zone to ...
Page 26
... PPPoE or PPTP in order to send and receive IPv6 packets through the appropriate interface or VPN tunnel. Chapter 2 How to Set Up Your Network This way the ZyWALL can automatically balance the traffic load amongst the available WAN connections to enable auto-configuration and ...prefix delegation. • DHCPv6 Setting - Ethernet interfaces are the same as the ones for defining other interfaces and network policies. Although the ZyWALL is "transparent" in this if you need your service provider to access the Internet or another network. Basically, these Ethernet, PPP, VLAN,...
Page 45
... destined for the LAN zone. The firewall also limits the number of the networks. CHAPTER 3 Protecting Your Network These sections cover configuring the ZyWALL to protect your network. • Firewall on page 45 • User-aware Access Control on page 46 • Endpoint Security (EPS... patrol to control services using static port numbers. However, the firewall blocks Telnet traffic initiated from the DMZ. The firewall allows VPN traffic between or within the LAN zone and the firewall allows the response. Firewall rules can initiate a Telnet session from within zones...
Page 46
... or RADIUS must also enable the service in authenticating wireless clients, HTTP and HTTPS clients, IPSec gateways (extended authentication), L2TP VPN, and authentication policy. 3.2.1 What Can Go Wrong • The ZyWALL always authenticates the default admin account locally, regardless of users. When you create an interface, there is how to have configured...
Page 47
... myZyXEL.com account. Click Apply to create your service subscription. 1 You can directly create a myZyXEL.com account and register the ZyWALL on the reverse side of 1.4. • When authentication or SSL VPN policies use the endpoint security objects (Configuration > Auth. Fill in the fields marked in red in the list. 3.4 Device and...
Page 49
...). • Traffic through custom (non-standard) ports. This could be password-protected files or VPN traffic where the ZyWALL is FTP traffic. The ZyWALL scans whatever port number is specified for FTP in the Policies section. Chapter 3 Protecting Your Network 2 The policy configured ...in the previous step will display in the ALG screen. • ZIP file(s) within a ZIP file. ZyWALL USG100-PLUS User's Guide 49 For example, when you use FlashGet to download sections of a file using multiple connections. Select Enable AntiVirus and Anti...
Page 63
... also connect or disconnect IPSec VPN connections. • Use the VPN Gateway screens to manage the ZyWALL's VPN gateways. ZyWALL USG100-PLUS User's Guide 63 You can also activate or deactivate and connect or disconnect each VPN connection (each VPN gateway. • Use the VPN Connection screens to specify which IPSec VPN gateway an IPSec VPN connection policy uses, which...
Page 64
...physically disconnect these devices from the network before the ZyWALL encrypts them and check packets the ZyWALL receives after the ZyWALL decrypts them. If you enable this, make sure they trust each VPN tunnel. • Make sure the To-ZyWALL firewall rules allow IPSec VPN traffic to look at the other 's certificates....must create a policy route for both routers side-by-side. Here are being sent and received by the ZyWALL and remote IPSec router (for example, by a CA, make sure your new VPN connection. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50....
Page 65
...255.255.255.0 • Disable Policy Enforcement Policy Route ZyWALL USG100-PLUS User's Guide 65 This reduces the number of VPN connections to set up but VPN traffic cannot be transmitted through the VPN tunnel, check the routing policies to see if they are... Internet • Multiple SAs connecting through the VPN tunnels. 4.2 VPN Concentrator Example A VPN concentrator uses hub-and-spoke VPN topology to combine multiple IPSec VPN connections into one VPN rule to access branch A's network only. Here a VPN concentrator connects ZLD-based ZyWALLs at headquarters (HQ) and branch offices A...
Page 66
... 2 to an IPSec VPN concentrator. Branch Office B VPN Gateway (VPN Tunnel 2): • My Address: 10.0.0.3 • Peer Gateway Address: 10.0.0.1 VPN Connection (VPN Tunnel 2): • Local Policy: 192.168.12.0/255.255.255.0 • Remote Policy: 192.168.1.0/255.255.255.0 • Disable Policy Enforcement Policy Route 66 ZyWALL USG100-PLUS User's Guide Firewall • Block...