Manuale d’uso / di manutenzione del prodotto USG 300 del fabbricante ZyXEL
Vai alla pagina of 160
www .zyxel.com www .zyxel.com ZyW ALL USG Series Unified Security Gateway Copyright © 201 1 ZyXEL Communications Corporation V ersion 3.00 Edition 1, 12/2011 Default Login Details LAN IP Address https://192.
Videos ZyWALL USG 20-2000 U ser’s Guide 2 IMPORT ANT! READ CAREFULL Y BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. Related Document ation •Q u i c k S t a r t G u i d e The Quick Start Guid shows how to connect the ZyW ALL and access the W eb Configurator wizards.
Contents ZyWALL USG 20-2000 User’s Guide 3 Contents Introduction ................................................. ..................................................... ............. ........................ 5 1.1 Overview ................ .........
Contents ZyWALL USG 20-2000 U ser’s Guide 4 5.1 How to Configure Bandwidth M anagement ...... ................ ............. ................ ............. ................ ..... 103 5.2 How to Configure a Tr unk for W AN Load Balancing . ..........
ZyWALL USG 20-2000 User’s Guide 5 C HAPTER 1 Introduction 1.1 Overview This guide covers the Z yWALL USG series and re fers to all models as “Z yWALL” . Features and interface names vary by model. K ey feature diffe rences between Z yWALL models are as follows.
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 6 Figure 1 Applications: Security Router IPv6 Routing The ZyW ALL supports IPv6 Ethernet, P PP , VLAN, and bridge routing. Y ou may also create IPv6 policy routes and IPv6 objects. The Z yW ALL can also route IPv6 packets throu gh IPv4 networks using different tunneling methods.
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 7 SSL VPN Network Access SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the Z yWALL’ s web address and enters his user name and password to securely connect to the Z yWALL’ s network.
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 8 1.2 Default Zones, Interfaces, and Port s The default configur ations for zones, interfaces, an d ports are as follows. R eferences to interfaces may be generic r ather than the specific name used in y our model.
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 9 1.3 Management Overview Y ou can manage the Z yW ALL in the following ways. Web Configurator The W eb Configur ator allows easy ZyW ALL setup an d management using an Internet browser . This User’s Guide provides informat ion about the W eb Configur ator .
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 10 Command-Line Interface (CLI) The CLI allows you to use text -based commands to configure the Z yWALL. Access it using remote management (for example, SSH or T elnet) or via the physical or W eb Configurator console port.
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 11 3 T ype the user name (default: “adm in”) and password (default: “1234”). If you hav e a O TP (One- Time P assword) token gener ate a number and enter it in the One-Time Password field.
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 12 1.4.2 Web Configurator Introduction V ideo Use Adobe Reader 9 or later or a recent v ersion of Fo xit Reader to play this video. After clicking play , you may need to confirm that you want to play the content and click pla y again.
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 13 The title bar icons in the upper right corner pro vide the following functions. 1.4.4 Navigation Panel Use the navigation panel menu item s to open status and configuratio n screens.
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 14 Configuration Menu Use the configur ation menu screens to configure the Z yW ALL’ s features. T r affic Statistics Collect and display tr affic statistics. Session Monitor Displays the st atus of all current sessions.
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 15 Interface Port Grouping Configure physical port groups. Port R ole Use this scre en to set t he ZyW ALL ’ s flexible ports as LAN1, WLAN, or DMZ. Ethernet Manage Ethernet interfaces an d virtual Ethernet interfaces.
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 16 AppPatrol General Enable or disable traffi c mana gement by application and see registration and sign ature information. Common Manage traffic of the m ost commonly used web , file tran sfer and e- mail protocols.
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 17 User/Group User Create and manage users. Group Create and manage groups of users. Setting Manage default settings for all us ers, general s ettings for user sessions, and rules to fo rce user authent ication.
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 18 Maintenance Menu Use the maintenance menu screens to manage configur ation and firmw are files, run diagnostics, and reboot or shut down the Z yW ALL. 1.4.5 T ables and List s W eb Configur ator tables and lists are flexible with sev eral options for how to display their entries.
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 19 • Group entries by field • Show entries in groups • Filter by mathematical operators (<, >, or =) or searching for text Figure 12 Common T able Column Options Select a column heading cell’s right bo rder and drag to re-size the column.
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 20 Figure 16 Common T able Icons Here are descriptions for the most common table icons. Working with List s When a list of available entries displays next to a list of selected entries, you can often just double- click an entry to mov e it from one list to the other .
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 21 1.5 S topping the ZyW ALL Always use Maintenance > Shutdown > Shu tdown or the shutdown command before you turn off the Z yWALL or r emove the power . Not doing so can cause the firmw are to become corrupt.
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 22 1.7 W all-mounting See T able 1 on page 5 for the ZyW ALL USG models that can be wall-mou nted. Do the following to attach your Z yW ALL to a wall. 1 Screw two screws with 6 mm ~ 8 mm (0.24" ~ 0.
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 23 Figure 18 ZyW ALL Front Panel 1.8.1 Dual Personality Interfaces A dual personality interface is a 1000Base- T/min i-GBIC combo port. For each interface you can connect either to the 1000Base- T port or the mini -GBIC port.
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 24 auto-crossover (auto-MDI/MDI - X) port automatically works with a straight -through or crossov er Ethernet cable.
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 25 1 Press down on the top of the fiber-optic cable where it connects to the tr ansceiver to release it. Then pull the fiber- optic cable out. 2 Open the transceiver’ s latch (latch styles vary).
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 26 1.8.3 Front Panel LEDs The following tables describe the LEDs. T able 8 ZyWALL USG 20 ~ USG 100 0 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The ZyW ALL is turned off . Green On The Z yWALL is turned on.
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 27 SYS Off The ZyW ALL is turned off . Green On The ZyW ALL is ready and operating normally . Flashing The ZyW ALL is self-testing. Red On The ZyW ALL is malfunctioning. AUX Off The AUX port is not connected.
Chapter 1 Introductio n ZyWALL USG 20-2000 U ser’s Guide 28.
ZyWALL USG 20-2000 User’s Guide 29 C HAPTER 2 How to Set Up Your Network Here are examples of using the W eb Configurator to set up your network in the Zy WALL. Note: The tutorials featured here require a basic understanding of connecting to and using the W eb Configurator , see Section 1.
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 30 •T h e wan1 interface uses a static IP address of 1.2.3.4. •A d d P5 (lan2) to the DMZ interface (Note: In USG 20/20W , use P4 (lan2) instead of P5 in th is example). The DMZ interface is used for a protected local network.
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 31 2.2.2 Configure Port Roles Here is how to take the P5 port from the lan2 interface and add it to the dmz interface. 1 Click Configuration > Network > Interface > Port Role .
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 32 3 Back to the Configuration > Network > Zone screen and click Add in the User Configuration section . 4 Enter VPN as the new zone’ s name. Select WIZ_VPN and move it to the Member box and click OK .
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 33 Note: The Network Selection is set to auto by default. Thi s means that the 3G USB modem may connect to another 3G net work when your service provider is not in rang e or when necessary .
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 34 This way the Z yW ALL can automatically balance the traffic load am ongst the available W AN connections to enhance ov erall network throughput. Plus, if a WAN connection goes down, the Z yWALL still sends traffic through the remaining W AN connections.
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 35 2 Edit this screen as follows. A (internal) name for the WLAN interface displa ys. Y ou can modify it if you w ant to. The Z yWALL’ s security settings are configured by zo nes.
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 36 4 Configure your wireless clients to connect to the wireless network. 2.4.2.1 Wireless Client s Import the ZyW ALL’ s Certificate Y ou must import the ZyW ALL’ s certificate into the wireless clients if they are to validate the Z yW ALL’ s certif icate.
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 37 The My Certificates screen indicates what type of information is being displayed, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 38 T able 10 Ethernet, PPP, VL AN, Bridge and Po licy Routing Screen Relationships Since firmware version 3.
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 39 2.6.1 Setting Up th e W AN IPv6 Interface 1 In the CONFIGURATION > Network > Interface > Ethernet screen’ s IPv6 Configuration section, double-click the wan1 . 2 The Edit Ethernet screen appears.
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 40 Y ou have completed the settings on the Z yW ALL. But if you want to request a network address prefix from your IS P for your computers on the LAN, you can configure prefix delegation (see Section Section 2.
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 41 2.6.3 Pure IPv6 Routing Video Example Use Adobe Reader 9 or later or a recent v ersion of Fo xit Reader to play this video. After clicking play , you may need to confirm that you want to play the content and click pla y again.
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 42 Figure 23 Pure IPv6 Network Example Using Prefix Delegation 2.6.4.2 Setting Up the W AN IPv6 Interface 1 In the Configuration > Network > Interface > Ethernet scre en’ s IPv6 Configuration section, double-click the wan1 .
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 43 2.6.4.3 Setting Up the LAN Interface 1 In the Configuration > Network > Interface > Ethern et screen, double-click the lan1 in the IPv6 Configuration section. 2 The Edit Ethernet screen appears.
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 44 2.6.5 T est 1 Connect a computer to the Z yW ALL’s LAN1..
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 45 2 Enable IPv6 support on you computer . In Windows XP , you nee d to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. Y ou can enable IPv6 in the Control Panel > Network and Sharing Center > Local Area Connection screen.
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 46 2.6.7 What Can Go Wrong? 1 If you forgot to enable Auto-Configuration on the W AN1 IPv6 interface, you will not have an y default route to forward the LAN’ s IPv6 packets.
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 47 Figure 25 6to4 T unnel Configuration Concept 2.7.2 Setting Up th e LAN IPv6 Interface 1 In the CONFIGURATION > Network > Interface > Ethernet screen’ s IPv6 Configuration section, double-click the lan1 .
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 48 2.7.3 Setting Up the 6to4 T unnel 1 Click Add in the CONFIGURATION > Network > Interface > Tunnel screen. 2 The Add Tunnel screen appears. Select Enable . Enter tunnel0 as the Interface Name and select 6to4 as the Tunnel Mode .
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 49 2.7.5 Set Up an IPv6 6t o4 T unnel V ideo Example Use Adobe Reader 9 or later or a recent v ersion of Fo xit Reader to play this video. After clicking play , you may need to confirm that you want to play the content and click pla y again.
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 50 Note: For 6to4, y ou do not need to enable IPv6 in the wan1 since the IPv6 pack ets will be redirected into the 6to4 tunnel. 3 In Windows, some IPv6 related tunnels may be enabled by default such as T eredo and 6to4 tunnels.
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 51 2.8.3 Setting Up the LAN IPv6 Interface 1 Select lan1 in the IPv6 Configuration section in the CONFIGURATION > Network > Interface > Ethernet screen and click Edit . 2 The Edit Ethernet screen appears.
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 52 2.8.4 Setting Up the Policy Route 1 Go to the CONFIGURATION > Network > Routing screen and click Add in the IPv6 Configuration table. 2 The Add Policy Route screen appears.
Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide 53 2.8.5 T esting the IPv6-in-IPv4 T unnel 1 Connect a computer to the Z yWALL’ s LAN1. 2 Enable IPv6 support on you computer . In Windows XP , you nee d to use the IPv6 install command in a Command Prompt.
Chapter 2 How to Se t Up Your Network ZyWALL USG 20-2000 U ser’s Guide 54 2.8.6 Set Up an IPv6-in-IPv4 T unnel Video Example Use Adobe Reader 9 or later or a recent v ersion of Fo xit Reader to play this video. After clicking play , you may need to confirm that you want to play the content and click pla y again.
ZyWALL USG 20-2000 User’s Guide 55 C HAPTER 3 Protecting Your Network These sections cover configuring the Z yWALL to protect your network. • Firewall on page 55 • User-aw are Access Control on .
Chapter 3 Protecti ng Your Network ZyWALL USG 20-2000 U ser’s Guide 56 3.1.1 What Can Go Wrong • The Z yWALL checks the firew all rules in order and applies the first firewall rule the tr affic matches.
Chapter 3 Protecting Your Network ZyWALL USG 20-2000 User’s Guide 57 3.3 End p oint Security (EPS) Use endpoint security objects with authentication policies or SSL VPN to make sure users’ computers meet specific security requirements before they are allowed to access the network.
Chapter 3 Protecti ng Your Network ZyWALL USG 20-2000 U ser’s Guide 58 3.5 Anti-V irus Policy Configuration This tutorial shows you how to configure an Anti- Virus policy . Note: Y ou need to first activ ate your Anti- Virus service license or trial.
Chapter 3 Protecting Your Network ZyWALL USG 20-2000 User’s Guide 59 2 The policy configured in the prev ious step will display in the Policies section.
Chapter 3 Protecti ng Your Network ZyWALL USG 20-2000 U ser’s Guide 60 3.6 IDP Profile Configuration IDP (Intrusion, Detection and Prevention) detects malicious or suspicious packets and protects against network -based intrusions. Note: Y ou need to first activate your IDP service license or trial.
Chapter 3 Protecting Your Network ZyWALL USG 20-2000 User’s Guide 61 3 Edit the default log options and actions. 3.7 ADP Profile Configuration ADP (Anomaly Detection and Prevention) protects ag ainst anomalies based on violations of protocol standards (RFCs – R equests for Comments) and abnormal traffic flows such as port scans.
Chapter 3 Protecti ng Your Network ZyWALL USG 20-2000 U ser’s Guide 62 1 Click Configuration > Anti-X > ADP > Profile and in the Profile Management section of this screen, click the Add icon. A pop-up screen will appear allowing you to choose a base profile.
Chapter 3 Protecting Your Network ZyWALL USG 20-2000 User’s Guide 63 3 Click the Protocol Anomaly tab. T ype a new profile Name . Enable or disable individual rules by selecting a row and clicking Activate or Inactivate . Edit the default log options and actions by selecting a row and maki ng a selection in the Log or Acti on drop-down menus.
Chapter 3 Protecti ng Your Network ZyWALL USG 20-2000 U ser’s Guide 64 3.8 Content Filter Profile Configuration Content filter allows you to control access to specific web sites or filter web content by checking against an external database. This tutorial show s you how to configure a Content Filt er profile.
Chapter 3 Protecting Your Network ZyWALL USG 20-2000 User’s Guide 65 2 Click the General tab and in the Policies section click Add . In the Add Policy screen that appears, select the Filter Profile you created in the previous step. Click OK . 3 In the General screen, the configured policy will appear in the Policies section.
Chapter 3 Protecti ng Your Network ZyWALL USG 20-2000 U ser’s Guide 66 3.8.1 Content Filtering Video Example Use Adobe Reader 9 or later or a recent v ersion of Fo xit Reader to play this video. After clicking play , you may need to confirm that you want to play the content and click pla y again.
Chapter 3 Protecting Your Network ZyWALL USG 20-2000 User’s Guide 67 2 A welcome screen displays. Click your Z y W ALL’s model n ame and/or MAC address under Registered ZyXEL Products (the Z yW ALL 20W is shown as an example here). Y ou can change the descriptive name for your Z yWALL using the Renam e button in the Service Management screen.
Chapter 3 Protecti ng Your Network ZyWALL USG 20-2000 U ser’s Guide 68 4 In the Web Filter Home screen, click Commtouch Report or BlueCoat Report . 5 Select items under Global Reports to view the corresponding reports.
Chapter 3 Protecting Your Network ZyWALL USG 20-2000 User’s Guide 69 7 A chart and/or list of requested web site cate gories display in the lower half of the screen. 8 Y ou can click a category in the Categories re p o rt o r c li c k URLs in the Report Home screen to see the URLs that were requested.
Chapter 3 Protecti ng Your Network ZyWALL USG 20-2000 U ser’s Guide 70 3.10 Anti-S p am Policy Configuration This tutorial shows you how to configure an Anti-Spam policy with Mail Scan functions and DNS Black List (DNSBL).
Chapter 3 Protecting Your Network ZyWALL USG 20-2000 User’s Guide 71 3 Click the General tab. In the Policy Summary section, click Add to display the Add rule screen. Select from the list of available Scan Options and click OK to return to the General screen.
Chapter 3 Protecti ng Your Network ZyWALL USG 20-2000 U ser’s Guide 72.
ZyWALL USG 20-2000 User’s Guide 73 C HAPTER 4 Create Secure Connections Across the Internet These sections cover using VPN to create secure connections across the Internet.
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 74 4.1.3 What Can Go Wrong If the IPSec tunnel does not build properly , the problem is likely a configuration error at one of the IPSec routers. Log into both IPSec routers and check the settings in each field methodically and slowly .
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 75 • Multiple SAs connecting through a secure gateway must ha ve the same negotiation mode.
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 76 • Source: 192.168.11.0 • Destination: 192.168.12. 0 • Next Hop: VPN T unnel 1 Headquarters VPN Gateway (VPN T unnel 1): • My Address: 10.0.0.1 • Peer Gatew ay Address: 10.
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 77 • Source: 192.168.12.0 • Destination: 192.168.11. 0 • Next Hop: VPN T unnel 2 4.2.1 What Can Go Wrong Consider the following when using the VPN concentrator .
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 78 • Primary R emote Gateway: 10.0.0.1 Network Policy (Phase 2): Local Network: 192 .168.167.0/255.255.255 .0; Remote Network: 192.168.168.0~192. 168.169.255 Headquarters (ZLD-based ZyW ALL): VPN Gateway (VPN T unnel 1): • My Address: 10.
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 79 • The hub router must have at least one separate VPN rule for each spoke. In the local policy , specify the IP addresses of the hub-and-spoke netw orks with which the spoke is to be able to have a VPN tunnel.
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 80 Now user Charlotte can access the network behind the ZyW A LL through the VPN tunnel.
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 81 6 Click OK . The rule settings are now imported from th e Z yWALL into the Z yWALL IPSec VPN Client.
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 82 4.4.3 ZyW ALL IPSec VPN Client Conf iguration Provisioning V ideo Example Use Adobe Reader 9 or later or a recent v ersion of Fo xit Reader to play this video.
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 83 • There’ s a network connectivity problem between the Z yWALL and the Z yWA LL IPSec VPN Client: Check that the correct ZyW ALL IP address and HTTPS port (if the default port was changed) was e nte red .
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 84 4.5.1 SSL VPN V ideo Example Use Adobe Reader 9 or later or a recent v ersion of Fo xit Reader to play this video. After clicking play , you may need to confirm that you want to play the content and click pla y again.
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 85 • Using RDP requires Internet Explorer • Sun’ s Runtime Environment (JRE) v ersion 1.6 or later installed and enabled. • Changing the HT TP/HT TPS configuration disconne cts S SL VPN network extension sessions.
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 86 Do the following to config ure the L2TP VPN example: 1 Click Configuration > VPN > IPSec VPN > VPN Gateway and double-click the Default_L2TP_VPN_GW entry .
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 87 3 Click Configuration > VPN > L2TP VPN and then Create New Object > Address to create an IP address pool for the L2TP VPN clients. This example uses L2TP_POOL with a range of 192.
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 88 T o manage the Z yWALL through the L2TP VPN tu nnel, create a routing policy that sends the Z yWALL’ s return traffic back through the L2TP VPN tunnel. •S e t Incoming to ZyWALL.
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 89 •S e t t h e Next-Hop Type to Trunk an d select the appropriate WAN trunk.
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 90 4.6.3 Configuring L2TP VPN on the ZyW ALL Vide o Example Use Adobe Reader 9 or later or a recent v ersion of Fo xit Reader to play this video. After clicking play , you may need to confirm that you want to play the content and click pla y again.
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 91 4.6.5 Configuring L2TP VPN in iOS T o configure L2TP VPN in an iOS device, go to Settings > VPN > Add VPN Configuration > L2TP and configure as follows.
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 92 5 Enter your Z yWALL user name an d password and click Create . 6 Click Close . Configure the Connection Object 1 In the Network and Sharing Center screen, click Connect to a network .
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 93 3 Select Use preshared key for authentication and enter the pre-shared key of the VPN gateway entry the Z yWALL is using for L2TP VP N (top-secret in this example).
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 94 2 A window appears while the user name and password are verified. The Connect to a network screen shows Connected after the L2TP ov er IPSec VPN tunnel is built.
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 95 6 Access a server or other network resource behind the Z yW ALL to make sure your access works. 4.6.6.2 Configuring L2TP VPN in Windows 7 V ideo Example Use Adobe Reader 9 or later or a recent v ersion of Fo xit Reader to play this video.
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 96 4.6.6.3 Configuring L2TP in Windows XP In Windows XP , first issue the following comman d from the Windows command prompt (including the quotes) to make sure the computer is running the Microsoft IPSec service.
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 97 6 Select Do not dial the init ial connection and click Next . 7 Enter the domain name or W AN IP address configured as the My Address in the VPN gatew ay configuration that the Z yW ALL is using for L2TP VPN (172.
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 98 11 Select Optional encryption (connect even if no encryption) and the Allow thes e protocols radio button. Select Unencryp ted password (PAP) and clear all of the other check boxes.
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 99 15 Enter the user name and password of your Z yW ALL account. Click Connect . 16 A window appears while the user name and password are verified. 17 A ZyW ALL-L2TP icon displays in y our system tra y .
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 100 19 Access a server or other network resource behind the Z yW ALL to make sure your access works.
Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide 101 1 Install the SafeW ord 2008 authentication server software on a compu ter . 2 Create user accounts on the ZyW ALL and in the SafeW ord 20 08 authentication server .
Chapter 4 Create Se cure Connections Across the Internet ZyWALL USG 20-2000 U ser’s Guide 102.
ZyWALL USG 20-2000 User’s Guide 103 C HAPTER 5 Managing Traffic These sections cover controlling the tr affic going through the Z yWALL. • How to Configure Bandwidth Management on page 103 • How.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 104 5.1.1 Bandwid th Allocation Example Say a 10-person office has WAN1 connected to a 50 Mbps downstre am and 5 Mbps upstream VDSL line a.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 105 • Inbound and outbound traffic are both guar anteed 1000 kbps and limited to 2000 kbps. Figure 37 SIP Any-to- W AN Guaranteed / Maximum Bandwidths Example 1 In the Configuration > BWM screen, click Add .
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 106 Figure 38 HT TP Any-to- W AN Bandwidth Management Example 1 In the Configuration > BWM screen, click Add . 2 In the Add Policy screen, select Enable and type HTTP Any-to-WAN as the policy’ s name.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 107 5.1.6 FTP W AN-to-DMZ Bandwi d th Management Example Suppose the office has an FTP server on the DMZ. Here is how to limit WAN1 to DMZ FTP traffic so it does not interfere with SIP and HT TP tr affic.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 108 5.1.7 FTP LAN-to-DMZ Band wid th Management Example FTP traffic from the LAN1 to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but giv e it lower priority and limit it to av oid interference with other traffic.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 109 1 In the Configuration > BWM screen, click Add . 2 In the Add Policy screen, select Enable and type FTP LAN-to-DMZ as the policy’ s name. Select lan1 as the incoming interface and dmz as the outgoing interface.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 11 0 5.1.8 Bandwid th Management V ideo Example Use Adobe Reader 9 or later or a recent v ersion of Fo xit Reader to play this video. After clicking play , you may need to confirm that you want to play the content and click pla y again.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 111 respectively . As these connections have different bandwidth, use the Weighted Round Robin algorithm to send traffic to w an1 and wan2 (or cellular1) in a 2:1 ratio.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 11 2 2 Repeat the process to set the egress bandwidth for wan2 to 512 Kbps. 3 For 3G interface settings, go to Configuration > Network > Interface > Cellular . Double-click the cellular1 entry and set the egress bandwidth for cellular1 to 512 Kbps.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 11 3 3 Select the trunk as the default trunk and click Apply . 5.3 How to Use Multiple S t atic Public W AN IP Addresses for LAN-to-W AN T .
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 11 4 5.3.2 Configure the Policy Route Now you need to configure a policy rou te that has the Z yWALL use the r ange of public IP addresses as the source address for W AN to LAN traffic. Click Configuration > Network > Routing > Policy Route > Add (in IPv4 Confi guration ).
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 11 5 Management Access IP Addresses For each interface y ou can configure an IP address in the same subnet as the interface IP address to use to manage the Z yW ALL whether it is the master or the backup.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 11 6 5.4.2 Before Y ou S t art ZyW A L L A should already be configured. Y ou will use device HA to copy ZyW ALL A ’ s settings to B later (in Section 5.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 11 7 4 Click the General tab, enable device HA, and click Apply . 5.4.4 Configure the Backup ZyW ALL 1 Connect a computer to Z yW ALL B ’ s LAN interface and log into its W eb Configur ator .
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 11 8 4 Set the Device Rol e to Backup . Activate monitoring for the LAN and WAN interfaces. Set the Synchronization Server Address to 192.168.1 .1, the Port to 21, and the Password to “myS yncPassword” .
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 11 9 5.4.5 Depl oy the Backup ZyW ALL Connect Z yWALL B ’ s LAN interface to the LAN network. Connect Z yW ALL B ’ s WAN interface to the same router that Z yW ALL A ’s WA N interface uses for I nternet access.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 120 2 Click Add in the Configuration table. The following screen appears. Select Enable , enter *.example.com as the Query Domain Name . Enter 300 in the Time to Live field to have DNS query senders keep the resolved DNS entries on their computers for 5 minutes.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 121 5.6 How to Allow Public Access to a W eb Server This is an example of making an HT TP (web) serv er in the DMZ z one accessible from the Internet (the W AN zone). In this example you have public IP address 1.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 122 5.6.2 Set Up a Firewall Rule Create a firewall rule to allow the public to send HT TP tr affic to IP address 1.1.1.1 in order to access the HT TP server . If a domain name is registered for IP address 1.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 123 5.6.3 What Can Go Wrong • The Z yWALL checks the firew all rules in order and applies the first firewall rule the tr affic matches. If traffic matches a rule that comes ea rlier in the list, it may be unexpectedly blocke d.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 124 Figure 47 Configuration > Network > AL G 5.7.1.2 Set Up a NA T Policy For H.323 In this example, you need a NA T policy to forward H.323 (TCP port 1720) traffic received on the Z yWALL’ s 10.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 125 5.7.1.3 Set Up a Firewall Rule For H.323 Configure a firewall rule to allow H.323 (TCP port 1720) tr affic received on the WAN_IP-for -H323 IP address to go to LAN IP address 192.168.1.56.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 126 5.7.2 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet (the W AN zone). In this example you have public IP address 1.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 127 5.7.2.2 Set Up a NA T Policy for the IPPBX Click Configuration > Network > NAT > Add > Create New O bject > Address and create an IPv4 host address object for the IPPBX’s priv ate DMZ IP address of 1 92.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 128 5.7.2.4 Set Up a DMZ to LAN Firewall Rule for SIP The firewall blocks tr affic from the DMZ zone to th e LAN1 z one by default so you need to create a firewall rule to allow the IPPBX to send SIP tr affic to the SIP clients on the LAN.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 129 5.8 How to Limit W eb Surfi ng and MSN to S pecific People The following is an example of using application patrol (AppP atrol) to enforce web surfing and MSN policies for the sales department of a company .
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 130 5 Click the Add icon in the policy list. In the new policy , select Sales as the user group allowed to browse the web. (The user group should be set in the Configuration > Object > User/Group > Group > Add screen.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 131 4 Now you will need to set up a recurring schedule object first. Click Configur ation > Object > Schedule . Click the Add icon for recurring schedules. 5 Give the schedule a descriptive name such as WorkHours .
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 132 Now only the sales group may use MSN during work hours on week days..
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 133 5.8.3 AppPatrol Video Example Use Adobe Reader 9 or later or a recent v ersion of Fo xit Reader to play this video. After clicking play , you may need to confirm that you want to play the content and click pla y again.
Chapter 5 Managing Traffic ZyWALL USG 20-2000 U ser’s Guide 134.
ZyWALL USG 20-2000 User’s Guide 135 C HAPTER 6 Maintenance These sections cover managing and maintaining the Z yWALL. • How to Allow Management Service from W AN on page 135 • How to Use a RADIU.
Chapter 6 Mai ntenance ZyWALL USG 20-2000 U ser’s Guide 136 2 Check the Admin Service Control and User Service Control sections: • accept under Action means that the user is to access the Z yW ALL from the specified computers. • ALL under Zone me ans that all Z yWALL z ones are allowed to use this service.
Chapter 6 Maintenance ZyWALL USG 20-2000 User’s Guide 137 In the Edit Fire wall Rule screen, you can also configure a schedule object, address object, or apply it to certain a user/user group. Refer to 24.1.4 Firewall Rule Configuration Example for details on firewall configuration.
Chapter 6 Mai ntenance ZyWALL USG 20-2000 U ser’s Guide 138 6.2 How to Use a RADIUS Se rver to Authenticate User Account s based on Group s The previous example showed how to have a RADIUS server authenticate individual user accounts.
Chapter 6 Maintenance ZyWALL USG 20-2000 User’s Guide 139 3 Repeat the steps above if you need to add other user groups. 6.3 How to Use SSH fo r Secure T elnet Access This section shows two examples using a command interface and a gr aphical interface SSH client program to remotely access the Z yW ALL.
Chapter 6 Mai ntenance ZyWALL USG 20-2000 U ser’s Guide 140 6.3.2 Example 2: Linux This section describes how to access the Z yW ALL using the OpenSSH client progr am that comes with most Linux distributions. 1 T est whether the SSH service is available on the Z yW ALL.
Chapter 6 Maintenance ZyWALL USG 20-2000 User’s Guide 141 The default configur ation files are: • system-default.conf: This file contains all of the Z yWALL settings. If you apply this file, the Z yWALL’ s default IP address and password will be restored.
Chapter 6 Mai ntenance ZyWALL USG 20-2000 U ser’s Guide 142 Y ou can find and download the latest firmware pa ckage for th e Zy WALL at www .zyxel.com in a *.zip file. After you unzip the file, you will find sev eral files contained in the package. The file that you should use for firmware upload is a *.
Chapter 6 Maintenance ZyWALL USG 20-2000 User’s Guide 143 6.6.1 What Can Go Wrong When you run a shell script, the Z yWALL processes th e file line-by-line. The ZyW ALL checks the first line and applies the line if no errors are detected . Then it continues with the next line.
Chapter 6 Mai ntenance ZyWALL USG 20-2000 U ser’s Guide 144 5 Use the handle to slide out the power module an d remove it. 6 Install the new ZyW ALL power module.
Chapter 6 Maintenance ZyWALL USG 20-2000 User’s Guide 145 8 Connect the power cord to the new Z yWALL power module. 9 Reconnect the power cord to the power outlet. 10 Push the Z yWALL power module switch to the on position. 6.8 How to Save System L ogs to a USB S torage Device The Z yWALL uses the memory space to store syst em logs.
Chapter 6 Mai ntenance ZyWALL USG 20-2000 U ser’s Guide 146 2 Go to Configuration > Syst em > USB S torage , select Activate USB storage service and click Apply to allow the ZyW ALL to save diagn ostic data to the connected USB device.
Chapter 6 Maintenance ZyWALL USG 20-2000 User’s Guide 147 5 In the Configuration > Log & Report > Log Setting screen, select the USB Storage entry again and click Activate . Click Apply to have the Z yW ALL start recording system logs to the USB device.
Chapter 6 Mai ntenance ZyWALL USG 20-2000 U ser’s Guide 148 6.8.1 What Can Go Wrong? • Before you physically remove a connected USB device, go t o Monitor > System Status > USB Storage and click Remove Now . • If you w ant to use the USB device and you hav e not physically remove it, click Use It in the same screen to mount the device.
Chapter 6 Maintenance ZyWALL USG 20-2000 User’s Guide 149 2 Go to Configuration > Syst em > USB S torage , select Activate USB storage service and click Apply . 3 In the Maintenance > Dia gnostics > Collect screen, select Copy the diagnostic file to USB storage .
Chapter 6 Mai ntenance ZyWALL USG 20-2000 U ser’s Guide 150 2 Click the St op button to end the packet-capture session when you think y ou have captured enough packets. How long it may take depends on the pack et type and network behavior that you w ant to capture.
Chapter 6 Maintenance ZyWALL USG 20-2000 User’s Guide 151 The Z yWALL uses the flash space to store packet capture files. Once the flash is full, the Z yWALL stops generating the file or has new captured packets o verride old packets depending on your setting.
Chapter 6 Mai ntenance ZyWALL USG 20-2000 U ser’s Guide 152 Figure 51 Packet Capture File Example 6.1 1 How to Get the ZyW ALL’ s Core Dump File When a process fails in the Z yWALL, it automatically gener ates a core dump file. Y ou can do the following to download it and pr ovide it to customer support.
Chapter 6 Maintenance ZyWALL USG 20-2000 User’s Guide 153 1 Insert a USB storage device to any USB por t on your Z yWALL. In the Monitor > System Status > USB Storage screen, make sure the USB device’s file system doesn’t display “unknown” .
Chapter 6 Mai ntenance ZyWALL USG 20-2000 U ser’s Guide 154.
ZyWALL USG 20-2000 User’s Guide 155 A PPENDIX A Legal Information Copyright Copyright © 2011 by Z yXEL Communicat ions Corporat ion. Th e co n te n ts o f t h is p ub l ic a t io n m a y n o t b e .
Appendix A Legal Information ZyWALL USG 20-2000 U ser’s Guide 156 Cet appareil numéri que de la classe B es t conforme à la no rme NMB-003 du Ca nada. Certifications (Cla ss A for ZyW ALL USG 300, 1000, and 2000) Federal Commu nications Commission (FCC) Inter ference St atement This device co mplies with Part 15 of FC C rules.
Appendix A Legal Informa tion ZyWALL USG 20-2000 User’s Guide 157 Regulatory Information European Union The following i nformation applies if you use the prod uct within the Europ ean Union. Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive) Compliance I nformation for 2.
Appendix A Legal Information ZyWALL USG 20-2000 U ser’s Guide 158 Ce produit peut être utilisé dans tous les pays de l’UE (et da ns tous les pays ayan t tr ansposés la di rective 1999/5/CE) san.
Appendix A Legal Informa tion ZyWALL USG 20-2000 User’s Guide 159 • Do NOT o pen the device or unit. Opening or removing c overs can expos e you to dangerous high voltage poi nts or other risks. ONL Y qualified servi ce personnel s hould service or disas semble this de vice.
Appendix A Legal Information ZyWALL USG 20-2000 U ser’s Guide 160.
Un punto importante, dopo l’acquisto del dispositivo (o anche prima di acquisto) è quello di leggere il manuale. Dobbiamo farlo per diversi motivi semplici:
Se non hai ancora comprato il ZyXEL USG 300 è un buon momento per familiarizzare con i dati di base del prodotto. Prime consultare le pagine iniziali del manuale d’uso, che si trova al di sopra. Dovresti trovare lì i dati tecnici più importanti del ZyXEL USG 300 - in questo modo è possibile verificare se l’apparecchio soddisfa le tue esigenze. Esplorando le pagine segenti del manuali d’uso ZyXEL USG 300 imparerai tutte le caratteristiche del prodotto e le informazioni sul suo funzionamento. Le informazioni sul ZyXEL USG 300 ti aiuteranno sicuramente a prendere una decisione relativa all’acquisto.
In una situazione in cui hai già il ZyXEL USG 300, ma non hai ancora letto il manuale d’uso, dovresti farlo per le ragioni sopra descritte. Saprai quindi se hai correttamente usato le funzioni disponibili, e se hai commesso errori che possono ridurre la durata di vita del ZyXEL USG 300.
Tuttavia, uno dei ruoli più importanti per l’utente svolti dal manuale d’uso è quello di aiutare a risolvere i problemi con il ZyXEL USG 300. Quasi sempre, ci troverai Troubleshooting, cioè i guasti più frequenti e malfunzionamenti del dispositivo ZyXEL USG 300 insieme con le istruzioni su come risolverli. Anche se non si riesci a risolvere il problema, il manuale d’uso ti mostrerà il percorso di ulteriori procedimenti – il contatto con il centro servizio clienti o il servizio più vicino.