Zyxel ZyWALL USG FLEX 50 USG FLEX Firewall
IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.
Related Documentation support.zyxel.com
Document Conventions Warnings and Notes Warnings tell you about things that could harm you or your device. Syntax Conventions Network > Interface > Ethernet Network Interface Icons Used in Figures bold Configuration Ethernet Configuration >

Contents Overview

Document Conventions
Contents Overview
Table of Contents
Part I: User's Guide
Chapter 1 Introduction
Chapter 2 Initial Setup Wizard
Chapter 3 Hardware, Interfaces and Zones
Chapter 4 Easy Mode
Chapter 5 Quick Setup Wizards
Chapter 6 Dashboard
Part II: Technical Reference
Chapter 7 Monitor
Chapter 8 Licensing
Chapter 9 Wireless
Chapter 10 Interfaces
Chapter 11 Routing
Chapter 12 DDNS
Chapter 13 NAT
Chapter 14 Redirect Service
Chapter 15 ALG
Chapter 16 UPnP
Chapter 17 IP/MAC Binding
Chapter 18 Layer 2 Isolation
Chapter 19 DNS Inbound LB
Chapter 20 IPSec VPN
Chapter 21 SSL VPN
Chapter 22 L2TP VPN
Chapter 23 BWM (Bandwidth Management)
Chapter 24 Web Authentication
Chapter 25 Security Policy
Chapter 26 Content Filter
Chapter 27 Anti-Spam
Chapter 28 Object
Chapter 29 Mgmt. & Analytics
Chapter 30 System
Chapter 31 Log and Report
Chapter 32 File Manager
Chapter 33 Diagnostics
Chapter 34 Packet Flow Explore
Chapter 35 Shutdown
Part III: Appendices and Troubleshooting
Chapter 36 Troubleshooting

PART I User's Guide 1.1 Overview CHAPTER 1 Introduction 1.1.1 Model Feature Differences FEATURE/MODEL USG FLEX 50 (USG20-VPN) USG FLEX 20W (USG20W-VPN) FEATURE/MODEL USG FLEX 50 (USG20-VPN) USG FLEX 20W (USG20W-VPN) 1.2 On Premises Mode Initial Setup Wizard On Premises Mode Figure 1 Nebula Mode 1.3 Nebula Mode Initial Setup Wizard Figure 2 Nebula Mode On Premises Mode 1.3.1 NCC Portal https://nebula.zyxel.com Go Let's Start Native Mode Native Mode 1.3.2 Your Zyxel Device WAN LAN SYS Maintenance > File Manager > Configuration File Download startup-config.conf Native Mode 1.3.3 Your Email Account for ZTP Native Mode Reset 1.4 Change the Mode Nebula Mode On Premises Mode On Premises Mode Nebula Mode 1.4.1 From Nebula Mode to On Premises Mode https://nebula.zyxel.com Organization-wide > Configuration > Inventory Remove On Premises Mode Manager > Configuration File Upload Configuration File Browse Upload Maintenance > File startup-config.conf 1.4.2 From On Premises Mode to Nebula Mode Maintenance File Manager Configuration File Reset Nebula Mode Native Mode ZTP Native Mode 1.5 Registration at myZyxel Service Configuration Licensing Registration http://portal.myZyxel.com Figure 3 1.5.1 Applications Security Router Figure 4 IPv6 Routing Figure 5 VPN Connectivity Figure 6 SSL VPN Network Access Figure 7 User-Aware Access Control A B C Figure 8 Load Balancing Figure 9 1.6 Management Overview Web Configurator Figure 10 Figure 11 Command-Line Interface (CLI) SETTING VALUE FTP SNMP CloudCNM CloudCNM Management Authentication 1.7 Web Configurator 1.7.1 Web Configurator Access Login Language Configuration System Login Update Admin Info Configuration Object User/Group Setting Password Complexity Terms of Use Password must changed every (days) Apply Acknowledge Terms of Use Password Change Notification Group User
Configuration Object User/ OK Network Risk Warning OK Never Update Admin Info Apply Ignore Installation Setup Wizard 1.7.2 Security Check for Web Interface Overview Login 1.7.2.1 Secure SSL Access from the Internet to the Zyxel Device AB C Figure 12 1.7.2.2 Secure SSL VPN Access from the Internet to the Network Behind the Zyxel Device Figure 13 ABBREVIATION COUNTRY 1.7.2.3 Change the Default IPSec VPN Provisioning Port Figure 14 1.7.2.4 Change the Default Port for Two-Factor VPN Access Authentication Figure 15 Object Auth. Method Two-factor Authentication VPN Access Overall Port Configuration Example REMOTE MANAGEMENT SSL VPN IPSEC VPN PROVISIONING TWO-FACTOR VPN ACCESS AUTHENTICATION 1.7.2.5 Other Security Measures Setting Maintenance Firmware Management Enable Password Complexity Object User/Grou 1.7.3 The Security Check for Web Interface Screen Figure 16 LABEL DESCRIPTION LABEL DESCRIPTION OK Cancel 1.7.4 Remote Access to the Zyxel Device Networks Monitor Network Status Device Insight Configuration Object Device Insight 1.7.5 Web Configurator Screens Overview A B C Figure 17 Figure 18 Title Bar Figure 19 LABEL DESCRIPTION LABEL DESCRIPTION Off Refresh All Notifications Initial Setup Wizard Easy Mode Easy Mode About About Figure 20 Figure 21 LABEL DESCRIPTION Site Map Site MAP Figure 22 Web Console Web Console Figure 23 Reference Reference Refresh Reference Figure 24 LABEL DESCRIPTION N/A Cancel CLI Messages CLI Figure 25 1.7.6 Navigation Panel Figure 26 Dashboard Monitor Menu FOLDER OR LINK TAB FUNCTION FOLDER OR LINK TAB FUNCTION Configuration Menu FOLDER OR LINK TAB FUNCTION FOLDER OR LINK TAB FUNCTION FOLDER OR LINK TAB FUNCTION FOLDER OR LINK TAB FUNCTION Maintenance Menu FOLDER OR LINK TAB FUNCTION 1.7.7 Tables and Lists Figure 27 Figure 28 Figure 29 Figure 30 Figure 31 Figure 32 LABEL DESCRIPTION Add Edit Remove Activate Inactivate Connect Disconnect References Move Working with Lists Figure 33 CHAPTER 2 Initial Setup Wizard 2.1 Initial Setup Wizard: 
Select Management Mode Initial Setup Wizard Logout Initial Setup Wizard On Premises Mode Next Nebula Mode Initial Setup Wizard Finish Figure 34 2.1.1 Welcome Screen On Premises Mode Figure 35 Welcome 2.1.2 Internet Access Setup - WAN Interface I have two ISPs VLAN Tagged Encapsulation PPPoE PPTP L2TP MTU Ethernet WAN Interface Zone IP Address Assignment Static DHCP Option 60 Auto Auto IP Address Assignment Figure 36 2.1.3 Internet Access: Ethernet IP Address Assignment · VLAN ID Encapsulation MTU First WAN Interface Zone: IP Address Assignment DHCP Option 60 IP Address Assignment Static, Auto Auto Auto Auto IP Address IP Address Assignment IP Subnet Mask Gateway IP Address First / Second DNS Server 2.1.3.1 Possible Errors Figure 37 2.1.4 Internet Access: PPPoE 2.1.4.1 Internet Access - First WAN Interface · VLAN ID 2.1.4.2 ISP Parameters · VLAN ID Encapsulation MTU Service Name Authentication Type Chap/PAP Chap PAP MSCHAP MSCHAP-V2 User Name Password Nailed-Up Idle Timeout 2.1.4.3 WAN IP Address Assignments WAN Interface Zone: IP Address Assignment First / Second DNS Server Auto Auto IP Address 2.1.4.4 Possible Errors Service Name Authentication Type Figure 38 2.1.5 Internet Access: PPTP 2.1.5.1 ISP Parameters MTU Authentication Type Chap/PAP Chap PAP MSCHAP MSCHAP-V2 User Name Password Nailed-Up 2.1.5.2 PPTP Configuration Base Interface Base IP Address IP Subnet Mask Gateway IP Address Server IP Connection ID 2.1.5.3 WAN IP Address Assignments First WAN Interface Zone IP Address Assignment First / Second DNS Server Idle Timeout Auto IP Address 2.1.5.4 Possible Errors Address, Connection ID Service IP Base IP Address, IP Subnet Mask, Gateway IP Authentication Type Figure 39 2.1.6 Internet Access: L2TP 2.1.6.1 ISP Parameters Authentication Type Chap/PAP Chap PAP MSCHAP MSCHAP-V2 User Name Password Nailed-Up 2.1.6.2 L2TP Configuration Base Interface Base IP Address IP Subnet Mask Idle Timeout Gateway IP Address Server IP 2.1.6.3 WAN IP Address Assignments WAN 
Interface Zone: IP Address Assignment First / Second DNS Server Auto Auto IP Address 2.1.6.4 Possible Errors Authentication Type Server IP Subnet Mask Gateway IP Address, IP Subnet Mask Figure 40 2.1.7 Internet Access Setup - Second WAN Interface I have two ISPs Second WAN Interface First WAN Interface Figure 41 2.1.8 Internet Access: Congratulations Connection Test Back Figure 42 2.1.9 Date and Time Settings Figure 43 Sync. Now 2.1.10 Register Device Register Figure 44 Figure 45 Refresh Configuration > Licensing > Registration Nebula Mode Next Figure 46 2.1.11 Activate Service Figure 47 Refresh Refresh 2.1.12 Service Settings I have read SecuReporter GDPR and agree policy Content Filter Email Security SecuReporter Figure 48 2.1.13 Service Settings: SecuReporter Server Status Connected Timeout Fail Device Name Organization Select from existing organization Create new organization Partially Anonymous Fully Anonymous Non-Anonymous Figure 49 Figure 50 2.1.14 Wireless Settings: Management Mode Management Mode Next Figure 51 AP Controller Built-in AP 2.1.15 Wireless Settings: AP Controller Yes No Figure 52 2.1.16 Wireless Settings: SSID & Security SSID Setting SSID Security Mode Pre-Shared Key Pre-Shared Key Hidden SSID Enable Intra-BSS Traffic Blocking For Zyxel Devices with Built - in AP Only Bridged to Figure 53 None 2.1.17 Remote Management Policy Control Figure 54 Allow secure remote management from WAN Restrict access only to trusted host Allow SSL VPN access from WAN Restrict access by GeoIP Figure 55 Policy Control 2.2 Nebula Mode Initial Setup Wizard Nebula Mode Figure 56 2.2.1 Connect to Internet (WAN) I have two ISPs VLAN Tagged Encapsulation PPPoE MTU Ethernet WAN Interface IP Address Assignment Static Auto DHCP Option 60 Figure 57 Auto IP Address Assignment 2.2.2 Internet Access: Ethernet IP Address Assignment · VLAN ID Encapsulation MTU First WAN Interface IP Address Assignment DHCP Option 60 IP Address Assignment Static, Auto Auto Auto Auto IP Address IP 
Address Assignment IP Subnet Mask Gateway IP Address First / Second DNS Server 2.2.2.1 Possible Errors Figure 58 2.2.3 Internet Access: PPPoE Internet Access - First WAN Interface · VLAN ID ISP Parameters Encapsulation MTU Service Name Authentication Type Chap/PAP Chap PAP MSCHAP MSCHAP-V2 User Name Password IP Address Assignments WAN Interface IP Address Auto IP Address Assignment Auto IP Subnet Mask Gateway IP Address First / Second DNS Server 2.2.3.1 Possible Errors Figure 59 2.2.4 Internet Access: Congratulations Connection Test Back Next On Premises Mode Next Figure 60 2.2.5 QR Code Figure 61 Native Mode Finish Nebula Mode Go to Nebula Figure 62 Back CHAPTER 3 Hardware, Interfaces and Zones 3.1 Hardware Overview 3.1.1 Front Panels Figure 63 Figure 64 LED COLOR STATUS DESCRIPTION LED COLOR STATUS DESCRIPTION LABEL DESCRIPTION SYS 3.1.2 Rear Panels Figure 65 Maintenance > Diagnostics > System Log Configuration > System > USB Storage LABEL DESCRIPTION 3.2 Installation Scenarios WARNING! Do NOT block the ventilation holes on the Zyxel Device. Allow 100 mm clearance for the ventilation holes to prevent your Zyxel Device from overheating. Do not store things on the Zyxel Device. Do not place a Zyxel Device on another high temperature device. Overheating could affect the performance of your Zyxel Device, or even damage it. 3.2.1 Desk-mounting Figure 66 3.2.2 Wall-mounting MODEL NAME DISTANCE "X" Figure 67 Figure 68 Figure 69 Wall-mount the Zyxel Device horizontally. The Zyxel Device's side panels with ventilation slots should not be facing up or down as this position is less safe. 
3.3 Default Zones, Interfaces, and Ports PORT / INTERFACE P1 P2 P3 P4 P5 P6 P7 P8 ZONE / INTERFACE WAN LAN1 LAN2 DMZ NO OPT DEFAULT ZONE 3.4 Stopping the Zyxel Device Maintenance > Shutdown > Shutdown 4.1 Overview Easy Mode Expert Mode Easy Mode LAN1 Expert Mode WAN2 Expert Mode Figure 70 CHAPTER 4 Easy Mode WAN1 WAN1 Expert Mode Network Interface Port Role OPT OPT P6 guest Expert Mode Configuration 4.1.1 Objects and Rules Easy Mode EZ_ Expert Mode EZ_ Expert Mode EZ_ Easy Mode EZ_ OBJECT/ RULE SCREEN EZ_ Easy Mode Easy Mode EZ_ EZ_ Expert Mode EZ_ EZ_ Expert Mode EDIT DELETE 4.1.2 Wizards and Links < Back Figure 71 Easy Mode Exit X Next > Initial Setup Wizard VPN Wizard Port Forwarding Wizard Wi-Fi and Guest Wizard Security Service Wizard MyZyxel Portal One Security Portal Expert Mode 4.1.3 Easy Mode Settings Easy Mode Settings Figure 72 Create Recovery Point Create Recovery Point Restore Last Recovery Point Restart Shutdown 4.1.4 Easy Mode Dashboard Cloud Helper What's New Now Figure 73 Upgrade Now Upgrade Easy Mode Figure 74 System Internet VPN Security · Network Client Name + LAN1 Guest IP Address, MAC Address LAN Guest Network Wi-Fi Guest Network Client 4.2 Initial Setup Wizard - Language and Overview Figure 75 Easy Mode Expert Mode 4.2.1 Initial Setup Wizard - Internet Figure 76 DHCP Ethernet Fixed IP PPPoE 4.2.2 Initial Setup Wizard - Internet Access Errors WAN 1 Down WAN1 WAN1 PPPoE Error DHCP Error Ethernet Fixed IP Error 4.2.3 Initial Setup Wizard - Date and Time Figure 77 Synch Now 4.2.4 Initial Setup Wizard - Register Device Figure 78 Figure 79 Register 4.2.5 Initial Setup Wizard - Activate Services Figure 80 Figure 81 Refresh Refresh 4.2.6 Initial Setup Wizard - Wi-Fi Figure 82 Enable Wi-Fi Network Password Password Enable Guest Wi-Fi Network Password Wi-Fi Wi-Fi Wi-Fi and Guest Wizard 4.2.7 Initial Setup Wizard - Congratulations Figure 83 Initial Wizard Finish Initial Wizard Finish Security Service Port Forwarding Guest LAN Continue VPN Security 
Service (Content Filter, IDP, Anti Virus) Port Forwarding Guest LAN (Wired Network) OPT VPN restore point 4.3 Initial Setup Wizard - Security Service Figure 84 Enable Content Filter Chat Chat Dating & Personals Gambling Games Hacking Illegal Software Chat Instant Messaging Job Search Pornography/Sexually Explicit Social Networking Streaming Media & Downloads Tasteless Violence Enable IDP Enable Anti-Virus Security Service Wizard 4.4 Initial Setup Wizard - Port Forwarding Figure 85 FTP HTTP HTTPS Member Client Available Port Forwarding Wizard 4.5 Initial Setup Wizard - Guest LAN Figure 86 Add here Enable Guest Network (for wired clients) LAN/DMZ OPT P6 OPT P6 LAN/DMZ Enable Guest Network (for wired clients) OPT P6 4.5.1 Connecting AP Scenarios Wi-Fi Network Guest LAN (Wired Network) Enable Guest 4.6 Initial Setup Wizard - VPN Figure 87 Launch Initial Setup Wizard Exit IPSec VPN Settings IPSec VPN Settings for Configuration Provisioning VPN Settings for L2TP VPN Settings 4.6.1 VPN Setup Wizard: Wizard Type Express Advanced Figure 88 4.6.2 VPN Express Wizard - Scenario Express Figure 89 IKE Version Rule Name SITE-TO-SITE SITE-TO-SITE WITH DYNAMIC PEER REMOTE ACCESS (SERVER ROLE) REMOTE ACCESS (CLIENT ROLE) Site-to-site Site-to-site with Dynamic Peer Remote Access (Server Role) Remote Access (Client Role) 4.6.3 VPN Express Wizard - Configuration Figure 90 My Address (interface) Secure Gateway Any Pre-Shared Key Local Policy (IP/Mask) Remote Policy (IP/Mask) Any 4.6.4 VPN Express Wizard - Summary Figure 91 Rule Name Secure Gateway Any Pre-Shared Key Local Policy Remote Policy Any Configuration for Secure Gateway 4.6.5 VPN Express Wizard - Finish > VPN Gateway VPN > IPSec VPN VPN > IPSec VPN > VPN Connection Figure 92 Close 4.6.6 VPN Advanced Wizard - Scenario Advanced Figure 93 IKE Version Rule Name Site-to-site Site-to-site with Dynamic Peer Remote Access (Server Role) Remote Access (Client Role) 4.6.7 VPN Advanced Wizard - Phase 1 Settings Figure 94 Secure Gateway Any 
My Address (interface) Negotiation Mode Main Aggressive Main Aggressive Encryption Algorithm 3DES AES Authentication Algorithm MD5 3DES ES128 SHA512 Key Group DH5 DH1 DH2 SA Life Time NAT Traversal Dead Peer Detection (DPD) Authentication Method Pre-Shared Key 4.6.8 VPN Advanced Wizard - Phase 2 Figure 95 Certificate Active Protocol ESP Encapsulation Tunnel Encryption Algorithm 3DES AES Null Authentication Algorithm MD5 AH Transport AES SHA512 SA Life Time Perfect Forward Secrecy (PFS) DH5 DH1 DH2 Local Policy (IP/Mask) Remote Policy (IP/Mask) Nailed-Up 4.6.9 VPN Advanced Wizard - Summary Figure 96 Rule Name Secure Gateway Pre-Shared Key Local Policy Remote Policy Configuration for Remote Gateway Save 4.6.10 VPN Advanced Wizard - Finish > VPN Figure 97 VPN > IPSec VPN VPN > IPSec VPN > VPN Connection Close 4.7 VPN Settings for Configuration Provisioning Wizard: Wizard Type Use VPN Settings for Configuration Provisioning Figure 98 not AH NULL SHA512 Express Advanced Figure 99 4.7.1 Configuration Provisioning Express Wizard - VPN Settings Express Figure 100 IKE Version Rule Name Application Scenario Remote Access (Server Role) 4.7.2 Configuration Provisioning VPN Express Wizard - Configuration Next Figure 101 · My Address (interface) Secure Gateway Any Pre-Shared Key Local Policy (IP/Mask) Remote Policy (IP/Mask) Any 4.7.3 VPN Settings for Configuration Provisioning Express Wizard - Summary Figure 102 Rule Name Secure Gateway Any Pre-Shared Key Local Policy Remote Policy Any Configuration for Secure Gateway Save 4.7.4 VPN Settings for Configuration Provisioning Express Wizard - Finish > VPN Gateway VPN > IPSec VPN VPN > IPSec VPN > VPN Connection Figure 103 Close 4.7.5 VPN Settings for Configuration Provisioning Advanced Wizard Scenario Advanced Figure 104 IKE Version Rule Name Application Scenario Remote Access (Server Role) Next 4.7.6 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 1 Settings Figure 105 Secure Gateway Any My Address (interface) 
Negotiation Mode Main Aggressive Main Aggressive Encryption Algorithm 3DES AES Authentication Algorithm SHA256 Key Group DH5 DH5 SA Life Time MD5 DH1 DH2 SHA1 Authentication Method Pre-Shared Key Certificate 4.7.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2 Figure 106 Active Protocol ESP Encapsulation Tunnel Encryption Algorithm 3DES Authentication Algorithm AES Null SHA256 SA Life Time Perfect Forward Secrecy (PFS): DH5 AH Transport MD5 AES SHA1 DH1 DH2 Local Policy (IP/Mask) Remote Policy (IP/Mask) ny Nailed-Up 4.7.8 VPN Settings for Configuration Provisioning Advanced Wizard Summary Figure 107 Rule Name Secure Gateway ny Pre-Shared Key Local Policy Remote Policy Any Negotiation Mode Main Aggressive Main Aggressive Encryption Algorithm DES 3DES AES128 AES192 AES256 Authentication Algorithm MD5 SHA1 SHA256 Key Group DH1 DH2 DH5 Active Protocol Encapsulation Encryption Algorithm ESP Tunnel DES 3DES AES128 AES192 AES256 Null Authentication Algorithm DH5 AH Transport DH1 DH2 MD5 SHA1 SHA256 Configuration for Secure Gateway Save 4.7.9 VPN Settings for Configuration Provisioning Advanced Wizard- Finish > VPN VPN > IPSec VPN VPN > IPSec VPN > VPN Connection Figure 108 Close 4.8 VPN Settings for L2TP VPN Settings Wizard VPN Settings for L2TP VPN Settings Figure 109 Configuration > Quick Setup > VPN Setting Figure 110 VPN Settings for L2TP VPN Settings Next 4.8.1 L2TP VPN Settings 1 Figure 111 Rule Name My Address (interface) Pre-Shared Key Next 4.8.2 L2TP VPN Settings 2 Figure 112 IP Address Pool Starting IP Address End IP Address First DNS Server (Optional) Second DNS Server (Optional) Allow L2TP traffic Through WAN Next 4.8.3 VPN Settings for L2TP VPN Setting Wizard - Summary Figure 113 Rule Name Secure Gateway Any" Pre-Shared Key My Address (Interface) IP Address Pool Save 4.8.4 VPN Settings for L2TP VPN Setting Wizard Completed Figure 114 VPN > IPSec VPN > VPN Connection VPN Gateway VPN > L2TP VPN 4.9 Port Forwarding Figure 115 FTP HTTP 
HTTPS Member Client Available 4.9.1 Port Forwarding > Add Client Edit Client List Name IP Address MAC Address List 4.9.2 Port Forwarding > Add Service Edit Add Service List Ending Port Edit Client Service Name Starting Port 4.9.3 Port Forwarding > UPnP Enable UPnP Enable UPnP Refresh Finish Port Forwarding Wizard 4.10 Wi-Fi and Guest Network Wizard Figure 116 Enable Wi-Fi Network Password Enable Guest Wi-Fi Network Wi-Fi Password Guest Wi-Fi Network Wi-Fi Duration Duration 4.10.1 Guest LAN (Wired Network) Figure 117 Enable Guest Network (for wired clients) LAN/DMZ OPT P6 OPT P6 Enable Guest Network (for wired clients) OPT P6 LAN/DMZ 4.10.2 Connecting AP Scenarios Wi-Fi Network Guest LAN (Wired Network) Enable Guest 4.11 Security Service Wizard Figure 118 Figure 119 Refresh portal.myzyxel.com Refresh 4.11.1 Security Service Wizard 2 - Content Filter Categories Figure 120 Enable Content Filter with following contents blocked Chat Chat Enable IDP Enable Anti-Virus 4.11.2 Security Service Wizard 3 - Websites Figure 121 Add 4.11.3 Security Service Wizard 4 - Exemptions Figure 122 Add Client Address Client List Name IP Address MAC Address 4.11.4 Security Service Wizard 5 - IDP/AV Figure 123 4.12 MyZyxel Portal Figure 124 MyZyxel Portal MyZyxel Portal 4.13 One Security Portal Figure 125 ONESECURITY ICON SCREEN ONESECURITY ICON SCREEN CHAPTER 5 Quick Setup Wizards 5.1 Quick Setup Overview Figure 126 Quick Setup Quick Setup · WAN Interface · Remote Access VPN Setup Zyxel VPN Client L2TP over IPSec Client · VPN Setup VPN Setup Use VPN Settings for Configuration Provisioning · Wireless Setup VPN Settings for L2TP VPN Settings · Wizard Help 5.2 WAN Interface Quick Setup WAN Interface Welcome Figure 127 Quick Setup WAN Interface Quick Setup Wizard Next 5.2.1 Choose an Ethernet Interface Next Figure 128 5.2.2 Select WAN Type WAN Type Selection PPPoE PPTP L2TP Figure 129 Ethernet 5.2.3 Configure WAN IP Settings Figure 130 Figure 131 WAN Interface Zone IP Address Assignment Static 
Auto 5.2.4 ISP and WAN and ISP Connection Settings Ethernet IP Address Assignment Auto PPTP PPPoE IP Address Assignment Static Figure 132 Figure 133 Figure 134 ISP Parameter Encapsulation Service Name Authentication Type: CHAP/PAP CHAP PAP MSCHAP MSCHAP-V2 User Name Password: Retype to Confirm Nailed-Up Nailed-Up Idle Timeout PPTP Configuration Base Interface Base IP Address IP Subnet Mask Gateway IP Address Server IP Connection ID: IP Address Assignment WAN Interface Zone IP Address IP Subnet Mask Gateway IP Address First DNS Server / Second DNS Server 5.2.5 Quick Setup Interface Wizard: Summary Figure 135 0.0.0.0 Encapsulation Service Name Server IP User Name Nailed-Up No Idle Timeout: Connection ID WAN Interface Zone IP Address Assignment IP Address IP Subnet Mask Gateway IP Address: First DNS Server /Second DNS Server Yes IP Address Assignment Static 5.3 Remote Access VPN Setup-Scenario IKEv2 IPSec Client Auto L2TP over IPSec Client Figure 136 5.3.1 IKEv2 IPSec Client- VPN Configuration Tunnel Figure 137 Full Tunnel Split Full Tunnel Interface Domain Name/ IPv4 Auto Manual Full Tunnel Host IP Address Host Domain Name IP Address Domain Name IP Address Domain Name Configuration Object Certificate My Certificate IP Address Domain Name Allow Client VPN Traffic Through WAN Allow Client VPN Traffic Through WAN Split Tunnel LAN DMZ guest Figure 138 IP Address Pool Customer Defined Second DNS Server Upload Bandwidth Limit Upload Bandwidth Limit IPSec VPN Configuration Provisioning 5.3.2 IKEv2 IPSec Client- User Authentication Figure 139 Configuration VPN User/Group User Add A User 5.3.3 IKEv2 IPSec Client- Summary Member Configuration Object Figure 140 Save RemoteAccess_Wiz VPN IPSec VPN VPN Gateway 5.3.4 IKEv2 IPSec Client-Config Provision Non SecuExtender VPN Client Figure 141 RemoteAccess_Wiz VPN PSec VPN VPN Connection 5.3.5 L2TP over IPSec Client-VPN Configuration L2TP over IPSec Client Full Tunnel Figure 142 Pre-Shared Key Interface Domain Name/ IPv4 Full Tunnel 
WAN Allow Client VPN Traffic Through WAN Allow Client VPN Traffic Through Figure 143 IP Address Pool Defined Second DNS Server 5.3.6 L2TP over IPSec Client- User Authentication Customer Figure 144 User/Group User Add A User 5.3.7 L2TP over IPSec Client- Summary Figure 145 Member Configuration Object RemoteAccess_L2TP_Wiz Save RemoteAccess_L2TP_Wiz 5.3.8 L2TP over IPSec Client-Config Provision Figure 146 VPN L2TP VPN 5.4 VPN Setup Wizard VPN Setup Quick Setup 5.4.1 Welcome Welcome VPN Settings Configuration > VPN > IPSec VPN > VPN Gateway Configuration > VPN > IPSec VPN > VPN Connection VPN Settings for Configuration Provisioning VPN Settings for L2TP VPN Settings Figure 147 5.4.2 VPN Setup Wizard: Wizard Type Express Advanced Figure 148 5.4.3 VPN Express Wizard - Scenario Express Figure 149 IKE (Internet Key Exchange) Version: IKEv1 and IKEv2 Scenario Rule Name Site-to-site Site-to-site with Dynamic Peer Remote Access (Server Role) Remote Access (Client Role) 5.4.4 VPN Express Wizard - Configuration Figure 150 My Address (interface) Secure Gateway Any Pre-Shared Key Local Policy (IP/Mask) Remote Policy (IP/Mask) Any 5.4.5 VPN Express Wizard - Summary Figure 151 Rule Name Secure Gateway Any Pre-Shared Key Local Policy Remote Policy Any Configuration for Secure Gateway 5.4.6 VPN Express Wizard - Finish > VPN Gateway VPN > IPSec VPN VPN > IPSec VPN > VPN Connection Figure 152 Close 5.4.7 VPN Advanced Wizard - Scenario Advanced Figure 153 IKE (Internet Key Exchange) Version: IKEv1 and IKEv2 Scenario Rule Name Site-to-site Site-to-site with Dynamic Peer Remote Access (Server Role) Remote Access (Client Role) 5.4.8 VPN Advanced Wizard - Phase 1 Settings Figure 154 Secure Gateway Any My Address (interface) Negotiation Mode Main Aggressive Main Aggressive Encryption Algorithm 3DES AES Authentication Algorithm MD5 3DES AES128 SHA512 Key Group DH5 DH1 DH2 SA Life Time NAT Traversal Dead Peer Detection (DPD) Authentication Method Pre-Shared Key 5.4.9 VPN Advanced Wizard - 
Phase 2 Figure 155 Certificate Active Protocol ESP Encapsulation Tunnel Encryption Algorithm 3DES AES Null Authentication Algorithm MD5 SA Life Time Perfect Forward Secrecy (PFS) DH5 AH Transport AES SHA512 DH1 DH2 Local Policy (IP/Mask) Remote Policy (IP/Mask) Nailed-Up 5.4.10 VPN Advanced Wizard - Summary Figure 156 Rule Name Secure Gateway Pre-Shared Key Certificate Local Policy Remote Policy Negotiation Mode Main Aggressive Main Aggressive Encryption Algorithm DES 3DES AES128 AES192 AES256 Authentication Algorithm MD5 SHA1 SHA256 Key Group DH1 DH2 DH5 Active Protocol Encapsulation Encryption Algorithm ESP Tunnel DES 3DES AES128 AES192 AES256 Null Authentication Algorithm MD5 SHA1 SHA256 DH5 AH Transport DH1 DH2 Configuration for Remote Gateway Save 5.4.11 VPN Advanced Wizard - Finish > VPN Figure 157 VPN > IPSec VPN VPN > IPSec VPN > VPN Connection Close 5.5 VPN Settings for Configuration Provisioning Wizard: Wizard Type Use VPN Settings for Configuration Provisioning not AH NULL SHA512 Express Advanced Figure 158 5.5.1 Configuration Provisioning Express Wizard - VPN Settings Express Figure 159 IKE IKEv2 Rule Name Application Scenario Remote Access (Server Role) 5.5.2 Configuration Provisioning VPN Express Wizard - Configuration Next Figure 160 My Address (interface) Secure Gateway Any Pre-Shared Key Local Policy (IP/Mask) Remote Policy (IP/Mask) Any 5.5.3 VPN Settings for Configuration Provisioning Express Wizard - Summary Figure 161 Rule Name Secure Gateway Any Pre-Shared Key Local Policy Remote Policy Any Configuration for Secure Gateway Save 5.5.4 VPN Settings for Configuration Provisioning Express Wizard - Finish VPN > IPSec VPN > VPN Gateway > IPSec VPN > VPN Connection Configuration > Configuration > VPN Figure 162 Close 5.5.5 VPN Settings for Configuration Provisioning Advanced Wizard Scenario Advanced Figure 163 IKE IKEv2 Rule Name Application Scenario Remote Access (Server Role) Next 5.5.6 VPN Settings for Configuration Provisioning Advanced Wizard - 
Phase 1 Settings Figure 164 Secure Gateway Any My Address (interface) Negotiation Mode Main Aggressive Main Aggressive Encryption Algorithm 3DES AES Authentication Algorithm SHA256 Key Group DH5 DH5 SA Life Time MD5 DH1 DH2 Authentication Method Pre-Shared Key SHA1 Certificate 5.5.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2 Figure 165 Active Protocol ESP Encapsulation Tunnel Encryption Algorithm 3DES Authentication Algorithm AES Null SHA256 AH Transport MD5 AES SHA1 SA Life Time Perfect Forward Secrecy (PFS): DH5 DH1 DH2 Local Policy (IP/Mask) Remote Policy (IP/Mask) Any Nailed-Up 5.5.8 VPN Settings for Configuration Provisioning Advanced Wizard Summary Figure 166 Rule Name Secure Gateway Any Pre-Shared Key Local Policy Remote Policy Any Negotiation Mode Main Main Aggressive Aggressive Encryption Algorithm DES 3DES AES128 AES192 AES256 Authentication Algorithm MD5 SHA1 SHA256 Key Group DH1 DH2 DH5 Active Protocol Encapsulation Encryption Algorithm ESP Tunnel DES 3DES AES128 AES192 AES256 Null Authentication Algorithm MD5 SHA1 SHA256 Configuration for Secure Gateway Save DH5 DH1 DH2 AH Transport 5.5.9 VPN Settings for Configuration Provisioning Advanced Wizard - Finish > VPN VPN > IPSec VPN VPN > IPSec VPN > VPN Connection Figure 167 Close 5.6 VPN Settings for L2TP VPN Settings Wizard VPN Settings for L2TP VPN Settings VPN Setup VPN Settings for L2TP VPN Settings Configuration > Quick Setup > Figure 168 Next 5.6.1 L2TP VPN Settings Figure 169 Rule Name My Address (interface) Pre-Shared Key Next 5.6.2 L2TP VPN Settings Figure 170 IP Address Pool RANGE SUBNET Starting IP Address End IP Address Network Netmask First DNS Server (Optional) Second DNS Server (Optional) Allow L2TP traffic Through WAN Next SUBNET 5.6.3 VPN Settings for L2TP VPN Setting Wizard - Summary Figure 171 Rule Name Secure Gateway: Any Pre-Shared Key My Address (Interface) IP Address Pool Save 5.6.4 VPN Settings for L2TP VPN Setting Wizard - Completed Figure 172 VPN > L2TP 
VPN Gateway Configuration > Configuration > VPN > IPSec VPN > VPN Connection VPN 5.7 Wireless Setup Wizard Wireless Setup Figure 173 Quick Setup Summary 5.7.1 SSID SSID Edit Figure 174 Activate Wireless Name SSID) Outgoing Interface Security Mode WPA2 Configuration > Wireless WPA2, Pre-Shared Key Open OK 5.7.2 Radio Next Radio WEP WPA Cancel Figure 175 Figure 176 DCS Output Power Manual 20 MHz 20/40MHz 20/40/80MHz 5.7.3 Summary Figure 177 Summary Back Summary Save 5.7.4 Wizard Completed Wizard Completed Figure 178 Close CHAPTER 6 Dashboard 6.1 Overview Dashboard 6.1.1 What You Can Do in this Chapter Dashboard Dashboard 6.2 The General Screen Dashboard Dashboard Figure 179 LABEL DESCRIPTION LABEL DESCRIPTION Inactive Down Speed / Duplex Full Half none Inactive Connected Disconnected 6.2.1 Device Information Screen Device Information Figure 180 Figure 181 LABEL DESCRIPTION Host Name LABEL DESCRIPTION 6.2.2 System Status Screen Figure 182 Firmware Package LABEL DESCRIPTION OK Firmware update OK Problematic configuration after firmware update System default configuration Fallback to lastgood configuration Fallback to system default configuration Booting in progress 6.2.3 Tx/Rx Statistics Date/Time Figure 183 LABEL DESCRIPTION 6.2.4 The Latest Logs Screen Figure 184 LABEL DESCRIPTION 6.2.5 System Resources Screen Figure 185 LABEL DESCRIPTION Show CPU Usage Show Memory Usage 6.2.6 DHCP Table Screen Detail Session Monitor Show Active Sessions Figure 186 LABEL DESCRIPTION Apply Apply 6.2.7 Number of Login Users Screen Figure 187 LABEL DESCRIPTION ext-user 6.2.8 Current Login User Figure 188 6.2.9 VPN Status Figure 189 LABEL DESCRIPTION 6.2.10 SSL VPN Status Figure 190 Figure 191 6.3 The VPN Screen Figure 192 Configuration VPN IPSec VPN Refresh PART II Technical Reference CHAPTER 7 Monitor 7.1 Overview Monitor 7.1.1 What You Can Do in this Chapter Monitor Traffic Statistics > Port Statistics Traffic Statistics > Port Statistics > Graph View Traffic Statistics > Interface 
Status Traffic Statistics > Traffic Statistics Traffic Statistics > Session Monitor Network Status > DHCP Table Network Status Device Insight Network Status > Login Users Network Status > IGMP Statistics Network Status > DDNS Status Network Status > IP/MAC Binding Network Status > Cellular Status Network Status > UPnP Port Status Network Status > USB Storage Network Status > Ethernet Neighbor Network Status > FQDN Object Wireless > AP Information Radio List Wireless > SSID Info Wireless > Station Info Station List Wireless > Station Info Top N Stations Wireless > Station Info Single Station VPN Monitor IPSec VPN Monitor > SSL VPN Monitor > L2TP over IPSec Security Statistics > Content Filter Security Statistics > Anti-Spam Summary Security Statistics > Anti-Spam Status Log > View Log 7.2 The Port Statistics Screen Monitor > Traffic Statistics Port Statistics Figure 193 LABEL DESCRIPTION Poll Interval Poll Interval Set Interval Down Speed / Duplex Full Half Set Interval 7.2.1 The Port Statistics Graph Screen Port Statistics Status Switch to Graphic View Button Figure 194 LABEL DESCRIPTION 7.3 Interface Status Screen Traffic Statistics > Interface Summary Monitor > Figure 195 LABEL DESCRIPTION Expand LABEL DESCRIPTION Inactive Down Speed / Duplex Inactive Connected Disconnected Connected Disconnected Up Down Full Half Up Up Static DHCP Client relay DHCP server DDNS RIP OSPF Connect DHCP n/a Renew n/a LABEL DESCRIPTION Remote Gateway Address Expand Inactive Down Speed / Duplex Inactive Connected Disconnected Connected Disconnected Up Down Full Half Up Up LABEL DESCRIPTION relay DHCP server DDNS RIP OSPF Connect DHCP n/a Renew n/a Down Speed / Duplex Full Half Connected Expand 7.4 The Traffic Statistics Screen Monitor > Traffic Statistics > Traffic Statistics Traffic Statistics Traffic Statistics Traffic Statistics Figure 196 LABEL DESCRIPTION Apply Reset Refresh Host IP Address/User Service/Port Web Site Hits Country Ingress Egress Direction Ingress Traffic Type 
Host IP Address/User Direction Egress LABEL DESCRIPTION Traffic Type Service/Port Ingress Egress Direction Ingress Direction Egress Traffic Type Web Site Hits Ingress Egress Direction Ingress Ingress Egress Traffic Type Country Direction Egress LABEL DESCRIPTION 7.5 The Session Monitor Screen Session Monitor Monitor > Traffic Statistics > Session Monitor Figure 197 LABEL DESCRIPTION sessions by users sessions by services sessions by source IP session by source region sessions by destination IP sessions by destination region all sessions Address User Service Source Address Destination LABEL DESCRIPTION User Service Source Address Destination Address, Source Country Country Destination View all sessions View all sessions View View View View all sessions all sessions all sessions all sessions Clear Clear All Log > View Log sessions by users all sessions +- sessions by services +- sessions by source IP +- sessions by destination IP +- 7.6 The DHCP Table Screen Monitor > Network Status > DHCP Table Figure 198 LABEL DESCRIPTION Export Save Configuration Network Interface Ethernet VLAN DHCP Setting. 
LABEL DESCRIPTION IP address Yes 7.7 The Device Insight Screen Device Insight Device Insight Device Insight Device Insight A Figure 199 B C Monitor Device Inventory Figure 200 LABEL DESCRIPTION Description Edit Remove Device Insight Remove Add to block list Remove from block list Feedback Category Operating System Type LABEL DESCRIPTION 7.7.1 The Device Insight Edit Screen Insight Edit Figure 201 Monitor Network Status Device LABEL DESCRIPTION 7.7.2 The Device Insight Feedback Screen Insight Feedback Figure 202 Monitor Network Status Device LABEL DESCRIPTION 7.8 The Login Users Screen Monitor > Network Status > Login Users Figure 203 LABEL DESCRIPTION unlimited Private IP extuser LABEL DESCRIPTION Accounting-on Accounting-off N/A 7.9 IGMP Statistics Figure 204 Monitor Network Status IGMP Statistics LABEL DESCRIPTION 7.10 The DDNS Status Screen DDNS Status Network Status > DDNS Status Figure 205 Monitor > LABEL DESCRIPTION Updating 7.11 IP/MAC Binding Monitor > Network Status > IP/MAC Binding IP/MAC Binding Figure 206 LABEL DESCRIPTION 7.12 Cellular Status Screen Status Figure 207 Monitor > Network Status > Cellular LABEL DESCRIPTION LABEL DESCRIPTION No device No Service Limited Service Device detected Device error Probe device fail Probe device ok Init device fail Init device ok Check lock fail Device locked SIM error SIM locked-PUK SIM locked-PIN Unlock PUK fail Unlock PIN fail Unlock device fail Device unlocked Get dev-info fail Get dev-info ok Searching network Get signal fail Network found Apply config Inactive Active Incorrect device Correct device Set band fail Set band ok Set profile fail Set profile ok PPP fail Need auth-password Device ready Limited Service LABEL DESCRIPTION UMTS UMTS/HSDPA GPRS EDGE 1xRTT EVDO Rev.0 EVDO Rev.A 7.12.1 More Information > Cellular Status > More Information Figure 208 Monitor > Network Status LABEL DESCRIPTION Limited Service LABEL DESCRIPTION UMTS UMTS/HSDPA GPRS EDGE 1xRTT EVDO Rev.0 EVDO Rev.A Signal Quality 7.13 The UPnP 
Port Status Screen Figure 209 Monitor > Network Status > UPnP Port Status LABEL DESCRIPTION LABEL DESCRIPTION Internal Client Internal Port External Port Internal Client Internal Port Port Internal Client Internal Port Internal Client Internal Client Internal Internal Client 7.14 USB Storage Screen > USB Storage Figure 210 Monitor > Network Status LABEL DESCRIPTION LABEL DESCRIPTION Unknown Ready Remove Now Unused Remove Now Use It none Deactivated OutofSpace Mounting Removing none 7.15 Ethernet Neighbor Screen System > ZON System > ZON Monitor > Network Status > Ethernet Neighbor Figure 211 LABEL DESCRIPTION Port Role Network > Interface > Ethernet > Edit Port Role 7.16 FQDN Object Screen Monitor > Network Status > FQDN Object FQDN Object Configuration > Object > Address/Geo IP > Address Configuration > Object > Address/Geo IP > Address Group Security Policy > Policy Control > Add Object > Address Figure 212 LABEL Configuration DESCRIPTION Configuration > Object > Address/Geo IP IPv4 Address Configuration Configuration > Object > Address/Geo IP IPv6 Address LABEL DESCRIPTION 7.17 AP Information: Radio List Monitor > Wireless > AP Information > Radio List Figure 213 Radio List LABEL DESCRIPTION UnderLoad OverLoad LABEL DESCRIPTION AP Mode N/A N/A n/a Wall Ceiling 7.17.1 Radio List: More Information Information Figure 214 Radio List More LABEL DESCRIPTION Local Bridge Tunnel 7.18 SSID Info Figure 215 Monitor > Wireless > SSID Info LABEL DESCRIPTION Station List List Refresh Station Info > Station Info > Station 7.19 Station Info: Station List Station Info Station List Top N Stations Single Station Monitor > Wireless > Station Info > Station List Figure 216 LABEL DESCRIPTION LABEL DESCRIPTION Refresh 7.20 Station Info: Top N Stations Wireless > Station Info > Top N Stations Figure 217 Monitor > LABEL DESCRIPTION Refresh 7.21 Station Info: Single Station Station Info > Single Station Figure 218 Monitor > Wireless > LABEL DESCRIPTION Refresh 7.22 The IPSec Screen IPSec 
Monitor Monitor > VPN Monitor IPSec Figure 219 LABEL DESCRIPTION Search Search N/A LABEL DESCRIPTION N/A 7.22.1 Regular Expressions in Searching IPSec SAs 7.23 The SSL Screen > VPN Monitor > SSL Figure 220 Monitor LABEL DESCRIPTION Refresh 7.24 The L2TP over IPSec Screen Monitor > VPN Monitor > L2TP over IPSec Figure 221 LABEL DESCRIPTION Refresh 7.25 The Content Filter Screen Monitor > Security Statistics > Content Filter 7.25.1 Web Content Filter Figure 222 LABEL DESCRIPTION Flush Data Apply LABEL DESCRIPTION Apply Reset 7.25.2 DNS Content Filter Figure 223 LABEL DESCRIPTION Flush Data Apply Apply Reset 7.26 The Anti-Spam Screens Anti-Spam Summary Status 7.26.1 Anti-Spam Summary Monitor > Security Statistics > Anti-Spam Summary Figure 224 LABEL DESCRIPTION Apply Reset Flush Data Apply LABEL DESCRIPTION Security > Status Email Security > Summary Security > Status Email Security > Summary Sender IP Sender Email Address Email Email Sender IP Sender Email Address 7.26.2 The Anti-Spam Status Screen Monitor > Security Statistics > Anti-Spam Status Anti-Spam Status Anti-Spam Status Figure 225 LABEL DESCRIPTION 7.27 Log Screens 7.27.1 View Log Debug Log Monitor > Log Figure 226 All Logs View Log LABEL DESCRIPTION Category Email Log Now Refresh Clear Category Priority Source Address Destination Address Source Interface Destination Interface Service Keyword Protocol Search Debug Log All Logs crit error warn notice info Category Debug Log any emerg alert Source Destination Note Message Reset Send Log To Log Settings Active Priority Category LABEL DESCRIPTION x x Message CHAPTER 8 Licensing 8.1 Registration Overview Configuration > Licensing > Registration Registration Service 8.1.1 What you Need to Know Subscription Services Available Configuration > Licensing > Registration > Service 8.1.2 Registration Screen Refresh Refresh Configuration > Licensing > Registration Figure 227 8.1.3 Service Screen Activate Configuration > Licensing > Registration Service Figure 228 LABEL 
DESCRIPTION LABEL DESCRIPTION Not Activated Expired Default Expired Not Licensed Status Default Standard Activated Trial N/A Standard Activate Buy Renew CHAPTER 9 Wireless 9.1 Overview Wireless 9.1.1 What You Can Do in this Chapter Built-in AP Licenses 9.2 Built-in AP Configuration > Wireless > Built-in AP Figure 229 Built-in AP Mode LABEL DESCRIPTION LABEL DESCRIPTION Inactivate Edit Activate Apply Reset 9.2.1 Wireless > Built-in AP > General >Add/Edit SSID Add Edit Configuration > Wireless > Built-in AP then Figure 230 LABEL DESCRIPTION Activate Inactivate LABEL DESCRIPTION disable WMM WMM_VOICE WMM_VIDEO WMM_BEST_EFFORT WMM_BACKGROUND Auth. Method open wep wpa2 wpa2-mix RADIUS Server Type Internal Configuration > Object > auto aes Enable Disable Security Mode wpa2 wpa2-mix LABEL DESCRIPTION aes wpa2 Security Mode Cipher Type Optional Required Internal allow deny External LABEL DESCRIPTION OK Cancel 9.2.2 Wireless > Built-in AP > Radio Wireless > Built-in AP > Radio Configuration > Figure 231 Figure 232 LABEL DESCRIPTION Advanced Settings LABEL DESCRIPTION 11b/g 11b/g/n 20MHz 20/40MHz DCS Manual Channel Selection Manual Channel Selection DCS auto Deployment manual Selection Method manual Channel Selection DCS Channel Selection DCS 2.4 GHz Channel 2.4 GHz Channel LABEL DESCRIPTION Selection Method auto Three-Channel Deployment Channel Selection DCS 2.4 GHz Channel Four-Channel Deployment Channel Selection DCS 20/40MHz 20/40/80MHz Short Long LABEL DESCRIPTION Multicast to Unicast Fixed Multicast Rate LABEL DESCRIPTION 11a 11a/n 11ac 20 MHz 20/40 MHz 20/40/80 MHz 11ax 802.11 Mode DCS Manual OK Cancel 9.3 Technical Reference 9.3.1 Dynamic Channel Selection 11ac Channel Selection Manual Figure 233 Figure 234 Figure 235 9.3.2 Load Balancing Load balancing by station number Load balancing by traffic level CHAPTER 10 Interfaces 10.1 Interface Overview Interface Ports Interfaces Zones 10.1.1 What You Can Do in this Chapter Port Role Port Configuration Ethernet PPP 
Cellular Tunnel VLAN Bridge VTI Trunk 10.1.2 What You Need to Know Interface Characteristics Types of Interfaces Ethernet interfaces Tunnel interfaces VLAN interfaces Bridge interfaces Interface > Port Roles Interface > Port Groups PPP interfaces Cellular interfaces Virtual interfaces virtual Ethernet interfaces virtual VLAN interfaces Trunk interfaces virtual bridge interfaces CHARACTERISTICS ETHERNET ETHERNET PPP CELLULAR x VLAN x BRIDGE x VIRTUAL CHARACTERISTICS ETHERNET ETHERNET PPP CELLULAR VLAN BRIDGE VIRTUAL x Relationships Between Interfaces INTERFACE REQUIRED PORT / INTERFACE INTERFACE REQUIRED PORT / INTERFACE IPv6 Overview IPv6 Addressing Prefix and Prefix Length Link-local Address Subnet Masking Stateless Autoconfiguration Prefix Delegation IPv6 Router Advertisement DHCPv6 10.1.3 What You Need to Do First Configuration System IPv6 10.2 Port Role Configuration > Network > Interface > Port Role Port Role dmz lan1 lan2 ext-wlan, ext-lan Figure 236 Apply Reset 10.3 Port Configuration Figure 237 Configuration Network Interface Port Configuration LABEL DESCRIPTION Auto Negotiate 1000Mbps-Full Duplex 100Mbps-Full Duplex 100Mbps-Half Duplex 10Mbps-Full Duplex 10Mbps-Half Duplex Auto Negotiate Apply Reset 10.4 Ethernet Summary Screen Configuration System IPv6 Interface > Ethernet Configuration > Network Figure 238 LABEL DESCRIPTION Configuration IPv6 Configuration Edit Remove Activate Inactivate Create Virtual Interface References LABEL DESCRIPTION STATIC STATIC Apply Reset 10.4.1 Ethernet Edit Ethernet Edit Edit Ethernet Summary Edit Configuration DHCP LINK LOCAL SLAAC DHCP 10.4.1.1 IGMP Proxy Figure 239 Figure 240 Figure 241 Figure 242 LABEL DESCRIPTION internal external general OPT internal external LABEL DESCRIPTION Interface Type external general Interface Type external general Interface Type external general Interface Type external general IGMP Upstream IGMP Downstream LABEL DESCRIPTION References OK N/A Client Server Relay LABEL DESCRIPTION Client 
References Relay Relay Client Server Low Medium High LABEL DESCRIPTION Interface Type internal OK LABEL DESCRIPTION Interface Properties External General icmp tcp Check Method tcp any one all None DHCP Relay DHCP Server Interface Type internal general DHCP Relay DHCP Server LABEL DESCRIPTION Pool Size Static DHCP Table Start Address Subnet Mask IP Pool Start Address Subnet Mask IP Pool Custom Defined From ISP Zyxel Device DHCP Server Custom Defined infinite days, hours, and minutes DHCP server LABEL DESCRIPTION DHCP Server IP Pool Start Address Pool Size Monitor System Status DHCP Table Export Monitor System Status DHCP Table Browse Upload LABEL DESCRIPTION BiDir In-Only Out-Only 12 1 and 2 12 1 and 2 None Same-as-Area None Text MD5 Authentication Text Authentication MD5 Authentication MD5 Interface Properties External General Clone by host LABEL DESCRIPTION Add Range IPv4 Address IPv4 CIDR IPv4 Address Remove IPv4 10.4.2 Proxy ARP PPPoE/PPTP VLAN WAN TRUNK Policy Route Interface Type internal external OK Cancel general Interface Type Proxy ARP Figure 243 Figure 244 Add Edit Add Proxy ARP LABEL DESCRIPTION IPv4 Address IPv4 CIDR OK Cancel IPv4 Address 10.4.3 Virtual Interfaces IPv4 Range Figure 245 Create Virtual Interface LABEL DESCRIPTION LABEL DESCRIPTION OK Cancel 10.4.4 References References References References Figure 246 LABEL DESCRIPTION N/A Cancel 10.4.5 Add/Edit DHCPv6 Request/Release Options Configuration > Network > Interface > Ethernet > Edit DHCPv6 Server DHCPv6 Client DHCPv6 Setting DHCPv6 Lease Options Figure 247 Add DHCPv6 Request Options Cancel Select one object OK 10.4.6 Add/Edit DHCP Extended Options Network > Interface > Ethernet > Edit Edit Extended Options Figure 248 DHCP Server DHCP Setting Configuration > Add LABEL DESCRIPTION Option Option User Defined User Defined User Defined User Defined Option LABEL DESCRIPTION (66) TEXT TFTP Server Name Time Server (4) NTP Server (41) SIP Server (120) CAPWAP AC (138) TFTP Server (150) VIVC (124) VIVS 
(125) VIVC (124) VIVS (125) Cancel OPTION NAME CODE DESCRIPTION 10.5 PPP Interfaces Figure 249 10.5.1 PPP Interface Summary Interface PPP Configuration > Network Figure 250 LABEL DESCRIPTION System Default User Configuration System Default Edit Remove Activate Inactivate Connect Dial-on-Demand Disconnect References LABEL DESCRIPTION Apply Reset 10.5.2 PPP Interface Add or Edit System IPv6 Add Edit Configuration Figure 251 LABEL DESCRIPTION Create new Object Show Advanced Settings Hide Advanced Settings Use Fixed IP Address LABEL DESCRIPTION Use Fixed IP Address References OK Client N/A LABEL DESCRIPTION References icmp tcp LABEL DESCRIPTION WAN TRUNK Policy Route OK Cancel Check Method tcp 10.6 Cellular Configuration Screen 3G 4G NAME TYPE MOBILE PHONE AND DATA STANDARDS GSM-BASED CDMA-BASED DATA SPEED Configuration > Network > Interface Cellular Figure 252 LABEL DESCRIPTION Edit Remove Activate Inactivate Connect Disconnect References LABEL DESCRIPTION Apply Reset 10.6.1 Cellular Choose Slot Edit Add Cellular configuration Configuration > Network > Interface Cellular > Add 10.6.2 Add / Edit Cellular Configuration Figure 253 LABEL DESCRIPTION none Device Custom Profile 1 Device Custom LABEL DESCRIPTION None: CHAP PAP Device Device Device None None None LABEL DESCRIPTION icmp tcp WAN TRUNK Policy Route Check Method tcp Use Fixed IP Address LABEL DESCRIPTION auto GPRS / EDGE (GSM) only UMTS / HSDPA (WCDMA) only LTE only Home Auto Download Upload Download/Upload LABEL DESCRIPTION None Log Log Log-alert Log-alert recurring every Allow Keep New connection Allow Disallow Drop Current connection Drop New connection Disallow Current connection Keep None Log-alert recurring every OK Cancel 10.7 Tunnel Interfaces GRE Tunneling Figure 254 Log Log Log-alert IPv6 Over IPv4 Tunnels Figure 255 IPv6-in-IPv4 Tunneling Figure 256 6to4 Tunneling Figure 257 IPv6 IPv4 Internet IPv6 IPv6 10.7.1 Configuring a Tunnel Interface Tunnel Figure 258 Network LABEL DESCRIPTION Edit LABEL 
DESCRIPTION Remove Activate Inactivate References Remote Gateway Address GRE IPv6-in-IPv4 6to4 Apply Reset 10.7.2 Tunnel Add or Edit Screen Add Edit Configuration > Network > Interface > Tunnel > Figure 259 LABEL DESCRIPTION LABEL DESCRIPTION x x GRE IPv6-in-IPv4 6to4 Relay Router 6to4 Prefix 6to4 Prefix LABEL DESCRIPTION Automatic 6to4 icmp tcp OK Cancel Check Method tcp 10.8 VLAN Interfaces Figure 260 Figure 261 AB C AB VLAN Interfaces Overview 10.8.1 VLAN Summary Screen VLAN Figure 262 Configuration System IPv6 Configuration > Network > Interface LABEL DESCRIPTION Configuration Virtual Interface Edit Remove Activate Inactivate References IPv6 Configuration Create DHCP Apply Reset 10.8.2 VLAN Add/Edit STATIC Edit Add Figure 263 LABEL DESCRIPTION internal external general LABEL DESCRIPTION Configuration > BWM Use Fixed IP Address Use Fixed IP Address Use Fixed IP Address IGMP Upstream IGMP Downstream LABEL DESCRIPTION References OK N/A Client Server Relay LABEL DESCRIPTION Client References Relay Relay Client Server Low Medium High LABEL DESCRIPTION References OK LABEL DESCRIPTION icmp tcp Check Method tcp any one all None DHCP Relay DHCP Server Pool Size DHCP Relay DHCP Server Add Static DHCP LABEL DESCRIPTION IP Pool Start Address Subnet Mask IP Pool Start Address Subnet Mask Custom Defined From ISP Zyxel Device DHCP Server Custom Defined infinite days, hours, and minutes DHCP server IP Pool Start Address Pool Size LABEL DESCRIPTION Monitor System Status DHCP Table Export Monitor System Status DHCP Table Browse Upload BiDir In-Only Out-Only 12 1 and 2 12 1 and 2 None LABEL DESCRIPTION Same-as-Area None Text MD5 Authentication Text Authentication MD5 Authentication MD5 Interface Properties External General Add Range IPv4 Address IPv4 CIDR IPv4 Address Remove WAN TRUNK Policy Route IPv4 LABEL DESCRIPTION OK Cancel 10.9 Bridge Interfaces Bridge Overview MAC ADDRESS PORT MAC ADDRESS PORT Bridge Interface Overview IP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATION 
10.9.1 Bridge Summary Bridge Configuration System IPv6 Configuration Network Interface Figure 264 LABEL DESCRIPTION Configuration Edit Remove Activate Inactivate Create Virtual Interface References IPv6 Configuration DHCP Apply Reset STATIC 10.9.2 Bridge Add/Edit Bridge Summary Add Edit Figure 265 LABEL DESCRIPTION internal external general x x >> << LABEL DESCRIPTION Use Fixed IP Address Use Fixed IP Address Use Fixed IP Address IGMP Upstream IGMP Downstream LABEL DESCRIPTION References OK N/A Client Server Relay Client LABEL DESCRIPTION References Relay Relay Client Server Low Medium High LABEL DESCRIPTION References OK None DHCP Relay DHCP Server DHCP Relay LABEL DESCRIPTION Pool Size DHCP Server Add Static DHCP IP Pool Start Address Subnet Mask IP Pool Start Address Subnet Mask Custom Defined From ISP Zyxel Device DHCP Server Custom Defined infinite days, hours, and minutes DHCP server LABEL DESCRIPTION DHCP Server IP Pool Start Address Pool Size icmp tcp LABEL DESCRIPTION any one all Check Method tcp Add Range IPv4 Address IPv4 CIDR IPv4 Address Remove IPv4 10.10 VTI WAN TRUNK Policy Route OK Cancel Figure 266 10.10.1 Restrictions for IPSec Virtual Tunnel Interface 10.10.2 VTI Screen Figure 267 Configuration > Network > Interface > VTI LABEL DESCRIPTION Edit Remove Activate Inactivate References Apply Reset 10.10.3 VTI Add/Edit VPN Tunnel Interface Add Edit VPN Tunnel Interface Network > Interface > VTI Figure 268 LABEL DESCRIPTION LABEL DESCRIPTION VPN Tunnel Interface VPN Tunnel Interface IGMP Upstream IGMP Downstream vpn-rule icmp tcp Check Method tcp LABEL DESCRIPTION BiDir In-Only Out-Only 12 1 and 2 12 1 and 2 None Same-as-Area None Text MD5 Authentication Text Authentication MD5 Authentication MD5 WAN TRUNK Policy Route OK Cancel 10.11 Trunk Overview Trunk Add Trunk Add System Default 10.11.1 What You Need to Know A B B A A A Load Balancing Algorithms Least Load First Figure 269 INTERFACE OUTBOUND AVAILABLE (A) MEASURED (M) LOAD BALANCING INDEX (M/A) 
Weighted Round Robin Figure 270 Spillover Figure 271 10.12 The Trunk Summary Screen Configuration > Network > Interface > Trunk Trunk Figure 272 LABEL DESCRIPTION LABEL DESCRIPTION SYSTEM_DEFAULT_WAN_TRUNK User Configuration Edit References Remove 10.12.1 Configuring a User-Defined Trunk Configuration > Network > Interface > Trunk following Figure 273 User Configuration Add Edit LABEL DESCRIPTION Weighted Round Robin Least Load First Spillover Outbound Inbound Least Load First Spillover Outbound + Inbound Add Edit Remove Move Passive Active LABEL DESCRIPTION OK Cancel 10.12.2 Configuring the System Default Trunk Configuration > Network > Interface > Trunk Edit following System Default Figure 274 LABEL DESCRIPTION Weighted Round Robin Least Load First Spillover Active Passive OK Cancel 10.13 Interface Technical Reference IP Address Assignment Figure 275 IP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATION Interface Parameters DHCP Settings START IP ADDRESS POOL SIZE RANGE OF ASSIGNED IP ADDRESS WINS PPPoE/PPTP/L2TP Overview CHAPTER 11 Routing 11.1 Policy and Static Routes Overview Figure 276 A A R1 R2 R3 11.1.1 What You Can Do in this Chapter Policy Route Static Route 11.1.2 What You Need to Know Policy Routing How You Can Use Policy Routing WAN Static Routes Policy Routes Versus Static Routes DiffServ DSCP Marking and Per-Hop Behavior 11.2 Policy Route Screen Configuration > Network > Routing Policy Route Configuration System IPv6 Figure 277 LABEL DESCRIPTION IPv4 Configuration IPv6 Configuration Edit Remove Activate Inactivate Add Move LABEL DESCRIPTION any default af none any any any any any af preserve default af af none Apply Reset 11.2.1 Policy Route Edit Screen Configuration > Network > Routing IPv4 Configuration IPv6 Configuration Address Translation Policy Route Add Edit Add Policy Route Policy Route Edit Figure 278 Figure 279 LABEL DESCRIPTION Auto Destination Address LABEL DESCRIPTION User Define any default af af User Define none Auto Gateway Gateway 
VPN Tunnel Trunk Interface Gateway Type VPN Tunnel Type VPN Tunnel Type Trunk Type Interface Type LABEL DESCRIPTION af preserve default none outgoing-interface Create new Object Interface Trunk Type Type User Define af Interface Gateway OK Cancel 11.3 IP Static Route Screen Configuration > Network > Routing > Static Route Figure 280 Static Route Configuration System IPv6 LABEL DESCRIPTION IPv4 Configuration Edit Remove IPv6 Configuration 11.3.1 Static Route Add/Edit Screen Add Edit Figure 281 Figure 282 LABEL DESCRIPTION Prefix Length Interface Subnet Mask Prefix Length Destination IP Gateway IP Interface Gateway IP OK Cancel 11.4 Policy Routing Technical Reference NAT and SNAT Assured Forwarding (AF) PHB for DiffServ CLASS 1 CLASS 2 CLASS 3 CLASS 4 Maximize Bandwidth Usage 11.5 Routing Protocols Overview RIP OSPF OSPF Area Add/Edit BGP 11.5.1 What You Need to Know RIP OSPF 11.6 The RIP Screen Authentication Metric redistribute RIP Configuration > Network Routing > RIP Figure 283 LABEL DESCRIPTION None Text MD5 Authentication Text Authentication MD5 Authentication MD5 11.7 The OSPF Screen OSPF Areas Figure 284 OSPF Routers SOURCE \ TYPE OF AREA NORMAL NSSA STUB Figure 285 Virtual Links Figure 286 OSPF Configuration 11.7.1 Configuring the OSPF Screen OSPF Add/Edit Configuration > Network Routing > OSPF Figure 287 LABEL DESCRIPTION Default User Defined User Define. 
Type 1 Type 2 Type 1 Normal NSSA Type 2 Metric Metric Stub LABEL DESCRIPTION Refresh Edit Remove References Type Type 11.7.2 OSPF Area Add/Edit Screen OSPF Area Add/Edit OSPF Edit Figure 288 Add LABEL DESCRIPTION Normal Stub NSSA None Text MD5 Authentication Text Authentication MD5 Authentication MD5 Type Normal Edit Remove LABEL DESCRIPTION Same as Area None Text MD5 Same as Area OK Cancel 11.7.3 Virtual Link Add/Edit Screen Virtual Link Add/Edit Add Figure 289 Authentication Edit LABEL DESCRIPTION Same as Area None Text MD5 Same as Area OK Cancel Authentication Authentication Text Authentication MD5 Authentication MD5 11.8 BGP (Border Gateway Protocol) Figure 290 11.8.1 Allow BGP Packets to Enter the Zyxel Device Configuration > Object > Service > Service Group Default_Allow_WAN_To_ZyWALL Edit Available Member OK Figure 291 11.8.2 Configuring the BGP Screen Configuration > Network Routing > BGP Figure 292 LABEL DESCRIPTION Connected Edit Remove Edit LABEL DESCRIPTION Remove 11.8.3 The BGP Neighbors Screen Configuration > Network Routing > BGP > Add Neighbors Figure 293 LABEL DESCRIPTION LABEL DESCRIPTION Gateway Interface None Time Hold Time Keepalive Time Keepalive Time Keepalive Hold Time OK Cancel 11.8.4 Example Scenario 11.8.4.1 Scenario: CE - PE (MPLS) MPLS CE PE CE PE MPLS: Figure 294 11.8.4.2 CE - PE Configuration Process Configuration > Network Routing > BGP Configuration > Network Routing > BGP > Add Neighbors CHAPTER 12 DDNS 12.1 DDNS Overview 12.1.1 What You Can Do in this Chapter DDNS DDNS Add/Edit 12.1.2 What You Need to Know PROVIDER SERVICE TYPES SUPPORTED WEBSITE 12.2 The DDNS Screen DDNS Figure 295 Configuration > Network > DDNS LABEL DESCRIPTION Edit Remove Activate Inactivate from interface auto detected custom from interface auto detected custom LABEL DESCRIPTION 12.2.1 The Dynamic DNS Add/Edit Screen DDNS Add/Edit Edit Configuration > Network > DDNS Add Figure 296 Figure 297 LABEL DESCRIPTION User custom URL Additional DDNS Options DYNDNS 
Server LABEL DESCRIPTION Any Interface Auto Backup Binding Address Primary Binding Address Interface Custom Any Interface Auto IP Address Custom Primary Binding Interface None Backup Binding Address Interface Custom IP Address Custom LABEL DESCRIPTION OK Cancel User custom User custom User custom DDNS Type DDNS Type DDNS Type 13.1 Overview Network > NAT 13.2 NAT Overview B Figure 298 CHAPTER 13 NAT A C 13.2.1 What You Can Do in this Chapter NAT 13.2.2 What You Need to Know Well-known Ports PORT TCP/UDP DESCRIPTION 13.3 The NAT Screen NAT Configuration > Network > NAT Figure 299 LABEL DESCRIPTION SiteToSite VPN 1-1 SNAT (SiteToSite VPN Static-Dynamic Route 1-1 SNAT) Edit Remove Activate Inactivate Move Virtual Server 1:1 NAT Many 1:1 NAT LABEL DESCRIPTION any any any 13.3.1 The NAT Add/Edit Screen NAT Add/Edit NAT Figure 300 Add Edit LABEL DESCRIPTION Virtual Server 1:1 NAT Many 1:1 NAT - any User Defined any User Defined User Defined Internal IP User Defined External IP User Defined Many 1:1 NAT LABEL DESCRIPTION User Defined User Defined Internal IP User Defined Many 1:1 NAT Any Port Ports Original IP Service Service-Group Object > Service > Service Group Mapping Type Port Ports Mapping Type Port Mapping Type Port Mapping Type Ports Mapping Type Ports Mapping Type Ports Mapping Type Ports Object > Service > Service TCP UDP Any Incoming Interface Internal IP Internal IP External IP Internal IP LABEL DESCRIPTION Security Policy OK Cancel NAT User-Defined External IP External Port OK No 13.4 NAT Technical Reference NAT Loopback Figure 301 Figure 302 Figure 303 CHAPTER 14 Redirect Service 14.1 Overview 14.1.1 HTTP Redirect A Figure 304 LAN1 A A A DMZ 14.1.2 SMTP Redirect LAN2 lan1 A LAN1 lan2 A A Figure 305 14.1.3 What You Can Do in this Chapter Redirect Service 14.1.4 What You Need to Know Web Proxy Server HTTP Redirect, Security Policy and Policy Route SMTP lan1 dmz dmz wan1 lan1 A lan1 dmz A dmz wan1 SMTP Redirect, Firewall and Policy Route lan1 lan2 lan2 wan1 lan1 
lan1 lan2 A lan2 wan1 A 14.2 The Redirect Service Screen Configuration > Network > HTTP Redirect Figure 306 LABEL DESCRIPTION Edit Remove Activate Inactivate Move LABEL DESCRIPTION Apply Reset 14.2.1 The Redirect Service Edit Screen Network > Redirect Service Redirect Service Edit Figure 307 Redirect Service any Add Edit LABEL DESCRIPTION HTTP Redirect SMTP redirect. LABEL DESCRIPTION any OK Cancel 15.1 ALG Overview CHAPTER 15 ALG Figure 308 1 2 AB 15.1.1 What You Need to Know Application Layer Gateway (ALG), NAT and Security Policy FTP ALG H.323 ALG Figure 309 SIP ALG Configuration > BWM Peer-to-Peer Calls and the Zyxel Device VoIP Calls from the WAN with Multiple Outgoing Calls BC Figure 310 1 1 2 BC A A A VoIP with Multiple WAN IP Addresses 1 B A B 2 A 2 Figure 311 15.1.2 Before You Begin 15.2 The ALG Screen Configuration > Network > ALG ALG Figure 312 LABEL DESCRIPTION LABEL DESCRIPTION Add Apply Reset 15.3 ALG Technical Reference ALG ALG and Trunks FTP H.323 SIP RTP CHAPTER 16 UPnP 16.1 UPnP and NAT-PMP Overview 16.2 What You Need to Know 16.2.1 NAT Traversal 16.2.2 Cautions with UPnP and NAT-PMP 16.3 UPnP Screen Configuration > Network > UPnP Figure 313 LABEL DESCRIPTION Available Member Apply Reset 16.4 Technical Reference 16.4.1 Turning on UPnP in Windows 7 Example Member Control Panel Network and Sharing Center. 
Change Advanced Sharing Settings Turn on network discovery Save Changes 16.4.1.1 Auto-discover Your UPnP-enabled Network Device Windows Explorer Figure 314 Network Properties Internet Connection Properties Settings Figure 315 Figure 316 Add Figure 317 OK Figure 318 Figure 319 Open Network and Sharing Center Local Area Network 16.4.2 Turn on UPnP in Windows 10 Example Network Setting > Home Networking > UPnP Settings Network & Internet Network and Sharing Center Change advanced sharing settings Domain Turn on network discovery Save Changes 16.4.3 Auto-discover Your UPnP-enabled Network Device File Explorer Figure 320 Network Properties Internet Connection Properties Figure 321 Settings Add Figure 322 Figure 323 OK Figure 324 Connections Open Network & Internet settings Network and Sharing Center Figure 325 16.4.4 Web Configurator Easy Access in Windows 7 Windows Explorer Network Figure 326 Figure 327 Network Infrastructure View device webpage Properties Network Device Figure 328 16.4.5 Web Configurator Easy Access in Windows 10 File Explorer Network Figure 329 Figure 330 Network Infrastructure View device webpage Figure 331 Properties Network Device CHAPTER 17 IP/MAC Binding 17.1 IP/MAC Binding Overview Figure 332 17.1.1 What You Can Do in this Chapter Summary Edit Exempt List 17.1.2 What You Need to Know DHCP Interfaces Used With IP/MAC Binding 17.2 IP/MAC Binding Summary Configuration > Network > IP/MAC Binding Figure 333 IP/MAC Binding Summary LABEL DESCRIPTION Edit Activate Inactivate LABEL DESCRIPTION Apply Reset 17.2.1 IP/MAC Binding Edit Configuration > Network > IP/MAC Binding > Edit Figure 334 IP/MAC Binding Edit LABEL DESCRIPTION Edit LABEL DESCRIPTION Remove OK Cancel 17.2.2 Static DHCP Edit Configuration > Network > IP/MAC Binding > Edit Add Edit Figure 335 IP/MAC Binding Edit LABEL DESCRIPTION OK Cancel 17.3 IP/MAC Binding Exempt List Configuration > Network > IP/MAC Binding > Exempt List Figure 336 IP/MAC Binding Exempt List LABEL DESCRIPTION Edit 
Remove Add Remove Apply 18.1 Overview CHAPTER 18 Layer 2 Isolation C D C B A Figure 337 18.1.1 What You Can Do in this Chapter General Allow List 18.2 Layer-2 Isolation General Screen Configuration > Network > Layer 2 Isolation Figure 338 LABEL DESCRIPTION Available Member Apply Reset 18.3 Allow List Screen Member Configuration > Network > Layer 2 Isolation > Allow List Figure 339 LABEL DESCRIPTION Activate Inactivate Apply Reset 18.3.1 Add/Edit Allow List Rule Add Edit Figure 340 LABEL DESCRIPTION OK Cancel CHAPTER 19 DNS Inbound LB 19.1 DNS Inbound Load Balancing Overview A D D Z B Figure 341 1 2 3 1 2 3 19.1.1 What You Can Do in this Chapter Inbound LB Inbound LB Add/Edit 19.2 The DNS Inbound LB Screen Inbound LB Configuration > Network > Inbound LB Figure 342 LABEL DESCRIPTION Edit Remove Activate Inactivate Move LABEL DESCRIPTION Weighted Round Robin Least Connection Least Load - Outbound Least Load - Inbound Least Load - Total 19.2.1 The DNS Inbound LB Add/Edit Screen Add DNS Load Balancing Configuration > Network > Inbound LB Add Edit Query From Figure 343 LABEL DESCRIPTION LABEL DESCRIPTION Weighted Round Robin Least Connection Least Load - Outbound Least Load - Inbound Least Load - Total Edit Remove Weighted Round Robin OK Cancel 19.2.2 The DNS Inbound LB Add/Edit Member Screen Add Load Balancing Member Configuration > Network > DNS Inbound LB > Add or Edit Add Edit Figure 344 LABEL DESCRIPTION OK Cancel Static DHCP Client Weighted Round Robin Dynamic Monitor Interface CHAPTER 20 IPSec VPN 20.1 Virtual Private Networks (VPN) Overview IPSec VPN Figure 345 X Y A B Internet Key Exchange (IKE): IKEv1 and IKEv2 Aggressive Mode Main Mode VPN Connection Main Mode Aggressive Mode VPN Gateway SSL VPN Figure 346 L2TP VPN Figure 347 20.1.1 What You Can Do in this Chapter VPN Connection VPN Gateway VPN Concentrator Configuration Provisioning 20.1.2 What You Need to Know Figure 348 A AB XY B XY Application Scenarios SITE-TO-SITE SITE-TO-SITE WITH DYNAMIC PEER REMOTE 
ACCESS (SERVER ROLE) REMOTE ACCESS VPN TUNNEL (CLIENT ROLE) INTERFACE Finding Out More 20.1.3 Before You Begin 20.2 The VPN Connection Screen Configuration > VPN > IPSec VPN VPN Connection VPN Connection Figure 349 LABEL DESCRIPTION Edit Remove Activate Inactivate Connect Disconnect LABEL DESCRIPTION References Apply Reset 20.2.1 The VPN Connection Add/Edit Screen VPN Connection Add/Edit Gateway Configuration > VPN Connection Add Edit Figure 350 LABEL DESCRIPTION Custom Size Auto Tunnel Interface VPN Gateway Narrowed VPN LABEL DESCRIPTION Site-to-site Site-to-site with Dynamic Peer Remote Access (Server Role) Remote Access (Client Role) VPN Tunnel Interface Configuration > Network > Interface > VTI Create Object Create new Object Create new Object Remote Access (Server Role) VPN Gateway Access (Server Role) Remote LABEL DESCRIPTION AH Authentication ESP Authentication AH ESP Tunnel Transport AH AH ESP Encryption LABEL DESCRIPTION NULL DES 3DES AES128 AES192 AES256 Active Protocol ESP SHA1 SHA256 SHA512 MD5 none DH1 DH2 DH5 DH14 MD5 icmp tcp LABEL DESCRIPTION Check Method tcp any one all Object Create Object Object SNAT Source SNAT Create Source Create Object Create Object Object SNAT Source SNAT Source Create Create LABEL DESCRIPTION Add Move OK Cancel TCP UDP TCP UDP 20.3 The VPN Gateway Screen VPN Gateway Configuration > VPN Network IPSec VPN VPN Gateway TCP UDP All Figure 351 LABEL DESCRIPTION Edit Remove Activate Inactivate References IKEv2 Apply Reset IKEv1 IKEv2 IKEv1 20.3.1 The VPN Gateway Add/Edit Screen VPN Gateway Add/Edit Add Figure 352 VPN Gateway summary Edit LABEL DESCRIPTION IKEv1 IKEv2 IKEv1 Interface Domain Name / IP Static Address Fall back to Primary Peer Gateway when possible Dynamic Address Fallback Check Interval LABEL DESCRIPTION unmasked My Certificates Trusted Certificates User-Based PSK IPv4 IPv6 DNS E-mail LABEL DESCRIPTION Local ID Type IP My Address DNS E-mail IP DNS E-mail Any Subject Name Local ID Type LABEL DESCRIPTION IP DNS E-mail 
Peer ID Type Any Peer ID Type IP DNS E-mail Subject Name Peer ID Type IP Address Secure Gateway Peer ID Type Main Aggressive LABEL DESCRIPTION DES 3DES AES128 AES192 AES256 SHA1 SHA256 SHA512 MD5 x DH1 DH2 DH5 DH14 MD5 LABEL DESCRIPTION Protocol IKEv2 X-Auth IKEv1 Extended Authentication Password Client Mode Client Mode User Name IKEv2 Allowed User LABEL DESCRIPTION Password Client Mode Client Mode User Name VPN Access Object Auth. Method Two-factor Authentication Show Advanced Settings IKEv1 IKE Version X-Auth IPSec VPN Add VPN Gateway Mode Config IPSec VPN Add VPN Connection Show Advanced Settings IKEv2 IKE Version Authentication Protocol IPSec VPN Add VPN Gateway Payload IPSec VPN Add VPN Connection Extended Configuration Configuration VPN L2TP VPN OK Cancel 20.4 VPN Concentrator Figure 353 1 2 BCD E A 20.4.1 VPN Concentrator Requirements and Suggestions 20.4.2 VPN Concentrator Screen VPN Concentrator Configuration > VPN IPSec VPN Concentrator Figure 354 LABEL DESCRIPTION 20.4.3 The VPN Concentrator Add/Edit Screen VPN Concentrator Add/Edit VPN Concentrator summary Edit Figure 355 Add LABEL DESCRIPTION Member Available LABEL DESCRIPTION OK Cancel 20.5 Zyxel Device IPSec VPN Client Configuration Provisioning Configuration > VPN > IPSec VPN > Configuration Provisioning not AH NULL SHA512 Quick Setup VPN Settings for Configuration Provisioning Figure 356 LABEL DESCRIPTION default Object > User/Group Connection Allowed User User Object > Auth Method. 
VPN VPN Connection Allowed LABEL DESCRIPTION Add Add Move Move Add Edit Remove Activate Enable Configuration Provisioning Inactivate Apply Move Enable Configuration Provisioning Upload Bandwidth Limit Upload Bandwidth Limit admin limited-admin 6in4 4in6 4in4 Apply Reset 20.6 IPSec VPN Background Information IKE SA Overview IP Addresses of the Zyxel Device and Remote IPSec Router IKE SA Proposal Figure 357 Diffie-Hellman (DH) Key Exchange Figure 358 Authentication Figure 359 ZYXEL DEVICE REMOTE IPSEC ROUTER ZYXEL DEVICE REMOTE IPSEC ROUTER Any Additional Topics for IKE SA Negotiation Mode VPN, NAT, and NAT Traversal A X Y Figure 360 A A X Y A A X Y X Y A X Y X-Auth / Extended Authentication Certificates IPSec SA Overview Local Network and Remote Network Active Protocol Encapsulation Figure 361 Original Packet Figure 361 Transport Mode Packet Tunnel Mode Packet IPSec SA Proposal and Perfect Forward Secrecy Additional Topics for IPSec SA Authentication and the Security Parameter Index (SPI) NAT for Inbound and Outbound Traffic Figure 362 Source Address in Outbound Packets (Outbound Traffic, Source NAT) M B M M M B A Source Address in Inbound Packets (Inbound Traffic, Source NAT) B A Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) A B A IPSec VPN Example Scenario Figure 363 CHAPTER 21 SSL VPN 21.1 Overview 21.1.1 What You Can Do in this Chapter VPN > SSL VPN > Access Privilege VPN > SSL VPN Global Setting 21.1.2 What You Need to Know Full Tunnel Mode Figure 364 SSL Access Policy SSL Access Policy Objects OBJECT TYPE OBJECT SCREEN DESCRIPTION 21.2 The SSL Access Privilege Screen VPN > SSL VPN Access Privilege Figure 365 LABEL DESCRIPTION Edit Remove Activate Inactivate References Add Move Apply Reset 21.2.1 The SSL Access Privilege Policy Add/Edit Screen Add Edit Access Privilege Figure 366 LABEL DESCRIPTION LABEL DESCRIPTION Selectable User/Group Objects Selected User/Group Objects Selected User/Group Objects Network List Objects OK Cancel 
21.3 The SSL Global Setting Screen VPN > SSL VPN Global Setting Selectable Address Selected Address Objects Selected Address Objects Access Privilege Access Privilege LABEL DESCRIPTION Apply Reset 22.1 Overview Figure 367 CHAPTER 22 L2TP VPN 22.1.1 What You Can Do in this Chapter L2TP VPN VPN Setup Wizard Quick Setup 22.1.2 What You Need to Know IPSec Configuration Required for L2TP VPN Pre-Shared Key Secure Gateway 0.0.0.0 Using the Quick Setup VPN Setup Wizard VPN Setup Wizard Configuration Quick Setup VPN Setup VPN Settings for L2TP VPN Settings Policy Route Setup Allow L2TP traffic through WAN Figure 368 Quick Setup VPN 22.2 L2TP VPN Screen Configuration > VPN > L2TP VPN Figure 369 LABEL DESCRIPTION Create new Object My Certificates LABEL DESCRIPTION Create new Object any Custom Defined From ISP Apply Reset 22.2.1 Example: L2TP and Zyxel Device Behind a NAT Router Figure 370 Configuration > Object > Address/GEO IP > Address Configuration > VPN > IPSec VPN > VPN Connection Add IPv4 Configuration Remote Access (Server Role) Local Policy Configuration > VPN > L2TP VPN VPN Connection 23.1 Overview CHAPTER 23 BWM (Bandwidth Management) 23.1.1 What You Can Do in this Chapter BWM 23.1.2 What You Need to Know BWM Type Shared Per user Per-Source-IP Shared Per user Per-Source-IP Figure 371 Per user AB C DiffServ and DSCP Marking Connection and Packet Directions Figure 372 Outbound and Inbound Bandwidth Limits Figure 373 Bandwidth Management Priority Maximize Bandwidth Usage Bandwidth Management Behavior AB A B Figure 374 Configured Rate Effect POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE Priority Effect A B POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE Maximize Bandwidth Usage Effect A B A B POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE Priority and Over Allotment of Bandwidth Effect A B POLICY CONFIGURED RATE MAX. B. U. 
PRIORITY ACTUAL RATE 23.2 The Bandwidth Management Configuration Configuration > BWM Figure 375 LABEL DESCRIPTION Add Activate Inactivate Move default Shared Per User Per-Source-IP any LABEL DESCRIPTION any default af App Application Object Obj Service Object In no Out no Pri none any any af Application Object Service Object Pri Pri In Out preserve default af af LABEL DESCRIPTION Apply Reset 23.2.1 The Bandwidth Management Add/Edit Screen Configuration > Bandwidth Management Add/Edit 802.1P Marking Priority Code TPID Priority VID Configuration > Bandwidth Management Add Edit Figure 376 Figure 377 LABEL DESCRIPTION any default af any any none Create new Object Create Object any any User Defined Create new Object Create new Object af Service Object LABEL DESCRIPTION Application Object BitTorrent af af preserve default 0 0 User Defined LABEL DESCRIPTION BWM Type Shared Maximize Bandwidth Usage no OK Cancel 23.2.1.1 Adding Objects for the BWM Policy User Schedule Add Create New Object Add User Address log log alert Configuration BWM Figure 378 LABEL DESCRIPTION LABEL Figure 379 DESCRIPTION Use Default Lease Time Reauthentication Time LABEL DESCRIPTION Time or Recurring. 
One Figure 380 LABEL DESCRIPTION CHAPTER 24 Web Authentication 24.1 Web Auth Overview Figure 381 24.1.1 What You Can Do in this Chapter Configuration > Web Authentication Configuration > Web Authentication > SSO 24.1.2 What You Need to Know Single Sign-On Forced User Authentication Login Login Login Google Authentication Summary of User Authentication Methods CLIENT SINGLE SIGNON GOOGLE AUTHENTICATOR USER AUTHENTICATION STEPS 24.2 Web Authentication General Screen Web Authentication General Figure 382 LABEL DESCRIPTION LABEL DESCRIPTION User Agreement Add Figure 383 Remove Edit Remove Activate Inactivate Add Move LABEL DESCRIPTION Default unnecessary required force Creating Exceptional Services -> OK Cancel none n/a Authentication n/a unnecessary Add Exceptional Services <Web Authentication Web Authentication Figure 384 Creating/Editing an Authentication Policy Configuration > Web Authentication > General Edit Web Authentication Policy Summary Add/Edit Figure 385 Add Auth. Policy LABEL DESCRIPTION any any none unnecessary required any any none Force User Authentication default-web-portal default-user-agreement OK Cancel 24.2.1 User-aware Access Control Example 24.2.1.1 Set Up User Accounts Configuration > Object > User/Group > User Figure 386 Add OK User Type ext-user 24.2.1.2 Set Up User Groups Configuration > Object > User/Group > Group Add Member Object Leo OK Figure 387 24.2.1.3 Set Up User Authentication Using the RADIUS Server Configuration > Object > AAA Server > RADIUS radius OK Figure 388 Configuration > Object > Auth. 
Method group radius OK Figure 389 default Add Configuration > Web Authentication Web Authentication Web Authentication > General Apply Enable Figure 390 Web Authentication Policy Summary Add Enable Policy required Force User Authentication Authentication OK Figure 391 24.2.1.4 User Group Authentication Using the RADIUS Server Configuration > Object > AAA Server > RADIUS Class radius Group Membership Attribute Figure 392 Group > User Add Configuration > Object > User/ User Type ext-group-user Group Identifier Associated AAA Server Object radius Figure 393 24.2.2 Authentication Type Screen Figure 394 Configuration > Web Authentication Authentication Type LABEL DESCRIPTION Edit Remove Add LABEL DESCRIPTION System > WWW > Login Page System Default Page External Page Reset Add/Edit an Authentication Type Profile Add Edit Web Authentication > Authentication Type Figure 395 Type Figure 396 LABEL DESCRIPTION User Agreement Type Web Portal Configuration > Web Authentication > Web Portal Customize File LABEL DESCRIPTION Type User Agreement Idle timeout Enable Idle Detection Configuration > Web Authentication > User Agreement Customize File LABEL DESCRIPTION OK Cancel 24.2.3 Custom Web Portal / User Agreement File Screen Configuration > Web Authentication Agreement File Figure 397 Custom Web Portal File Custom User Figure 398 LABEL DESCRIPTION Remove Download Browse... 
24.2.4 Facebook Wi-Fi Screen Upload Configuration > Web Authentication: General Configuration > Web Authentication Figure 399 Facebook Wi-Fi LABEL DESCRIPTION Apply Configure User idle timeout Apply Reset 24.2.4.1 How to Configure Facebook for Facebook Wi-Fi Configure Create Page Get Started Save Settings 24.2.4.2 How to use the Zyxel Device's Facebook Wi-Fi Wi-Fi code Bypass Mode Require Continue Browsing 24.3 SSO Overview U Figure 400 DC Configuration > Web Authentication 24.4 SSO - Zyxel Device Configuration SCREEN ZYXEL DEVICE FIELD SCREEN SSO FIELD 24.4.1 Configuration Overview 24.4.2 Configure the Zyxel Device to Communicate with SSO Configuration > Web Authentication > SSO SSO Figure 401 LABEL DESCRIPTION Gateway Port Agent Listening Port LABEL DESCRIPTION 24.4.3 Enable Web Authentication Web Authentication Agent Listening Port Enable Policy, Single Sign-On any source address required Authentication 24.4.4 Create a Security Policy Configuration > Security Policy > Policy Control 24.4.5 Configure User Information User ext-group-user Group Identifier Group Membership 24.4.6 Configure an Authentication Method group ad 24.4.7 Configure Active Directory AAA Setup Base DN Bind DN 24.5 SSO Agent Configuration Configure Zyxel SSO Agent Agent Listening Port AD server Gateway Identifier Server Address Port Base DN Bind DN Login Name Attribute Group Membership Group Membership Group Gateway IP Gateway Port PreShareKey Configuration > Web Authentication > SSO Check PreShareKey Generate Key Zyxel SSO Agent Enable 25.1 Overview CHAPTER 25 Security Policy Figure 402 25.2 One Security Figure 403 1 2 3 4 Figure 404 1 2 3 2 Figure 405 3 ONESECURITY ICON SCREEN ONESECURITY ICON SCREEN 25.3 What You Can Do in this Chapter Security Policy Control Anomaly Detection and Prevention Session Control 25.3.1 What You Need to Know Stateful Inspection Zones Default Directional Security Policy Behavior FROM ZONE TO ZONE BEHAVIOR FROM ZONE TO ZONE BEHAVIOR To-Device Policies Device To Zone 
From Any To Device Global Security Policies from any from any to any Security Policy Rule Criteria User Specific Security Policies to any Session Limits 25.4 The Security Policy Screen Asymmetrical Routes A A Subnet 2 Subnet 1 Figure 406 25.4.1 Configuring the Security Policy Control Screen Configuration > Security Policy > Policy Control Security Policy Figure 407 LABEL DESCRIPTION Show Filter LABEL DESCRIPTION any Clone Clone Edit Remove Activate Inactivate Add Move LABEL DESCRIPTION Default LAN LAN any any any any ZyWALL To Zone From Zone none deny no Apply Reset allow log 25.4.2 The Security Check for Web Interface Screen Secure It reject log alert Figure 408 LABEL DESCRIPTION LABEL DESCRIPTION OK Cancel 25.4.3 The Security Policy Control Add/Edit Screen Security Policy Control Edit Add Figure 409 Security Policy Edit or Add LABEL DESCRIPTION any Device any any Configuration Object Device Insight any any deny reject allow any none log log alert no LABEL DESCRIPTION Configuration > Security Service none Log log log alert no none Configuration > Security Service > Content Filter none Configuration > Security Service > SSL Inspection OK Cancel 25.5 Anomaly Detection and Prevention Overview Traffic Anomalies Protocol Anomalies Configuration > Security Policy > ADP Profile Configuration > Security Policy > ADP General 25.5.1 The Anomaly Detection and Prevention General Screen Configuration > Security Policy > ADP > General Figure 410 LABEL DESCRIPTION Add Priority Activate Inactivate Move LABEL DESCRIPTION From From LAN From WAN ZyWALL 25.5.2 Creating New ADP Profiles Configuration > Security Policy > ADP > Profile OK Configuration > Security Policy > ADP > Profile Figure 411 LABEL DESCRIPTION > ADP > Profile Add none none all Configuration > Security Policy none all Base Profile Log no Action Log log Action block Clone References Refresh Clone 25.5.3 Traffic Anomaly Profiles Configuration > Security Policy > ADP > Profile Traffic Anomaly Edit Add Figure 412 LABELS 
DESCRIPTION LABELS DESCRIPTION none block Activate Inactivate Log log log alert no Action Name Log Action OK Cancel Save OK 25.5.4 Protocol Anomaly Profiles Teardrop IP Spoofing Figure 413 LABEL DESCRIPTION Activate Inactivate Log log log alert no original setting none drop reject-sender Action reject-receiver reject-both Name LABEL DESCRIPTION Log Action OK Cancel Save OK 25.5.5 The ADP Allow List Screen Configuration Security Policy ADP Allow List Figure 414 LABEL DESCRIPTION Edit Remove Activate Inactivate Add LABEL DESCRIPTION Apply Reset 25.5.6 Creating New ADP Allow List Rule Configuration > Security Policy > ADP > Allow List Figure 415 LABEL DESCRIPTION OK Cancel any any any 25.6 The Session Control Screen Configuration > Security Policy > Session Control Figure 416 Security Policy Session Control LABEL DESCRIPTION LABEL DESCRIPTION Edit Remove Activate Inactivate Add Move Apply Reset 25.6.1 The Session Control Add/Edit Screen Configuration > Security Policy > Session Control Figure 417 Add Edit Add or Edit LABEL DESCRIPTION any any any Security Policy Session Control OK Cancel any Default Session per Host 25.7 Security Policy Example Applications Figure 418 # USER SOURCE DESTINATION SCHEDULE SERVICE ACTION Figure 419 # USER SOURCE DESTINATION SCHEDULE SERVICE ACTION # USER SOURCE DESTINATION SCHEDULE SERVICE ACTION # USER SOURCE DESTINATION SCHEDULE SERVICE ACTION Figure 420 Figure 421 CHAPTER 26 Content Filter 26.1 Overview 26.1.1 What You Can Do in this Chapter Web Content Filter General Web Content Filter Trusted Web Sites Web Content Filter Forbidden Web Sites DNS Content Filter General DNS Content Filter Allow List DNS Content Filter Block List 26.1.2 What You Need to Know Web Content Filter Web Content Filtering Process Web Content Filtering Policies Web Content Filtering Profiles Web Content Filtering Configuration Guidelines External Web Filtering Service HTTPS Domain Filter Keyword Blocking URL Checking DNS Content Filter DNS Content Filter Process 
Finding Out More 26.1.3 Before You Begin Licensing Registration 26.2 Web Content Filter General Screen Configuration > Security Service> Content Filter > Web Content Filter> General Content Filter General Web Content Filter Figure 422 LABEL DESCRIPTION LABEL DESCRIPTION Redirect URL References Configuration > Security Policy > Policy Control Apply Reset 26.2.1 Apply to a Security Policy Action Configuration > Security Policy > Policy Control Figure 423 LABEL DESCRIPTION Show Filter any LABEL DESCRIPTION Default LAN LAN any any any any ZyWALL To Zone From Zone deny no OK Cancel allow none log reject log alert 26.2.2 Web Content Filter Add Category Service Configuration > Security Service > Content Filter > Web Content Filter > General > Add or Edit Add Figure 424 LABEL DESCRIPTION https://www.google.com.tw/?gws_rd=ssl#q=porn&safe=active Pass Block Content Filter General Log Pass Block Warn Log Content Filter General LABEL DESCRIPTION Pass Block Warn Content Filter Server Unavailable Timeout Log Block Warn Pages Action for Unrated Web Pages Unavailable Log Action for Managed Web Action When Category Server is Monitor Log View Log Priority URL to test OK Cancel CATEGORY DESCRIPTION 26.2.3 Content Filter Add Filter Profile Custom Service Configuration > Security Service > Content Filter > Web Content Filter> General > Add or Edit > Custom Service Custom Service Figure 425 LABEL DESCRIPTION Trusted Web Sites LABEL DESCRIPTION Trusted Web Sites LABEL DESCRIPTION OK Cancel 26.3 Web Content Filter Trusted Web Sites Screen Configuration > Security Service > Content Filter > Web Content Filter > Trusted/Forbidden Web Sites> Trusted Web Sites Trusted Web Sites Web Content Filter Profiles Common Trusted Web Sites Figure 426 LABEL DESCRIPTION Apply Reset 26.4 Web Content Filter Forbidden Web Sites Screen Configuration > Security Service > Content Filter > Web Content Filter > Trusted/Forbidden Web Sites> Forbidden Web Sites Forbidden Web Sites Filter Profiles Common Forbidden 
Web Sites Figure 427 LABEL DESCRIPTION Apply Reset 26.5 DNS Content Filter General Screen Configuration > Security Service > Content Filter > DNS Content Filter > General DNS Content Filter General Content Filter Figure 428 LABEL DESCRIPTION default custom defined References Configuration > Security Policy > Policy Control Apply Reset 26.5.1 DNS Content Filter Add Profile Configuration > Security Service > Content Filter > DNS Content Filter > General > Add or Edit Add Figure 429 LABEL DESCRIPTION pass redirect log alert none CATEGORY OK Cancel DESCRIPTION 26.6 DNS Content Filter Allow List Screen Configuration > Security Service > Content Filter > DNS Content Filter > Allow List List Content Filter Profiles Figure 430 Allow DNS LABEL DESCRIPTION Activate Inactivate 26.7 DNS Content Filter Block List Screen Configuration > Security Service > Content Filter > DNS Content Filter > Block List List Filter Profiles Block DNS Content Figure 431 LABEL DESCRIPTION Activate Inactivate 26.8 Content Filter Technical Reference External Content Filter Server Lookup Procedure Figure 432 Content Filter Cache CHAPTER 27 Anti-Spam 27.1 Overview Allow List Block List 27.1.1 What You Can Do in this Chapter General Profile Mail Scan Block/Allow List DNSBL 27.1.2 What You Need to Know Allow List Block List SMTP and POP3 E-mail Headers File > Properties > Details E-mail Header Buffer Size DNSBL Finding Out More 27.2 Before You Begin Message Source 27.3 The Anti-Spam Profile Screen Configuration > Security Service Anti-Spam Anti-Spam Profile Figure 433 LABEL DESCRIPTION Forward Session Drop Session Refresh References Add LABEL DESCRIPTION Activated Expired Expired Not Licensed Activate Renew Activated Not Buy Standard None Standard Trial Apply Reset 27.3.1 The Anti-Spam Profile Add or Edit Screen Add Edit Configuration > Security Service Anti-Spam > Profile Figure 434 LABEL DESCRIPTION no log log alert LABEL DESCRIPTION drop forward forward with tag forward forward with tag OK Cancel 27.4 
The Mail Scan Screen Configuration > Security Service Anti-Spam > Mail Scan Mail Scan Configuration > Security Service Anti-Spam > Profile > Add/Edit Figure 435 LABEL DESCRIPTION drop forward forward with tag forward forward with tag Actions when Query Timeout Apply Reset 27.5 The Anti-Spam Block List Screen Configuration > Security Service Anti-Spam > Block/Allow List Anti-Spam Block List Figure 436 LABEL DESCRIPTION Apply Reset Activate Inactivate 27.5.1 The Anti-Spam Block or Allow List Add/Edit Screen Block List Allow List Add Edit Figure 437 LABEL DESCRIPTION Subject IP Address IPv6 Address E-Mail Address Mail Header Subject IP Address IPv6 Address IP E-Mail LABEL DESCRIPTION Mail Header Mail Header OK Cancel 27.5.2 Regular Expressions in Block or Allow List Entries 27.6 The Anti-Spam Allow List Screen Configuration > Security Service Anti-Spam > Block/Allow List Anti-Spam Allow List Allow List Figure 438 LABEL DESCRIPTION Apply Reset Activate Inactivate 27.7 The DNSBL Screen Configuration > Security Service > Anti-Spam > DNSBL Figure 439 DNSBL LABEL DESCRIPTION first N IPs last N IPs LABEL DESCRIPTION drop forward forward with tag forward forward with tag Actions when Query Timeout Activate Inactivate Apply Reset 27.8 Anti-Spam Technical Reference DNSBL Figure 440 Figure 441 Figure 442 CHAPTER 28 Object 28.1 The Device Insight Screen Configuration Security Policy Policy Control. 
Device Insight Device Insight Policy Control Configuration Object Device Insight Figure 443 LABEL DESCRIPTION Edit References Remove 28.1.1 Device Insight Add/Edit Screen Device Insight Add/Edit Configuration Object Device Insight Add/Edit Figure 444 LABEL DESCRIPTION 28.1.2 Example: Block a Profile LAN2_To_LAN1 PROFILE NAME DESCRIPTION CATEGORY OPERATING SYSTEM APPLIED POLICY TO FROM Object Device Insight ACTION Add OK DEVICE INSIGHT PROFILE Configuration Security Policy Policy Control LAN2_To_LAN1 Add Add Policy From To Action deny OK Device 28.2 Zones Overview Figure 445 Zone 28.2.1 What You Need to Know Intra-zone Traffic Inter-zone Traffic Extra-zone Traffic C Any All 28.2.2 The Zone Screen Zone Figure 446 Configuration > Object > Zone LABEL DESCRIPTION System Default User Configuration Edit References Remove 28.2.2.1 Zone Edit Zone Edit Add Edit Zone Figure 447 LABEL DESCRIPTION Available Member OK Cancel 28.3 User/Group Overview User Group Setting MAC Address 28.3.1 What You Need To Know User Account User Types TYPE ABILITIES LOGIN METHOD(S) admin Ext-User Accounts ext-user ext-user ext-user ext-user ext-user ext-user User ad-users ldap-users Ext-Group-User Accounts Ext-Group-User Dynamic-Guest Accounts radius-users billing-users ua-users billing-users trial-users trial-users User Groups ua-users admin User Awareness Finding Out More 28.3.2 User/Group User Summary Screen User Figure 448 Configuration > Object > User/Group LABEL DESCRIPTION Edit Remove References LABEL DESCRIPTION - limited-admin dynamic-guest user guest ext-user ext-group-user guest-manager Account Generator 28.3.3 User Add/Edit General Screen User Add/Edit General 28.3.3.1 Rules for User Names Edit Figure 449 User Add Figure 450 LABEL DESCRIPTION Local Administrator limited-admin user guest ext-user ext-group-user ext-user ext-group-user Password Complexity Configuration > Object > User/Group > Setting Enable ext-user ext-group-user LABEL DESCRIPTION ext-group-user Group Membership 
Attribute ext-group-user Figure 451 Figure 452 admin limited-admin Use Default Settings Use Manual Settings LABEL DESCRIPTION Use Default Settings Use Manual Settings Authentication Timeout Settings Renew Use Default Settings Use Manual Settings Authentication Timeout Settings Lease Time ext-group-user ext-group-user OK Cancel User Name Test Save Two-factor Authentication
28.3.4 User Add/Edit Two-factor Authentication Screen User Add/Edit Two-factor Authentication ACCESS TYPE TWO-FACTOR AUTHENTICATION METHODS FACTOR 2 PASSWORD ACCESS TYPE TWO-FACTOR AUTHENTICATION METHODS FACTOR 2 PASSWORD factor Authentication > VPN Access Access. Object > Auth. Method > TwoObject > Auth. Method > Two-factor Authentication > Admin Object > User/Group > User Add Edit Figure 453 Figure 454 LABEL DESCRIPTION Object > Auth. Method > Two-factor Authentication > VPN Access. · SSL VPN Access · IPSec VPN Access L2TP/IPSec VPN Access Authentication > Admin Access. · Web · SSH · TELNET Default User Defined Authenticator Google Authenticator Object > Auth. Method > Two-factor PIN code by SMS/Email Google Scan Barcode Verify your device Download LABEL DESCRIPTION Access OK Cancel
28.3.5 User/Group Group Summary Screen Group Object > User/Group > Group Figure 455 Regenerate backup codes Admin Configuration > LABEL DESCRIPTION Edit Remove References
28.3.5.1 Group Add/Edit Screen Group Add/Edit Group Edit Add Figure 456 LABEL DESCRIPTION Member OK Cancel
28.3.6 User/Group Setting Screen Setting Setting Member Available Available Configuration > Object > User/Group > Figure 457 LABEL DESCRIPTION Edit LABEL DESCRIPTION admin limited-admin user guest ext-user ext-group-user timeout Renew Lease Time Updating lease time automatically Enable user idle detection User idle Custom Default LABEL DESCRIPTION Limit ... for administration account Limit ... for access account Enable logon retry limit lockout period Enable logon retry limit maximum retry count logon retry limit Apply Reset
28.3.6.1 Default User Authentication Timeout Settings Edit Screens Default Authentication Timeout Settings Edit Figure 458 Configuration > Object > User/Group > Setting Default Authentication Timeout Settings Edit LABEL DESCRIPTION admin limited-admin dynamic-guest user guest ext-user ext-group-user guest-manager OK Cancel
28.3.6.2 User Aware Login Example Account Generator Renew Lease Time Figure 459 LABEL DESCRIPTION User-defined lease time Lease time User Add/Edit Lease time Setting Setting Allow renewing lease time automatically Renew
28.3.7 User/Group MAC Address Summary Screen Address Configuration > Object > User/Group > MAC Figure 460 LABEL DESCRIPTION Edit Remove
28.3.7.1 MAC Address Add/Edit Screen MAC Address Figure 461 Add Edit LABEL DESCRIPTION OK Cancel
28.3.8 User /Group Technical Reference Setting up User Attributes in an External Server KEYWORD Figure 462 CORRESPONDING ATTRIBUTE IN WEB CONFIGURATOR User Type Lease Time Reauthentication Time Figure 463 Creating a Large Number of Ext-User Accounts Ext-User Built-in System Accounts Configuration > Device HA > Device HA Pro > Password
28.4 Address/Geo IP Overview Address Address Add/Edit Address Group Edit Geo IP
28.4.1 What You Need To Know Address Group Add/
28.4.2 Address Summary Screen HOST RANGE SUBNET INTERFACE IP INTERFACE SUBNET INTERFACE GATEWAY GEOGRAPHY FQDN IP Address to define a Starting IP Address Network Ending IP Address Netmask HTTP:// WWW. Address Configuration > Object Address > Address ZYXEL. FQDN COM Figure 464 LABEL DESCRIPTION Edit Remove References INTERFACE LABEL DESCRIPTION Edit Remove References INTERFACE
28.4.2.1 IPv4 Address Add/Edit Screen Configuration > Object > Address/GeoIP > Address > Add/Edit (IPv4) Address Add Edit IPv4 Address Configuration Figure 465 LABEL DESCRIPTION Address Type HOST Address Type RANGE LABEL DESCRIPTION Address Type RANGE Address Type SUBNET Address Type SUBNET INTERFACE IP INTERFACE SUBNET INTERFACE GATEWAY Address Type GEOGRAPHY Address Type GEOGRAPHY Configuration Object Address/Geo IP Geo IP GEOGRAPHY Geography Address Type FQDN OK Cancel Address Type
28.4.2.2 IPv6 Address Add/Edit Screen Configuration > Object > Address/GeoIP > Address > Add/Edit (IPv6) Address Add Edit IPv6 Address Configuration Figure 466 LABEL DESCRIPTION Address Type HOST LABEL DESCRIPTION Address Type RANGE Address Type RANGE Address Type SUBNET INTERFACE IP INTERFACE SUBNET INTERFACE GATEWAY STATIC DHCPv6 Geography Address Type FQDN Address Type OK Cancel LINK LOCAL SLAAC Address Type
28.4.3 Address Group Summary Screen Address Group Configuration > Object Address/Geo IP > Address Group Figure 467 LABEL DESCRIPTION Edit Remove References LABEL DESCRIPTION Edit Remove References
28.4.3.1 Address Group Add/Edit Screen Address Group Add/Edit Address Group Add Edit IPv4 Address Group Configuration Configuration IPv6 Address Group Figure 468 LABEL DESCRIPTION LABEL DESCRIPTION Member Member Available OK Cancel
28.4.4 Geo IP Summary Screen Available Figure 469 LABEL DESCRIPTION Apply Remove HOST RANGE SUBNET. Region to Continent Region List Apply Reset
28.4.4.1 Add Custom IPv4/IPv6 Address to Geography Screen Geo IP Geography Rules Custom IPv6 to Geography Rules Add Custom IPv4 to Figure 470 LABEL DESCRIPTION OK Cancel
28.5 Service Overview Address Type HOST HOST RANGE SUBNET Address Type RANGE Address Type RANGE Address Type SUBNET Address Type SUBNET Service Service Group
28.5.1 What You Need to Know IP Protocols Service Objects and Service Groups
28.5.2 The Service Summary Screen Service Service Configuration > Object > Service > Figure 471 LABEL DESCRIPTION Edit Remove References
28.5.2.1 The Service Add/Edit Screen Service Add/Edit Service Edit Add Figure 472 LABEL DESCRIPTION IP Protocol TCP UDP TCP UDP ICMP ICMPv6 User Defined IP Protocol ICMP ICMPv6 IP Protocol User Defined OK Cancel
28.5.3 The Service Group Summary Screen Service Group Service Group Figure 473 HTTP HTTPS, SSH, TELNET Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL WAN_to_Device Configuration > Object Service LABEL DESCRIPTION Edit Remove References Service Group Add/Edit
28.5.3.1 The Service Group Add/Edit Screen Service Group Add/Edit Service Group Add Edit Figure 474 LABEL DESCRIPTION Member Member Available OK Cancel
28.6 Schedule Overview Schedule One-Time Schedule Add/Edit Recurring Schedule Add/Edit
28.6.1 What You Need to Know One-time Schedules Recurring Schedules Available
28.6.2 The Schedule Screen Schedule Configuration > Object Schedule Figure 475 LABEL DESCRIPTION Edit Remove References Edit Remove References
28.6.2.1 The One-Time Schedule Add/Edit Screen One-Time Schedule Add/Edit Schedule Add Edit One Time Figure 476 LABEL DESCRIPTION Year Month Day Hour Minute Year Month Day Hour Minute OK Cancel
28.6.2.2 The Recurring Schedule Add/Edit Screen Recurring Schedule Add/Edit Schedule Add Edit Recurring Figure 477 Year Month Day LABEL DESCRIPTION Hour Minute Hour Minute OK Cancel
28.6.3 The Schedule Group Screen Schedule Group Configuration > Object Schedule > Group
Figure 478 LABEL DESCRIPTION Edit Remove References
28.6.3.1 The Schedule Group Add/Edit Screen Schedule Group Add/Edit Schedule Schedule Group Add Edit Figure 479 LABEL DESCRIPTION Member Member Available OK Cancel
28.7 AAA Server Overview Available AAA Server
28.7.1 Directory Service (AD/LDAP) Figure 480
28.7.2 RADIUS Server Figure 481
28.7.3 ASAS Configuration > Object > AAA Server Configuration > Object > AAA Server > Active Directory LDAP Configuration > Object > AAA Server > RADIUS
28.7.4 What You Need To Know AAA Servers Supported by the Zyxel Device Directory Structure Figure 482 Distinguished Name (DN) Base DN Bind DN
28.7.5 Active Directory or LDAP Server Summary Active Directory LDAP Configuration > Object > AAA Server > Active Directory LDAP LDAP Active Directory Figure 483 LABEL DESCRIPTION Edit Remove References
28.7.5.1 Adding an Active Directory or LDAP Server Object > AAA Server > Active Directory LDAP Add Edit Active Directory LDAP Figure 484 LABEL DESCRIPTION LABEL DESCRIPTION LDAP Use SSL ext-group-user Enable Active Directory Active Directory Active Directory Active Directory Active Directory ext-group-user LABEL DESCRIPTION OK Cancel
28.7.6 RADIUS Server Summary RADIUS Username Configuration > Object > AAA Server > RADIUS Figure 485 Test RADIUS LABEL DESCRIPTION Edit Remove References
28.7.6.1 Adding a RADIUS Server Configuration > Object > AAA Server > RADIUS Edit RADIUS Add Figure 486 LABEL DESCRIPTION LABEL DESCRIPTION LABEL DESCRIPTION ext-group-user OK Cancel
28.8 Auth. Method Overview ext-group-user Configuration > Object > Auth. Method Configuration > Object > Auth. Method > Two-Factor Authentication
28.8.1 Before You Begin
28.8.2 Example: Selecting a VPN Authentication Method Gateway Auth. Method VPN Configuration > VPN > IPSec VPN > VPN Gateway Edit Show Advance Setting Enable Extended Authentication Server Mode OK Figure 487
28.8.3 Authentication Method Objects Configuration > Object > Auth. Method Figure 488 LABEL DESCRIPTION Edit Remove References
28.8.3.1 Creating an Authentication Method Object Configuration > Object > Auth. Method Add Add Method List Name Method List OK Figure 489 Cancel LABEL DESCRIPTION Edit Remove Add LABEL DESCRIPTION Server OK Cancel
28.8.4 Two-Factor Authentication
28.8.4.1 Overview Move AAA Figure 490 VPN Access Via a VPN tunnel Valid Time Admin Access Via the Web Configurator, SSH, or Telnet Valid Time
28.8.4.2 Pre-configuration Object > User/Group > User > Edit > Two-factor Authentication Object > Auth. Method > Two-factor Authentication HTTP HTTPS System > WWW > Service Control SSH Telnet System > SSH System > TELNET HTTP HTTPS, SSH, TELNET Default_Allow_WAN_To_ZyWALL WAN_to_Device Object > Service > Service Group > Email Authentication Mail Server System > Notification > Mail Server. SMS Authentication Mail Server System > Notification > Mail Server. SMS System > Notification > SMS. Google Authentication System > Notification > SMS System > Notification > Mail Server Authentication > VPN Access Valid Time Configuration > Object > Auth. Method > Two-factor Google Authenticator Settings
28.8.5 Two-Factor Authentication VPN Access Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access Figure 491 LABEL DESCRIPTION LABEL DESCRIPTION Selectable User/Group Objects Selectable User/Group Objects Selected User/Group Objects Object > User/Group > User Object > User/Group > User Configuration Object User/Group User Add Two-factor Authentication http https HTTP From Interface User-Defined: User-Defined HTTPS System > WWW > Service Control wan1 2 Multilingual file Upload Use Download the default 2FA-msg.txt example Restore Customized File to Default Select a File Path Apply Reset
28.8.6 Two-Factor Authentication Admin Access Web SSH TELNET Configuration > Object > Auth. Method > Two-factor Authentication > Admin Access Figure 492 LABEL DESCRIPTION All SMS Object > User/Group > User Email Object > User/Group > User Apply Reset
28.9 Certificate Overview My Certificates Trusted Certificates
28.9.1 What You Need to Know Advantages of Certificates Self-signed Certificates Factory Default Certificate Certificate File Formats
28.9.2 Verifying a Certificate Figure 493 Thumbprint Algorithm Figure 494 Certificate Thumbprint Details Algorithm Thumbprint
28.9.3 The My Certificates Screen Configuration > Object > Certificate > My Certificates Thumbprint My Certificates Figure 495 LABEL DESCRIPTION Edit Remove References Figure 496 LABEL DESCRIPTION Mail Subject Mail To Send Certificate with Private Key Password E-mail Content Compress as a ZIP File Send Email Cancel Figure 497 LABEL DESCRIPTION REQ Import SELF CERT My Certificate Import Refresh
28.9.3.1 The My Certificates Add Screen Configuration > Object > Certificate > My Certificates Certificates Add Subject Add My Figure 498 LABEL DESCRIPTION Address Host Domain Name E-Mail Host IP Address Host IPv6 LABEL DESCRIPTION My Certificate Details OK Cancel My Certificate Create My Certificate Create Return My Certificate Details My Certificates Return My Certificate Create
28.9.3.2 The My Certificates Edit Screen Configuration > Object > Certificate > My Certificates Edit My Certificate Edit Figure 499 LABEL DESCRIPTION Refresh Refresh LABEL DESCRIPTION Subject Name LABEL DESCRIPTION Save File Download Save Save As OK Cancel Save File Download Save My Certificates Save As
28.9.3.3 The My Certificates Import Screen Configuration > Object > Certificate > My Certificates > Import My Certificate Import Figure 500 My Certificates LABEL DESCRIPTION Browse OK Cancel My Certificates
28.9.4 The Trusted Certificates Screen Configuration > Object > Certificate > Trusted Certificates Browse Trusted Certificates Figure 501 LABEL DESCRIPTION Edit Remove References LABEL DESCRIPTION Import
28.9.4.1 The Trusted Certificates Edit Screen Configuration > Object > Certificate > Trusted Certificates Trusted Certificates Edit Subject Edit Figure 502 LABEL DESCRIPTION Refresh Refresh LDAP Server OCSP Server Subject Name LABEL DESCRIPTION OK Cancel Save File Download Save Trusted Certificates
28.9.4.2 The Trusted Certificates Import Screen Configuration > Object > Certificate > Trusted Certificates > Import Import Save As Trusted Certificates Figure 503 LABEL DESCRIPTION Browse OK Cancel
28.9.5 Certificates Technical Reference OCSP Browse
28.10 ISP Account Overview Object ISP Account
28.10.1 ISP Account Summary Configuration > Object ISP Account Figure 504 LABEL DESCRIPTION Edit Remove References
28.10.1.1 ISP Account Add/Edit ISP Account Add/Edit Add Edit ISP Account ISP Account Edit Figure 505 LABEL DESCRIPTION pppoe pptp l2tp CHAP/PAP Chap PAP MSCHAP MSCHAP-V2 nomppe mppe-40 mppe-128 PPTP LABEL DESCRIPTION PPTP On Off OK ISP Account ISP Account Edit Cancel ISP Account
CHAPTER 29 Mgmt. & Analytics
29.1 Mgmt. & Analytics Overview ID Nebula CNM
29.1.1 What You Can Do in this Chapter Mgmt. & Analytics > SecuManager Mgmt. & Analytics > SecuReporter Mgmt. & Analytics > Nebula
29.2 Cloud CNM SecuManager Figure 506 Configuration > Cloud CNM > SecuManager Figure 507 LABEL DESCRIPTION CNM ID Auto CNM ID CNM URL CNM URL HTTPS Transfer Protocol CNM ID CNM URL HTTP HTTPS Transfer Protocol CNM URL CNM ID CNM URL HTTP LABEL DESCRIPTION Apply Reset
29.3 Cloud CNM SecuReporter Figure 508 How to activate and enable SecuReporter Service Status Activated Configuration Cloud CNM SecuReporter Configuration > Licensing > Registration > Service Figure 509 Configuration Cloud CNM SecuReporter Enable SecuReporter Apply How to add this Zyxel Device to SecuReporter Settings Organization & Devices Add Organization SecuReporter Banner Unclaimed Device Figure 510 Continue Server Status Connected Timeout Fail Device Name Organization Select from existing organization Create new organization Partially Anonymous Fully Anonymous Non-Anonymous Figure 511 Configuration Cloud CNM SecuReporter Figure 512 LABEL DESCRIPTION Standard Trial Activated Expired Expired Not Licensed Standard Apply Reset Activated Not Trial
29.4 Nebula
29.4.1 Scenario A-Native Mode Access Nebula Internet Test Apply & Go to Nebula Apply & Go To Nebula Configuration Mgmt. & Analytics Nebula Figure 513 LABEL DESCRIPTION P2 P3 Port 2 Port 3 LABEL DESCRIPTION Inactive Down Speed/Duplex Up Down Connected Disconnected Full Halt Static Dynamic DHCP Client Test
29.4.2 Scenario B-Zero Touch Provisioning (ZTP) Figure 514
CHAPTER 30 System
30.1 Overview
30.1.1 What You Can Do in this Chapter System > Host Name System > USB Storage System > Date/Time System > Console Speed System > DNS System > WWW System > SSH System > TELNET System > FTP Auth. Server Notification > Mail Server Notification > SMS Notification > Response Message System > SNMP System > Language System > IPv6 System > ZON System Advanced
30.2 Host Name > Host Name Figure 515 Host Name Configuration > System LABEL DESCRIPTION Apply Reset
30.3 USB Storage Configuration > System > USB Storage Figure 516 LABEL DESCRIPTION Apply Reset
30.4 Date and Time MB % System > Date/Time Configuration > Figure 517 LABEL DESCRIPTION Apply Time and Date Setup Manual Apply LABEL DESCRIPTION Apply Time and Date Setup Manual Apply Synchronize Now Time Server Address Saving at Enable Daylight Second Sunday March at at Saving at at Last Sunday March Enable Daylight First Sunday November at Last Sunday October LABEL DESCRIPTION Apply Reset
30.4.1 Pre-defined NTP Time Servers List
30.4.2 Time Server Synchronization Synchronize Now Time Server Address Loading Figure 518 Current Time Current Date Date/Time System > Date/Time Manual Time and Date Setup View Log Time Zone Setup Apply New Time New Date Time Zone Enable Daylight Saving System > Date/Time Get from Time Server Time Zone Setup Time and Date Setup Time Zone Enable Daylight Saving Time and Date Setup Apply Time Server Address
30.5 Console Port Speed Configuration > System > Console Speed Figure 519 Console Speed LABEL DESCRIPTION Console Port Speed Console Apply Reset
30.6 DNS Overview
30.6.1 DNS Server Address Assignment
30.6.2 Configuring the DNS Screen Configuration > System > DNS Network > Interface Status DNS Security Option Control Advanced Settings Figure 520 Configuration > System > DNS Show LABEL DESCRIPTION Edit Remove Edit Remove Add Move LABEL DESCRIPTION User-Defined N/A tunnel Edit Remove Show Advanced Settings Default Customize Query Recursion Customize Default Additional Info from Cache Customize Object > Address allow deny Edit Remove Add Move LABEL DESCRIPTION
30.6.3 (IPv6) Address Record Accept Deny
30.6.4 PTR Record
30.6.5 Adding an (IPv6) Address/PTR Record Add Address/PTR Record IPv6 Address/PTR Record Figure 521 LABEL DESCRIPTION OK Cancel
30.6.6 CNAME Record
30.6.7 Adding a CNAME Record Figure 522 LABEL DESCRIPTION OK Cancel
30.6.8 Domain Zone Forwarder
30.6.9 Adding a Domain Zone Forwarder Add Domain Zone Forwarder Figure 523 LABEL DESCRIPTION DNS Server(s) from ISP Public DNS Server
30.6.10 MX Record Private DNS Server OK Cancel N/A Query via
30.6.11 Adding a MX Record Add MX Record Figure 524 LABEL DESCRIPTION OK Cancel
30.6.12 Security Option Control Security Option Control Advanced Settings Configuration > System > DNS Show Query Recursion Query Recursion Additional Info from Cache Additional Info from Cache
30.6.13 Editing a Security Option Control Edit Additional Info from Cache Figure 525 allow deny Query Recursion LABEL DESCRIPTION Default Object > Address > Member OK Cancel
30.6.14 Adding a DNS Service Control Rule Add Service Control Figure 526 LABEL DESCRIPTION ALL ALL LABEL DESCRIPTION Accept Deny OK Cancel
30.7 WWW Overview
30.7.1 Service Access Limitations Enable Deny
30.7.2 System Timeout Service Control Service Control
30.7.3 HTTPS User/Group Authenticate Client Certificates WWW Authenticate Client Certificates Figure 527 HTTP WWW
30.7.4 Configuring WWW Service Control Configuration > System > WWW WWW Admin Service Control User Service Control Figure 528 LABEL DESCRIPTION Service Control 8443 LABEL DESCRIPTION Authenticate Client Certificates Admin Service Control User Service Control My Certificates Edit Remove Add Move Zone Accept Deny Service Control Admin Service Control User Service Control Add Edit LABEL DESCRIPTION Remove Move Apply Reset
30.7.5 Service Control Rules Add Edit Service Control Figure 529 Zone Accept Deny Object > Auth. method WWW SSH Telnet FTP SNMP LABEL DESCRIPTION ALL LABEL DESCRIPTION ALL Accept Deny OK Cancel
30.7.6 Customizing the WWW Login Page Configuration > System > WWW > Login Page Figure 530 Login Page Figure 531 Figure 532 Figure 533 Color Apply LABEL DESCRIPTION Upload Browse Picture Browse Color Picture Browse Color LABEL DESCRIPTION Apply Reset
30.7.7 HTTPS Example
30.7.7.1 Internet Explorer Warning Messages Figure 534 Continue to this website here to close this web page
30.7.7.2 Mozilla Firefox Warning Messages The Connection is Untrusted Technical Details I Understand the Risks Add Exception Confirm Security Exception Click Figure 535 Figure 536
30.7.7.3 Avoiding Browser Warning Messages
30.7.7.4 Login Screen Figure 537
30.7.7.5 Enrolling and Importing SSL Client Certificates Authenticate Client Certificates Certificates Figure 538 Trusted CA Authenticate Client
30.7.7.5.1 Installing the CA's Certificate Figure 539 Install Certificate
30.7.7.5.2 Installing Your Personal Certificate(s) Next Figure 540 File name Browse Figure 541 Figure 542 certificates in the following store Figure 543 Finish Place all Figure 544 Figure 545
30.7.7.6 Using a Certificate When Accessing the Zyxel Device Example Figure 546 Authenticate Client Certificates Figure 547 Figure 548
30.8 SSH A SSH Service Group > Default_Allow_WAN_To_ZyWALL WAN_to_Device Figure 549 Object > Service >
30.8.1 SSH Implementation on the Zyxel Device
30.8.2 Requirements for Using SSH
30.8.3 Configuring SSH Configuration > System > SSH Figure 550 LABEL DESCRIPTION Service Control Certificates Edit Remove Add My Move Apply Reset Zone Accept Deny
30.8.4 Service Control Rules Add Edit Service Control Figure 551 LABEL DESCRIPTION ALL ALL Accept Deny OK Cancel
30.8.5 SSH Example
30.9 Telnet
30.9.1 Configuring Telnet Configuration > System > TELNET Service Group > Default_Allow_WAN_To_ZyWALL WAN_to_Device Telnet Object > Service > Figure 552 LABEL DESCRIPTION Service Control Edit Remove Add Move Apply Reset Zone Accept Deny
30.9.2 Service Control Rules Add Edit Service Control Figure 553 LABEL
30.10 FTP DESCRIPTION ALL ALL Accept Deny OK Cancel
30.10.1 Configuring FTP Configuration > System > FTP Figure 554 LABEL DESCRIPTION Service Control Edit Remove Add My Certificates Move Zone Accept Deny LABEL DESCRIPTION Apply Reset
30.10.2 Service Control Rules Add Edit Service Control Figure 555 LABEL DESCRIPTION ALL ALL Accept Deny OK Cancel
30.11 SNMP Figure 556
30.11.1 SNMPv3 and Security
30.11.2 Supported MIBs
30.11.3 SNMP Traps OBJECT LABEL OBJECT ID DESCRIPTION
30.11.4 Configuring SNMP Configuration > System > SNMP Figure 557 LABEL DESCRIPTION Service Control Get Community Set community LABEL DESCRIPTION DES AES Read-Write Read-Only Edit Remove Add MD5 SHA Edit Remove Add Move Apply Reset Zone Accept
30.11.5 Add SNMPv3 User Add Configuration > System > SNMP Deny Figure 558 LABEL DESCRIPTION MD5 SHA DES AES Read-Write Read-Only OK Cancel
30.11.6 Service Control Rules Add Edit Service Control Figure 559 LABEL DESCRIPTION ALL ALL Accept Deny OK Cancel
30.12 Authentication Server Figure 560 Configuration > System > Auth. Server LABEL DESCRIPTION Method Edit Remove Activate Inactivate My Certificates Configuration > Object > Auth. Add Apply Reset
30.12.1 Add/Edit Trusted RADIUS Client Configuration > System > Auth. Server Edit Auth. Server Add Figure 561 LABEL DESCRIPTION OK Cancel
30.13 Notification > Mail Server Maintenance > Diagnostics > Network Tool Report > Email Daily Report Configuration > System > Notification Test Email Server Configuration > Log & Mail Server Figure 562 LABEL DESCRIPTION Configuration > Log & Report > Email Daily Report Append system name Append date time Apply Reset SMTP Authentication SMTP Authentication
30.14 Notification > SMS Configuration > System > Notification > SMS Figure 563 LABEL DESCRIPTION Email-to-SMS Provider Configuration System Notification Mail Server auto append to "Mail to" Mail To Server Configuration System Notification Mail Server Mail LABEL DESCRIPTION Configuration Object User/Group User
30.15 Notification > Response Message Configuration > System > Notification > Response Message Figure 564 LABEL DESCRIPTION Edit LABEL DESCRIPTION #0000FF #0000FF #0000FF
30.16 Language Screen Configuration > System > Language Browse Color #0000FF Color Color Color Figure 565 LABEL DESCRIPTION Apply Reset
30.17 IPv6 Screen Configuration > System > IPv6 Figure 566 LABEL DESCRIPTION Ethernet VLAN Apply Reset Bridge Configuration Network Interface
30.18 Zyxel One Network (ZON) Utility
30.18.1 Requirements Operating System Properties Hardware
30.18.2 Run the ZON Utility OK Figure 567 General My Computer > information about ZON Show Supported model and firmware version Figure 568 Figure 569 Go Figure 570 Figure 571 1 2 3 4 5 6 7 8 9 10 11 12 13 ICON DESCRIPTION LABEL DESCRIPTION Flash Locator LED IP Configuration Renew IP address
30.18.3 Zyxel One Network (ZON) System Screen ZDP Smart Connect System > ZON Monitor > System Status > Ethernet Neighbor Smart Connect Figure 572 System > ZON LABEL DESCRIPTION Smart Connect Ethernet Discovery.
Apply Reset
30.19 Advanced Screen Monitor > System Status >
30.19.1 Fast Forwarding Technical Reference System > Advanced Figure 573 LABEL Figure 574 DESCRIPTION Apply Reset Enable Title Bar
CHAPTER 31 Log and Report
31.1 Overview
31.1.1 What You Can Do In this Chapter Email Daily Report Log Setting
31.2 Email Daily Report Email Daily Report Notification Mail Server Note Configuration > Log & Report > Email Daily Report Figure 575 LABEL DESCRIPTION LABEL DESCRIPTION Usage Wireless Report Security Service, Interface Traffic Statistics Reset counters after sending report successfully System Resource DHCP Table Apply Reset
31.3 Log Setting Screens Log Setting MONITOR > Log Log Setting Log Setting Edit Log Category Settings
31.3.1 Log Setting Summary Configuration > Log & Report > Log Settings Figure 576 LABEL DESCRIPTION Internal VRPT CEF/Syslog Edit Activate Inactivate LABEL DESCRIPTION Log Category Settings Edit
31.3.2 Edit System Log Settings Log Settings Edit Edit Figure 577 Log Settings Summary Figure 578 Figure 579 LABEL DESCRIPTION Active Log and Alert Daily and When Full Weekly and When Full When Full Hourly and When Full LABEL DESCRIPTION SMTP Authentication SMTP Authentication System Log disable all logs enable normal logs enable normal logs and debug logs E-Mail Server 1 System Log enable normal logs enable alert logs E-Mail Server 2 System Log enable normal logs enable alert logs Category View Log disable all logs enable normal logs Default Log Category enable normal logs and debug logs E-Mail Server 1 System log E-Mail Server 2 System log Display LABEL DESCRIPTION x x Message x Log Consolidation Interval View Log x Message
31.3.3 Edit Log on USB Storage Setting Edit Log on USB Storage Setting Log Setting Summary Edit Figure 580 LABEL DESCRIPTION Active Log Keep Duration Selection disable all logs enable normal logs enable normal logs and debug logs disable all logs enable normal logs enable normal logs and debug logs Default Log Category All Logs
31.3.4 Edit Remote Server Log Settings Log Settings Edit Log Settings Summary Edit Figure 581 LABEL DESCRIPTION VRPT/Syslog CEF/Syslog Active Log LABEL DESCRIPTION Selection disable all logs enable normal logs enable normal logs and debug logs Category View Log Default Log Category disable all logs enable normal logs enable normal logs and debug logs Display All Logs
31.3.5 Log Category Settings Screen Log Category Settings Log Category Settings Figure 582 Log Settings Summary Figure 583 Default LABEL DESCRIPTION System Log disable all logs enable normal logs enable normal logs and debug logs USB Storage disable all logs enable normal logs enable normal logs and debug logs E-Mail Server 1 System Log enable normal logs enable alert logs E-Mail Server 2 System Log enable normal logs enable alert logs LABEL DESCRIPTION Selection disable all logs enable normal logs enable normal logs and debug logs Category View Log Default disable all logs enable normal logs enable normal logs and debug logs Log Category disable all logs enable normal logs enable normal logs and debug logs E-Mail Server 1 System log Mail Server 2 System log All Logs disable all logs enable normal logs enable normal logs and debug logs Display ELog Category
CHAPTER 32 File Manager
32.1 Overview
32.1.1 What You Can Do in this Chapter Configuration File Firmware Package Shell Script
32.1.2 What you Need to Know Configuration Files and Shell Scripts Figure 584 Configuration Privilege Privilege Configuration Comments in Configuration Files or Shell Scripts Errors in Configuration Files or Shell Scripts
32.2 The Configuration Screen Maintenance > File Manager > Configuration File > Configuration Configuration Configuration Apply Configuration File Flow at Restart startup-config.conf system-default.conf startup-config.conf startup-config-bad.conf lastgood.conf system-default.conf lastgood.conf startup-config.conf lastgood.conf startup-config.conf startup-config.conf
Do not turn off the Zyxel Device while configuration file upload is in progress.
LABEL DESCRIPTION default.conf startup-config.conf Figure 585 lastgood.conf system- Rename Rename File OK default.conf startup-config.conf Cancel Remove lastgood.conf Cancel Download systemOK LABEL DESCRIPTION Figure 586 Copy Copy File OK Figure 587 Cancel Apply Immediately stop applying the configuration file Immediately stop applying the configuration file and roll back to the previous configuration Ignore errors and finish applying the configuration file Ignore errors and finish applying the configuration file and then roll back to the previous configuration OK Cancel LABEL DESCRIPTION system-default.conf Apply startup-config.conf lastgood.conf Apply OK startup-config.conf Browse... system-default.conf lastgood.conf Browse ... Upload
32.2.1 The Configuration Schedule Backup Screen Schedule Backup Figure 588 LABEL DESCRIPTION LABEL DESCRIPTION Apply Reset
32.3 Firmware Management Firmware Management Running Standby
The firmware update can take up to five minutes. Do not turn off or reset the Zyxel Device while the firmware update is in progress!
32.3.1 Cloud Helper Upgrade What's New Upgrade Now Upgrade Now Upgrade Now
32.3.2 The Firmware Management Screen Maintenance > File Manager > Firmware Management Firmware Management Figure 589 LABEL DESCRIPTION Reboot Standby Reboot Running Standby Running Standby Running N/A Standby LABEL DESCRIPTION Check Now Auto Update File Manager > Firmware Management Schedule Reboot Maintenance > Shutdown-Reboot Not Activated Yes Yes No Activated No Maintenance File Manager Firmware Management Reboot Standby Standby Running Configuration File Configuration Upload Configuration File Firmware Upload in Process Figure 590 Maintenance File Manager Figure 591 Dashboard Figure 592
32.3.3 Firmware Upgrade via USB Stick SYS startup-config.conf startup-config.conf lastgood.conf system-default.conf lastgood.conf
32.4 The Shell Script Screen Maintenance > File Manager > Shell Script Shell Script Shell Script Figure 593 LABEL DESCRIPTION Figure 594 Rename Rename File OK Cancel Remove OK Cancel Download LABEL DESCRIPTION Figure 595 Copy Copy File OK Cancel Apply Browse... Upload Browse ...
CHAPTER 33 Diagnostics
33.1 Overview
33.1.1 What You Can Do in this Chapter Diagnostics Packet Capture CPU / Memory Status System Logs Network Tool Routing Traces Wireless Frame Capture
33.2 The Diagnostics Screens Diagnostics
33.2.1 Scripts Script Name Script Uploads to the Zyxel Device File Manager > Shell Script Diagnostics > Controller Diagnostics > AP Diagnostics > AP. Script Output Diagnostics > Files
33.2.2 The Diagnostics Controller Screen Maintenance > Diagnostics > Controller Collect Now Figure 596 LABEL DESCRIPTION Standby Busy on Ap Diagnostics > AP Busy on ZyWall: LABEL DESCRIPTION Browse Upload
33.2.3 The Diagnostics Files Screen Maintenance > Diagnostics > Files Figure 597 LABEL DESCRIPTION LABEL DESCRIPTION Remove Download
33.3 The Packet Capture Screen Capture Maintenance > Diagnostics > Packet File Suffix Figure 598 LABEL DESCRIPTION Capture Interfaces Available Interfaces any any User Defined IP Type any tcp any udp LABEL DESCRIPTION Continuously capture and overwrite old ones Duration File Size Unused Remove Now none service deactivated Storag available Configuration > System > USB LABEL DESCRIPTION
33.3.1 The Packet Capture Files Screen Maintenance > Diagnostics > Packet Capture > Files Figure 599 LABEL DESCRIPTION Remove Download LABEL DESCRIPTION
33.4 The CPU / Memory Status Screen Maintenance > Diagnostics > CPU / Memory Status CPU/Memory Status Figure 600 LABEL DESCRIPTION LABEL DESCRIPTION
33.5 The System Log Screen Maintenance > Diagnostics > System Log Figure 601 System Log LABEL DESCRIPTION Remove Download LABEL DESCRIPTION
33.6 The Network Tool Screen Maintenance > Diagnostics > Network Tool Figure 602 Figure 603 LABEL DESCRIPTION NSLOOKUP IPv4 NSLOOKUP IPv6 PING IPv4 PING IPv6 TRACEROUTE IPv4 TRACEROUTE IPv6 Test Email Server Test Email Server Network Tool LABEL DESCRIPTION Append system name Append date time SMTP Authentication SMTP Authentication
33.7 The Routing Traces Screen Maintenance > Diagnostics > Routing Traces Figure 604 LABEL DESCRIPTION any
33.8 The Wireless Frame Capture Screen Maintenance > Diagnostics > Wireless Frame Capture File Prefix Figure 605 LABEL DESCRIPTION Configuration > Wireless > AP Management Captured MON Mode APs LABEL DESCRIPTION
33.8.1 The Wireless Frame Capture Files Screen Maintenance > Diagnostics > Wireless Frame Capture > Files Figure 606 LABEL DESCRIPTION Remove Download
CHAPTER 34 Packet Flow Explore
34.1 Overview
34.1.1 What You Can Do in this Chapter Routing Status SNAT Status
34.2 Routing Status Routing Status Routing Table Routing Flow Maintenance Packet Flow Explore Routing Status use policy route to override direct route Route CONFIGURATION > Network > Routing > Policy use policy routes to control dynamic IPSec rules VPN Connection CONFIGURATION > VPN > IPSec VPN > Figure 607 Figure 608 Figure 609 Figure 610 Figure 611 Figure 612 Figure 613 Figure 614 LABEL DESCRIPTION Routing Flow Routing Table Direct Route Static-Dynamic Route Main Route Routing Flow A S C O R B G ! B L Policy Route Routing Flow any 1-1 SNAT Auto VPN Tunnel Trunk Routing Flow Interface /GW LABEL DESCRIPTION Dynamic VPN or SiteToSite VPN Routing Flow Default WAN Trunk Routing Flow any any
34.3 The SNAT Status Screen SNAT Status SNAT Flow Maintenance Packet Flow Explore SNAT Status SNAT Table use default SNAT CONFIGURATION > Network > Interface > Trunk Figure 615 Figure 616 Figure 617 Figure 618 LABEL DESCRIPTION SNAT Table Policy Route SNAT SNAT Flow SNAT Flow LABEL DESCRIPTION 1-1 SNAT SNAT Flow Interface IP Loopback SNAT SNAT Flow any any Default SNAT SNAT Flow Interface IP Outgoing Outgoing
CHAPTER 35 Shutdown
35.1 Overview
Always use the Maintenance > Shutdown > Shutdown screen or the "shutdown" command before you turn off the Zyxel Device or remove the power. Not doing so can cause the firmware to become corrupt.
35.1.1 What You Need To Know 35.2 The Shutdown / Reboot Screen Figure 619 Maintenance Shutdown/Reboot LABEL DESCRIPTION Shutdown Reboot Auto Update File Manager > Firmware Management Schedule Reboot Maintenance > Shutdown-Reboot Apply Reset PART III Appendices and Troubleshooting CHAPTER 36 Troubleshooting Network Test Tool ZTP Setup Organization-wide Configuration Inventory Waiting ZTP OK Add Organization-wide Configuration Inventory Add to site Waiting ZTP ZTP Setup OK OK Add Start (All) Programs Accessories Command Prompt Command Prompt RESET SYS CONSOLE CONSOLE Dashboard Enable Content Filter Category Service Configuration > Security Service > Content Filter > Profile > Add or Edit Containment Period Configuration Security Service Collaborative Detection & Response Internal External Interface Type General Interface Type Auto Trusted Certificates Configuration > VPN > IPSec VPN > VPN Connection dynamic IPSec rules option Use Policy Route to control AP Role Capability Mgnt. AP List Secure WiFi Remote AP Configuration Wireless AP Management Secure Tunnel SSID admin ext-user admin Configuration Object Auth. Method Two-factor Authentication VPN Access. System Notification SMS System Notification Mail Server My Certificates File Size File Size Duration File Suffix Feedback Monitor Network Status Device Insight Monitor Device Insight deny Security Policy Web Interface Security Check for for Web Interface Security Check Check for Web Interface Security Mgmt.
& Analytics Nebula 36.1 Resetting the Zyxel Device SYS RESET SYS RESET 36.2 Getting More Troubleshooting Help APPENDIX A Customer Support http://www.zyxel.com/homepage.shtml http://www.zyxel.com/about_zyxel/zyxel_worldwide.shtml Required Information Corporate Headquarters (Worldwide) Taiwan Asia China India Kazakhstan Korea Malaysia Pakistan Philippines Singapore Taiwan Thailand Vietnam Europe Austria Belarus Belgium Bulgaria Czech Republic Denmark Estonia Finland France Germany Hungary Italy Latvia Lithuania Netherlands Norway Poland Romania Russia Slovakia Spain Sweden Switzerland Turkey UK Ukraine Latin America Argentina Brazil Ecuador Middle East Israel Middle East North America USA Oceania Australia Africa South Africa APPENDIX B Product Features Model Name Interface USG FLEX 50 USG FLEX 50W (USG20-VPN) (USG20W-VPN) Routing Sessions NAT Firewall (Secure Policy) ADP Application Patrol User Profile HTTPd Objects Trunk VPN Certificate Built-In Service USB Storage Centralized Log IDP SSL Inspection Content Filtering Anti-Spam Anti-Virus SSL VPN AP Controller BWM SIP Custom Web Portal Page Hotspot Management APPENDIX C Legal Information Copyright Disclaimer Regulatory Notice and Statement (Class B) UNITED STATES of AMERICA FCC EMC Statement FCC Radiation Exposure Statement (For USG FLEX 50W and USG20W-VPN only) CANADA Innovation, Science and Economic Development ICES statement Innovation, Science and Economic Development RSS-GEN & RSS-247 statement (For USG FLEX 50W and USG20W-VPN only) Antenna Information Type Manufacturer Gain Connector Impedance informations antenne Type fabricant Gain Connecteur impédance Industry Canada radiation exposure statement (For USG FLEX 50W and USG20W-VPN only) Déclaration d'exposition aux radiations (For USG FLEX 50W and USG20W-VPN only): EUROPEAN UNION and UNITED KINGDOM Declaration of Conformity with Regard to EU Directive 2014/53/EU (Radio Equipment Directive, RED) and UK regulation (For USG FLEX 50W and USG20W-VPN only) National 
Restrictions National Restrictions National Restrictions National Restrictions List of national codes Safety Warnings Environment Statement ErP (Energy-related Products) Disposal and Recycling Information About the Symbols Explanation of the Symbols Viewing Certifications Zyxel Limited Warranty Note Registration Open Source Licenses https://www.zyxel.com/form/gpl_oss_software_notice.shtml