Zyxel ZyWALL 310 User Manual

Displayed below is the user manual for ZyWALL 310 by Zyxel which is a product in the Hardware Firewalls category. This manual has pages.

Related Manuals

Zyxel ZyWall 110 Manual

Zyxel ZyWALL 1100 Manual

Zyxel ZyWALL 110 VPN Firewall Manual

Whirlpool AKT 310 Manual

Whirlpool AKR 310/IX Manual

Tefal WM 310D Manual

Quick Start Guide

www.zyxel.com

ZyWALL/USG Series

ZyWALL 110 / 310 / 1100

USG40 / USG40W / USG60 / USG60W / USG110 / USG210 /

USG310 / USG1100 / USG1900

Security Firewalls

Version 4.13

Edition 1, 08/2015

User’s Guide

Default Login Details

LAN Port IP Address https://192.168.1.1

User Name admin

Password 1234

ZyWALL/USG Series User’s Guide

IMPORTANT!

READ CAREFULLY BEFORE USE.

KEEP THIS GUIDE FOR FUTURE REFERENCE.

This is a User’s Guide for a series of products. Not all products support all firmware features.

Screenshots and graphics in this book may differ slightly from your product due to differences in

your product firmware or your computer operating system. Every effort has been made to ensure

that the information in this manual is accurate.

Related Documentation

•Quick Start Guide

The Quick Start Guide shows how to connect the ZyWALL/USG and access the Web Configurator

wizards. (See the wizard real time help for information on configuring each screen.) It also

contains a connection diagram and package contents list.

• CLI Reference Guide

The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the

ZyWALL/USG.

Note: It is recommended you use the Web Configurator to configure the ZyWALL/USG.

• Web Configurator Online Help

Click the help icon in any screen for help in configuring that screen and supplementary

information.

•Knowledge Base

See Support > Knowledge Base at the ZyXEL website for FAQs, application examples,

troubleshooting and other technical information on the ZyWALL/USG.

ZyWALL/USG Series User’s Guide

Part I: User’s Guide .........................................................................................19

Chapter 1

Introduction.........................................................................................................................................21

1.1 Overview ...........................................................................................................................................21

1.1.1 Applications .............................................................................................................................21

1.2 Management Overview .....................................................................................................................24

1.3 Web Configurator ..............................................................................................................................25

1.3.1 Web Configurator Access ........................................................................................................25

1.3.2 Web Configurator Screens Overview ......................................................................................28

1.3.3 Navigation Panel .....................................................................................................................31

1.3.4 Tables and Lists .......................................................................................................................38

Chapter 2

Installation Setup Wizard...................................................................................................................41

2.1 Installation Setup Wizard Screens ...................................................................................................41

2.1.1 Internet Access Setup - WAN Interface ..................................................................................41

2.1.2 Internet Access: Ethernet .......................................................................................................42

2.1.3 Internet Access: PPPoE ..........................................................................................................43

2.1.4 Internet Access: PPTP ...........................................................................................................45

2.1.5 Internet Access Setup - Second WAN Interface ......................................................................46

2.1.6 Internet Access Succeed ........................................................................................................47

2.1.7 Wireless Settings: AP Controller ............................................................................................47

2.1.8 Wireless Settings: SSID & Security ........................................................................................48

2.1.9 Internet Access - Device Registration ....................................................................................49

Chapter 3

Hardware, Interfaces and Zones .......................................................................................................50

3.1 Overview ...........................................................................................................................................50

3.1.1 Front Panels ............................................................................................................................50

3.1.2 Rear Panels .............................................................................................................................51

3.1.3 Default Zones, Interfaces, and Ports .......................................................................................52

3.2 Mounting ...........................................................................................................................................54

3.2.1 Rack-mounting ........................................................................................................................54

3.2.2 Wall-mounting ..........................................................................................................................55

3.3 Stopping the ZyWALL/USG ..............................................................................................................55

Chapter 4

Quick Setup Wizards..........................................................................................................................56

4.1 Quick Setup Overview .......................................................................................................................56

4.2 WAN Interface Quick Setup ..............................................................................................................57

4.2.1 Choose an Ethernet Interface ..................................................................................................57

4.2.2 Select WAN Type .....................................................................................................................58

ZyWALL/USG Series User’s Guide

4.2.3 Configure WAN IP Settings .....................................................................................................58

4.2.4 ISP and WAN and ISP Connection Settings ............................................................................59

4.2.5 Quick Setup Interface Wizard: Summary ................................................................................61

4.3 VPN Setup Wizard ............................................................................................................................62

4.3.1 Welcome ..................................................................................................................................63

4.3.2 VPN Setup Wizard: Wizard Type .............................................................................................64

4.3.3 VPN Express Wizard - Scenario .............................................................................................64

4.3.4 VPN Express Wizard - Configuration .....................................................................................66

4.3.5 VPN Express Wizard - Summary ...........................................................................................66

4.3.6 VPN Express Wizard - Finish .................................................................................................67

4.3.7 VPN Advanced Wizard - Scenario .........................................................................................68

4.3.8 VPN Advanced Wizard - Phase 1 Settings .............................................................................69

4.3.9 VPN Advanced Wizard - Phase 2 ...........................................................................................71

4.3.10 VPN Advanced Wizard - Summary ......................................................................................72

4.3.11 VPN Advanced Wizard - Finish .............................................................................................72

4.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type ..................................................73

4.4.1 Configuration Provisioning Express Wizard - VPN Settings ...................................................74

4.4.2 Configuration Provisioning VPN Express Wizard - Configuration ..........................................75

4.4.3 VPN Settings for Configuration Provisioning Express Wizard - Summary .............................76

4.4.4 VPN Settings for Configuration Provisioning Express Wizard - Finish ...................................77

4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario ...........................78

4.4.6 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 1 Settings ..............79

4.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2 ............................81

4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard - Summary ..........................81

4.4.9 VPN Settings for Configuration Provisioning Advanced Wizard- Finish .................................83

4.5 VPN Settings for L2TP VPN Settings Wizard ...................................................................................84

4.5.1 L2TP VPN Settings ..................................................................................................................85

4.5.2 L2TP VPN Settings ..................................................................................................................86

4.5.3 VPN Settings for L2TP VPN Setting Wizard - Summary ........................................................87

4.5.4 VPN Settings for L2TP VPN Setting Wizard Completed ........................................................88

Chapter 5

Dashboard...........................................................................................................................................89

5.1 Overview ...........................................................................................................................................89

5.1.1 What You Can Do in this Chapter ............................................................................................89

5.2 Main Dashboard Screen ...................................................................................................................89

5.2.1 Device Information Screen ......................................................................................................91

5.2.2 System Status Screen .............................................................................................................92

5.2.3 VPN Status Screen ..................................................................................................................93

5.2.4 DHCP Table Screen ................................................................................................................94

5.2.5 Number of Login Users Screen ...............................................................................................95

5.2.6 System Resources Screen ......................................................................................................96

5.2.7 CPU Usage Screen .................................................................................................................97

ZyWALL/USG Series User’s Guide

5.2.8 Memory Usage Screen ............................................................................................................98

5.2.9 Active Session Screen .............................................................................................................99

5.2.10 Extension Slot Screen .........................................................................................................100

5.2.11 Interface Status Summary Screen .......................................................................................100

5.2.12 Secured Service Status Screen ...........................................................................................102

5.2.13 Content Filter Statistics Screen ...........................................................................................103

5.2.14 Top 5 Viruses Screen ...........................................................................................................103

5.2.15 Top 5 Intrusions Screen .......................................................................................................104

5.2.16 Top 5 IPv4/IPv6 Security Policy Rules that Blocked Traffic Screen .....................................104

5.2.17 The Latest Alert Logs Screen ..............................................................................................105

Part II: Technical Reference..........................................................................106

Chapter 6

Monitor...............................................................................................................................................108

6.1 Overview .........................................................................................................................................108

6.1.1 What You Can Do in this Chapter ..........................................................................................108

6.2 The Port Statistics Screen ..............................................................................................................109

6.2.1 The Port Statistics Graph Screen ......................................................................................... 110

6.3 Interface Status Screen ................................................................................................................... 111

6.4 The Traffic Statistics Screen ............................................................................................................ 114

6.5 The Session Monitor Screen .......................................................................................................... 117

6.6 IGMP Statistics ................................................................................................................................ 118

6.7 The DDNS Status Screen ............................................................................................................... 119

6.8 IP/MAC Binding ...............................................................................................................................120

6.9 The Login Users Screen ................................................................................................................120

6.10 Cellular Status Screen ...................................................................................................................121

6.10.1 More Information .................................................................................................................124

6.11 The UPnP Port Status Screen ......................................................................................................125

6.12 USB Storage Screen .....................................................................................................................126

6.13 Ethernet Neighbor Screen ............................................................................................................127

6.14 Wireless .......................................................................................................................................128

6.14.1 Wireless AP Information: AP List .........................................................................................128

6.14.2 AP List More Information ...................................................................................................129

6.14.3 Wireless AP Information: Radio List ....................................................................................131

6.14.4 Radio List More Information ................................................................................................133

6.14.5 Wireless Station Info ............................................................................................................134

6.14.6 Detected Device .................................................................................................................135

6.15 The IPSec Monitor Screen ............................................................................................................136

6.15.1 Regular Expressions in Searching IPSec SAs ....................................................................137

6.16 The SSL Screen ............................................................................................................................137

ZyWALL/USG Series User’s Guide

6.17 The L2TP over IPSec Session Monitor Screen .............................................................................138

6.18 The App Patrol Screen ..................................................................................................................139

6.19 The Content Filter Screen .............................................................................................................140

6.20 The IDP Screen .............................................................................................................................142

6.21 The Anti-Virus Screen ...................................................................................................................144

6.22 The Anti-Spam Screens ................................................................................................................145

6.22.1 Anti-Spam Report ................................................................................................................146

6.22.2 The Anti-Spam Status Screen .............................................................................................148

6.23 The SSL Inspection Screens .........................................................................................................149

6.23.1 Certificate Cache List ..........................................................................................................150

6.24 Log Screens ..................................................................................................................................152

6.24.1 View Log ..............................................................................................................................152

6.24.2 View AP Log ........................................................................................................................153

Chapter 7

Licensing...........................................................................................................................................156

7.1 Registration Overview .....................................................................................................................156

7.1.1 What you Need to Know ........................................................................................................156

7.1.2 Registration Screen ...............................................................................................................157

7.1.3 Service Screen ......................................................................................................................157

7.2 Signature Update ............................................................................................................................158

7.2.1 What you Need to Know ........................................................................................................158

7.2.2 The Anti-Virus Update Screen ...............................................................................................158

7.2.3 The IDP/AppPatrol Update Screen ........................................................................................160

Chapter 8

Wireless.............................................................................................................................................162

8.1 Overview .........................................................................................................................................162

8.1.1 What You Can Do in this Chapter ..........................................................................................162

8.2 Controller Screen ...........................................................................................................................162

8.3 AP Management Screen ................................................................................................................163

8.3.1 Edit AP List ...........................................................................................................................164

8.3.2 AP Policy ...............................................................................................................................165

8.4 MON Mode ......................................................................................................................................166

8.4.1 Add/Edit Rogue/Friendly List .................................................................................................168

8.5 Load Balancing ...............................................................................................................................169

8.5.1 Disassociating and Delaying Connections ............................................................................170

8.6 DCS ................................................................................................................................................171

8.7 Auto Healing ....................................................................................................................................174

8.8 Technical Reference ........................................................................................................................175

8.8.1 Dynamic Channel Selection ..................................................................................................175

8.8.2 Load Balancing ......................................................................................................................176

ZyWALL/USG Series User’s Guide

Chapter 9

Interfaces...........................................................................................................................................177

9.1 Interface Overview ..........................................................................................................................177

9.1.1 What You Can Do in this Chapter ..........................................................................................177

9.1.2 What You Need to Know ........................................................................................................178

9.1.3 What You Need to Do First ....................................................................................................182

9.2 Port Role Screen .............................................................................................................................182

9.3 Ethernet Summary Screen ..............................................................................................................183

9.3.1 Ethernet Edit .........................................................................................................................185

9.3.2 Object References .................................................................................................................201

9.3.3 Add/Edit DHCPv6 Request/Release Options ........................................................................201

9.3.4 Add/Edit DHCP Extended Options ........................................................................................202

9.4 PPP Interfaces ................................................................................................................................204

9.4.1 PPP Interface Summary ........................................................................................................204

9.4.2 PPP Interface Add or Edit .....................................................................................................205

9.5 Cellular Configuration Screen .........................................................................................................210

9.5.1 Cellular Choose Slot .............................................................................................................213

9.5.2 Add / Edit Cellular Configuration ...........................................................................................213

9.6 Tunnel Interfaces ............................................................................................................................219

9.6.1 Configuring a Tunnel .............................................................................................................221

9.6.2 Tunnel Add or Edit Screen .....................................................................................................222

9.7 VLAN Interfaces .............................................................................................................................226

9.7.1 VLAN Summary Screen ........................................................................................................227

9.7.2 VLAN Add/Edit ......................................................................................................................229

9.8 Bridge Interfaces ............................................................................................................................238

9.8.1 Bridge Summary ....................................................................................................................240

9.8.2 Bridge Add/Edit .....................................................................................................................241

9.9 Virtual Interfaces ............................................................................................................................250

9.9.1 Virtual Interfaces Add/Edit .....................................................................................................250

9.10 Interface Technical Reference .......................................................................................................252

9.11 Trunk Overview ............................................................................................................................255

9.11.1 What You Need to Know ......................................................................................................255

9.12 The Trunk Summary Screen .........................................................................................................258

9.12.1 Configuring a User-Defined Trunk .......................................................................................259

9.12.2 Configuring the System Default Trunk ................................................................................261

Chapter 10

Routing ..............................................................................................................................................263

10.1 Policy and Static Routes Overview ...............................................................................................263

10.1.1 What You Can Do in this Chapter ........................................................................................263

10.1.2 What You Need to Know .....................................................................................................264

10.2 Policy Route Screen ......................................................................................................................265

10.2.1 Policy Route Edit Screen .....................................................................................................267

ZyWALL/USG Series User’s Guide

10.3 IP Static Route Screen ..................................................................................................................272

10.3.1 Static Route Add/Edit Screen ..............................................................................................272

10.4 Policy Routing Technical Reference ..............................................................................................274

10.5 Routing Protocols Overview .........................................................................................................275

10.5.1 What You Need to Know ......................................................................................................275

10.6 The RIP Screen .............................................................................................................................275

10.7 The OSPF Screen .........................................................................................................................277

10.7.1 Configuring the OSPF Screen .............................................................................................280

10.7.2 OSPF Area Add/Edit Screen ..............................................................................................281

10.7.3 Virtual Link Add/Edit Screen ...............................................................................................283

10.8 Routing Protocol Technical Reference ..........................................................................................284

Chapter 11

DDNS................................................................................................................................................286

11.1 DDNS Overview ............................................................................................................................286

11.1.1 What You Can Do in this Chapter ........................................................................................286

11.1.2 What You Need to Know ......................................................................................................286

11.2 The DDNS Screen .........................................................................................................................287

11.2.1 The Dynamic DNS Add/Edit Screen ....................................................................................288

Chapter 12

NAT.....................................................................................................................................................292

12.1 NAT Overview ...............................................................................................................................292

12.1.1 What You Can Do in this Chapter ........................................................................................292

12.1.2 What You Need to Know ......................................................................................................292

12.2 The NAT Screen ............................................................................................................................292

12.2.1 The NAT Add/Edit Screen ....................................................................................................294

12.3 NAT Technical Reference ..............................................................................................................296

Chapter 13

HTTP Redirect...................................................................................................................................299

13.1 Overview .......................................................................................................................................299

13.1.1 What You Can Do in this Chapter ........................................................................................299

13.1.2 What You Need to Know ......................................................................................................299

13.2 The HTTP Redirect Screen ...........................................................................................................300

13.2.1 The HTTP Redirect Edit Screen ..........................................................................................301

Chapter 14

ALG ....................................................................................................................................................303

14.1 ALG Overview ...............................................................................................................................303

14.1.1 What You Need to Know ......................................................................................................303

14.1.2 Before You Begin .................................................................................................................306

14.2 The ALG Screen ...........................................................................................................................306

ZyWALL/USG Series User’s Guide

14.3 ALG Technical Reference .............................................................................................................309

Chapter 15

UPnP ..................................................................................................................................................311

15.1 UPnP and NAT-PMP Overview ..................................................................................................... 311

15.2 What You Need to Know ............................................................................................................... 311

15.2.1 NAT Traversal ...................................................................................................................... 311

15.2.2 Cautions with UPnP and NAT-PMP .....................................................................................312

15.3 UPnP Screen ................................................................................................................................312

15.4 Technical Reference ......................................................................................................................313

15.4.1 Turning on UPnP in Windows 7 Example ............................................................................313

15.4.2 Using UPnP in Windows XP Example .................................................................................315

15.4.3 Web Configurator Easy Access ...........................................................................................317

Chapter 16

IP/MAC Binding.................................................................................................................................320

16.1 IP/MAC Binding Overview .............................................................................................................320

16.1.1 What You Can Do in this Chapter ........................................................................................320

16.1.2 What You Need to Know ......................................................................................................320

16.2 IP/MAC Binding Summary ............................................................................................................321

16.2.1 IP/MAC Binding Edit ............................................................................................................321

16.2.2 Static DHCP Edit .................................................................................................................322

16.3 IP/MAC Binding Exempt List .........................................................................................................323

Chapter 17

Layer 2 Isolation ...............................................................................................................................325

17.1 Overview .......................................................................................................................................325

17.1.1 What You Can Do in this Chapter ........................................................................................325

17.2 Layer-2 Isolation General Screen ................................................................................................326

17.3 White List Screen ..........................................................................................................................326

17.3.1 Add/Edit White List Rule .....................................................................................................327

Chapter 18

Inbound Load Balancing..................................................................................................................329

18.1 Inbound Load Balancing Overview ...............................................................................................329

18.1.1 What You Can Do in this Chapter ........................................................................................329

18.2 The Inbound LB Screen ................................................................................................................330

18.2.1 The Inbound LB Add/Edit Screen ........................................................................................331

18.2.2 The Inbound LB Member Add/Edit Screen ..........................................................................333

Chapter 19

Web Authentication .........................................................................................................................335

19.1 Web Auth Overview ......................................................................................................................335

ZyWALL/USG Series User’s Guide

19.1.1 What You Can Do in this Chapter ........................................................................................335

19.1.2 What You Need to Know ......................................................................................................336

19.2 Web Authentication Screen ...........................................................................................................336

19.2.1 Creating Exceptional Services .............................................................................................339

19.2.2 Creating/Editing an Authentication Policy ............................................................................339

19.3 SSO Overview ...............................................................................................................................340

19.4 SSO - ZyWALL/USG Configuration ..............................................................................................342

19.4.1 Configuration Overview .......................................................................................................342

19.4.2 Configure the ZyWALL/USG to Communicate with SSO ....................................................342

19.4.3 Enable Web Authentication .................................................................................................343

19.4.4 Create a Security Policy ......................................................................................................344

19.4.5 Configure User Information .................................................................................................345

19.4.6 Configure an Authentication Method ...................................................................................346

19.4.7 Configure Active Directory ...................................................................................................347

19.5 SSO Agent Configuration ..............................................................................................................348

Chapter 20

RTLS ..................................................................................................................................................352

20.1 Overview .......................................................................................................................................352

20.1.1 What You Can Do in this Chapter ........................................................................................352

20.2 Before You Begin ..........................................................................................................................353

20.3 Configuring RTLS ..........................................................................................................................353

Chapter 21

Security Policy..................................................................................................................................355

21.1 Overview .......................................................................................................................................355

21.2 What You Can Do in this Chapter .................................................................................................356

21.2.1 What You Need to Know ......................................................................................................356

21.3 The Security Policy Screen ...........................................................................................................357

21.3.1 Configuring the Security Policy Control Screen ...................................................................358

21.3.2 The Security Policy Control Add/Edit Screen ......................................................................361

21.4 Anomaly Detection and Prevention Overview ...............................................................................363

21.4.1 The Anomaly Detection and Prevention General Screen ....................................................364

21.4.2 Creating New ADP Profiles ................................................................................................365

21.4.3 Traffic Anomaly Profiles ......................................................................................................366

21.4.4 Protocol Anomalies ..............................................................................................................369

21.5 The Session Control Screen .........................................................................................................371

21.5.1 The Session Control Add/Edit Screen .................................................................................372

21.6 Security Policy Example Applications ...........................................................................................373

Chapter 22

IPSec VPN.................................................... .......... ............................................................................376

22.1 Virtual Private Networks (VPN) Overview .....................................................................................376

ZyWALL/USG Series User’s Guide

22.1.1 What You Can Do in this Chapter ........................................................................................378

22.1.2 What You Need to Know ......................................................................................................379

22.1.3 Before You Begin .................................................................................................................381

22.2 The VPN Connection Screen ........................................................................................................381

22.2.1 The VPN Connection Add/Edit (IKE) Screen .......................................................................382

22.3 The VPN Gateway Screen ............................................................................................................389

22.3.1 The VPN Gateway Add/Edit Screen ....................................................................................390

22.4 VPN Concentrator ........................................................................................................................397

22.4.1 VPN Concentrator Requirements and Suggestions ............................................................397

22.4.2 VPN Concentrator Screen ...................................................................................................398

22.4.3 The VPN Concentrator Add/Edit Screen .............................................................................398

22.5 ZyWALL/USG IPSec VPN Client Configuration Provisioning .......................................................399

22.6 IPSec VPN Background Information .............................................................................................401

Chapter 23

SSL VPN ............................................................................................................................................411

23.1 Overview ....................................................................................................................................... 411

23.1.1 What You Can Do in this Chapter ........................................................................................ 411

23.1.2 What You Need to Know ...................................................................................................... 411

23.2 The SSL Access Privilege Screen ................................................................................................412

23.2.1 The SSL Access Privilege Policy Add/Edit Screen .............................................................413

23.3 The SSL Global Setting Screen ....................................................................................................416

23.3.1 How to Upload a Custom Logo ............................................................................................417

23.4 ZyWALL/USG SecuExtender ........................................................................................................418

23.4.1 Example: Configure ZyWALL/USG for SecuExtender .........................................................419

Chapter 24

SSL User Screens.............................................................................................................................422

24.1 Overview .......................................................................................................................................422

24.1.1 What You Need to Know ......................................................................................................422

24.2 Remote SSL User Login ...............................................................................................................423

24.3 The SSL VPN User Screens .........................................................................................................426

24.4 Bookmarking the ZyWALL/USG ....................................................................................................427

24.5 Logging Out of the SSL VPN User Screens ..................................................................................428

24.6 SSL User Application Screen ........................................................................................................428

24.7 SSL User File Sharing ...................................................................................................................429

24.7.1 The Main File Sharing Screen .............................................................................................429

24.7.2 Opening a File or Folder ......................................................................................................430

24.7.3 Downloading a File ..............................................................................................................431

24.7.4 Saving a File ........................................................................................................................431

24.7.5 Creating a New Folder .........................................................................................................432

24.7.6 Renaming a File or Folder ...................................................................................................432

24.7.7 Deleting a File or Folder ......................................................................................................433

ZyWALL/USG Series User’s Guide

24.7.8 Uploading a File ...................................................................................................................433

Chapter 25

ZyWALL/USG SecuExtender (Windows) ........................................................................................435

25.1 The ZyWALL/USG SecuExtender Icon .........................................................................................435

25.2 Status ............................................................................................................................................435

25.3 View Log .......................................................................................................................................436

25.4 Suspend and Resume the Connection .........................................................................................437

25.5 Stop the Connection ......................................................................................................................437

25.6 Uninstalling the ZyWALL/USG SecuExtender ...............................................................................437

Chapter 26

L2TP VPN...........................................................................................................................................439

26.1 Overview .......................................................................................................................................439

26.1.1 What You Can Do in this Chapter ........................................................................................439

26.1.2 What You Need to Know ......................................................................................................439

26.2 L2TP VPN Screen .........................................................................................................................440

26.2.1 Example: L2TP and ZyWALL/USG Behind a NAT Router ...................................................442

Chapter 27

BWM (Bandwidth Management) ...................................................................................................444

27.1 Overview .......................................................................................................................................444

27.1.1 What You Can Do in this Chapter ........................................................................................444

27.1.2 What You Need to Know .....................................................................................................444

27.2 The Bandwidth Management Screen ............................................................................................448

27.2.1 The Bandwidth Management Add/Edit Screen ....................................................................451

Chapter 28

Application Patrol.............................................................................................................................459

28.1 Overview .......................................................................................................................................459

28.1.1 What You Can Do in this Chapter ........................................................................................459

28.1.2 What You Need to Know .....................................................................................................459

28.2 Application Patrol Profile ...............................................................................................................460

28.2.1 The Application Patrol Profile Add/Edit Screen ...................................................................462

28.2.2 The Application Patrol Profile Rule Add Application Screen ...............................................463

Chapter 29

Content Filtering...............................................................................................................................465

29.1 Overview .......................................................................................................................................465

29.1.1 What You Can Do in this Chapter ........................................................................................465

29.1.2 What You Need to Know ......................................................................................................465

29.1.3 Before You Begin .................................................................................................................466

29.2 Content Filter Profile Screen .........................................................................................................467

ZyWALL/USG Series User’s Guide

29.3 Content Filter Profile Add or Edit Screen ......................................................................................469

29.3.1 Content Filter Add Profile Category Service ........................................................................469

29.3.2 Content Filter Add Filter Profile Custom Service ................................................................477

29.4 Content Filter Trusted Web Sites Screen .....................................................................................480

29.5 Content Filter Forbidden Web Sites Screen .................................................................................481

29.6 Content Filter Technical Reference ...............................................................................................482

Chapter 30

IDP......................................................................................................................................................484

30.1 Overview .......................................................................................................................................484

30.1.1 What You Can Do in this Chapter ........................................................................................484

30.1.2 What You Need To Know .....................................................................................................484

30.1.3 Before You Begin .................................................................................................................484

30.2 The IDP Profile Screen .................................................................................................................485

30.2.1 Base Profiles .......................................................................................................................486

30.2.2 Adding / Editing Profiles .....................................................................................................487

30.2.3 Profile > Group View Screen ...............................................................................................488

30.2.4 Add Profile > Query View ...................................................................................................491

30.2.5 Query Example ....................................................................................................................495

30.3 IDP Custom Signatures ................................................................................................................496

30.3.1 Add / Edit Custom Signatures ............................................................................................499

30.3.2 Custom Signature Example .................................................................................................503

30.3.3 Applying Custom Signatures ...............................................................................................505

30.3.4 Verifying Custom Signatures ...............................................................................................506

30.4 IDP Technical Reference ...............................................................................................................506

Chapter 31

Anti-Virus...........................................................................................................................................509

31.1 Overview .......................................................................................................................................509

31.1.1 What You Can Do in this Chapter ........................................................................................509

31.1.2 What You Need to Know ......................................................................................................510

31.2 Anti-Virus Profile Screen ............................................................................................................... 511

31.2.1 Anti-Virus Profile Add or Edit ...............................................................................................513

31.3 Anti-Virus Black List ......................................................................................................................515

31.3.1 Anti-Virus Black List or White List Add/Edit .........................................................................516

31.3.2 Anti-Virus White List ............................................................................................................517

31.4 AV Signature Searching ................................................................................................................518

31.5 Anti-Virus Technical Reference .....................................................................................................519

Chapter 32

Anti-Spam..........................................................................................................................................521

32.1 Overview .......................................................................................................................................521

32.1.1 What You Can Do in this Chapter ........................................................................................521

ZyWALL/USG Series User’s Guide

32.1.2 What You Need to Know ......................................................................................................521

32.2 Before You Begin ..........................................................................................................................522

32.3 The Anti-Spam Profile Screen .......................................................................................................523

32.3.1 The Anti-Spam Profile Add or Edit Screen ..........................................................................524

32.4 The Mail Scan Screen ...................................................................................................................526

32.5 The Anti-Spam Black List Screen ..................................................................................................528

32.5.1 The Anti-Spam Black or White List Add/Edit Screen ...........................................................530

32.5.2 Regular Expressions in Black or White List Entries .............................................................531

32.6 The Anti-Spam White List Screen .................................................................................................531

32.7 The DNSBL Screen .......................................................................................................................533

32.8 Anti-Spam Technical Reference ....................................................................................................535

Chapter 33

SSL Inspection..................................................................................................................................539

33.1 Overview .......................................................................................................................................539

33.1.1 What You Can Do in this Chapter ........................................................................................539

33.1.2 What You Need To Know .....................................................................................................539

33.1.3 Before You Begin .................................................................................................................540

33.2 The SSL Inspection Profile Screen ...............................................................................................540

33.2.1 Add / Edit SSL Inspection Profiles ......................................................................................541

33.3 Exclude List Screen .....................................................................................................................543

33.4 Certificate Update Screen ............................................................................................................545

33.5 Install a CA Certificate in a Browser ..............................................................................................546

Chapter 34

Device HA..........................................................................................................................................548

34.1 Overview .......................................................................................................................................548

34.1.1 What You Can Do in this Chapter ........................................................................................548

34.1.2 What You Need to Know ......................................................................................................548

34.1.3 Before You Begin .................................................................................................................549

34.2 Device HA General .......................................................................................................................549

34.3 The Active-Passive Mode Screen .................................................................................................550

34.3.1 Configuring Active-Passive Mode Device HA ......................................................................552

34.4 Active-Passive Mode Edit Monitored Interface .............................................................................555

34.5 Device HA Technical Reference ....................................................................................................556

Chapter 35

Object.................................................................................................................................................561

35.1 Zones Overview ............................................................................................................................561

35.1.1 What You Need to Know ......................................................................................................561

35.1.2 The Zone Screen .................................................................................................................562

35.2 User/Group Overview ....................................................................................................................563

35.2.1 What You Need To Know .....................................................................................................564

ZyWALL/USG Series User’s Guide

35.2.2 User/Group User Summary Screen .....................................................................................566

35.2.3 User/Group Group Summary Screen ..................................................................................569

35.2.4 User/Group Setting Screen ................................................................................................570

35.2.5 User/Group MAC Address Summary Screen .....................................................................575

35.2.6 User /Group Technical Reference .......................................................................................576

35.3 AP Profile Overview ......................................................................................................................577

35.3.1 Radio Screen .......................................................................................................................578

35.3.2 SSID Screen .......................................................................................................................583

35.4 MON Profile ..................................................................................................................................592

35.4.1 Overview ..............................................................................................................................592

35.4.2 MON Profile .........................................................................................................................592

35.4.3 Technical Reference ............................................................................................................595

35.5 Application .....................................................................................................................................596

35.5.1 Add Application Rule ...........................................................................................................598

35.5.2 Application Group Screen ...................................................................................................601

35.6 Address Overview .........................................................................................................................602

35.6.1 What You Need To Know .....................................................................................................603

35.6.2 Address Summary Screen ...................................................................................................603

35.7 Service Overview ..........................................................................................................................608

35.7.1 What You Need to Know ......................................................................................................609

35.7.2 The Service Summary Screen .............................................................................................609

35.7.3 The Service Group Summary Screen ................................................................................. 611

35.8 Schedule Overview ......................................................................................................................613

35.8.1 What You Need to Know ......................................................................................................613

35.8.2 The Schedule Summary Screen ..........................................................................................614

35.8.3 The Schedule Group Screen ...............................................................................................617

35.9 AAA Server Overview .................................................................................................................618

35.9.1 Directory Service (AD/LDAP) ..............................................................................................619

35.9.2 RADIUS Server ...................................................................................................................619

35.9.3 ASAS ...................................................................................................................................619

35.9.4 What You Need To Know .....................................................................................................620

35.9.5 Active Directory or LDAP Server Summary .........................................................................621

35.9.6 RADIUS Server Summary ...................................................................................................625

35.10 Auth. Method Overview .............................................................................................................627

35.10.1 Before You Begin ...............................................................................................................627

35.10.2 Example: Selecting a VPN Authentication Method ............................................................627

35.10.3 Authentication Method Objects ..........................................................................................628

35.11 Certificate Overview ...................................................................................................................630

35.11.1 What You Need to Know ....................................................................................................630

35.11.2 Verifying a Certificate .........................................................................................................632

35.11.3 The My Certificates Screen ................................................................................................633

35.11.4 The Trusted Certificates Screen .......................................................................................640

35.11.5 Certificates Technical Reference .......................................................................................645

ZyWALL/USG Series User’s Guide

35.12 ISP Account Overview ...............................................................................................................645

35.12.1 ISP Account Summary ......................................................................................................646

35.13 SSL Application Overview ..........................................................................................................648

35.13.1 What You Need to Know ....................................................................................................648

35.13.2 The SSL Application Screen ..............................................................................................650

35.14 DHCPv6 Overview ......................................................................................................................653

35.14.1 The DHCPv6 Request Screen ...........................................................................................654

35.14.2 The DHCPv6 Lease Screen ..............................................................................................655

Chapter 36

System...............................................................................................................................................657

36.1 Overview .......................................................................................................................................657

36.1.1 What You Can Do in this Chapter ........................................................................................657

36.2 Host Name ....................................................................................................................................658

36.3 USB Storage .................................................................................................................................658

36.4 Date and Time ...............................................................................................................................659

36.4.1 Pre-defined NTP Time Servers List .....................................................................................662

36.4.2 Time Server Synchronization ...............................................................................................662

36.5 Console Port Speed ......................................................................................................................663

36.6 DNS Overview ...............................................................................................................................664

36.6.1 DNS Server Address Assignment .......................................................................................664

36.6.2 Configuring the DNS Screen ...............................................................................................664

36.6.3 Address Record ..................................................................................................................668

36.6.4 PTR Record .........................................................................................................................668

36.6.5 Adding an Address/PTR Record .........................................................................................668

36.6.6 CNAME Record ...................................................................................................................669

36.6.7 Adding a CNAME Record ....................................................................................................669

36.6.8 Domain Zone Forwarder .....................................................................................................669

36.6.9 Adding a Domain Zone Forwarder ......................................................................................670

36.6.10 MX Record ........................................................................................................................671

36.6.11 Adding a MX Record ..........................................................................................................671

36.6.12 Security Option Control .....................................................................................................671

36.6.13 Editing a Security Option Control ......................................................................................671

36.6.14 Adding a DNS Service Control Rule ..................................................................................672

36.7 WWW Overview ............................................................................................................................673

36.7.1 Service Access Limitations ..................................................................................................673

36.7.2 System Timeout ...................................................................................................................674

36.7.3 HTTPS .................................................................................................................................674

36.7.4 Configuring WWW Service Control .....................................................................................675

36.7.5 Service Control Rules ..........................................................................................................678

36.7.6 Customizing the WWW Login Page ....................................................................................679

36.7.7 HTTPS Example ..................................................................................................................683

36.8 SSH ............................................................................................................................................690

ZyWALL/USG Series User’s Guide

36.8.1 How SSH Works ..................................................................................................................691

36.8.2 SSH Implementation on the ZyWALL/USG .........................................................................692

36.8.3 Requirements for Using SSH ...............................................................................................692

36.8.4 Configuring SSH ..................................................................................................................692

36.8.5 Secure Telnet Using SSH Examples ...................................................................................693

36.9 Telnet ............................................................................................................................................694

36.9.1 Configuring Telnet ................................................................................................................694

36.10 FTP ............................................................................................................................................696

36.10.1 Configuring FTP ................................................................................................................696

36.11 SNMP .........................................................................................................................................697

36.11.1 SNMP v3 and Security .......................................................................................................698

36.11.2 Supported MIBs .................................................................................................................699

36.11.3 SNMP Traps ......................................................................................................................699

36.11.4 Configuring SNMP .............................................................................................................699

36.12 Authentication Server ..................................................................................................................702

36.12.1 Add/Edit Trusted RADIUS Client ......................................................................................703

36.13 CloudCNM Screen ......................................................................................................................704

36.14 Language Screen ........................................................................................................................706

36.15 IPv6 Screen .................................................................................................................................706

36.16 ZyXEL One Network (ZON) Utility ..............................................................................................707

36.16.1 ZyXEL One Network (ZON) System Screen .....................................................................708

Chapter 37

Log and Report .................................................................................................................................710

37.1 Overview .......................................................................................................................................710

37.1.1 What You Can Do In this Chapter ........................................................................................710

37.2 Email Daily Report ........................................................................................................................710

37.3 Log Setting Screens .....................................................................................................................712

37.3.1 Log Setting Summary ..........................................................................................................713

37.3.2 Edit System Log Settings ...................................................................................................714

37.3.3 Edit Log on USB Storage Setting .......................................................................................719

37.3.4 Edit Remote Server Log Settings .......................................................................................721

37.3.5 Log Category Settings Screen .............................................................................................724

Chapter 38

File Manager......................................................................................................................................729

38.1 Overview .......................................................................................................................................729

38.1.1 What You Can Do in this Chapter ........................................................................................729

38.1.2 What you Need to Know ......................................................................................................729

38.2 The Configuration File Screen ......................................................................................................731

38.3 The Firmware Package Screen ....................................................................................................735

38.4 The Shell Script Screen ...............................................................................................................738

ZyWALL/USG Series User’s Guide

Chapter 39

Diagnostics ......................................................................................................................................740

39.1 Overview .......................................................................................................................................740

39.1.1 What You Can Do in this Chapter ........................................................................................740

39.2 The Diagnostic Screen ..................................................................................................................740

39.2.1 The Diagnostics Files Screen ..............................................................................................741

39.3 The Packet Capture Screen ..........................................................................................................742

39.3.1 The Packet Capture Files Screen ........................................................................................744

39.4 The System Log Screen ................................................................................................................745

39.5 The Network Tool Screen ..............................................................................................................746

39.6 The Wireless Frame Capture Screen ...........................................................................................747

39.6.1 The Wireless Frame Capture Files Screen ........................................................................748

Chapter 40

Packet Flow Explore ........................................................................................................................750

40.1 Overview .......................................................................................................................................750

40.1.1 What You Can Do in this Chapter ........................................................................................750

40.2 The Routing Status Screen ...........................................................................................................750

40.3 The SNAT Status Screen ..............................................................................................................755

Chapter 41

Shutdown...........................................................................................................................................758

41.1 Overview .......................................................................................................................................758

41.1.1 What You Need To Know .....................................................................................................758

41.2 The Shutdown Screen ...................................................................................................................758

Chapter 42

Troubleshooting................................................................................................................................759

42.1 Resetting the ZyWALL/USG .........................................................................................................771

42.2 Getting More Troubleshooting Help ..............................................................................................772

Appendix A Customer Support ........................................................................................................773

Appendix B Legal Information..........................................................................................................779

Appendix C Product Features..........................................................................................................790

Index ..................................................................................................................................................797

PART I

User’s Guide

ZyWALL/USG Series User’s Guide

CHAPTER 1

Introduction

1.1 Overview

ZyWALL/USG refers to all ZyWALL and USG models in the series.

Besides performance variance, the following are the key feature differences between the models:

• ZyWALL models need a license for UTM (Unified Threat Management) functionality

• USG models need a UTM license after one year

• The following UTM features work without a UTM license:

• Configuration > Content Filter > Trusted Web Sites

• Configuration > IDP > Custom Signatures

• Configuration > Anti-Virus > Black/White List

• Configuration > Anti-Spam > Black/White List

• ZyWALL models do not support SSL Inspection

• USG40 / USG40W / USG60 / USG60W support UTM but not SSL Inspection

• USG40W / USG60W have built-in Wi-Fi functionality

• Some interface names vary by model - see Table 13 on page 53 for default port / interface name

mapping. See Table 14 on page 53 for default interface / zone mapping.

See the product’s datasheet for detailed information on a specific model.

1.1.1 Applications

These are some ZyWALL/USG application scenarios.

Table 1 ZyWALL/USG Models

ZYWALL MODELS USG MODELS

ZyWALL 110 USG40

ZyWALL 310 USG40W

ZyWALL 1100 USG60

USG60W

USG110

USG210

USG310

USG1100

USG1900

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Security Router

Security includes a Stateful Packet Inspection (SPI) firewall, and UTM (Unified Threat

Management). ZyWALL models need a license to use UTM (Unified Threat Management) features.

UTM features include the following:

• Application Patrol (AP)

• Intrusion Detection & Prevention (IDP)

• Anomaly Detection & Prevention (ADP)

• Content Filtering (CF)

• Anti-Virus (AV)

• Anti-Spam (AS)

• Secure Socket Layer (SSL) encrypted traffic Inspection

Figure 1 Applications: Security RouterApplications: Security Router

IPv6 Routing

The ZyWALL/USG supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6

policy routes and IPv6 objects. The ZyWALL/USG can also route IPv6 packets through IPv4

networks using different tunneling methods.

Figure 2 Applications: IPv6 Routing

VPN Connectivity

Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to

provide secure access to your network. You can also purchase the ZyWALL/USG OTPv2 One-Time

Password System for strong two-factor authentication for Web Configurator, Web access, SSL VPN,

and ZyXEL IPSec VPN client user logins.

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Figure 3 Applications: VPN Connectivity

SSL VPN Network Access

SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just

browses to the ZyWALL/USG’s web address and enters his user name and password to securely

connect to the ZyWALL/USG’s network. Here full tunnel mode creates a virtual connection for a

remote user and gives him a private IP address in the same subnet as the local network so he can

access network resources in the same way as if he were part of the internal network.

Figure 4 SSL VPN With Full Tunnel Mode

User-Aware Access Control

Set up security policies to restrict access to sensitive information and shared resources based on

the user who is trying to access it. In the following figure user A can access both the Internet and

an internal file server. User B has a lower level of access and can only access the Internet. User C is

not even logged in, so and cannot access either the Internet or the file server.

OTP PIN

SafeWord 2008

Authentication Server

File Email Web-based

Server Server Application

*****

Web Mail File Share

Web-based Application

https://

Application Server

Non-Web

LAN (192.168.1.X)

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Figure 5 Applications: User-Aware Access Control

Load Balancing

Set up multiple connections to the Internet on the same port, or different ports, including cellular

interfaces. In either case, you can balance the traffic loads between them.

Figure 6 Applications: Multiple WAN Interfaces

1.2 Management Overview

You can manage the ZyWALL/USG in the following ways.

Web Configurator

The Web Configurator allows easy ZyWALL/USG setup and management using an Internet browser.

This User’s Guide provides information about the Web Configurator.

Figure 7 Managing the ZyWALL/USG: Web Configurator

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the ZyWALL/USG. Access it using

remote management (for example, SSH or Telnet) or via the physical or Web Configurator console

port. See the Command Reference Guide for CLI details. The default settings for the console port

are:

FTP

Use File Transfer Protocol for firmware upgrades and configuration backup/restore.

SNMP

The device can be monitored and/or managed by an SNMP manager. See Section 43.3 on page 359.

CloudCNM

Use the CloudCNM screen (see Section 36.13 on page 704) to enable and configure management

of the ZyWALL/USG by a Central Network Management system.

1.3 Web Configurator

In order to use the Web Configurator, you must:

• Use one of the following web browser versions or later: Internet Explorer 7, Firefox 3.5, Chrome

9.0

• Allow pop-up windows (blocked by default in Windows XP Service Pack 2)

• Enable JavaScripts, Java permissions, and cookies

The recommended screen resolution is 1024 x 768 pixels.

Note: Most screen shots in this guide come from the USG110 and USG60W. Screen shots

for other models may vary a little.

1.3.1 Web Configurator Access

1Make sure your ZyWALL/USG hardware is properly connected. See the Quick Start Guide.

Table 2 Console Port Default Settings

SETTING VALUE

Speed 115200 bps

Data Bits 8

Parity None

Stop Bit 1

Flow Control Off

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

2In your browser go to http://192.168.1.1. By default, the ZyWALL/USG automatically routes this

request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears.

3Type the user name (default: “admin”) and password (default: “1234”).

If you have a OTP (One-Time Password) token generate a number and enter it in the One-Time

Password field. The number is only good for one login. You must use the token to generate a new

number the next time you log in.

4Click Login. If you logged in using the default user name and password, the Update Admin Info

screen appears. Otherwise, the dashboard appears.

5The Netw ork Risk Warning screen displays any unregistered or disabled security services. Select

how often to display the screen and click OK.

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

If you select Never and you later want to bring this screen back, use these commands (note the

space before the underscore).

See the Command Line Interface (CLI) Reference Guide (RG) for details on all supported

commands.

6Follow the directions in the Update Admin Info screen. If you change the default password, the

opens if the ZyWALL is using its default configuration; otherwise the dashboard appears.

Router> enable

Router#

Router# configure terminal

Router(config)#

Router(config)# service-register _setremind

after-10-days

after-180-days

after-30-days

every-time

never

Router(config)# service-register _setremind every-time

Router(config)#

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

1.3.2 Web Configurator Screens Overview

The Web Configurator screen is divided into these parts (as illustrated on page 27):

•A - title bar

•B - navigation panel

•C - main window

Ti tle Bar

Figure 8 Title Bar

The title bar icons in the upper right corner provide the following functions.

Table 3 Title Bar: Web Configurator Icons

LABEL DESCRIPTION

Logout Click this to log out of the Web Configurator.

Help Click this to open the help page for the current screen.

About Click this to display basic information about the ZyWALL/USG.

Site Map Click this to see an overview of links to the Web Configurator screens.

Object Reference Click this to check which configuration items reference an object.

Console Click this to open a Java-based console window from which you can run command line

interface (CLI) commands. You will be prompted to enter your user name and password.

See the Command Reference Guide for information about the commands.

CLI Click this to open a popup window that displays the CLI commands sent by the Web

Configurator to the ZyWALL/USG.

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

About

Click About to display basic information about the ZyWALL/USG.

Figure 9 About

Site Map

Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen’s link to

go to that screen.

Figure 10 Site Map

Table 4 About

LABEL DESCRIPTION

Current Version This shows the firmware version of the ZyWALL/USG.

Released Date This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released.

OK Click this to close the screen.

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Object Reference

Click Object Reference to open the Object Reference screen. Select the type of object and the

individual object and click Refresh to show which configuration settings reference the object.

Figure 11 Object Reference

The fields vary with the type of object. This table describes labels that can appear in this screen.

Console

Click Console to open a Java-based console window from which you can run CLI commands. You

will be prompted to enter your user name and password. See the Command Reference Guide for

information about the commands.

Table 5 Object References

LABEL DESCRIPTION

Object Name This identifies the object for which the configuration settings that use it are displayed. Click the

object’s name to display the object’s configuration screen in the main window.

# This field is a sequential value, and it is not associated with any entry.

Service This is the type of setting that references the selected object. Click a service’s name to display

the service’s configuration screen in the main window.

Priority If it is applicable, this field lists the referencing configuration item’s position in its list,

otherwise N/A displays.

Name This field identifies the configuration item that references the object.

Description If the referencing configuration item has a description configured, it displays here.

Refresh Click this to update the information in this screen.

Cancel Click Cancel to close the screen.

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Figure 12 Console Window

CLI Messages

Click CLI to look at the CLI commands sent by the Web Configurator. Open the pop-up window and

then click some menus in the web configurator to display the corresponding commands.

Figure 13 CLI Messages

1.3.3 Navigation Panel

Use the navigation panel menu items to open status and configuration screens. Click the arrow in

the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The

following sections introduce the ZyWALL/USG’s navigation panel menus and their screens.

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Figure 14 Navigation Panel

Dashboard

The dashboard displays general device information, system status, system resource usage, licensed

service status, and interface status in widgets that you can re-arrange to suit your needs. See the

Web Help for details on the dashboard.

Monitor Menu

The monitor menu screens display status and statistics information.

Table 6 Monitor Menu Screens Summary

FOLDER OR LINK TAB FUNCTION

System Status

Port Statistics Port

Statistics

Displays packet statistics for each physical port.

Interface

Status Interface

Summary

Displays general interface information and packet statistics.

Traffic

Statistics Traffic

Statistics

Collect and display traffic statistics.

Session

Monitor Session

Monitor

Displays the status of all current sessions.

IGMP Statistics IGMP

Statistics

Collect and display IGMP statistics.

DDNS Status DDNS

Status

Displays the status of the ZyWALL/USG’s DDNS domain names.

IP/MAC Binding IP/MAC

Binding

Lists the devices that have received an IP address from ZyWALL/USG

interfaces using IP/MAC binding.

Cellular Status Cellular

Status

Displays details about the ZyWALL/USG’s mobile broadband connection

status.

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Configuration Menu

Use the configuration menu screens to configure the ZyWALL/USG’s features.

UPnP Port

Status Port

Statistics

Displays details about UPnP connections going through the ZyWALL/USG.

USB Storage Storage

Information

Displays details about USB device connected to the ZyWALL/USG.

Ethernet

Neighbor Ethernet

Neighbor

View and manage the ZyWALL/USG’s neighboring devices via Smart

Connect (Layer Link Discovery Protocol (LLDP)). Use the ZyXEL One

Network (ZON) utility to view and manage the ZyWALL/USG’s neighboring

devices via the ZyXEL Discovery Protocol (ZDP).

Wireless

AP Information AP List Lists APs managed by the ZyWALL/USG.

Radio List Lists wireless details of APs managed by the ZyWALL/USG.

Station Info Station List Lists wireless clients associated with the APs managed by the ZyWALL/

USG.

Detected

Device Detected

Device

Display information about suspected rogue APs.

VPN Monitor

IPSec IPSec Displays and manages the active IPSec SAs.

SSL SSL Lists users currently logged into the VPN SSL client portal. You can also

log out individual users and delete related session information.

L2TP over

IPSec Session

Monitor

Displays details about current L2TP sessions.

UTM Statistics

AppPatrol AppPatrol

Statistics

Displays application patrol statistics.

Content Filter Report Collect and display content filter statistics

IDP IDP Collect and display statistics on the intrusions that the ZyWALL/USG has

detected.

Anti-Virus Anti-Virus Collect and display statistics on the viruses that the ZyWALL/USG has

detected.

Anti-Spam Report Collect and display spam statistics.

Status Displays how many mail sessions the ZyWALL is currently checking and

DNSBL (Domain Name Service-based spam Black List) statistics.

SSL Inspection Report Collect and display SSL Inspection statistics.

Certificate

Cache List

Displays traffic to destination servers using certificates.

Log View Log Lists log entries.

View AP Log Lists AP log entries.

Table 7 Configuration Menu Screens Summary

FOLDER OR LINK TAB FUNCTION

Quick Setup Quickly configure WAN interfaces or VPN connections.

Licensing

Table 6 Monitor Menu Screens Summary (continued)

FOLDER OR LINK TAB FUNCTION

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Registration Registration Register the device and activate trial services.

Service View the licensed service status and upgrade licensed services.

Signature

Update Anti-Virus Update anti-virus signatures immediately or by a schedule.

IDP/AppPatrol Update IDP signatures immediately or by a schedule.

Wireless

Controller Configuration Configure manual or automatic controller registration.

Management Mgnt AP List Edit or remove entries in the lists of APs managed by the ZyWALL/

USG.

AP Policy Configure the AP controller’s IP address on the managed APs and

determine the action the managed APs take if the current AP

controller fails.

MON Mode Rogue/Friendly AP

List

Configure how the ZyWALL/USG monitors rogue APs.

Load Balancing Load Balancing Configure load balancing for traffic moving to and from wireless

clients.

DCS DCS Configure dynamic wireless channel selection.

Auto Healing Auto Healing Enable auto healing to extend the wireless service coverage area of

the managed APs when one of the APs fails.

Network

Interface Port Role Use this screen to set the ZyWALL/USG’s flexible ports such as

LAN, OPT, WLAN, or DMZ.

Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces.

PPP Create and manage PPPoE and PPTP interfaces.

Cellular Configure a cellular Internet connection for an installed mobile

broadband card.

Tunnel Configure tunneling between IPv4 and IPv6 networks.

VLAN Create and manage VLAN interfaces and virtual VLAN interfaces.

Bridge Create and manage bridges and virtual bridge interfaces.

Trunk Create and manage trunks (groups of interfaces) for load

balancing.

Routing Policy Route Create and manage routing policies.

Static Route Create and manage IP static routing information.

RIP Configure device-level RIP settings.

OSPF Configure device-level OSPF settings, including areas and virtual

links.

DDNS DDNS Define and manage the ZyWALL/USG’s DDNS domain names.

NAT NAT Set up and manage port forwarding rules.

HTTP Redirect HTTP Redirect Set up and manage HTTP redirection rules.

ALG ALG Configure SIP, H.323, and FTP pass-through settings.

UPnP UPnP Configure interfaces that allow UPnP and NAT-PMP connections.

IP/MAC

Binding Summary Configure IP to MAC address bindings for devices connected to

each supported interface.

Exempt List Configure ranges of IP addresses to which the ZyWALL/USG does

not apply IP/MAC binding.

Table 7 Configuration Menu Screens Summary (continued)

FOLDER OR LINK TAB FUNCTION

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Layer 2

Isolation General Enable layer-2 isolation on the ZyWALL/USG and the internal

interface(s).

White List Enable and configure the white list.

DNS Inbound

LB DNS Load

Balancing

Configure DNS Load Balancing.

Web

Authentication

Web Authentication Define a web portal and exempt services from authentication.

SSO Configure the ZyWALL/USG to work with a Single Sign On agent.

RTLS Real Time Location

System

Use the managed APs as part of an Ekahau RTLS to track the

location of Ekahau Wi-Fi tags.

Security Policy

Policy Control Policy Create and manage level-3 traffic rules and apply UTM profiles.

ADP General Display and manage ADP bindings.

Profile Create and manage ADP profiles.

Session

Control Session Control Limit the number of concurrent client NAT/security policy sessions.

VPN

IPSec VPN VPN Connection Configure IPSec tunnels.

VPN Gateway Configure IKE tunnels.

Concentrator Combine IPSec VPN connections into a single secure network

Configuration

Provisioning

Set who can retrieve VPN rule settings from the ZyWALL/USG

using the ZyWALL/USG IPSec VPN Client.

SSL VPN Access Privilege Configure SSL VPN access rights for users and groups.

Global Setting Configure the ZyWALL/USG’s SSL VPN settings that apply to all

connections.

SecuExtender Check for the latest version of the SecuExtender VPN client.

L2TP VPN L2TP VPN Configure L2TP over IPSec tunnels.

BWM BWM Enable and configure bandwidth management rules.

AppPatrol General Enable or disable traffic management by application and see

registration and signature information.

UTM Profile

AppPatrol Profile Manage different types of traffic in this screen. Create App Patrol

template(s) of settings to apply to a traffic flow using a security

policy.

Content Filter Profile Create and manage the detailed filtering rules for content filtering

profiles and then apply to a traffic flow using a security policy.

Trusted Web Sites Create a list of allowed web sites that bypass content filtering

policies.

Forbidden Web

Sites

Create a list of web sites to block regardless of content filtering

policies.

IDP Profile Create IDP template(s) of settings to apply to a traffic flow using a

security policy.

Custom Signatures Create, import, or export custom signatures.

Anti-Virus Profile Create anti-virus template(s) of settings to apply to a traffic flow

using a security policy.

Table 7 Configuration Menu Screens Summary (continued)

FOLDER OR LINK TAB FUNCTION

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Black/White List Set up a black list to identify files with virus file patterns and a

white list to identify files that should not be checked for AV.

Signature Search for signatures by signature name or attributes and

configure how the ZyWALL/USG uses them.

Anti-Spam Profile Turn anti-spam on or off and manage anti-spam policies. Create

anti-spam template(s) of settings to apply to a traffic flow using a

security policy.

Mail Scan Configure e-mail scanning details.

Black/White List Set up a black list to identify spam and a white list to identify

legitimate e-mail.

DNSBL Have the ZyWALL check e-mail against DNS Black Lists.

SSL Inspection Profile Decrypt HTTPS traffic for UTM inspection. Create SSL Inspection

template(s) of settings to apply to a traffic flow using a security

policy.

Exclude List Configure services to be excluded from SSL Inspection.

Certificate Update Use this screen to update the latest certificates of servers uisng

SSL connections to the ZyWALL/USG network.

Device HA General Configure device HA global settings, and see the status of each

interface monitored by device HA.

Active-Passive

Mode

Configure active-passive mode device HA.

Object

Zone Zone Configure zone template(s) used to define various policies.

User/Group User Create and manage users.

Group Create and manage groups of users.

Setting Manage default settings for all users, general settings for user

sessions, and rules to force user authentication.

AP Profile Radio Create template(s) of radio settings to apply to policies as an

object.

SSID Create template(s) of wireless settings to apply to radio profiles or

policies as an object.

MON Profile MON Profile Create and manage rogue AP monitoring files that can be

associated with different APs.

Application Application Create template(s) of services to apply to policies as an object.

Application Group Create and manage groups of applications to apply to policies as a

single object.

Address Address Create and manage host, range, and network (subnet) addresses.

Address Group Create and manage groups of addresseto apply to policies as a

single objects.

Service Service Create and manage TCP and UDP services.

Service Group Create and manage groups of services to apply to policies as a

single object.

Schedule Schedule Create one-time and recurring schedules.

Schedule Group Create and manage groups of schedules to apply to policies as a

single object.

Table 7 Configuration Menu Screens Summary (continued)

FOLDER OR LINK TAB FUNCTION

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

AAA Server Active Directory Configure the Active Directory settings.

LDAP Configure the LDAP settings.

RADIUS Configure the RADIUS settings.

Auth. Method Authentication

Method

Create and manage ways of authenticating users.

Certificate My Certificates Create and manage the ZyWALL/USG’s certificates.

Trusted Certificates Import and manage certificates from trusted sources.

ISP Account ISP Account Create and manage ISP account information for PPPoE/PPTP

interfaces.

SSL Application SSL Application Create SSL web application or file sharing objects to apply to

policies.

DHCPv6 Request Configure IPv6 DHCP request type and interface information.

Lease Configure IPv6 DHCP lease type and interface information.

System

Host Name Host Name Configure the system and domain name for the ZyWALL/USG.

USB Storage Settings Configure the settings for the connected USB devices.

Date/Time Date/Time Configure the current date, time, and time zone in the ZyWALL/

USG.

Console Speed Console Speed Set the console speed.

DNS DNS Configure the DNS server and address records for the ZyWALL/

USG.

WWW Service Control Configure HTTP, HTTPS, and general authentication.

SSH SSH Configure SSH server and SSH service settings.

TELNET TELNET Configure telnet server settings for the ZyWALL/USG.

FTP FTP Configure FTP server settings.

SNMP SNMP Configure SNMP communities and services.

Auth. Server Auth. Server Configure the ZyWALL/USG to act as a RADIUS server.

CloudCNM CloudCNM Enable and configure management of the ZyWALL/USG by a

Central Network Management system.

Language Language Select the Web Configurator language.

IPv6 IPv6 Enable IPv6 globally on the ZyWALL/USG here.

ZON ZON Use the ZyXEL One Network (ZON) utility to view and manage the

ZyWALL/USG’s neighboring devices via the ZyXEL Discovery

Protocol (ZDP).

Log & Report

Email Daily

Report Email Daily Report Configure where and how to send daily reports and what reports to

send.

Log Settings Log Settings Configure the system log, e-mail logs, and remote syslog servers.

Table 7 Configuration Menu Screens Summary (continued)

FOLDER OR LINK TAB FUNCTION

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Maintenance Menu

Use the maintenance menu screens to manage configuration and firmware files, run diagnostics,

and reboot or shut down the ZyWALL/USG.

1.3.4 Tables and Lists

Web Configurator tables and lists are flexible with several options for how to display their entries.

Click a column heading to sort the table’s entries according to that column’s criteria.

Figure 15 Sorting Table Entries by a Column’s Criteria

Click the down arrow next to a column heading for more options about how to display the entries.

The options available vary depending on the type of fields in the column. Here are some examples

of what you can do:

• Sort in ascending or descending (reverse) alphabetical order

• Select which columns to display

• Group entries by field

• Show entries in groups

• Filter by mathematical operators (<, >, or =) or searching for text

Table 8 Maintenance Menu Screens Summary

FOLDER

OR LINK TAB FUNCTION

File

Manager

Configuration File Manage and upload configuration files for the ZyWALL/USG.

Firmware Package View the current firmware version and upload firmware. Reboot with your

choice of firmware.

Shell Script Manage and run shell script files for the ZyWALL/USG.

Diagnostics Diagnostic Collect diagnostic information.

Packet Capture Capture packets for analysis.

System Log Connect a USB device to the ZyWALL/USG and archive the ZyWALL/USG

system logs to it here.

Network Tool Identify problems with the connections. You can use Ping or TraceRoute to

help you identify problems.

Wireless Frame

Capture

Capture wireless frames from APs for analysis.

Packet

Flow

Explore

Routing Status Check how the ZyWALL/USG determines where to route a packet.

SNAT Status View a clear picture on how the ZyWALL/USG converts a packet’s source IP

address and check the related settings.

Shutdown Shutdown Turn off the ZyWALL/USG.

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Figure 16 Common Table Column Options

Select a column heading cell’s right border and drag to re-size the column.

Figure 17 Resizing a Table Column

Select a column heading and drag and drop it to change the column order. A green check mark

displays next to the column’s title when you drag the column to a valid new location.

Figure 18 Moving Columns

Use the icons and fields at the bottom of the table to navigate to different pages of entries and

control how many entries display at a time.

Figure 19 Navigating Pages of Table Entries

The tables have icons for working with table entries. You can often use the [Shift] or [Ctrl] key to

select multiple entries to remove, activate, or deactivate.

Chapter 1 Introduction

ZyWALL/USG Series User’s Guide

Figure 20 Common Table Icons

Here are descriptions for the most common table icons.

Working with Lists

When a list of available entries displays next to a list of selected entries, you can often just double-

click an entry to move it from one list to the other. In some lists you can also use the [Shift] or

[Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.

Figure 21 Working with Lists

Table 9 Common Table Icons

LABEL DESCRIPTION

Add Click this to create a new entry. For features where the entry’s position in the numbered list is

important (features where the ZyWALL/USG applies the table’s entries in order like the security

policy for example), you can select an entry and click Add to create a new entry after the

selected entry.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify the

entry’s settings. In some tables you can just click a table entry and edit it directly in the table.

For those types of tables small red triangles display for table entries with changes that you have

not yet applied.

Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove

it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Connect To connect an entry, select it and click Connect.

Disconnect To disconnect an entry, select it and click Disconnect.

Object

References

Select an entry and click Object References to check which settings use the entry.

Move To change an entry’s position in a numbered list, select it and click Move to display a field to

type a number for where you want to put that entry and press [ENTER] to move the entry to the

number that you typed. For example, if you type 6, the entry you are moving becomes number 6

and the previous entry 6 (if there is one) gets pushed up (or down) one.

ZyWALL/USG Series User’s Guide

CHAPTER 2

Installation Setup Wizard

2.1 Installation Setup Wizard Screens

When you log into the Web Configurator for the first time or when you reset the ZyWALL/USG to its

default configuration, the Installation Setup Wizard screen displays. This wizard helps you

configure Internet connection settings and activate subscription services. This chapter provides

information on configuring the Web Configurator's installation setup wizard. See the feature-specific

chapters in this User’s Guide for background information.

Figure 22 Installation Setup Wizard

• Click the double arrow in the upper right corner to display or hide the help.

• Click Go to Dashboard to skip the installation setup wizard or click Next to start configuring for

Internet access.

2.1.1 Internet Access Setup - WAN Interface

Use this screen to set how many WAN interfaces to configure and the first WAN interface’s type of

encapsulation and method of IP address assignment.

The screens vary depending on the encapsulation type. Refer to information provided by your ISP

to know what to enter in each field. Leave a field blank if you don’t have that information.

Note: Enter the Internet access information exactly as your ISP gave it to you.

Chapter 2 Installation Setup Wizard

ZyWALL/USG Series User’s Guide

Figure 23 Internet Access: Step 1

•I have two ISPs: Select this option to configure two Internet connections. Leave it cleared to

configure just one. This option appears when you are configuring the first WAN interface.

•Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet.

Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from

your ISP.

•WAN Interface: This is the interface you are configuring for Internet access.

•Zone: This is the security zone to which this interface and Internet connection belong.

•IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address.

Select Static if the ISP assigned a fixed IP address.

2.1.2 Internet Access: Ethernet

This screen is read-only if you set the previous screen’s IP Address Assignment field to Auto. If

you set the previous screen’s IP Address Assignment field to Static, use this screen to configure

your IP address settings.

Note: Enter the Internet access information exactly as given to you by your ISP or

network administrator.

Chapter 2 Installation Setup Wizard

ZyWALL/USG Series User’s Guide

Figure 24 Internet Access: Ethernet Encapsulation

•Encapsulation: This displays the type of Internet connection you are configuring.

•First WAN Interface: This is the number of the interface that will connect with your ISP.

•Zone: This is the security zone to which this interface and Internet connection will belong.

•IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP

Address Assignment in the previous screen.

The following fields display if you selected static IP address assignment.

•IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.

•Gateway IP Address: Enter the IP address of the router through which this WAN connection

will send traffic (the default gateway).

•First / Second DNS Serve r: These fields display if you selected static IP address assignment.

The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a

DNS server's IP address(es). The DNS server is extremely important because without it, you

must know the IP address of a computer before you can access it. The ZyWALL/USG uses these

(in the order you specify here) to resolve domain names for VPN, DDNS and the time server.

Leave the field as 0.0.0.0 if you do not want to configure DNS servers.

2.1.3 Internet Access: PPPoE

Note: Enter the Internet access information exactly as given to you by your ISP.

Chapter 2 Installation Setup Wizard

ZyWALL/USG Series User’s Guide

Figure 25 Internet Access: PPPoE Encapsulation

2.1.3.1 ISP Parameters

• Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify

and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up

to 64 characters long.

•Authentication Type - Select an authentication protocol for outgoing connection requests.

Options are:

•CHAP/PAP - Your ZyWALL/USG accepts either CHAP or PAP when requested by the remote

node.

•CHAP - Your ZyWALL/USG accepts CHAP only.

•PAP - Your ZyWALL/USG accepts PAP only.

•MSCHAP - Your ZyWALL/USG accepts MSCHAP only.

•MSCHAP-V2 - Your ZyWALL/USG accepts MSCHAP-V2 only.

•Type the User Name given to you by your ISP. You can use alphanumeric and -_@$./ characters,

and it can be up to 31 characters long.

•Type the Password associated with the user name. Use up to 64 ASCII characters except the []

and ?. This field can be blank.

•Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle

Timeout in seconds that elapses before the router automatically disconnects from the PPPoE

server.

2.1.3.2 WAN IP Address Assignments

•WAN Interface: This is the name of the interface that will connect with your ISP.

•Zone: This is the security zone to which this interface and Internet connection will belong.

•IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP

Address Assignment in the previous screen.

Chapter 2 Installation Setup Wizard

ZyWALL/USG Series User’s Guide

•First / Second DNS Serve r: These fields display if you selected static IP address assignment.

The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a

DNS server's IP address(es). The DNS server is extremely important because without it, you

must know the IP address of a computer before you can access it. The ZyWALL/USG uses these

(in the order you specify here) to resolve domain names for VPN, DDNS and the time server.

Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a

DNS server, you must know the IP address of a machine in order to access it.

2.1.4 Internet Access: PPTP

Note: Enter the Internet access information exactly as given to you by your ISP.

Figure 26 Internet Access: PPTP Encapsulation

2.1.4.1 ISP Parameters

•Authentication Type - Select an authentication protocol for outgoing calls. Options are:

•CHAP/PAP - Your ZyWALL/USG accepts either CHAP or PAP when requested by the remote

node.

•CHAP - Your ZyWALL/USG accepts CHAP only.

•PAP - Your ZyWALL/USG accepts PAP only.

•MSCHAP - Your ZyWALL/USG accepts MSCHAP only.

•MSCHAP-V2 - Your ZyWALL/USG accepts MSCHAP-V2 only.

•Type the User Name given to you by your ISP. You can use alphanumeric and -_@$./ characters,

and it can be up to 31 characters long.

•Type the Password associated with the user name. Use up to 64 ASCII characters except the []

and ?. This field can be blank. Re-type your password in the next field to confirm it.

Chapter 2 Installation Setup Wizard

ZyWALL/USG Series User’s Guide

•Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle

Timeout in seconds that elapses before the router automatically disconnects from the PPTP

server.

2.1.4.2 PPTP Configuration

•Base Interface: This identifies the Ethernet interface you configure to connect with a modem or

router.

•Type a Base IP Address (static) assigned to you by your ISP.

• Type the IP Subnet Mask assigned to you by your ISP (if given).

•Server IP: Type the IP address of the PPTP server.

•Type a Connection ID or connection name. It must follow the “c:id” and “n:name” format. For

example, C:12 or N:My ISP. This field is optional and depends on the requirements of your

broadband modem or router. You can use alphanumeric and -_: characters, and it can be up to

31 characters long.

2.1.4.3 WAN IP Address Assignments

•First WAN Interface: This is the connection type on the interface you are configuring to

connect with your ISP.

•Zone This is the security zone to which this interface and Internet connection will belong.

•IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP

Address Assignment in the previous screen.

•First / Second DNS Serve r: These fields display if you selected static IP address assignment.

The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a

DNS server's IP address(es). The DNS server is extremely important because without it, you

must know the IP address of a computer before you can access it. The ZyWALL/USG uses these

(in the order you specify here) to resolve domain names for VPN, DDNS and the time server.

Leave the field as 0.0.0.0 if you do not want to configure DNS servers.

2.1.5 Internet Access Setup - Second WAN Interface

If you selected I have two ISPs, after you configure the First WAN Interface, you can configure

the Second WAN Interface. The screens for configuring the second WAN interface are similar to

the first (see Section 2.1.1 on page 41).

Chapter 2 Installation Setup Wizard

ZyWALL/USG Series User’s Guide

Figure 27 Internet Access: Step 3: Second WAN Interface

2.1.6 Internet Access Succeed

This screen shows your Internet access settings that have been applied successfully.

Figure 28 Internet Access Succeed

2.1.7 Wireless Settings: AP Controller

The ZyWALL/USG can act as an AP Controller that can manage APs in the same network as the

ZyWALL/USG.

Chapter 2 Installation Setup Wizard

ZyWALL/USG Series User’s Guide

Figure 29 Wireless Settings: AP Controller

Select Yes if you want your ZyWALL/USG to manage APs in your network; otherwise select No.

2.1.8 Wireless Settings: SSID & Security

Configure SSID and wireless security in this screen.

Figure 30 Wireless Settings: SSID & Security

SSID Setting

•SSID - Enter a descriptive name of up to 32 printable characters for the wireless LAN.

•Security Mode - Select Pre-Shared Key to add security on this wireless network. Otherwise,

select None to allow any wireless client to associate this network without authentication.

Chapter 2 Installation Setup Wizard

ZyWALL/USG Series User’s Guide

•Pre-Shared Key - Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters

(including spaces and symbols) or 64 hexadecimal characters.

•Hidden SSID - Select this option if you want to hide the SSID in the outgoing beacon frame. A

wireless client then cannot obtain the SSID through scanning using a site survey tool.

•Enable Intra-BSS Traffic Blocking - Select this option if you want to prevent crossover traffic

from within the same SSID. Wireless clients can still access the wired network but cannot

communicate with each other.

For Built-in Wireless AP Only

•Bridged to: ZyWALL/USGs with W in the model name have a built-in AP. Select an interface to

bridge with the built-in AP wireless network. Devices connected to this interface will then be in

the same broadcast domain as devices in the AP wireless network.

2.1.9 Internet Access - Device Registration

Click the link in this screen to register your device at portal.myzyxel.com.

Note: The ZyWALL/USG must be connected to the Internet in order to register.

Figure 31 Internet Access: Device Registration

You will need the ZyWALL/USG’s serial number and LAN MAC address to register it if you have not

already done so. Use the Configuratio n > Licensing > Registration > Service screen to update

your service subscription status.

ZyWALL/USG Series User’s Guide

CHAPTER 3

Hardware, Interfaces and Zones

3.1 Overview

This table is an overview of the different housings in the series.

3.1.1 Front Panels

The LED indicators are located on the front panel.

Figure 32 ZyWALL 110 / USG110 / USG210 Front Panel

Figure 33 ZyWALL 310 / ZyWALL 1100 / USG310 / USG1100 / USG1900 Front Panel

Figure 34 USG40 / USG40W Front Panel

Table 10 Housing Comparison

MODELS WITH SAME HARDWARE MODELS WITH SAME HARDWARE

• ZyWALL 110

• USG110

• USG210

• ZyWALL 310

• ZyWALL 1100

•USG310

• USG1100

• USG1900

•USG40

• USG40W (with two antennas)

•USG60

• USG60W (with four antennas)

Chapter 3 Hardware, Interfaces and Zones

ZyWALL/USG Series User’s Guide

Figure 35 USG60 / USG60W Front Panel

The following table describes the LEDs.

3.1.2 Rear Panels

The connection ports are located on the rear panel.

Figure 36 ZyWALL 110 / USG110 / USG210 Rear Panel

Figure 37 ZyWALL 310 / ZyWALL 1100 / USG310 / USG1100 / USG1900 Rear Panel

Table 11 LED Descriptions

LED COLOR STATUS DESCRIPTION

PWR Off The ZyWALL/USG is turned off.

Green On The ZyWALL/USG is turned on.

Red On There is a hardware component failure. Shut down the device, wait for a few

minutes and then restart the device (see Section 3.2 on page 54). If the LED

turns red again, then please contact your vendor.

SYS Green Off The ZyWALL/USG is not ready or has failed.

On The ZyWALL/USG is ready and running.

Blinking The ZyWALL/USG is booting.

Red On The ZyWALL/USG xd an error or has failed.

USB Green Off No device is connected to the ZyWALL/USG’s USB port or the connected

device is not supported by the ZyWALL/USG.

On A mobile broadband USB card or USB storage device is connected to the USB

port.

Orange On Connected to a mobile broadband network through the connected mobile

broadband USB card.

P1, P2... Green Off There is no traffic on this port.

Blinking The ZyWALL/USG is sending or receiving packets on this port.

Orange Off There is no connection on this port.

On This port has a successful link.

Chapter 3 Hardware, Interfaces and Zones

ZyWALL/USG Series User’s Guide

Figure 38 USG40 / USG40W Rear Panel

Figure 39 USG60 / USG60W Rear Panel

The following table describes the items on the rear panel

Note: Use an 8-wire Ethernet cable to run your Gigabit Ethernet connection at 1000

Mbps. Using a 4-wire Ethernet cable limits your connection to 100 Mbps. Note that

the connection speed also depends on what the Ethernet device at the other end

can support.

3.1.3 Default Zones, Interfaces, and Ports

The default configurations for zones, interfaces, and ports are as follows. References to interfaces

may be generic rather than the specific name used in your model. For example, this guide may use

“the WAN interface” rather than “wan1” or “wan2”, “ge2” or” ge3”.

An OPT (optional) Ethernet port can be configured as an additional WAN port, LAN, WLAN, or DMZ

port.

Ta ble 12 Rear Panel Items

LABEL DESCRIPTION

Console You can use the console port to manage the ZyWALL/USG using CLI commands. You will be

prompted to enter your user name and password. See the Command Reference Guide for

more information about the CLI.

When configuring using the console port, you need a computer equipped with

communications software configured to the following parameters:

• Speed 115200 bps

•Data Bits 8

• Parity None

•Stop Bit 1

• Flow Control Off

CF Card Slot Insert a compact flash card into this slot to store ZyWALL/USG system logs. This feature is

not available at the time of writing.

Power Use the included power cord to connect the power socket to a power outlet. Turn the power

switch on if your ZyWALL/USG has a power switch.

Lock Attach a lock-and-cable from the Kensington lock (the small, metal-reinforced, oval hole)

to a permanent object, such as a pole, to secure the ZyWALL/USG in place.

Fan The fans are for cooling the ZyWALL/USG. Make sure they are not obstructed to allow

maximum ventilation.

Chapter 3 Hardware, Interfaces and Zones

ZyWALL/USG Series User’s Guide

The following table shows the default physical port and interface mapping for each model at the

time of writing.

The following table shows the default interface and zone mapping for each model at the time of

writing.

Table 13 Default Physical Port - Interface Mapping

PORT / INTERFACE P1 P2 P3 P4 P5 P6 P7 P8

•USG40 wan1 lan1 lan1 lan1 opt

• USG40W wan1 lan1 lan1 lan1 opt

•USG60 wan1 wan2 lan1 lan1 lan1 lan1

• USG60W wan1 wan2 lan1 lan1 lan1 lan1

•ZyWALL 110

• USG110

• USG210

wan1 wan2 opt lan1 lan1 lan1 dmz

•ZyWALL 310

• ZyWALL 1100

• USG310

• USG1100

• USG1900

ge1 ge2 ge3 ge4 ge5 ge6 ge7 ge8

Table 14 Default Zone - Interface Mapping

ZONE / INTERFACE WAN LAN1 LAN2 DMZ OPT NO

DEFAULT

ZONE

•USG40 WAN1

WAN1_PPP

LAN1 LAN2 DMZ OPT

OPT_PPP

• USG40W WAN1

WAN1_PPP

LAN1 LAN2 DMZ OPT

OPT_PPP

•USG60 WAN1

WAN1_PPP

WAN2

WAN2_PPP

LAN1 LAN2 DMZ

• USG60W WAN1

WAN1_PPP

WAN2

WAN2_PPP

LAN1 LAN2 DMZ

•ZyWALL 110

• USG110

• USG210

WAN1

WAN1_PPP

WAN2

WAN2_PPP

LAN1 LAN2 DMZ OPT

OPT_PPP

•ZyWALL 310

• ZyWALL 1100

• USG310

• USG1100

• USG1900

GE1

GE1_PPP

GE2

GE2_PPP

GE3 GE4 GE5 GE3_PPP

GE4_PPP

GE5_PPP

GE6_PPP

GE7_PPP

GE8_PPP

Chapter 3 Hardware, Interfaces and Zones

ZyWALL/USG Series User’s Guide

3.2 Mounting

Some models can be mounted in a rack, and some can be mounted on a wall.

3.2.1 Rack-mounting

See Table 15 on page 54 for the ZyWALL/USG models that can be rack mounted. Use the following

steps to mount the ZyWALL/USG on an EIA standard size, 19-inch rack or in a wiring closet with

other equipment using a rack-mounting kit. Make sure the rack will safely support the combined

weight of all the equipment it contains and that the position of the ZyWALL does not make the rack

unstable or top-heavy. Take all necessary precautions to anchor the rack securely before installing

the unit.

Note: Leave 10 cm of clearance at the sides and 20 cm in the rear.

Use a #2 Phillips screwdriver to install the screws.

Note: Failure to use the proper screws may damage the unit.

1Align one bracket with the holes on one side of the ZyWALL/USG and secure it with the included

bracket screws (smaller than the rack-mounting screws).

2Attach the other bracket in a similar fashion.

3After attaching both mounting brackets, position the ZyWALL/USG in the rack and up the bracket

holes with the rack holes. Secure the ZyWALL/USG to the rack with the rack-mounting screws.

Table 15 Mounting Method

RACK-MOUNTING WALL-MOUNTING

• ZyWALL 110 • USG40

• ZyWALL 310 • USG40W

• ZyWALL 1100 • USG60

• USG110 • USG60W

• USG210

• USG310

• USG1100

• USG1900

Chapter 3 Hardware, Interfaces and Zones

ZyWALL/USG Series User’s Guide

3.2.2 Wall-mounting

See Table 15 on page 54 for the ZyWALL/USG models that can be wall-mounted. Do the following to

attach your ZyWALL/USG to a wall.

1Screw two screws with 6 mm ~ 8 mm (0.24" ~ 0.31") wide heads into the wall 150 mm apart (see

the figure in step 2). Do not screw the screws all the way in to the wall; leave a small gap between

the head of the screw and the wall.

The gap must be big enough for the screw heads to slide into the screw slots and the connection

cables to run down the back of the ZyWALL/USG.

Note: Make sure the screws are securely fixed to the wall and strong enough to hold the

weight of the ZyWALL/USG with the connection cables.

2Use the holes on the bottom of the ZyWALL/USG to hang the ZyWALL/USG on the screws.

Wall-mount the ZyWALL/USG horizontally. The ZyWALL/USG's side

panels with ventilation slots should not be facing up or down as this

position is less safe.

3.3 Stopping the ZyWALL/USG

Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn

off the ZyWALL/USG or remove the power. Not doing so can cause the firmware to become corrupt.

ZyWALL/USG Series User’s Guide

CHAPTER 4

Quick Setup Wizards

4.1 Quick Setup Overview

The Web Configurator's quick setup wizards help you configure Internet and VPN connection

settings. This chapter provides information on configuring the quick setup screens in the Web

Configurator. See the feature-specific chapters in this User’s Guide for background information.

In the Web Configurator, click Configuration > Quick Setup to open the first Quick Setup

screen.

Figure 40 Quick Setup

•WAN Interface

Click this link to open a wizard to set up a WAN (Internet) connection. This wizard creates

matching ISP account settings in the ZyWALL/USG if you use PPPoE or PPTP. See Section 4.2 on

page 57.

•VPN SETUP

Use VPN Setup to configure a VPN (Virtual Private Network) rule for a secure connection to

another computer or network. Use VPN Settings for Configuration Provisioning to set up a

VPN rule that can be retrieved with the ZyWALL/USG IPSec VPN Client. You only need to enter a

user name, password and the IP address of the ZyWALL/USG in the IPSec VPN Client to get all

VPN settings automatically from the ZyWALL/USG. See Section 4.3 on page 62.Use VPN

Settings for L2TP VPN Settings to configure the L2TP VPN for clients.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

•Wizard Help

If the help does not automatically display when you run the wizard, click teh arrow to display it.

4.2 WAN Interface Quick Setup

Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup

Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet.

Click Next.

Figure 41 WAN Interface Quick Setup Wizard

4.2.1 Choose an Ethernet Interface

Select the Ethernet interface (names vary by model) that you want to configure for a WAN

connection and click Next.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 42 Choose an Ethernet Interface

4.2.2 Select WAN Type

WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet

when the WAN port is used as a regular Ethernet.

Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your

ISP.

Figure 43 WAN Interface Setup: Step 2

The screens vary depending on what encapsulation type you use. Refer to information provided by

your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.

Note: Enter the Internet access information exactly as your ISP gave it to you.

4.2.3 Configure WAN IP Settings

Use this screen to select whether the interface should use a fixed or dynamic IP address.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 44 WAN Interface Setup: Step 2 Dynamic IP

Figure 45 WAN Interface Setup: Step 2 Fixed IP

•WAN Interface: This is the interface you are configuring for Internet access.

•Zone: This is the security zone to which this interface and Internet connection belong.

•IP Address Assignment: Select Auto If your ISP did not assign you a fixed IP address.

Select Static if you have a fixed IP address and enter the IP address, subnet mask, gateway IP

address (optional) and DNS server IP address(es).

4.2.4 ISP and WAN and ISP Connection Settings

Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you

select Ethernet and set t the IP Address Assignment to AutoStatic. If you set the IP Address

Assignment to static and/or select PPTP or PPPoE, enter the Internet access information exactly

as your ISP gave it to you.

Note: Enter the Internet access information exactly as your ISP gave it to you.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 46 WAN and ISP Connection Settings: (PPTP Shown)

The following table describes the labels in this screen.

Ta ble 16 WAN and ISP Connection Settings

LABEL DESCRIPTION

ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection.

Encapsulation This displays the type of Internet connection you are configuring.

Authentication

Type Use the drop-down list box to select an authentication protocol for outgoing calls.

Options are:

CHAP/PAP - Your ZyWALL/USG accepts either CHAP or PAP when requested by this

remote node.

CHAP - Your ZyWALL/USG accepts CHAP only.

PAP - Your ZyWALL/USG accepts PAP only.

MSCHAP - Your ZyWALL/USG accepts MSCHAP only.

MSCHAP-V2 - Your ZyWALL/USG accepts MSCHAP-V2 only.

User Name Type the user name given to you by your ISP. You can use alphanumeric and -_@$./

characters, and it can be up to 31 characters long.

Password Type the password associated with the user name above. Use up to 64 ASCII characters

except the [] and ?. This field can be blank.

Retype to

Confirm Type your password again for confirmation.

Nailed-Up Select Nailed-Up if you do not want the connection to time out.

Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from

the PPPoE server. 0 means no timeout.

PPTP Configuration This section only appears if the interface uses a PPPoE or PPTP Internet connection.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

4.2.5 Quick Setup Interface Wizard: Summary

This screen displays the WAN interface’s settings.

Base Interface This displays the identity of the Ethernet interface you configure to connect with a

modem or router.

Base IP Address Type the (static) IP address assigned to you by your ISP.

IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).

Server IP Type the IP address of the PPTP server.

Connection ID Enter the connection ID or connection name in this field. It must follow the "c:id" and

"n:name" format. For example, C:12 or N:My ISP.

This field is optional and depends on the requirements of your DSL modem.

You can use alphanumeric and -_: characters, and it can be up to 31 characters long.

WAN Interface

Setup

WAN Interface This displays the identity of the interface you configure to connect with your ISP.

Zone This field displays to which security zone this interface and Internet connection will

belong.

IP Address This field is read-only when the WAN interface uses a dynamic IP address. If your WAN

interface uses a static IP address, enter it in this field.

First DNS

Server

Second DNS

Server

These fields only display for an interface with a static IP address. Enter the DNS server

IP address(es) in the field(s) to the right.

Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not

configure a DNS server, you must know the IP address of a machine in order to access

it.

DNS (Domain Name System) is for mapping a domain name to its corresponding IP

address and vice versa. The DNS server is extremely important because without it, you

must know the IP address of a computer before you can access it. The ZyWALL/USG

uses a system DNS server (in the order you specify here) to resolve domain names for

VPN, DDNS and the time server.

Back Click Back to return to the previous screen.

Next Click Next to continue.

Ta ble 16 WAN and ISP Connection Settings (continued)

LABEL DESCRIPTION

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 47 Interface Wizard: Summary WAN (PPTP Shown)

The following table describes the labels in this screen.

4.3 VPN Setup Wizard

Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen.

Ta ble 17 Interface Wizard: Summary WAN

LABEL DESCRIPTION

Encapsulation This displays what encapsulation this interface uses to connect to the Internet.

Service Name This field only appears for a PPPoE interface. It displays the PPPoE service name specified

in the ISP account.

Server IP This field only appears for a PPTP interface. It displays the IP address of the PPTP server.

User Name This is the user name given to you by your ISP.

Nailed-Up If No displays the connection will not time out. Yes means the ZyWALL/USG uses the idle

timeout.

Idle Timeout This is how many seconds the connection can be idle before the router automatically

disconnects from the PPPoE server. 0 means no timeout.

Connection ID If you specified a connection ID, it displays here.

WAN Interface This identifies the interface you configure to connect with your ISP.

Zone This field displays to which security zone this interface and Internet connection will belong.

IP Address

Assignment

This field displays whether the WAN IP address is static or dynamic (Auto).

First DNS Server

Second DNS

Server

If the IP Address Assignment is Static, these fields display the DNS server IP

address(es).

Close Click Close to exit the wizard.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 48 VPN Setup Wizard

4.3.1 Welcome

Use wizards to create Virtual Private Network (VPN) rules. After you complete the wizard, the Phase

1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule

settings appear in the VPN > IPSec VPN > VPN Connection screen.

•VPN Settings configures a VPN tunnel for a secure connection to another computer or network.

•VPN Settings for Configuration Provisioning sets up a VPN rule the ZyWALL/USG IPSec VPN

Client can retrieve. Just enter a user name, password and the IP address of the ZyWALL/USG in

the IPSec VPN Client to get the VPN settings automatically from the ZyWALL/USG.

•VPN Settings for L2TP VPN Settings sets up a L2TP VPN rule that the ZyWALL/USG IPSec

L2TP VPN client can retrieve.

Figure 49 VPN Setup Wizard Welcome

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

4.3.2 VPN Setup Wizard: Wizard Type

Choose Express to create a VPN rule with the default phase 1 and phase 2 settings to connect to

another ZLD-based ZyWALL/USG using a pre-shared key.

Choose Advanced to change the default settings and/or use certificates instead of a pre-shared

key to create a VPN rule to connect to another IPSec device.

Figure 50 VPN Setup Wizard: Wizard Type

4.3.3 VPN Express Wizard - Scenario

Click the Express radio button as shown in Figure 50 on page 64 to display the following screen.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 51 VPN Express Wizard: Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use

1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a

number. This value is case-sensitive.

Select the scenario that best describes your intended VPN connection. The figure on the left of the

screen changes to match the scenario you select.

•Site-to-site - The remote IPSec device has a static IP address or a domain name. This ZyWALL/

USG can initiate the VPN tunnel.

•Site-to-site with Dynamic Peer - The remote IPSec device has a dynamic IP address. Only the

remote IPSec device can initiate the VPN tunnel.

•Remote Access (Server Role) - Allow incoming connections from IPSec VPN clients. The

clients have dynamic IP addresses and are also known as dial-in users. Only the clients can

initiate the VPN tunnel.

•Remote Access (Client Role) - Connect to an IPSec server. This ZyWALL/USG is the client

(dial-in user) and can initiate the VPN tunnel.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

4.3.4 VPN Express Wizard - Configuration

Figure 52 VPN Express Wizard: Configuration

•Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario.

Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure

gateway) to identify the remote IPSec router by its IP address or a domain name. Use 0.0.0.0 if

the remote IPSec router has a dynamic WAN IP address.

•Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password.

Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”)

characters. Proceed a hexadecimal key with “0x”. You will receive a PYLD_MALFORMED (payload

malformed) packet if the same pre-shared key is not used on both ends.

•Local Policy (IP/Mask): Type the IP address of a computer on your network that can use the

tunnel. You can also specify a subnet. This must match the remote IP address configured on the

remote IPSec device.

•Remote Policy (IP/Mask): Any displays in this field if it is not configurable for the chosen

scenario. Otherwise, type the IP address of a computer behind the remote IPSec device. You can

also specify a subnet. This must match the local IP address configured on the remote IPSec

device.

4.3.5 VPN Express Wizard - Summary

This screen provides a read-only summary of the VPN tunnel’s configuration and commands that

you can copy and paste into another ZLD-based ZyWALL/USG’s command line interface to configure

it.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 53 VPN Express Wizard: Summary

•Rule Name: Identifies the VPN gateway policy.

•Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays

Any, only the remote IPSec device can initiate the VPN connection.

•Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1

IKE negotiation.

•Local Policy: IP address and subnet mask of the computers on the network behind your

ZyWALL/USG that can use the tunnel.

•Remote Policy: IP address and subnet mask of the computers on the network behind the

remote IPSec device that can use the tunnel. If this field displays Any, only the remote IPSec

device can initiate the VPN connection.

• Copy and paste the Configuration for Secure Gateway commands into another ZLD-based

ZyWALL/USG’s command line interface to configure it to serve as the other end of this VPN

tunnel. You can also use a text editor to save these commands as a shell script file with a “.zysh”

filename extension. Use the file manager to run the script in order to configure the VPN

connection. See the commands reference guide for details on the commands displayed in this

list.

4.3.6 VPN Express Wizard - Finish

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >

IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec

VPN > VPN Connection screen.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 54 VPN Express Wizard: Finish

Click Close to exit the wizard.

4.3.7 VPN Advanced Wizard - Scenario

Click the Advanced radio button as shown in Figure 50 on page 64 to display the following screen.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 55 VPN Advanced Wizard: Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use

1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a

number. This value is case-sensitive.

Select the scenario that best describes your intended VPN connection. The figure on the left of the

screen changes to match the scenario you select.

•Site-to-site - The remote IPSec device has a static IP address or a domain name. This ZyWALL/

USG can initiate the VPN tunnel.

•Site-to-site with Dynamic Peer - The remote IPSec device has a dynamic IP address. Only the

remote IPSec device can initiate the VPN tunnel.

•Remote Access (Server Role) - Allow incoming connections from IPSec VPN clients. The

clients have dynamic IP addresses and are also known as dial-in users. Only the clients can

initiate the VPN tunnel.

•Remote Access (Client Role) - Connect to an IPSec server. This ZyWALL/USG is the client

(dial-in user) and can initiate the VPN tunnel.

4.3.8 VPN Advanced Wizard - Phase 1 Settings

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication)

and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 56 VPN Advanced Wizard: Phase 1 Settings

•Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario.

Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure

gateway) to identify the remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if

the remote IPSec device has a dynamic WAN IP address.

•My Address (interface): Select an interface from the drop-down list box to use on your

ZyWALL/USG.

•Negotiation Mode: This displays Main or Aggressive:

•Main encrypts the ZyWALL/USG’s and remote IPSec router’s identities but takes more time to

establish the IKE SA

•Aggressive is faster but does not encrypt the identities.

The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs

connecting through a secure gateway must have the same negotiation mode.

•Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the

security (this may affect throughput). Both sender and receiver must use the same secret key,

which can be used to encrypt and decrypt the message or to generate and verify a message

authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a

variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also

requires more processing power, resulting in increased latency and decreased throughput.

AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key, and AES256

uses a 256-bit key.

•Authentication Algorithm: MD5 gives minimal security and SHA512 gives the highest

security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to

authenticate packet data. The stronger the algorithm the slower it is.

•Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1

(default) refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman

Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit

random number.

•SA Life Time: Set how often the ZyWALL/USG renegotiates the IKE SA. A short SA life time

increases security, but renegotiation temporarily disconnects the VPN tunnel.

•NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router

between the IPSec devices).

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Note: The remote IPSec device must also have NAT traversal enabled. See the help in the

main IPSec VPN screens for more information.

•Dead Peer Detection (DPD) has the ZyWALL/USG make sure the remote IPSec device is there

before transmitting data through the IKE SA. If there has been no traffic for at least 15 seconds,

the ZyWALL/USG sends a message to the remote IPSec device. If it responds, the ZyWALL/USG

transmits the data. If it does not respond, the ZyWALL/USG shuts down the IKE SA.

•Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one

of the ZyWALL/USG’s certificates.

4.3.9 VPN Advanced Wizard - Phase 2

Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec.

Figure 57 VPN Advanced Wizard: Phase 2 Settings

•Active Protocol: ESP is compatible with NAT, AH is not.

•Encapsulation: Tunnel is compatible with NAT, Transport is not.

•Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the

security (this may affect throughput). Null uses no encryption.

•Authentication Algorithm: MD5 gives minimal security and SHA512 gives the highest

security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to

authenticate packet data. The stronger the algorithm the slower it is.

•SA Life Time: Set how often the ZyWALL/USG renegotiates the IKE SA. A short SA life time

increases security, but renegotiation temporarily disconnects the VPN tunnel.

•Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure.

Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may

affect throughput). DH1 refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to

Diffie-Hellman Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a

1536 bit random number (more secure, yet slower).

•Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also

specify a subnet. This must match the remote IP address configured on the remote IPSec device.

•Remote Policy (IP/Mask): Type the IP address of a computer behind the remote IPSec device.

You can also specify a subnet. This must match the local IP address configured on the remote

IPSec device.

•Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this

to have the ZyWALL/USG automatically renegotiate the IPSec SA when the SA life time expires.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

4.3.10 VPN Advanced Wizard - Summary

This is a read-only summary of the VPN tunnel settings.

Figure 58 VPN Advanced Wizard: Summary

•Rule Name: Identifies the VPN connection (and the VPN gateway).

•Secure Gateway: IP address or domain name of the remote IPSec device.

•Pre-Shared Key: VPN tunnel password.

•Certificate: The certificate the ZyWALL/USG uses to identify itself when setting up the VPN

tunnel.

•Local Policy: IP address and subnet mask of the computers on the network behind your

ZyWALL/USG that can use the tunnel.

•Remote Policy: IP address and subnet mask of the computers on the network behind the

remote IPSec device that can use the tunnel.

• Copy and paste the Configuration for Remote Gateway commands into another ZLD-based

ZyWALL/USG’s command line interface.

• Click Save to save the VPN rule.

4.3.11 VPN Advanced Wizard - Finish

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >

IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN

> VPN Connection screen.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 59 VPN Wizard: Finish

Click Close to exit the wizard.

4.4 VPN Settings for Configuration Provisioning Wizard:

Wizard Type

Use VPN Setti n gs for Configura tion Provision ing to set up a VPN rule that can be retrieved

with the ZyWALL/USG IPSec VPN Client.

VPN rules for the ZyWALL/USG IPSec VPN Client have certain restrictions. They must not contain

the following settings:

•AH active protocol

•NULL encryption

•SHA512 authentication

• A subnet or range remote policy

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a

pre-shared key.

Choose Advanced to change the default settings and/or use certificates instead of a pre-shared

key in the VPN rule.

Figure 60 VPN Settings for Configuration Provisioning Express Wizard: Wizard Type

4.4.1 Configuration Provisioning Express Wizar d - VPN Settings

Click the Express radio button as shown in the previous screen to display the following screen.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 61 VPN for Configuration Provisioning Express Wizard: Settings Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use

1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a

number. This value is case-sensitive.

Application Scenario: Only the Remote Access (Server Role) is allowed in this wizard. It

allows incoming connections from the ZyWALL/USG IPSec VPN Client.

4.4.2 Configuration Provisioning VPN Express Wizard - Configuration

Click Next to continue the wizard.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 62 VPN for Configuration Provisioning Express Wizard: Configuration

•Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows

incoming connections from the ZyWALL/USG IPSec VPN Client.

•Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password.

Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”)

characters. Proceed a hexadecimal key with “0x”. You will receive a PYLD_MALFORMED (payload

malformed) packet if the same pre-shared key is not used on both ends.

•Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also

specify a subnet. This must match the remote IP address configured on the remote IPSec device.

•Remote Policy (IP/Mask): Any displays in this field because it is not configurable in this

wizard.

4.4.3 VPN Settings for Configuration Provisioning Express Wizard -

Summary

This screen has a read-only summary of the VPN tunnel’s configuration and commands you can

copy and paste into another ZLD-based ZyWALL/USG’s command line interface to configure it.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 63 VPN for Configuration Provisioning Express Wizard: Summary

•Rule Name: Identifies the VPN gateway policy.

•Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows

incoming connections from the ZyWALL/USG IPSec VPN Client.

•Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1

IKE negotiation.

•Local P olicy : (Static) IP address and subnet mask of the computers on the network behind your

ZyWALL/USG that can be accessed using the tunnel.

•Remote Policy: Any displays in this field because it is not configurable in this wizard.

•The Configuration for Secure Gateway displays the configuration that the ZyWALL/USG IPSec

VPN Client will get from the ZyWALL/USG.

• Click Save to save the VPN rule.

4.4.4 VPN Settings for Configuration Provisioning Express Wizard - Finish

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >

IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec

VPN > VPN Connection screen. Enter the IP address of the ZyWALL/USG in the ZyWALL/USG

IPSec VPN Client to get all these VPN settings automatically from the ZyWALL/USG.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 64 VPN for Configuration Provisioning Express Wizard: Finish

Click Close to exit the wizard.

4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard -

Scenario

Click the Advanced radio button as shown in the screen shown in Figure 60 on page 74 to display

the following screen.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 65 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use

1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a

number. This value is case-sensitive.

Application Scenario: Only the Remote Access (Server Role) is allowed in this wizard. It

allows incoming connections from the ZyWALL/USG IPSec VPN Client.

Click Next to continue the wizard.

4.4.6 VPN Settings for Configuration Provisioning Advanced Wizard - Phase

1 Settings

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication)

and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 66 VPN for Configuration Provisioning Advanced Wizard: Phase 1 Settings

•Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows

incoming connections from the ZyWALL/USG IPSec VPN Client.

•My Address (interface): Select an interface from the drop-down list box to use on your

ZyWALL/USG.

•Negotiation Mode:This displays Main or Aggressive:

•Main encrypts the ZyWALL/USG’s and remote IPSec router’s identities but takes more time to

establish the IKE SA

•Aggressive is faster but does not encrypt the identities.

The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs

connecting through a secure gateway must have the same negotiation mode.

•Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the

security (this may affect throughput). Both sender and receiver must know the same secret key,

which can be used to encrypt and decrypt the message or to generate and verify a message

authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a

variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also

requires more processing power, resulting in increased latency and decreased throughput.

AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses

a 256-bit key.

•Authentication Algorithm: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are

hash algorithms used to authenticate packet data. MD5 gives minimal security. SHA1 gives

higher security and SHA256 gives the highest security. The stronger the algorithm, the slower it

is.

•Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1

(default) refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman

Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit

random number.

•SA Life Time: Set how often the ZyWALL/USG renegotiates the IKE SA. A short SA life time

increases security, but renegotiation temporarily disconnects the VPN tunnel.

•Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one

of the ZyWALL/USG’s certificates.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

4.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase

Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec.

Figure 67 VPN for Configuration Provisioning Advanced Wizard: Phase 2 Settings

•Active Protocol: ESP is compatible with NAT. AH is not available in this wizard.

•Encapsulation: Tunnel is compatible with NAT, Transport is not.

•Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the

security (this may affect throughput). Null uses no encryption.

•Authentication Algorithm: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are

hash algorithms used to authenticate packet data. MD5 gives minimal security. SHA1 gives

higher security and SHA256 gives the highest security. The stronger the algorithm, the slower it

is.

•SA Life Time: Set how often the ZyWALL/USG renegotiates the IKE SA. A short SA life time

increases security, but renegotiation temporarily disconnects the VPN tunnel.

•Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure.

Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may

affect throughput). DH1 refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to

Diffie-Hellman Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a

1536 bit random number (more secure, yet slower).

•Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also

specify a subnet. This must match the remote IP address configured on the remote IPSec device.

•Remote Policy (IP/Mask): Any displays in this field because it is not configurable in this

wizard.

•Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this

to have the ZyWALL/USG automatically renegotiate the IPSec SA when the SA life time expires.

4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard -

Summary

This is a read-only summary of the VPN tunnel settings.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 68 VPN for Configuration Provisioning Advanced Wizard: Summary

Summary

•Rule Name: Identifies the VPN connection (and the VPN gateway).

•Secure Gateway: Any displays in this field because it is not configurable in this wizard. It

allows incoming connections from the ZyWALL/USG IPSec VPN Client.

•Pre-Shared Key: VPN tunnel password.

•Local Policy: IP address and subnet mask of the computers on the network behind your

ZyWALL/USG that can use the tunnel.

•Remote Policy: Any displays in this field because it is not configurable in this wizard.

Phase 1

•Negotiation Mode: This displays Main or Aggressive:

•Main encrypts the ZyWALL/USG’s and remote IPSec router’s identities but takes more time to

establish the IKE SA

•Aggressive is faster but does not encrypt the identities.

The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs

connecting through a secure gateway must have the same negotiation mode.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

•Encryption Algorithm: This displays the encryption method used. The longer the key, the

higher the security, the lower the throughput (possibly).

•DES uses a 56-bit key.

•3DES uses a 168-bit key.

•AES128 uses a 128-bit key

•AES192 uses a 192-bit key

•AES256 uses a 256-bit key.

•Authentication Algorithm: This displays the authentication algorithm used. The stronger the

algorithm, the slower it is.

•MD5 gives minimal security.

•SHA1 gives higher security

•SHA256 gives the highest security.

•Key Group: This displays the Diffie-Hellman (DH) key group used. DH5 is more secure than

DH1 or DH2 (although it may affect throughput).

•DH1 uses a 768 bit random number.

•DH2 uses a 1024 bit (1Kb) random number.

•DH5 uses a 1536 bit random number.

Phase 2

•Active Protocol: This displays ESP (compatible with NAT) or AH.

•Encapsulation: This displays Tunnel (compatible with NAT) or Transport.

•Encryption Algorithm: This displays the encryption method used. The longer the key, the

higher the security, the lower the throughput (possibly).

•DES uses a 56-bit key.

•3DES uses a 168-bit key.

•AES128 uses a 128-bit key

•AES192 uses a 192-bit key

•AES256 uses a 256-bit key.

•Null uses no encryption.

•Authentication Algorithm: This displays the authentication algorithm used. The stronger the

algorithm, the slower it is.

•MD5 gives minimal security.

•SHA1 gives higher security

•SHA256 gives the highest security..

The Configuration for Secure Gateway displays the configuration that the ZyWALL/USG IPSec

VPN Client will get from the ZyWALL/USG.

Click Save to save the VPN rule.

4.4.9 VPN Settings for Configuration Provisioning Advanced Wi zard- Finish

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >

IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

> VPN Connection screen. Enter the IP address of the ZyWALL/USG in the ZyWALL/USG IPSec

VPN Client to get all these VPN settings automatically from the ZyWALL/USG.

Figure 69 VPN for Configuration Provisioning Advanced Wizard: Finish

Click Close to exit the wizard.

4.5 VPN Settings for L2TP VPN Settings Wizard

Use VPN Settings for L2TP VPN Settings to set up an L2TP VPN rule. Click Configuration >

Quick Setup > VPN Settings and select VPN Settings for L2TP VPN Settings to see the

following screen.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Figure 70 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings

Click Next to continue the wizard.

4.5.1 L2TP VPN Settings

Figure 71 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings

•Rule Name: Type the name used to identify this L2TP VPN connection (and L2TP VPN gateway).

You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first

character cannot be a number. This value is case-sensitive.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

•My Address (interface): Select one of the interfaces from the pull down menu to apply the

L2TP VPN rule.

•Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password.

Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”)

characters. Proceed a hexadecimal key with “0x”. You will receive a PYLD_MALFORMED (payload

malformed) packet if the same pre-shared key is not used on both ends.

Click Next to continue the wizard.

4.5.2 L2TP VPN Settings

Figure 72 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings

•IP Address Pool: Select Range or Subnet from the pull down menu. This IP address pool is used

to assign to the L2TP VPN clients.

•Starting IP Address: Enter the starting IP address in the field.

•End IP Address: Enter the ending IP address in the field.

•First DNS S erver ( Option al) : Enter the first DNS server IP address in the field. Leave the filed

as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server you

must know the IP address of a machine in order to access it.

•Second DNS Server (Optional):Enter the second DNS server IP address in the field. Leave the

filed as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server

you must know the IP address of a machine in order to access it.

•Allow L2TP traffic Through WAN: Select this check box to allow traffic from L2TP clients to go

to the Internet.

Click Next to continue the wizard.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

Note: DNS (Domain Name System) is for mapping a domain name to its corresponding IP

address and vice versa. The DNS server is extremely important because without it,

you must know the IP address of a computer before you can access it. The

ZyWALL/USG uses a system DNS server (in the order you specify here) to resolve

domain names for VPN, DDNS and the time server.

4.5.3 VPN Settings for L2TP VPN Setting Wizard - Summary

This is a read-only summary of the L2TP VPN settings.

Figure 73 VPN Settings for L2TP VPN Settings Advanced Settings Wizard: Summary

Summary

•Rule Name: Identifies the L2TP VPN connection (and the L2TP VPN gateway).

•Secure Gateway: “Any” displays in this field because it is not configurable in this wizard. It

allows incoming connections from the L2TP VPN Client.

•Pre-Shared Key: L2TP VPN tunnel password.

•My Address (Interface): This displays the interface to use on your ZyWALL/USG for the L2TP

tunnel.

•IP Address Pool: This displays the IP address pool used to assign to the L2TP VPN clients.

Click Save to complete the L2TP VPN Setting and the following screen will show.

Chapter 4 Quick Setup Wizards

ZyWALL/USG Series User’s Guide

4.5.4 VPN Settings for L2TP VPN Setting Wizard Completed

Figure 74 VPN Settings for L2TP VPN Settings Wizard: Finish

Now the rule is configured on the ZyWALL/USG. The L2TP VPN rule settings appear in the VPN >

L2TP VPN screen and also in the VPN > IPSec VPN > VPN Connection and VPN Gateway

screen.

ZyWALL/USG Series User’s Guide

CHAPTER 5

Dashboard

5.1 Overview

Use the Dashboard screens to check status information about the ZyWALL/USG.

5.1.1 What You Can Do in this Chapter

Use the main Dashboard screen to see the ZyWALL/USG’s general device information, system

status, system resource usage, licensed service status, and interface status. You can also display

other status screens for more information.

Use the Dashboard screens to view the following.

•Device Information Screen on page 91

•System Status Screen on page 92

•VPN Status Screen on page 93

•DHCP Table Screen on page 94

•Number of Login Users Screen on page 95

•System Resources Screen on page 96

•CPU Usage Screen on page 97

•Memory Usage Screen on page 98

•Active Session Screen on page 99

•Extension Slot Screen on page 100

•Interface Status Summary Screen on page 100

•Secured Service Status Screen on page 102

•Content Filter Statistics Screen on page 103

•Top 5 Viruses Screen on page 103

•Top 5 Intrusions Screen on page 104

•Top 5 IPv4/IPv6 Security Policy Rules that Blocked Traffic Screen on page 104

•The Latest Alert Logs Screen on page 105

5.2 Main Dashboard Screen

The Dashboard screen displays when you log into the ZyWALL/USG or click Dashboard in the

navigation panel. The dashboard displays general device information, system status, system

resource usage, licensed service status, and interface status in widgets that you can re-arrange to

suit your needs. You can also collapse, refresh, and close individual widgets.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

Figure 75 Dashboard

The following table describes the labels in this screen.

Ta ble 18 Dashboard

LABEL DESCRIPTION

Widget Setting

(A)

Use this link to open or close widgets by selecting/clearing the associated checkbox.

Up Arrow (B) Click this to collapse a widget. It then becomes a down arrow. Click it again to enlarge the

widget again.

Refresh Time

Setting (C)

Set the interval for refreshing the information displayed in the widget.

Refresh Now (D) Click this to update the widget’s information immediately.

Close Widget (E) Click this to close the widget. Use Widget Setting to re-open it.

Virtual Device

Rear Panel Click this to view details about the ZyWALL/USG’s rear panel. Hover your cursor over a

connected interface or slot to display status details.

Front Panel Click this to view details about the status of the ZyWALL/USG’s front panel LEDs and

connections. See Section 3.1.1 on page 50 for LED descriptions. An unconnected interface

or slot appears grayed out.

The following front and rear panel labels display when you hover your cursor over a

connected interface or slot.

CDE

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

5.2.1 Device Information Screen

The Device Information screen displays ZyWALL/USG’s system and model name, serial number,

MAC address and firmware version shown in the below screen.

Figure 76 Dashboard > Device Information (Example)

Name This field displays the name of each interface.

Status This field displays the current status of each interface or device installed in a slot. The

possible values depend on what type of interface it is.

Inactive - The Ethernet interface is disabled.

Down - The Ethernet interface does not have any physical ports associated with it or the

Ethernet interface is enabled but not connected.

Speed / Duplex - The Ethernet interface is enabled and connected. This field displays the

port speed and duplex setting (Full or Half).

The status for a WLAN card is none.

For cellular (mobile broadband) interfaces, see Section 9.5 on page 210 for the status that

can appear.

For the auxiliary interface:

Inactive - The auxiliary interface is disabled.

Connected - The auxiliary interface is enabled and connected.

Disconnected - The auxiliary interface is not connected.

HA Status This field displays the status of the interface in the virtual router.

Active - This interface is the master interface in the virtual router.

Stand-By - This interface is a backup interface in the virtual router.

Fault - This VRRP group is not functioning in the virtual router right now. For example, this

might happen if the interface is down.

n/a - Device HA is not active on the interface.

Zone This field displays the zone to which the interface is currently assigned.

IP Address/

Mask This field displays the current IP address and subnet mask assigned to the interface. If the

interface is a member of an active virtual router, this field displays the IP address it is

currently using. This is either the static IP address of the interface (if it is the master) or

the management IP address (if it is a backup).

Ta ble 18 Dashboard (continued)

LABEL DESCRIPTION

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

This tabel describes the fields in the above screen.

5.2.2 System Status Screen

Figure 77 Dashboard > System Status (Example)

This table describes the fields in the above screen.

Ta ble 19 Dashboard > Device Information

LABEL DESCRIPTION

Device Information This identifies a device installed in one of the ZyWALL/USG’s extension slots, the

Security Extension Module slot, or USB ports. For an installed SEM (Security

Extension Module) card, this field displays what kind of SEM card is installed.

SEM-VPN - The VPN accelerator. The SEM-VPN provides 500 Mbps VPN

throughput, 2,000 IPSec VPN tunnels, and 750 SSL VPN users.

SEM-DUAL - accelerator for both VPN and UTM. The SEM-DUAL provides the

benefits of the SEM-VPN and increases the maximum anti-virus and IDP traffic

throughput from 100 Mbps to 400 Mbps.

System Name This field displays the name used to identify the ZyWALL/USG on any network.

Click the link and open the Host Name screen where you can edit and make

changes to the system and domain name.

Model Name This field displays the model name of this ZyWALL/USG.

Serial Number This field displays the serial number of this ZyWALL/USG. The serial number is

used for device tracking and control.

MAC Address Range This field displays the MAC addresses used by the ZyWALL/USG. Each physical

port has one MAC address. The first MAC address is assigned to physical port 1,

the second MAC address is assigned to physical port 2, and so on.

Firmware Version This field displays the version number and date of the firmware the ZyWALL/USG

is currently running. Click the link to open the Firmware Package screen where

you can upload firmware.

Ta ble 20 Dashboard > System Status

LABEL DESCRIPTION

System Uptime This field displays how long the ZyWALL/USG has been running since it last

restarted or was turned on.

Current Date/Time This field displays the current date and time in the ZyWALL/USG. The format is

yyyy-mm-dd hh:mm:ss. Click on the link to see the Date/Time screen where

you can make edits and changes to the date, time and time zone information.

VPN Status Click on the link to look at the VPN tunnels that are currently established. See

Section 5.2.3 on page 93. Click on the VPN icon to go to the ZyXEL VPN Client

product page at the ZyXEL website.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

5.2.3 VPN Status Screen

Click on VPN Status link to look at the VPN tunnels that are currently established. The following

screen will show.

Figure 78 Dashboard > System Status > VPN Status

SSL VPN Status The first number is the actual number of VPN tunnels up and the second number

is the maximum number of SSL VPN tunnels allowed.

DHCP Table Click this to look at the IP addresses currently assigned to the ZyWALL/USG’s

DHCP clients and the IP addresses reserved for specific MAC addresses. See

Section 5.2.4 on page 94.

Current Login User This field displays the user name used to log in to the current session, the

amount of reauthentication time remaining, and the amount of lease time

remaining.

Number of Login Users This field displays the number of users currently logged in to the ZyWALL/USG.

Click the icon to pop-open a list of the users who are currently logged in to the

ZyWALL/USG.

Boot Status This field displays details about the ZyWALL/USG’s startup state.

OK - The ZyWALL/USG started up successfully.

Firmware update OK - A firmware update was successful.

Problematic configuratio n afte r firmw are update - The application of the

configuration failed after a firmware upgrade.

System default configuration - The ZyWALL/USG successfully applied the

system default configuration. This occurs when the ZyWALL/USG starts for the

first time or you intentionally reset the ZyWALL/USG to the system default

settings.

Fallback to lastgood conf iguration - The ZyWALL/USG was unable to apply

the startup-config.conf configuration file and fell back to the lastgood.conf

configuration file.

Fallback to system default configuration - The ZyWALL/USG was unable to

apply the lastgood.conf configuration file and fell back to the system default

configuration file (system-default.conf).

Booting in progress - The ZyWALL/USG is still applying the system

configuration.

Ta ble 20 Dashboard > System Status

LABEL DESCRIPTION

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

This table describes the fields in the above screen.

Ta ble 21 Dashboard > System Status > VPN Status

ZyXEL VPN Client Product Page

5.2.4 DHCP Table Screen

Click on the DHCP Table link to look at the IP addresses currently assigned to DHCP clients and the

IP addresses reserved for specific MAC addresses. The following screen will show.

LABLE DESCRIPTION

# This field is a sequential value, and it is not associated with a specific SA.

Name This field displays the name of the IPSec SA.

Encapsulation This field displays how the IPSec SA is encapsulated.

Algorithm This field displays the encryption and authentication algorithms used in the SA.

Refresh Interval Select how often you want this window to be updated automatically.

Refresh Click this to update the information in the window right away.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

Figure 79 Dashboard > System Status > DHCP Table

This table describes the fields in the above screen.

5.2.5 Number of Login Users Screen

Click the Number of Login Users link to see the following screen.

Ta ble 22 Dashboard > System Status > DHCP Table

LABEL DESCRIPTION

# This field is a sequential value, and it is not associated with a specific entry.

Interface This field identifies the interface that assigned an IP address to a DHCP client.

IP Address This field displays the IP address currently assigned to a DHCP client or reserved

for a specific MAC address. Click the column’s heading cell to sort the table

entries by IP address. Click the heading cell again to reverse the sort order.

Host Name This field displays the name used to identify this device on the network (the

computer name). The ZyWALL/USG learns these from the DHCP client requests.

“None” shows here for a static DHCP entry.

MAC Address This field displays the MAC address to which the IP address is currently assigned

or for which the IP address is reserved. Click the column’s heading cell to sort

the table entries by MAC address. Click the heading cell again to reverse the sort

order.

Description For a static DHCP entry, the host name or the description you configured shows

here. This field is blank for dynamic DHCP entries.

Reserve If this field is selected, this entry is a static DHCP entry. The IP address is

reserved for the MAC address.

If this field is clear, this entry is a dynamic DHCP entry. The IP address is

assigned to a DHCP client.

To create a static DHCP entry using an existing dynamic DHCP entry, select this

field, and then click Apply.

To remove a static DHCP entry, clear this field, and then click Apply.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

Figure 80 Dashboard > System Status > Number of Login Users

This table describes the fields in the above screen.

5.2.6 System Resources Screen

Hover your mouse over an item and click the arrow on the right to see more details on that

resource.

Ta ble 23 Dashboard > System Status > Number of Login Users

LABEL DESCRIPTION

# This field is a sequential value and is not associated with any entry.

User ID This field displays the user name of each user who is currently logged in to the

ZyWALL/USG.

Reauth Lease T. This field displays the amount of reauthentication time remaining and the

amount of lease time remaining for each user.

Type This field displays the way the user logged in to the ZyWALL/USG.

IP address This field displays the IP address of the computer used to log in to the ZyWALL/

USG.

User Info This field displays the types of user accounts the ZyWALL/USG uses. If the user

type is ext-user (external user), this field will show its external-group

information when you move your mouse over it.

If the external user matches two external-group objects, both external-group

object names will be shown.

Force Logout Click this icon to end a user’s session.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

Figure 81 Dashboard > System Resources

This table describes the fields in the above screen.

5.2.7 CPU Usage Screen

Use the below screen to look at a chart of the ZyWALL/USG’s recent CPU usage. To access this

screen, click CPU Usage in the dashboard.

Ta ble 24 .Dashboard > System Resources

LABEL DESCRIPTION

CPU Usage This field displays what percentage of the ZyWALL/USG’s processing capability is

currently being used. Hover your cursor over this field to display the Show CPU

Usage icon that takes you to a chart of the ZyWALL/USG’s recent CPU usage.

Memory Usage This field displays what percentage of the ZyWALL/USG’s RAM is currently being

used. Hover your cursor over this field to display the Show Memory Usage icon

that takes you to a chart of the ZyWALL/USG’s recent memory usage.

Flash Usage This field displays what percentage of the ZyWALL/USG’s onboard flash memory

is currently being used.

USB Storage Usage This field shows how much storage in the USB device connected to the ZyWALL/

USG is in use.

Active Sessions This field shows how many sessions, established and non-established, that pass

through/from/to/within the ZyWALL. Hover your cursor over this field to display

icons. Click the Detail icon to go to the Session Monitor screen to see details

about the active sessions. Click the Show Active Sessions icon to display a

chart of ZyWALL/USG’s recent session usage.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

Figure 82 Dashboard > CPU Usage screen

This table describes the fields in the above screen.

5.2.8 Memory Usage Screen

Use the below screen to look at a chart of the ZyWALL/USG’s recent memory (RAM) usage. To

access this screen, click Memory Usage in the dashboard.

Figure 83 Dashboard > Memory Usage screen

Ta ble 25 Dashboard > CPU Usage

LABEL DESCRIPTION

The y-axis represents the percentage of CPU usage.

The x-axis shows the time period over which the CPU usage occurred

Refresh Interval Enter how often you want this window to be automatically updated.

Refresh Now Click this to update the information in the window right away.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

This table describes the fields in the above screen.

5.2.9 Active Session Screen

To see the details of Active Sessions, move the cursor to the far right of the Active Sessions box and

the Detail and the Show Active Session icons appear. Click the Show Active Session icon.

Figure 84 Dashboard > Active Sessions > Show Active Session

This table describes the fields in the above screen.

Ta ble 26 Dashboard > Memory Usage screen.

LABEL DESCRIPTION

The y-axis represents the percentage of RAM usage.

The x-axis shows the time period over which the RAM usage occurred

Refresh Interval Enter how often you want this window to be automatically updated.

Refresh Now Click this to update the information in the window right away.

Ta ble 27 Dashboard > Active Sessions > Show Active Session

Sessions The y-axis represents the number of session.

The x-axis shows the time period over which the session usage occurred

Refresh Interval Enter how often you want this window to be automatically updated.

Refresh Now Click this to update the information in the window right away.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

100

5.2.10 Extension Slot Screen

Figure 85 Dashboard > Extension Slot

This table describes the fields in the above screen.

5.2.11 Interface Status Summary Screen

Interfaces per ZyWALL/USG model vary.

Ta ble 28 Dashboard > Extension Slot

LABEL DESCRIPTION

Extension Slot This field displays the name of each extension slot.

Device This field displays the name of the device connected to the extension slot (or

none if no device is detected). For an installed SEM (Security Extension Module)

card, this field displays what kind of SEM card is installed.

SEM-VPN - The VPN accelerator. The SEM-VPN provides 500 Mbps VPN

throughput, 2,000 IPSec VPN tunnels, and 750 SSL VPN users.

SEM-DUAL - accelerator for both VPN and UTM. The SEM-DUAL provides the

benefits of the SEM-VPN and increases the maximum anti-virus and IDP traffic

throughput from 100 Mbps to 400 Mbps.

USB Flash Drive - Indicates a connected USB storage device and the drive’s

storage capacity.

Status The status for an installed WLAN card is none. For cellular (mobile broadband)

interfaces, see Section 6.10 on page 121 for the status that can appear. For an

installed SEM (Security Extension Module) card, this field displays one of the

following:

Active - The SEM card is working properly.

Ready to activate - The SEM was inserted while the ZyWALL/USG was

operating. Restart the ZyWALL/USG to use the SEM.

Driver load failed - An error occurred during the ZyWALL/USG’s attempt to

activate the SEM card. Make sure the SEM is installed properly and the

thumbscrews are tightened. If this status still displays, contact your vendor.

Ready - A USB storage device connected to the ZyWALL/USG is ready for the

ZyWALL/USG to use.

Unused - The ZyWALL/USG is unable to mount a USB storage device connected

to the ZyWALL/USG.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

101

Figure 86 Dashboard > Interface Status Summary

This table describes the fields in the above screen.

Ta ble 29 Dashboard > Interface Status Summary

LABEL DESCRIPTION

Name This field displays the name of each interface.

Status This field displays the current status of each interface. The possible values

depend on what type of interface it is.

For Ethernet interfaces:

Inactive - The Ethernet interface is disabled.

Down - The Ethernet interface does not have any physical ports associated with

it or the Ethernet interface is enabled but not connected.

Speed / Duplex - The Ethernet interface is enabled and connected. This field

displays the port speed and duplex setting (Full or Half).

For cellular (mobile broadband) interfaces, see Section 6.10 on page 121 for the

status that can appear.

For the auxiliary interface:

Inactive - The auxiliary interface is disabled.

Connected - The auxiliary interface is enabled and connected.

Disconnected - The auxiliary interface is not connected.

For PPP interfaces:

Connected - The PPP interface is connected.

Disconnected - The PPP interface is not connected.

If the PPP interface is disabled, it does not appear in the list.

For WLAN interfaces:

Up - The WLAN interface is enabled.

Down - The WLAN interface is disabled.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

102

5.2.12 Secured Service Status Screen

This part shows what Unified Threat Management (UTM) services are available and enabled.

Figure 87 Dashboard > Secured Service Status

This table describes the fields in the above screen.

HA Status This field displays the status of the interface in the virtual router.

Active - This interface is the master interface in the virtual router.

Stand-By - This interface is a backup interface in the virtual router.

Fault - This VRRP group is not functioning in the virtual router right now. For

example, this might happen if the interface is down.

n/a - Device HA is not active on the interface.

Zone This field displays the zone to which the interface is currently assigned.

IP Addr/Netmask This field displays the current IP address and subnet mask assigned to the

interface. If the IP address is 0.0.0.0/0.0.0.0, the interface is disabled or did not

receive an IP address and subnet mask via DHCP.

If this interface is a member of an active virtual router, this field displays the IP

address it is currently using. This is either the static IP address of the interface

(if it is the master) or the management IP address (if it is a backup).

IP Assignment This field displays the interface’s IP assignment. It will show DHCP or Static.

Action Use this field to get or to update the IP address for the interface.

Click Renew to send a new DHCP request to a DHCP server.

Click the Connect icon to have the ZyWALL/USG try to connect a PPPoE/PPTP

interface. If the interface cannot use one of these ways to get or to update its IP

address, this field displays n/a.

Click the Disconnect icon to stop a PPPoE/PPTP connection.

Ta ble 29 Dashboard > Interface Status Summary

LABEL DESCRIPTION

Ta ble 30 Dashboard > Secured Service Status

LABEL DESCRIPTION

# This field is a sequential value, and it is not associated with a specific status.

Status This field displays the status of the ZyWALL/USG’s secure services. It will show

four types of status, Licensed or Unlicensed or Disabled or Enabled.

Name This field displays the name of the service, for example Security Policy.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

103

5.2.13 Content Filter Statistics Screen

Configure Configuration > UTM Profile > Content Filter and then view results here.

Figure 88 Dashboard > Content Filter Statistics

This table describes the fields in the above screen.

5.2.14 Top 5 Viruses Screen

Figure 89 Dashboard > Top 5 Viruses

Version This field displays the version number of the services.

Expiration This field displays the expiration code of the services. For example, 364 means

Ta ble 30 Dashboard > Secured Service Status

LABEL DESCRIPTION

Ta ble 31 Dashboard > Content Filter Statistics

LABEL DESCRIPTION

Web Request Statistics

Total Web Pages

Inspected This is the number of web pages the ZyWALL/USG has checked to see whether

they belong to the categories you selected in the content filter screen.

Blocked This is the number of web pages that the ZyWALL/USG blocked access.

Warned This is the number of web pages for which the ZyWALL/USG has displayed a

warning message to the access requesters.

Passed This is the number of web pages that the ZyWALL/USG allowed access.

Category Hit Summary

Security Threat

(unsafe) This is the number of requested web pages that belong to the unsafe categories

you have selected in the content filter screen.

Managed Web pages This is the number of requested web pages that belong to the managed

categories you have selected in the content filter screen.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

104

This table describes the fields in the above screen.

5.2.15 Top 5 Intrusions Screen

Figure 90 Dashboard > Top 5 Intrusions

This table describes the fields in the above screen.

5.2.16 Top 5 IPv4/IPv6 Security Policy Rules that Blocked Traffic Screen

Figure 91 Dashboard > Top 5 IPv4/IPv6 Security Policy Rules that Blocked Traffic

This table describes the fields in the above screen.

Ta ble 32 Dashboard > Top 5 Viruses

LABEL DESCRIPTION

# This is the entry’s rank in the list of the most commonly detected viruses.

Virus ID This is the IDentification number of the anti-virus signature.

Virus Name This is the name of a detected virus.

Hits This is how many times the ZyWALL/USG has detected the event described in

the entry.

Ta ble 33 Dashboard > Top 5 Intrusions

LABEL DESCRIPTION

# This is the entry’s rank in the list of the most commonly triggered signature

policies.

Signature ID This is the identification number of the signature.

Signature Name This is the name of the signature.

Type This is the type of the signature, for example Schedule.

Severity This is the level of threat that the intrusions may pose.

Hits This is how many times the ZyWALL/USG has detected the event described in

the entry.

Ta ble 34 Dashboard > Top 5 IPv4/IPv6 Security Policy Rules that Blocked Traffic

LABEL DESCRIPTION

# This is the entry’s rank in the list of the most commonly triggered security

policies.

From This shows the zone packets came from that the triggered security policy.

Chapter 5 Dashboard

ZyWALL/USG Series User’s Guide

105

5.2.17 The Latest Alert Logs Screen

Figure 92 Dashboard > The Latest Alert Logs

This table describes the fields in the above screen.

To This shows the zone packets went to that the triggered security policy.

Description This field displays the descriptive name (if any) of the triggered security policy.

Hits This field displays how many times the security policy was triggered.

Ta ble 34 Dashboard > Top 5 IPv4/IPv6 Security Policy Rules that Blocked Traffic

LABEL DESCRIPTION

Ta ble 35 Dashboard > The Latest Alert Logs

LABEL DESCRIPTION

# This is the entry’s rank in the list of alert logs.

Time This field displays the date and time the log was created.

Priority This field displays the severity of the log.

Category This field displays the type of log generated.

Message This field displays the actual log message.

Source This field displays the source address (if any) in the packet that generated the

log.

Destination This field displays the destination address (if any) in the packet that generated

the log.

Source Interface This field displays the incoming interface of the packet that generated the log.

106

PART II

Technical Reference

107

ZyWALL/USG Series User’s Guide

108

CHAPTER 6

Monitor

6.1 Overview

Use the Monitor screens to check status and statistics information.

6.1.1 What You Can Do in this Chapter

Use the Monitor screens for the following.

•Use the System Status > Port Statistics screen (see Section 6.2 on page 109) to look at

packet statistics for each physical port.

•Use the System Status > Port Statistics > Graph View screen (see Section 6.2 on page 109)

to look at a line graph of packet statistics for each physical port.

•Use the System Status > Interface Status screen (Section 6.3 on page 111) to see all of the

ZyWALL/USG’s interfaces and their packet statistics.

•Use the System Status > Traffic Statistics screen (see Section 6.4 on page 114) to start or

stop data collection and view statistics.

•Use the System Status > Session Monitor screen (see Section 6.5 on page 117) to view

sessions by user or service.

•Use the System Status > IGMP Statistics screen (see Section 6.6 on page 118) to view

multicasting details.

•Use the System Status > DDNS Status screen (see Section 6.7 on page 119) to view the

status of the ZyWALL/USG’s DDNS domain names.

•Use the System Status > IP/MAC Binding screen (Section 6.8 on page 120) to view a list of

devices that have received an IP address from ZyWALL/USG interfaces with IP/MAC binding

enabled.

•Use the System Status > Login Users screen (Section 6.9 on page 120) to look at a list of the

users currently logged into the ZyWALL/USG.

•Use the System Status > Cellular Status screen (Section 6.10 on page 121) to check your

mobile broadband connection status.

•Use the System Status > UPnP Port Status screen (see Section 6.11 on page 125) to look at

a list of the NAT port mapping rules that UPnP creates on the ZyWALL/USG.

•Use the System Status > USB Storage screen (Section 6.12 on page 126) to view information

about a connected USB storage device.

•Use the System Status > Ethernet Neighbor screen (Section 6.13 on page 127) to view and

manage the ZyWALL/USG’s neighboring devices via Layer Link Discovery Protocol (LLDP).

•Use the Wireless > AP Information screen (Section 6.14.1 on page 128) to view information

on connected APs.

•Use the Wireless > Station Info screen (Section 6.14.5 on page 134) to view information on

connected wireless stations.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

109

•Use the Wireless > Detected Device screen (Section 6.14.5 on page 134) to view information

about suspected rogue APs.

•Use the VPN Monitor > IPSec screen (Section 6.15 on page 136) to display and manage active

IPSec SAs.

•Use the VPN Monitor > SSL screen (see Section 6.16 on page 137) to list the users currently

logged into the VPN SSL client portal. You can also log out individual users and delete related

session information.

•Use the VPN Monitor > L2TP over IPSec screen (see Section 6.17 on page 138) to display and

manage the ZyWALL/USG’s connected L2TP VPN sessions.

•Use the UTM Statistics > App Patrol screen (see Section 6.18 on page 139) to start or stop

data collection and view virus statistics

•Use the UTM Statistics > Content Filter screen (Section 6.19 on page 140) to start or stop

data collection and view content filter statistics.

•Use the UTM Statistics > IDP screen (Section 6.20 on page 142) to start or stop data collection

and view IDP statistics.

•Use the UTM Statistics > Anti-Virus screen (see Section 6.21 on page 144) to start or stop

data collection and view virus statistics.

•Use the UTM Statistics > Anti-Spam screen (Section 6.22 on page 145) to start or stop data

collection and view spam statistics.

•Use the UTM Statistics > Anti-Spam > Status screen (Section 6.22.2 on page 148) to see

how many mail sessions the ZyWALL/USG is currently checking and DNSBL statistics.

•Use the UTM Statistics > SSL Inspection screen (Section 6.23 on page 149) to see a report on

SSL Inspection and a certificate cache list.

•Use the Log screens (Section 6.24 on page 152) to view the ZyWALL/USG’s current log

messages. You can change the way the log is displayed, you can e-mail the log, and you can also

clear the log in this screen.

6.2 The Port Statistics Screen

Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen,

click Monitor > System Status > Port Statistics.

Figure 93 Monitor > System Status > Port Statistics

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

110

The following table describes the labels in this screen.

6.2.1 The Port Statistics Graph Screen

Use this screen to look at a line graph of packet statistics for each physical port. To access this

screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button.

Ta ble 36 Monitor > System Status > Port Statistics

LABEL DESCRIPTION

Poll Interval Enter how often you want this window to be updated automatically, and click Set

Interval.

Set Interval Click this to set the Poll Interval the screen uses.

Stop Click this to stop the window from updating automatically. You can start it again by setting

the Poll Interval and clicking Set Interval .

Switch to

Graphic View

Click this to display the port statistics as a line graph.

# This field is a sequential value, and it is not associated with a specific port.

Port This field displays the physical port number.

Status This field displays the current status of the physical port.

Down - The physical port is not connected.

Speed / Duplex - The physical port is connected. This field displays the port speed and

duplex setting (Full or Half).

TxPkts This field displays the number of packets transmitted from the ZyWALL/USG on the

physical port since it was last connected.

RxPkts This field displays the number of packets received by the ZyWALL/USG on the physical port

since it was last connected.

Collisions This field displays the number of collisions on the physical port since it was last connected.

Tx B/s This field displays the transmission speed, in bytes per second, on the physical port in the

one-second interval before the screen updated.

Rx B/s This field displays the reception speed, in bytes per second, on the physical port in the

one-second interval before the screen updated.

Up Time This field displays how long the physical port has been connected.

System Up Time This field displays how long the ZyWALL/USG has been running since it last restarted or

was turned on.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

111

Figure 94 Monitor > System Status > Port Statistics > Switch to Graphic View

The following table describes the labels in this screen.

6.3 Interface Status Screen

This screen lists all of the ZyWALL/USG’s interfaces and gives packet statistics for them. Click

Monitor > System Sta tus > Inte rface Status to access this screen.

Ta ble 37 Monitor > System Status > Port Statistics > Switch to Graphic View

LABEL DESCRIPTION

Refresh Interval Enter how often you want this window to be automatically updated.

Refresh Now Click this to update the information in the window right away.

Port Selection Select the number of the physical port for which you want to display graphics.

Switch to Grid

View

Click this to display the port statistics as a table.

bps The y-axis represents the speed of transmission or reception.

time The x-axis shows the time period over which the transmission or reception occurred

TX This line represents traffic transmitted from the ZyWALL/USG on the physical port since it

was last connected.

RX This line represents the traffic received by the ZyWALL/USG on the physical port since it

was last connected.

Last Update This field displays the date and time the information in the window was last updated.

System Up Time This field displays how long the ZyWALL/USG has been running since it last restarted or

was turned on.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

112

Figure 95 Monitor > System Status > Interface Status

Each field is described in the following table.

Ta ble 38 Monitor > System Status > Interface Status

LABEL DESCRIPTION

Interface Status If an Ethernet interface does not have any physical ports associated with it, its entry is

displayed in light gray text.

Name This field displays the name of each interface. If there is an Expand icon (plus-sign) next

to the name, click this to look at the status of virtual interfaces on top of this interface.

Port This field displays the physical port number.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

113

Status This field displays the current status of each interface. The possible values depend on what

type of interface it is.

For Ethernet interfaces:

•Inactive - The Ethernet interface is disabled.

•Down - The Ethernet interface does not have any physical ports associated with it or

the Ethernet interface is enabled but not connected.

•Speed / Duplex - The Ethernet interface is enabled and connected. This field displays

the port speed and duplex setting (Full or Half).

For cellular (mobile broadband) interfaces, see Section 6.12 on page 126 the Web Help for

the status that can appear.

For the auxiliary interface:

•Inactive - The auxiliary interface is disabled.

•Connected - The auxiliary interface is enabled and connected.

•Disconnected - The auxiliary interface is not connected.

For virtual interfaces, this field always displays Up. If the virtual interface is disabled, it

does not appear in the list.

For VLAN and bridge interfaces, this field always displays Up. If the VLAN or bridge

interface is disabled, it does not appear in the list.

For PPP interfaces:

•Connected - The PPP interface is connected.

•Disconnected - The PPP interface is not connected.

If the PPP interface is disabled, it does not appear in the list.

For WLAN interfaces:

•Up - The WLAN interface is enabled.

•Down - The WLAN interface is disabled.

HA Status This field displays the status of the interface in the virtual router.

•Active - This interface is the master interface in the virtual router.

•Stand-By - This interface is a backup interface in the virtual router.

•Fault - This VRRP group is not functioning in the virtual router right now. For example,

this might happen if the interface is down.

•n/a - Device HA is not active on the interface.

Zone This field displays the zone to which the interface is assigned.

IP Addr/Netmask This field displays the current IP address and subnet mask assigned to the interface. If the

IP address and subnet mask are 0.0.0.0, the interface is disabled or did not receive an IP

address and subnet mask via DHCP.

If this interface is a member of an active virtual router, this field displays the IP address it

is currently using. This is either the static IP address of the interface (if it is the master) or

the management IP address (if it is a backup).

IP Assignment This field displays how the interface gets its IP address.

•Static - This interface has a static IP address.

•DHCP Client - This interface gets its IP address from a DHCP server.

Services This field lists which services the interface provides to the network. Examples include

DHCP relay, DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface

does not provide any services to the network.

Action Use this field to get or to update the IP address for the interface. Click Renew to send a

new DHCP request to a DHCP server. Click Connect to try to connect a PPPoE/PPTP

interface. If the interface cannot use one of these ways to get or to update its IP address,

this field displays n/a.

Ta ble 38 Monitor > System Status > Interface Status (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

114

6.4 The Traffic Statistics Screen

Click Monitor > System Status > Traffic Statistics to display the Traffic Statistics screen. This

screen provides basic information about the following for example:

• Most-visited Web sites and the number of times each one was visited. This count may not be

accurate in some cases because the ZyWALL/USG counts HTTP GET packets. Please see Table 39

on page 115 for more information.

• Most-used protocols or service ports and the amount of traffic on each one

• LAN IP with heaviest traffic and how much traffic has been sent to and from each one

Tunnel Interface

Status

This displays the details of the ZyWALL/USG’s configured tunnel interfaces.

Name This field displays the name of the interface.

Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is

inactive.

Zone This field displays the zone to which the interface is assigned.

IP Address This is the IP address of the interface. If the interface is active (and connected), the

ZyWALL/USG tunnels local traffic sent to this IP address to the Remote Gateway

Address.

My Address This is the interface or IP address uses to identify itself to the remote gateway. The

ZyWALL/USG uses this as the source for the packets it tunnels to the remote gateway.

Remote Gateway

Address

This is the IP address or domain name of the remote gateway to which this interface

tunnels traffic.

Mode This field displays the tunnel mode that you are using.

Interface

Statistics

This table provides packet statistics for each interface.

Refresh Click this button to update the information in the screen.

Expand/Close Click this button to show or hide statistics for all the virtual interfaces on top of the

Ethernet interfaces.

Name This field displays the name of each interface. If there is a Expand icon (plus-sign) next to

the name, click this to look at the statistics for virtual interfaces on top of this interface.

Status This field displays the current status of the interface.

•Down - The interface is not connected.

•Speed / Duplex - The interface is connected. This field displays the port speed and

duplex setting (Full or Half).

This field displays Connected and the accumulated connection time (hh:mm:ss) when the

PPP interface is connected.

TxPkts This field displays the number of packets transmitted from the ZyWALL/USG on the

interface since it was last connected.

RxPkts This field displays the number of packets received by the ZyWALL/USG on the interface

since it was last connected.

Tx B/s This field displays the transmission speed, in bytes per second, on the interface in the one-

second interval before the screen updated.

Rx B/s This field displays the reception speed, in bytes per second, on the interface in the one-

second interval before the screen updated.

Ta ble 38 Monitor > System Status > Interface Status (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

115

You use the Traffic Statistics screen to tell the ZyWALL/USG when to start and when to stop

collecting information for these reports. You cannot schedule data collection; you have to start and

stop it manually in the Traffic Statistics screen.

Figure 96 Monitor > System Status > Traffic Statistics

There is a limit on the number of records shown in the report. Please see Table 40 on page 116 for

more information. The following table describes the labels in this screen.

Ta ble 39 Monitor > System Status > Traffic Statistics

LABEL DESCRIPTION

Data Collection

Collect Statistics Select this to have the ZyWALL/USG collect data for the report. If the ZyWALL/USG has

already been collecting data, the collection period displays to the right. The progress is not

tracked here real-time, but you can click the Refresh button to update it.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Statistics

Interface Select the interface from which to collect information. You can collect information from

Ethernet, VLAN, bridge and PPPoE/PPTP interfaces.

Sort By Select the type of report to display. Choices are:

•Host IP Address/User - displays the IP addresses or users with the most traffic and

how much traffic has been sent to and from each one.

•Service/Port - displays the most-used protocols or service ports and the amount of

traffic for each one.

•Web Site Hits - displays the most-visited Web sites and how many times each one has

been visited.

Each type of report has different information in the report (below).

Refresh Click this button to update the report display.

Flush Data Click this button to discard all of the screen’s statistics and update the report display.

These fields are available when the Traffic Type is Host IP Address/User.

# This field is the rank of each record. The IP addresses and users are sorted by the amount

of traffic.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

116

The following table displays the maximum number of records shown in the report, the byte count

limit, and the hit count limit.

Direction This field indicates whether the IP address or user is sending or receiving traffic.

•Ingress- traffic is coming from the IP address or user to the ZyWALL/USG.

•Egress - traffic is going from the ZyWALL/USG to the IP address or user.

IP Address/User This field displays the IP address or user in this record. The maximum number of IP

addresses or users in this report is indicated in Table 40 on page 116.

Amount This field displays how much traffic was sent or received from the indicated IP address or

user. If the Direction is Ingress, a red bar is displayed; if the Direction is Egress, a

blue bar is displayed. The unit of measure is bytes, Kbytes, Mbytes or Gbytes, depending

on the amount of traffic for the particular IP address or user. The count starts over at zero

if the number of bytes passes the byte count limit. See Table 40 on page 116.

These fields are available when the Traffic Type is Service/Port.

# This field is the rank of each record. The protocols and service ports are sorted by the

amount of traffic.

Service/Port This field displays the service and port in this record. The maximum number of services

and service ports in this report is indicated in Table 40 on page 116.

Protocol This field indicates what protocol the service was using.

Direction This field indicates whether the indicated protocol or service port is sending or receiving

traffic.

•Ingress - traffic is coming into the router through the interface

•Egress - traffic is going out from the router through the interface

Amount This field displays how much traffic was sent or received from the indicated service / port.

If the Direction is Ingress, a red bar is displayed; if the Direction is Egress, a blue bar

is displayed. The unit of measure is bytes, Kbytes, Mbytes, Gbytes, or Tbytes, depending

on the amount of traffic for the particular protocol or service port. The count starts over at

zero if the number of bytes passes the byte count limit. See Table 40 on page 116.

These fields are available when the Traffic Type is Web Site Hits.

# This field is the rank of each record. The domain names are sorted by the number of hits.

Web Site This field displays the domain names most often visited. The ZyWALL/USG counts each

page viewed on a Web site as another hit. The maximum number of domain names in this

report is indicated in Table 40 on page 116.

Hits This field displays how many hits the Web site received. The ZyWALL/USG counts hits by

counting HTTP GET packets. Many Web sites have HTTP GET references to other Web sites,

and the ZyWALL/USG counts these as hits too. The count starts over at zero if the number

of hits passes the hit count limit. See Table 40 on page 116.

Ta ble 40 Maximum Values for Reports

LABEL DESCRIPTION

Maximum Number of Records 20

Byte Count Limit 264 bytes; this is just less than 17 million terabytes.

Hit Count Limit 264 hits; this is over 1.8 x 1019 hits.

Ta ble 39 Monitor > System Status > Traffic Statistics (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

117

6.5 The Session Monitor Screen

The Session Monitor screen displays all established sessions that pass through the ZyWALL/USG

for debugging or statistical analysis. It is not possible to manage sessions in this screen. The

following information is displayed.

• User who started the session

• Protocol or service port used

• Source address

• Destination address

• Number of bytes received (so far)

• Number of bytes transmitted (so far)

• Duration (so far)

You can look at all established sessions that passed through the ZyWALL/USG by user, service,

source IP address, or destination IP address. You can also filter the information by user, protocol /

service or service group, source address, and/or destination address and view it by user.

Click Monitor > System Status > Session Monitor to display the following screen.

Figure 97 Monitor > System Status > Session Monitor

The following table describes the labels in this screen.

Ta ble 41 Monitor > System Status > Session Monitor

LABEL DESCRIPTION

View Select how you want the established sessions that passed through the ZyWALL/USG to be

displayed. Choices are:

•sessions by users - display all active sessions grouped by user

•sessions by services - display all active sessions grouped by service or protocol

•sessions by source IP - display all active sessions grouped by source IP address

•sessions by destination IP - display all active sessions grouped by destination IP

address

•all sessions - filter the active sessions by the User, Service, Source Address, and

Destination Address, and display each session individually (sorted by user).

Refresh Click this button to update the information on the screen. The screen also refreshes

automatically when you open and close the screen.

The User, Service, Source Address, and Destination Address fields display if you view

all sessions. Select your desired filter criteria and click the Refresh button to filter the list

of sessions.

User This field displays when View is set to all sessions. Type the user whose sessions you

want to view. It is not possible to type part of the user name or use wildcards in this field;

you must enter the whole user name.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

118

6.6 IGMP Statistics

The Internet Group Management Protocol (IGMP) Statistics is used by ZyWALL/USG IP hosts to

inform adjacent router about multicast group memberships. It can also be used for one-to-many

networking applications such as online streaming video and gaming, distribution of company

newsletters, updating address book of mobile computer users in the field allowing more efficient

use of resources when supporting these types of applications. Click Monitor > System Status >

IGMP Statistics to open the following screen.

Service This field displays when View is set to all sessions. Select the service or service group

whose sessions you want to view. The ZyWALL/USG identifies the service by comparing

the protocol and destination port of each packet to the protocol and port of each services

that is defined.

Source This field displays when View is set to all sessions. Type the source IP address whose

sessions you want to view. You cannot include the source port.

Destination This field displays when View is set to all sessions. Type the destination IP address

whose sessions you want to view. You cannot include the destination port.

Rx This field displays the amount of information received by the source in the active session.

Tx This field displays the amount of information transmitted by the source in the active

session.

Duration This field displays the length of the active session in seconds.

Active Sessions This is the total number of established sessions that passed through the ZyWALL which

matched the search criteria.

Show Select the number of active sessions displayed on each page. You can use the arrow keys

on the right to change pages.

# This field is the rank of each record. The names are sorted by the name of user in active

session. You can use the pull down menu on the right to choose sorting method.

User This field displays the user in each active session.

If you are looking at the sessions by users (or all sessions) report, click + or - to

display or hide details about a user’s sessions.

Service This field displays the protocol used in each active session.

If you are looking at the sessions by services report, click + or - to display or hide

details about a protocol’s sessions.

Source This field displays the source IP address and port in each active session.

If you are looking at the sessions by source IP report, click + or - to display or hide

details about a source IP address’s sessions.

Destination This field displays the destination IP address and port in each active session.

If you are looking at the sessions by destination IP report, click + or - to display or

hide details about a destination IP address’s sessions.

Rx This field displays the amount of information received by the source in the active session.

Tx This field displays the amount of information transmitted by the source in the active

session.

Duration This field displays the length of the active session in seconds.

Ta ble 41 Monitor > System Status > Session Monitor (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

119

Figure 98 Monitor > System Status > IGMP Statistics

The following table describes the labels in this screen.

6.7 The DDNS Status Screen

The DDNS Status screen shows the status of the ZyWALL/USG’s DDNS domain names. Click

Monitor > System Stat us > DDNS Sta tus to open the following screen.

Figure 99 Monitor > System Status > DDNS Status

The following table describes the labels in this screen.

Ta ble 42 Monitor > System Status > IGMP Statistics

LABEL DESCRIPTION

# This field is a sequential value, and it is not associated with a specific I GMP

Statistics.

Group This field displays the group of devices in the IGMP.

Source IP This field displays the host source IP information of the IGMP.

Incoming Interface This field displays the incoming interface that’s connected on the IGMP.

Packet Count This field displays the packet size of the data being transferred.

Bytes This field displays the size of the data being transferred in Byes.

Outgoing Interface This field displays the outgoing interface that’s connected on the IGMP.

Ta ble 43 Monitor > System Status > DDNS Status

LABEL DESCRIPTION

Update Click this to have the ZyWALL/USG update the profile to the DDNS server. The

ZyWALL/USG attempts to resolve the IP address for the domain name.

# This field is a sequential value, and it is not associated with a specific DDNS server.

Profile Name This field displays the descriptive profile name for this entry.

Domain Name This field displays each domain name the ZyWALL/USG can route.

Effective IP This is the (resolved) IP address of the domain name.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

120

6.8 IP/MAC Binding

Click Monitor > Sy st em St atus > IP/MAC Binding to open the IP/MAC Binding screen. This

screen lists the devices that have received an IP address from ZyWALL/USG interfaces with IP/MAC

binding enabled and have ever established a session with the ZyWALL/USG. Devices that have

never established a session with the ZyWALL/USG do not display in the list.

Figure 100 Monitor > System Status > IP/MAC Binding

The following table describes the labels in this screen.

6.9 The Login Users Screen

Use this screen to look at a list of the users currently logged into the ZyWALL/USG. To access this

screen, click Monitor > System Status > Login Users.

Last Update Status This shows whether the last attempt to resolve the IP address for the domain name

was successful or not. Updating means the ZyWALL/USG is currently attempting to

resolve the IP address for the domain name.

Last Update Time This shows when the last attempt to resolve the IP address for the domain name

occurred (in year-month-day hour:minute:second format).

Ta ble 43 Monitor > System Status > DDNS Status (continued)

LABEL DESCRIPTION

Ta ble 44 Monitor > System Status > IP/MAC Binding

LABEL DESCRIPTION

Interface Select a ZyWALL/USG interface that has IP/MAC binding enabled to show to which

devices it has assigned an IP address.

#This field is a sequential value, and it is not associated with a specific IP/MAC binding

entry.

IP Address This is the IP address that the ZyWALL/USG assigned to a device.

Host Name This field displays the name used to identify this device on the network (the computer

name). The ZyWALL/USG learns these from the DHCP client requests.

MAC Address This field displays the MAC address to which the IP address is currently assigned.

Last Access This is when the device last established a session with the ZyWALL/USG through this

interface.

Description This field displays the description of the IP/MAC binding.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

121

Figure 101 Monitor > System Status > Login Users

The following table describes the labels in this screen.

6.10 Cellular Status Screen

This screen displays your mobile broadband connection status. Click Monitor > System Status >

Cellular Status to display this screen.

Figure 102 Monitor > System Status > Cellular Status

Ta ble 45 Monitor > System Status > Login Users

LABEL DESCRIPTION

Force Logout Select a user ID and click this icon to end a user’s session.

# This field is a sequential value and is not associated with any entry.

User ID This field displays the user name of each user who is currently logged in to the

ZyWALL/USG.

Reauth Lease T. This field displays the amount of reauthentication time remaining and the amount of

lease time remaining for each user.

Type This field displays the way the user logged in to the ZyWALL/USG.

IP Address This field displays the IP address of the computer used to log in to the ZyWALL/USG.

User Info This field displays the types of user accounts the ZyWALL/USG uses. If the user type

is ext-user (external user), this field will show its external-group information when

you move your mouse over it.

If the external user matches two external-group objects, both external-group object

names will be shown.

Refresh Click this button to update the information in the screen.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

122

The following table describes the labels in this screen.

Ta ble 46 Monitor > System Status > Cellular Status

LABEL DESCRIPTION

Refresh Click this button to update the information in the screen.

More Information Click this to display more information on your mobile broadband, such as the

signal strength, IMEA/ESN and IMSI. This is only available when the mobile

broadband device attached and activated on your ZyWALL/USG. Refer to Section

6.10.1 on page 124.

# This field is a sequential value, and it is not associated with any interface.

Extension Slot This field displays where the entry’s cellular card is located.

Connected Device This field displays the model name of the cellular card.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

123

Status • No device - no mobile broadband device is connected to the ZyWALL/USG.

•No Service - no mobile broadband network is available in the area; you

cannot connect to the Internet.

•Limited Service - returned by the service provider in cases where the SIM

card is expired, the user failed to pay for the service and so on; you cannot

connect to the Internet.

•Device detected - displays when you connect a mobile broadband device.

•Device error - a mobile broadband device is connected but there is an error.

•Probe device fail - the ZyWALL/USG’s test of the mobile broadband device

failed.

•Probe device ok - the ZyWALL/USG’s test of the mobile broadband device

succeeded.

•Init device fail - the ZyWALL/USG was not able to initialize the mobile

broadband device.

•Init device ok - the ZyWALL/USG initialized the mobile broadband card.

•Check lock fa il - the ZyWALL/USG’s check of whether or not the mobile

broadband device is locked failed.

•Device locked - the mobile broadband device is locked.

•SIM error - there is a SIM card error on the mobile broadband device.

•SIM locked-PUK - the PUK is locked on the mobile broadband device’s SIM

card.

•SIM locked-PIN - the PIN is locked on the mobile broadband device’s SIM

card.

•Unlock PUK fail - Your attempt to unlock a WCDMA mobile broadband

device’s PUK failed because you entered an incorrect PUK.

•Unlock PIN fail - Your attempt to unlock a WCDMA mobile broadband device’s

PIN failed because you entered an incorrect PIN.

•Unlock device fail - Your attempt to unlock a CDMA2000 mobile broadband

device failed because you entered an incorrect device code.

•Device unlocked - You entered the correct device code and unlocked a

CDMA2000 mobile broadband device.

•Get dev-info fail - The ZyWALL/USG cannot get cellular device information.

•Get dev-info ok - The ZyWALL/USG succeeded in retrieving mobile broadband

device information.

•Searching network - The mobile broadband device is searching for a

network.

•Get signal fail - The mobile broadband device cannot get a signal from a

network.

•Network found - The mobile broadband device found a network.

•Apply conf ig - The ZyWALL/USG is applying your configuration to the mobile

broadband device.

•Inactive - The mobile broadband interface is disabled.

•Active - The mobile broadband interface is enabled.

•Incorrect device - The connected mobile broadband device is not compatible

with the ZyWALL/USG.

•Correct device - The ZyWALL/USG detected a compatible mobile broadband

device.

•Set band fail - Applying your band selection was not successful.

•Set band ok - The ZyWALL/USG successfully applied your band selection.

•Set profile fail - Applying your ISP settings was not successful.

•Set profile ok - The ZyWALL/USG successfully applied your ISP settings.

•PPP fail - The ZyWALL/USG failed to create a PPP connection for the cellular

interface.

•Need auth-password - You need to enter the password for the mobile

broadband card in the cellular edit screen.

•Device ready - The ZyWALL/USG successfully applied all of your configuration

and you can use the mobile broadband connection.

Service Provider This displays the name of your network service provider. This shows Limited

Service if the service provider has stopped service to the mobile broadband card.

For example if the bill has not been paid or the account has expired.

Ta ble 46 Monitor > System Status > Cellular Status (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

124

6.10.1 More Information

This screen displays more information on your mobile broadband, such as the signal strength,

IMEA/ESN and IMSI that helps identify your mobile broadband device and SIM card. Click Monitor

> System Status > More Information to display this screen.

Note: This screen is only available when the mobile broadband device is attached to and

activated on the ZyWALL/USG.

Figure 103 Monitor > System Status > More Information

The following table describes the labels in this screen.

Cellular System This field displays what type of cellular network the mobile broadband connection

is using. The network type varies depending on the mobile broadband card you

inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a

GSM mobile broadband card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you

insert a CDMA mobile broadband card.

Signal Quality This displays the strength of the signal. The signal strength mainly depends on the

antenna output power and the distance between your ZyWALL/USG and the

service provider’s base station.

Ta ble 46 Monitor > System Status > Cellular Status (continued)

LABEL DESCRIPTION

Ta ble 47 Monitor > System Status > More Information

LABEL DESCRIPTION

Extension Slot This field displays where the entry’s cellular card is located.

Service Provider This displays the name of your network service provider. This shows Limited

Service if the service provider has stopped service to the mobile broadband card.

For example if the bill has not been paid or the account has expired.

Cellular System This field displays what type of cellular network the mobile broadband connection is

using. The network type varies depending on the mobile broadband card you

inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a

GSM mobile broadband card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you

insert a CDMA mobile broadband card.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

125

6.11 The UPnP Port Status Screen

Use this screen to look at the NAT port mapping rules that UPnP creates on the ZyWALL/USG. To

access this screen, click Monitor > System Status > UPnP Port Status.

Figure 104 Monitor > System Status > UPnP Port Status

The following table describes the labels in this screen.

Signal Strength This is the Signal Quality measured in dBm.

Signal Quality This displays the strength of the signal. The signal strength mainly depends on the

antenna output power and the distance between your ZyWALL/USG and the service

provider’s base station.

Device Manufacturer This shows the name of the company that produced the mobile broadband device.

Device Model This field displays the model name of the cellular card.

Device Firmware This shows the software version of the mobile broadband device.

Device IMEI/ESN IMEI (International Mobile Equipment Identity) is a 15-digit code in decimal format

that identifies the mobile broadband device.

ESN (Electronic Serial Number) is an 8-digit code in hexadecimal format that

identifies the mobile broadband device.

SIM Card IMSI IMSI (International Mobile Subscriber Identity) is a 15-digit code that identifies the

SIM card.

Ta ble 47 Monitor > System Status > More Information (continued)

LABEL DESCRIPTION

Ta ble 48 Monitor > System Status > UPnP Port Status

LABEL DESCRIPTION

Remove Select an entry and click this button to remove it from the list.

# This is the index number of the UPnP-created NAT mapping rule entry.

Remote Host This field displays the source IP address (on the WAN) of inbound IP packets. Since this is

often a wildcard, the field may be blank.

When the field is blank, the ZyWALL/USG forwards all traffic sent to the External Port

on the WAN interface to the Internal Client on the Internal Port.

When this field displays an external IP address, the NAT rule has the ZyWALL/USG

forward inbound packets to the Internal Client from that IP address only.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

126

6.12 USB Storage Screen

This screen displays information about a connected USB storage device. Click Monitor > System

Status > USB Storage to display this screen.

Figure 105 Monitor > System Status > USB Storage

The following table describes the labels in this screen.

External Port This field displays the port number that the ZyWALL/USG “listens” on (on the WAN port)

for connection requests destined for the NAT rule’s Internal Port and Internal Client.

The ZyWALL/USG forwards incoming packets (from the WAN) with this port number to

the Internal Client on the Internal Port (on the LAN). If the field displays “0”, the

ZyWALL/USG ignores the Internal Port value and forwards requests on all external port

numbers (that are otherwise unmapped) to the Internal Client.

Protocol This field displays the protocol of the NAT mapping rule (TCP or UDP).

Internal Port This field displays the port number on the Internal Client to which the ZyWALL/USG

should forward incoming connection requests.

Internal Client This field displays the DNS host name or IP address of a client on the LAN. Multiple NAT

clients can use a single port simultaneously if the internal client field is set to

255.255.255.255 for UDP mappings.

Internal Client

Type

This field displays the type of the client application on the LAN.

Description This field displays a text explanation of the NAT mapping rule.

Delete All Click this to remove all mapping rules from the NAT table.

Refresh Click this button to update the information in the screen.

Ta ble 48 Monitor > System Status > UPnP Port Status (continued)

LABEL DESCRIPTION

Ta ble 49 Monitor > System Status > USB Storage

LABEL DESCRIPTION

Device description This is a basic description of the type of USB device.

Usage This field displays how much of the USB storage device’s capacity is currently being

used out of its total capacity and what percentage that makes.

Filesystem This field displays what file system the USB storage device is formatted with. This

field displays Unknown if the file system of the USB storage device is not

supported by the ZyWALL/USG, such as NTFS.

Speed This field displays the connection speed the USB storage device supports.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

127

6.13 Ethernet Neighbor Screen

The Ethernet Neighbor screen allows you to view the ZyWALL/USG’s neighboring devices in one

place.

It uses Smart Connect, that is Link Layer Discovery Protocol (LLDP) for discovering and configuring

LLDP-aware devices in the same broadcast domain as the ZyWALL/USG that you’re logged into

using the web configurator.

LLDP is a layer-2 protocol that allows a network device to advertise its identity and capabilities on

the local network. It also allows the device to maintain and store information from adjacent devices

which are directly connected to the network device. This helps you discover network changes and

perform necessary network reconfiguration and management.

Note: Enable Smart Connect in the System > ZON screen.

See also System > ZON for more information on the ZyXEL One Network (ZON) utility that uses

the ZyXEL Discovery Protocol (ZDP) for discovering and configuring ZDP-aware ZyXEL devices in

the same network as the computer on which the ZON utility is installed.

Click Monitor > System Status > Ethernet Neighbor to see the following screen

Figure 106 Monitor > System Status > Ethernet Neighbor

Status Ready - you can have the ZyWALL/USG use the USB storage device.

Click Remove Now to stop the ZyWALL/USG from using the USB storage device so

you can remove it.

Unused - the connected USB storage device was manually unmounted by using

the Remove Now button or for some reason the ZyWALL/USG cannot mount it.

Click Use It to have the ZyWALL/USG mount a connected USB storage device. This

button is grayed out if the file system is not supported (unknown) by the ZyWALL/

USG.

none - no USB storage device is connected.

Detail This field displays any other information the ZyWALL/USG retrieves from the USB

storage device.

•Deactivated - the use of a USB storage device is disabled (turned off) on the

ZyWALL/USG.

•OutofSpace - the available disk space is less than the disk space full threshold.

•Mounting - the ZyWALL/USG is mounting the USB storage device.

•Removing - the ZyWALL/USG is unmounting the USB storage device.

•none - the USB device is operating normally or not connected.

Ta ble 49 Monitor > System Status > USB Storage (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

128

The following table describes the fields in the previous screen.

6.14 Wireless

Wireless contains AP information and Station Info menus.

6.14.1 Wireless AP Information: AP List

The AP Information menu contains AP List and Radio List screens. Click Monitor > Wireless >

AP Information to display the AP List screen.

Figure 107 Monitor > Wireless > AP List

The following table describes the labels in this screen.

Ta ble 50 Monitor > System Status > Ethernet Neighbor

LABEL DESCRIPTION

Local Port (Description) This field displays the port of the ZyWALL/USG, on which the neighboring device is

discovered.

For ZyWALL/USGs that support Port Role, if ports 3 to 5 are grouped together

and there is a connection to P5 only, the ZyWALL/USG will display P3 as the

interface port number (even though there is no connection to that port).

Model Name This field displays the model name of the discovered device.

System Name This field displays the system name of the discovered device.

Firmware Version This field displays the firmware version of the discovered device.

Port (Description) This field displays the first internal port on the discovered device. Internal is an

interface type displayed in the Network > Interface > Ethernet > Edit screen.

For example, if P1 and P2 are WAN, P3 to P5 are LAN, and P6 is DMZ, then

ZyWALL/USG will display P3 as the first internal interface port number.

For ZyWALL/USGs that support Port Role, if ports 3 to 5 are grouped together

and there is a connection to P5 only, the ZyWALL/USG will display P3 as the first

internal interface port number (even though there is no connection to that port).

IP Address This field displays the IP address of the discovered device.

MAC Address This field displays the MAC address of the discovered device.

Refresh Click this button to update the information in the screen.

Ta ble 51 Monitor > Wireless > AP Information

LABEL DESCRIPTION

Add to Mgnt AP List Click this to add new Access Points

More Information Click this icon to see AP Information and Station count.

# This field is a sequential value, and it is not associated with a specific AP.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

129

The following table describes the icons in this screen.

6.14.2 AP List More Information

Use this screen to look at station statistics for the connected AP. To access this screen, select an

entry and click the More Information button in the AP List screen. Use this screen to look at

Status This field displays the on-line or off-line status of the AP, move the cursor to the

AP icon and a status pop up message will appear.

Registration This field displays the registration information of the AP. You can set the AP’s

registration at Configuration > Wireless > Controller screen. APs must be

connected to the ZyWALL/USG by a wired connection or network.

IP Address This field displays the IP address of the AP.

MAC Address This field displays the MAC address of the AP.

Model This field displays the AP’s hardware model information. It displays N/A (not

applicable) only when the AP disconnects from the ZyWALL/USG and the

information is unavailable as a result.

Mgnt. VLAN ID (AC/AP) This displays the Access Controller (the ZyWALL/USG) and runtime management

VLAN ID setting for the AP. VLAN Conflict displays if the AP’s management

VLAN ID does not match the Mgmnt. VLAN ID(AC). This field displays n/a if

the ZyWALL/USG cannot get VLAN information from the AP.

Description This field displays the AP’s description, which you can configure by selecting the

AP’s entry and clicking the Edit button.

Station This field displays the station count information.

Recent On-Line This field displays the latest date and time that the AP was logged on.

Last Off-Line This field displays the date and time that the AP was last logged out.

Ta ble 52 Monitor > Wireless > AP Information > AP List Icons

LABEL DESCRIPTION

This AP is not on the management list.

This AP is on the management list and online.

This AP is in the process of having its firmware updated.

This AP is on the management list but offline.

This indicates one of the following cases:

• This AP has a runtime management VLAN ID setting that conflicts with the VLAN ID setting on

the Access Controller (the ZyWALL/USG).

• A setting the ZyWALL/USG assigns to this AP does not match the AP’s capability.

Ta ble 51 Monitor > Wireless > AP Information (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

130

configuration information, port status and station statistics for the connected AP. To access this

screen, select an entry and click the More Information button in the AP List screen.

Figure 108 Monitor > Wireless > AP Information > AP List > More Information

The following table describes the labels in this screen.

Ta ble 53 Monitor > Wireless > AP Information > AP List > More Information

LABEL DESCRIPTION

Configuration

Status

This displays whether or not any of the AP’s configuration is in conflict with the ZyWALL/

USG’s settings for the AP.

Non Support If any of the AP’s configuration conflicts with the ZyWALL/USG’s settings for the AP, this

field displays which configuration conflicts. It displays n/a if none of the AP’s

configuration conflicts with the ZyWALL/USG’s settings for the AP.

Port Status

Port This shows the name of the physical Ethernet port on the ZyWALL/USG.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

131

6.14.3 Wireless AP Information: Radio List

Click Monitor > Wireless > AP Information > Radio List to display the Radio List screen.

Figure 109 Monitor > Wireless > Radio List

The following table describes the labels in this screen.

Status This field displays the current status of each physical port on the AP.

Down - The port is not connected.

Speed / Duplex - The port is connected. This field displays the port speed and duplex

setting (Full or Half).

PVID This shows the port’s PVID.

A PVID (Port VLAN ID) is a tag that adds to incoming untagged frames received on a port

so that the frames are forwarded to the VLAN group that the tag defines.

Up Time This field displays how long the physical port has been connected.

VLAN

Configuration

Name This shows the name of the VLAN.

Status This displays whether or not the VLAN is activated.

VID This shows the VLAN ID number.

Member This field displays the Ethernet port(s) that is a member of this VLAN.

Station Count

The y-axis represents the number of connected stations.

The x-axis shows the time over which a station was connected.

Last Update This field displays the date and time the information in the window was last updated.

Ta ble 53 Monitor > Wireless > AP Information > AP List > More Information (continued)

LABEL DESCRIPTION

Ta ble 54 Monitor > Wireless > Radio List

LABEL DESCRIPTION

More Information Click this icon to see the traffic statistics, station count, SSID, Security Mode and

VLAN ID information on the AP.

# This field is a sequential value, and it is not associated with a specific radio.

AP Description Enter a description for this AP. You can use up to 31 characters, spaces and

underscores allowed.

Model This field displays the AP’s hardware model information. It displays N/A (not

applicable) only when the AP disconnects from the ZyWALL/USG and the

information is unavailable as a result.

MAC Address This field displays the MAC address of the AP.

Radio This field displays the Radio number. For example 1.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

132

OP Mode This field displays the operating mode of the AP. It displays n/a for the profile

for a radio not using an AP profile.

AP Mode means the AP can receive connections from wireless clients and pass

their data traffic through to the ZyWALL/USG to be managed (or subsequently

passed on to an upstream gateway for managing).

Profile This field displays the AP Profile for the Radio. It displays n/A for the radio profile

not using an AP profile. It displays default if using a default profile.

Frequency Band This field displays the WLAN frequency band using the IEEE 802.11 a/b/g/n

standard of 2.4 or 5 GHz.

Channel ID This field displays the WLAN channels using the IEEE 802.11 protocols.

Station This field displays the station count information.

Rx PKT This field displays the data packets of incoming traffic on the AP.

Tx PKT This field displays the data packet of outgoing traffic on the AP.

Rx FCS Error Count This field displays the erroneous data packet count received and detected by

Frame Check Sequence (FCS)

Tx Retry Count This field displays the data packet count that were transmitted for retry.

Ta ble 54 Monitor > Wireless > Radio List

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

133

6.14.4 Radio List More Information

This screen allows you to view detailed information about a selected radio’s SSID(s), wireless traffic

and wireless clients for the preceding 24 hours. To access this window, select an entry and click the

More Information button in the Radio List screen.

Figure 110 Monitor > Wireless > AP Information > Radio List > More Information

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

134

The following table describes the labels in this screen.

6.14.5 Wireless Station Info

This screen displays information about connected wireless stations. Click Monitor > Wireless >

Station Information to display this screen.

Figure 111 Monitor > Wireless > Station List

The following table describes the labels in this screen.

Ta ble 55 Monitor > Wireless > AP Info > Radio List > More Information

LABEL DESCRIPTION

MBSSID Detail This list shows information about the SSID(s) that is associated with the radio over the

preceding 24 hours.

# This is the items sequential number in the list. It has no bearing on the actual data in this

list.

SSID Name This displays an SSID associated with this radio. There can be up to eight maximum.

BSSID This displays the MAC address associated with the SSID.

Security

Mode This displays the security mode in which the SSID is operating.

VLAN This displays the VLAN ID associated with the SSID.

Traffic Statistics This graph displays the overall traffic information about the radio over the preceding 24

hours.

y-axis This axis represents the amount of data moved across this radio in megabytes per second.

x-axis This axis represents the amount of time over which the data moved across this radio.

Station Count This graph displays information about all the wireless clients that have connected to the

radio over the preceding 24 hours.

y-axis The y-axis represents the number of connected wireless clients.

x-axis The x-axis shows the time over which a wireless client was connected.

Last Update This field displays the date and time the information in the window was last updated.

OK Click this to close this window.

Cancel Click this to close this window.

Ta ble 56 Monitor > Wireless > Station List

LABEL DESCRIPTION

# This field is a sequential value, and it is not associated with a specific station.

MAC Address This field displays the MAC address of the station.

Associated AP This field displays the APs that are associated with the station.

SSID Name This field displays the SSID names of the station.

Security Mode This field displays the security mode the station is using.

Signal Strength This field displays the signal strength of the station.

IP Address This field displays the IP address of the station.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

135

6.14.6 Detected Device

Use this screen to view information about wireless devices detected by the AP. Click Monitor >

Wireless > Detected Device to access this screen.

Note: At least one radio of the APs connected to the ZyWALL/USG must be set to monitor

mode (in the Configuration > Wireless > AP Management screen) in order to

detect other wireless devices in its vicinity.

Figure 112 Monitor > Wireless > Detected Device

The following table describes the labels in this screen.

Tx Rate This field displays the transmit data rate of the station.

Rx Rate This field displays the receive data rate of the station.

Association Time This field displays the time duration the station was online and offline.

Ta ble 56 Monitor > Wireless > Station List

LABEL DESCRIPTION

Ta ble 57 Monitor > Wireless > Detected Device

LABEL DESCRIPTION

Mark as Rogue

Click this button to mark the selected AP as a rogue AP. A rogue AP can be contained in the

Configuration > Wireless > MON Mode screen.

Mark as Friendly

Click this button to mark the selected AP as a friendly AP. For more on managing friendly

APs, see the Configuration > Wireless > MON Mode screen.

# This is the station’s index number in this list.

Status This indicates the detected device’s status.

Device This indicates the detected device’s network type (such as infrastructure or ad-hoc).

Role This indicates the detected device’s role (such as friendly or rogue).

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

136

6.15 The IPSec Monitor Screen

You can use the IPSec Monitor screen to display and to manage active IPSec To access this

screen, click Monitor > VPN Monitor > IPSec. The following screen appears. SAs. Click a

column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again

to reverse the sort order.

Figure 113 Monitor > VPN Monitor > IPSec

Each field is described in the following table.

MAC Address This indicates the detected device’s MAC address.

SSID Name This indicates the detected device’s SSID.

Channel ID This indicates the detected device’s channel ID.

802.11 Mode This indicates the 802.11 mode (a/b/g/n) transmitted by the detected device.

Security This indicates the encryption method (if any) used by the detected device.

Description This displays the detected device’s description. For more on managing friendly and rogue

APs, see the Configuration > Wireless > MON Mode screen.

Last Seen This indicates the last time the device was detected by the ZyWALL/USG.

Refresh Click this to refresh the items displayed on this page.

Ta ble 57 Monitor > Wireless > Detected Device (continued)

LABEL DESCRIPTION

Ta ble 58 Monitor > VPN Monitor > IPSec

LABEL DESCRIPTION

Name Type the name of a IPSec SA here and click Search to find it (if it is associated).

You can use a keyword or regular expression. Use up to 30 alphanumeric and

_+-.()!$*^:?|{}[]<>/ characters. See Section 6.15.1 on page 137 for more

details.

Policy Type the IP address(es) or names of the local and remote policies for an IPSec SA

and click Search to find it. You can use a keyword or regular expression. Use up

to 30 alphanumeric and _+-.()!$*^:?|{}[]<>/ characters. See Section 6.15.1

on page 137 for more details.

Search Click this button to search for an IPSec SA that matches the information you

specified above.

Disconnect Select an IPSec SA and click this button to disconnect it.

# This field is a sequential value, and it is not associated with a specific SA.

Name This field displays the name of the IPSec SA.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

137

6.15.1 Regular Expressions in Searching IPSec SAs

A question mark (?) lets a single character in the VPN connection or policy name vary. For example,

use “a?c” (without the quotation marks) to specify abc, acc and so on.

Wildcards (*) let multiple VPN connection or policy names match the pattern. For example, use

“*abc” (without the quotation marks) to specify any VPN connection or policy name that ends with

“abc”. A VPN connection named “testabc” would match. There could be any number (of any type) of

characters in front of the “abc” at the end and the VPN connection or policy name would still match.

A VPN connection or policy name named “testacc” for example would not match.

A * in the middle of a VPN connection or policy name has the ZyWALL/USG check the beginning and

end and ignore the middle. For example, with “abc*123”, any VPN connection or policy name

starting with “abc” and ending in “123” matches, no matter how many characters are in between.

The whole VPN connection or policy name has to match if you do not use a question mark or

asterisk.

6.16 The SSL Screen

The ZyWALL/USG keeps track of the users who are currently logged into the VPN SSL client. Click

Monitor > VPN Monitor > SSL to display the user list.

Use this screen to do the following:

• View a list of active SSL VPN connections.

• Log out individual users and delete related session information.

Once a user logs out, the corresponding entry is removed from the screen.

Policy This field displays the content of the local and remote policies for this IPSec SA.

The IP addresses, not the address objects, are displayed.

IKE Name This field displays the Internet Key Exchange (IKE) name.

Cookies This field displays the cookies information that initiates the IKE.

My Address This field displays the IP address of local computer.

Secure Gateway This field displays the secure gateway information.

Up Time This field displays how many seconds the IPSec SA has been active. This field

displays N/A if the IPSec SA uses manual keys.

Timeout This field displays how many seconds remain in the SA life time, before the

ZyWALL/USG automatically disconnects the IPSec SA. This field displays N/A if

the IPSec SA uses manual keys.

Inbound (Bytes) This field displays the amount of traffic that has gone through the IPSec SA from

the remote IPSec router to the ZyWALL/USG since the IPSec SA was established.

Outbound (Bytes) This field displays the amount of traffic that has gone through the IPSec SA from

the ZyWALL/USG to the remote IPSec router since the IPSec SA was established.

Ta ble 58 Monitor > VPN Monitor > IPSec (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

138

Figure 114 Monitor > VPN Monitor > SSL

The following table describes the labels in this screen.

6.17 The L2TP over IPSec Session Monitor Screen

Click Monitor > VPN Monitor > L2TP over IPSec to open the following screen. Use this screen

to display and manage the ZyWALL/USG’s connected L2TP VPN sessions.

Figure 115 Monitor > VPN Monitor > L2TP over IPSec

The following table describes the fields in this screen.

Ta ble 59 Monitor > VPN Monitor > SSL

LABEL DESCRIPTION

Disconnect Select a connection and click this button to terminate the user’s connection and

delete corresponding session information from the ZyWALL/USG.

Refresh Click Refresh to update this screen.

# This field is a sequential value, and it is not associated with a specific SSL.

User This field displays the account user name used to establish this SSL VPN connection.

Access This field displays the name of the SSL VPN application the user is accessing.

Connected Time This field displays the time this connection was established.

Inbound (Bytes) This field displays the number of bytes received by the ZyWALL/USG on this

connection.

Outbound (Bytes) This field displays the number of bytes transmitted by the ZyWALL/USG on this

connection.

Ta ble 60 Monitor > VPN Monitor > L2TP over IPSec

LABEL DESCRIPTION

Disconnect Select a connection and click this button to disconnect it.

Refresh Click Refresh to update this screen.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

139

6.18 The App Patrol Screen

Application patrol provides a convenient way to manage the use of various applications on the

network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM),

peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RSTP) applications. You can even control

the use of a particular application’s individual features (like text messaging, voice, video

conferencing, and file transfers).

Click Monitor > UTM Statistics > App Patrol to display the following screen. This screen displays

Application Patrol statistics based on the App Patrol profiles bound to Security Policy profiles.

Figure 116 Monitor > UTM Statistics > App Patrol

The following table describes the labels in this screen.

# This field is a sequential value, and it is not associated with a specific L2TP VPN

session.

User Name This field displays the remote user’s user name.

Hostname This field displays the name of the computer that has this L2TP VPN connection

with the ZyWALL/USG.

Assigned IP This field displays the IP address that the ZyWALL/USG assigned for the remote

user’s computer to use within the L2TP VPN tunnel.

Public IP This field displays the public IP address that the remote user is using to connect to

the Internet.

Ta ble 60 Monitor > VPN Monitor > L2TP over IPSec (continued)

LABEL DESCRIPTION

Ta ble 61 Monitor > UTM Statistics > App Patrol

LABEL DESCRIPTION

Collect Statistics Select this check box to have the ZyWALL/USG collect app patrol statistics.

The collection starting time displays after you click Apply. All of the statistics in

this screen are for the time period starting at the time displayed here. The

format is year, month, day and hour, minute, second. All of the statistics are

erased if you restart the ZyWALL/USG or click Flush Data. Collecting starts over

and a new collection start time displays.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Refresh Click this button to update the report display.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

140

6.19 The Content Filter Screen

Click Monitor > UT M Statistics > Content Filt er to display the following screen. This screen

displays content filter statistics.

Flush Data Click this button to discard all of the screen’s statistics and update the report

display.

App Patrol Statistics

# This field is a sequential value, and it is not associated with a specific App Patrol

session.

Application This is the protocol.

Forwarded Data (KB) This is how much of the application’s traffic the ZyWALL/USG has sent (in

kilobytes).

Dropped Data (KB) This is how much of the application’s traffic the ZyWALL/USG has discarded

without notifying the client (in kilobytes). This traffic was dropped because it

matched an application policy set to “drop”.

Rejected Data (KB) This is how much of the application’s traffic the ZyWALL/USG has discarded and

notified the client that the traffic was rejected (in kilobytes). This traffic was

rejected because it matched an application policy set to “reject”.

Matched Auto

Connection This is how much of the application’s traffic the ZyWALL/USG identified by

examining the IP payload.

Inbound Kbps This field displays the amount of the application’s traffic that has gone to the

ZyWALL (in kilo bits per second).

Outbound Kbps This field displays the amount of the application’s traffic that has gone from the

ZyWALL (in kilo bits per second).

Ta ble 61 Monitor > UTM Statistics > App Patrol

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

141

Figure 117 Monitor > UTM Statistics > Content Filter

The following table describes the labels in this screen.

Ta ble 62 Monitor > UTM Statistics > Content Filter

LABEL DESCRIPTION

General Settings

Collect Statistics Select this check box to have the ZyWALL/USG collect content filtering statistics.

The collection starting time displays after you click Apply. All of the statistics in this

screen are for the time period starting at the time displayed here. The format is

year, month, day and hour, minute, second. All of the statistics are erased if you

restart the ZyWALL/USG or click Flush Data. Collecting starts over and a new

collection start time displays.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Refresh Click this button to update the report display.

Flush Data Click this button to discard all of the screen’s statistics and update the report

display.

Web Request Statistics

Total Web Pages

Inspected

This field displays the number of web pages that the ZyWALL/USG’s content filter

feature has checked.

Blocked This is the number of web pages that the ZyWALL/USG blocked access.

Warned This is the number of web pages for which the ZyWALL/USG displayed a warning

message to the access requesters.

Passed This is the number of web pages to which the ZyWALL/USG allowed access.

Category Hit Summary

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

142

6.20 The IDP Screen

Click Monitor > UTM Statistics > IDP to display the following screen. This screen displays IDP

(Intrusion Detection and Prevention) statistics.

Figure 118 Monitor > UTM Statistics > IDP: Signature Name

Security Threat

(unsafe)

This is the number of requested web pages that the ZyWALL/USG’s content filtering

service identified as posing a threat to users.

Managed Web Pages This is the number of requested web pages that the ZyWALL/USG’s content filtering

service identified as belonging to a category that was selected to be managed.

Block Hit Summary

Web Pages Warned by

Category Service

This is the number of web pages that matched an external database content

filtering category selected in the ZyWALL/USG and for which the ZyWALL/USG

displayed a warning before allowing users access.

Web Pages Blocked by

Custom Service

This is the number of web pages to which the ZyWALL/USG did not allow access due

to the content filtering custom service configuration.

Restricted Web

Features This is the number of web pages to which the ZyWALL limited access or removed

cookies due to the content filtering custom service's restricted web features

configuration.

Forbidden Web Sites This is the number of web pages to which the ZyWALL/USG did not allow access

because they matched the content filtering custom service’s forbidden web sites

list.

URL Keywords This is the number of web pages to which the ZyWALL/USG did not allow access

because they contained one of the content filtering custom service’s list of

forbidden keywords.

Web Pages Blocked

Without Policy

This is the number of web pages to which the ZyWALL/USG did not allow access

because they were not rated by the external database content filtering service.

Report Server Click this link to go to http://www.myZyXEL.com where you can view content

filtering reports after you have activated the category-based content filtering

subscription service.

Ta ble 62 Monitor > UTM Statistics > Content Filter (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

143

The following table describes the labels in this screen.

The statistics display as follows when you display the top entries by source.

Ta ble 63 Monitor > UTM Statistics > IDP

LABEL DESCRIPTION

Collect Statistics Select this check box to have the ZyWALL/USG collect IDP statistics.

The collection starting time displays after you click Apply. All of the statistics in this

screen are for the time period starting at the time displayed here. The format is

year, month, day and hour, minute, second. All of the statistics are erased if you

restart the ZyWALL/USG or click Flush Data. Collecting starts over and a new

collection start time displays.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Refresh Click this button to update the report display.

Flush Data Click this button to discard all of the screen’s statistics and update the report display.

Total Session Scanned This field displays the number of sessions that the ZyWALL/USG has checked for

intrusion characteristics.

Total Packet Dropped The ZyWALL/USG can detect and drop malicious packets from network traffic. This

field displays the number of packets that the ZyWALL/USG has dropped.

Total Packet Reset The ZyWALL/USG can detect and drop malicious packets from network traffic. This

field displays the number of packets that the ZyWALL/USG has reset.

Top Entries By Use this field to have the following (read-only) table display the top IDP log entries

by Signature Name, Source or Destination. This table displays the most

common, recent IDP logs. See the log screen for less common IDP logs or use a

syslog server to record all IDP logs.

Select Signature Name to list the most common signatures that the ZyWALL/USG

has detected.

Select Source to list the source IP addresses from which the ZyWALL/USG has

detected the most intrusion attempts.

Select Destination to list the most common destination IP addresses for intrusion

attempts that the ZyWALL/USG has detected.

#This field displays the entry’s rank in the list of the top entries.

Signature Name This column displays when you display the entries by Signature Name. The

signature name identifies the type of intrusion pattern. Click the hyperlink for more

detailed information on the intrusion.

Signature ID This column displays when you display the entries by Signature Name. The

signature ID is a unique value given to each intrusion detected.

Type This column displays when you display the entries by Signature Name. It shows

the categories of intrusions.

Severity This column displays when you display the entries by Signature Name. It shows

the level of threat that the intrusions may pose.

Source IP This column displays when you display the entries by Source. It shows the source IP

address of the intrusion attempts.

Destination IP This column displays when you display the entries by Destination. It shows the

destination IP address at which intrusion attempts were targeted.

Occurrences This field displays how many times the ZyWALL/USG has detected the event

described in the entry.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

144

Figure 119 Monitor > UTM Statistics > IDP: Source

The statistics display as follows when you display the top entries by destination.

Figure 120 Monitor > UTM Statistics > IDP: Destination

6.21 The Anti-Virus Screen

Click Monitor > UTM Statistics > Anti-Virus to display the following screen. This screen displays

anti-virus statistics.

Figure 121 Monitor > UTM Statistics > Anti-Virus: Virus Name

The following table describes the labels in this screen.

Ta ble 64 Monitor > UTM Statistics > Anti-Virus

LABEL DESCRIPTION

Collect Statistics Select this check box to have the ZyWALL/USG collect anti-virus statistics.

The collection starting time displays after you click Apply. All of the statistics in this

screen are for the time period starting at the time displayed here. The format is year,

month, day and hour, minute, second. All of the statistics are erased if you restart

the ZyWALL/USG or click Flush Data. Collecting starts over and a new collection

start time displays.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Refresh Click this button to update the report display.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

145

The statistics display as follows when you display the top entries by source.

Figure 122 Monitor > UTM Statistics > Anti-Virus: Source IP

The statistics display as follows when you display the top entries by destination.

Figure 123 Monitor > UTM Statistics > Anti-Virus: Destination IP

6.22 The Anti-Spam Screens

The Anti-Spam menu contains the Report and Status screens.

Flush Data Click this button to discard all of the screen’s statistics and update the report display.

Total Viruses Detected This field displays the number of different viruses that the ZyWALL/USG has

detected.

Infected Files Detected This field displays the number of files in which the ZyWALL/USG has detected a

virus.

Top Entries By Use this field to have the following (read-only) table display the top anti-virus log

entries by Virus Name, Source IP or De stination IP. This table displays the most

common, recent virus logs. See the log screen for less common virus logs or use a

syslog server to record all virus logs.

Select Virus Name to list the most common viruses that the ZyWALL/USG has

detected.

Select Source IP to list the source IP addresses from which the ZyWALL/USG has

detected the most virus-infected files.

Select Destination IP to list the most common destination IP addresses for virus-

infected files that ZyWALL/USG has detected.

#This field displays the entry’s rank in the list of the top entries.

Virus name This column displays when you display the entries by Virus Name. This displays the

name of a detected virus.

Source IP This column displays when you display the entries by Source. It shows the source IP

address of virus-infected files that the ZyWALL/USG has detected.

Destination IP This column displays when you display the entries by Destination. It shows the

destination IP address of virus-infected files that the ZyWALL/USG has detected.

Occurrences This field displays how many times the ZyWALL/USG has detected the event

described in the entry.

Ta ble 64 Monitor > UTM Statistics > Anti-Virus (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

146

6.22.1 Anti-Spam Report

Click Monitor > UTM Statistics > Anti-Spam to display the following screen. This screen displays

spam statistics.

Figure 124 Monitor > UTM Statistics > Anti-Spam

The following table describes the labels in this screen.

Ta ble 65 Monitor > UTM Statistics > Anti-Spam

LABEL DESCRIPTION

Collect Statistics Select this check box to have the ZyWALL/USG collect anti-spam statistics.

The collection starting time displays after you click Apply. All of the statistics in this

screen are for the time period starting at the time displayed here. The format is

year, month, day and hour, minute, second. All of the statistics are erased if you

restart the ZyWALL/USG or click Flush Data. Collecting starts over and a new

collection start time displays.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Refresh Click this button to update the report display.

Flush Data Click this button to discard all of the screen’s statistics and update the report

display.

Total Mails Scanned This field displays the number of e-mails that the ZyWALL/USG’s anti-spam feature

has checked.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

147

Clear Mails This is the number of e-mails that the ZyWALL/USG has determined to not be

spam.

Clear Mails Detected by

Whitelist

This is the number of e-mails that matched an entry in the ZyWALL/USG’s anti-

spam white list.

Spam Mails This is the number of e-mails that the ZyWALL/USG has determined to be spam.

Spam Mails Detected by

Black List

This is the number of e-mails that matched an entry in the ZyWALL/USG’s anti-

spam black list.

Spam Mails Detected by

IP Reputation

This is the number of e-mails that the ZyWALL/USG has determined to be spam by

IP Reputation. Spam or Unwanted Bulk Email is determined by the sender’s IP

address.

Spam Mails Detected by

Mail Content

This is the number of e-mails that the ZyWALL/USG has determined to have

malicious contents.

Spam Mails Detected by

DNSBL

The ZyWALL/USG can check the sender and relay IP addresses in an e-mail’s

header against DNS (Domain Name Service)-based spam Black Lists (DNSBLs).

This is the number of e-mails that had a sender or relay IP address in the header

which matched one of the DNSBLs that the ZyWALL/USG uses.

Spam Mails with Virus

Detected by Mail

Content

This is the number of e-mails that the ZyWALL/USG has determined to have

malicious contents and attached with virus.

Virus Mails This is the number of e-mails that the ZyWALL/USG has determined to be attached

with virus.

Query Timeout This is how many queries that were sent to the ZyWALL/USG’s configured list of

DNSBL domains or Mail Scan services and did not receive a response in time.

Mail Sessions

Forwarded

This is how many e-mail sessions the ZyWALL/USG allowed because they exceeded

the maximum number of e-mail sessions that the anti-spam feature can check at a

time.

You can see the ZyWALL/USG’s threshold of concurrent e-mail sessions in the Anti-

Spam > Status screen.

Use the Anti-Spam > General screen to set whether the ZyWALL/USG forwards or

drops sessions that exceed this threshold.

Mail Sessions Dropped This is how many e-mail sessions the ZyWALL/USG dropped because they exceeded

the maximum number of e-mail sessions that the anti-spam feature can check at a

time.

You can see the ZyWALL/USG’s threshold of concurrent e-mail sessions in the Anti-

Spam > Status screen.

Use the Anti-Spam > General screen to set whether the ZyWALL/USG forwards or

drops sessions that exceed this threshold.

Top Sender By Use this field to list the top e-mail or IP addresses from which the ZyWALL/USG has

detected the most spam.

Select Sender IP to list the source IP addresses from which the ZyWALL/USG has

detected the most spam.

Select Sender Email Address to list the top e-mail addresses from which the

ZyWALL/USG has detected the most spam.

#This field displays the entry’s rank in the list of the top entries.

Sender IP This column displays when you display the entries by Sender IP. It shows the

source IP address of spam e-mails that the ZyWALL/USG has detected.

Ta ble 65 Monitor > UTM Statistics > Anti-Spam (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

148

6.22.2 The Anti-Spam Status Screen

Click Monitor > UTM Statistics > Anti-Spam > Status to display the Anti-Spam Status screen.

Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is

scanning and statistics for the DNSBLs.

Figure 125 Monitor > UTM Statistics > Anti-Spam > Status

The following table describes the labels in this screen.

Sender Email Address This column displays when you display the entries by Sender Email Address. This

column displays the e-mail addresses from which the ZyWALL/USG has detected

the most spam.

Occurrence This field displays how many spam e-mails the ZyWALL/USG detected from the

sender.

Ta ble 65 Monitor > UTM Statistics > Anti-Spam (continued)

LABEL DESCRIPTION

Ta ble 66 Monitor > UTM Statistics > Anti-Spam > Status

LABEL DESCRIPTION

Refresh Click this button to update the information displayed on this screen.

Flush Click this button to clear the DNSBL statistics. This also clears the concurrent mail

session scanning bar’s historical high.

Concurrent Mail Session

Scanning

The darker shaded part of the bar shows how much of the ZyWALL/USG’s total

spam checking capability is currently being used.

The lighter shaded part of the bar and the pop-up show the historical high.

The first number to the right of the bar is how many e-mail sessions the ZyWALL/

USG is presently checking for spam. The second number is the maximum number

of e-mail sessions that the ZyWALL/USG can check at once. An e-mail session is

when an e-mail client and e-mail server (or two e-mail servers) connect through

the ZyWALL/USG.

Mail Scan Statistics These are the statistics for the service the ZyWALL/USG uses. These statistics are

for when the ZyWALL/USG actually queries the service servers.

#This is the entry’s index number in the list.

Service This displays the name of the service.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

149

6.23 The SSL Inspection Screens

The ZyWALL/USG uses SSL Inspection to decrypt SSL traffic, sends it to the UTM engines for

inspection, then encrypts traffic that passes inspection and forwards it.

Click Monitor > UTM Statistics > SSL Inspection > Report to display the following screen.

Figure 126 Monitor > UTM Statistics > SSL Inspection > Report

Total Queries This is the total number of queries the ZyWALL/USG has sent to this service.

Avg. Response Time (sec) This is the average for how long it takes to receive a reply from this service.

No Response This is how many queries the ZyWALL/USG sent to this service without receiving a

reply.

DNSBL Statistics These are the statistics for the DNSBL the ZyWALL/USG uses. These statistics are

for when the ZyWALL/USG actually queries the DNSBL servers. Matches for

DNSBL responses stored in the cache do not affect these statistics.

#This is the entry’s index number in the list.

DNSBL Domain These are the DNSBLs the ZyWALL/USG uses to check sender and relay IP

addresses in e-mails.

Total Queries This is the total number of DNS queries the ZyWALL/USG has sent to this DNSBL.

Avg. Response Time (sec) This is the average for how long it takes to receive a reply from this DNSBL.

No Response This is how many DNS queries the ZyWALL/USG sent to this DNSBL without

receiving a reply.

Ta ble 66 Monitor > UTM Statistics > Anti-Spam > Status (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

150

The following table describes the labels in this screen.

6.23.1 Certificate Cache List

SSL traffic to a server to be excluded from SSL Inspection is identified by its certificate. Traffic in an

Exclude List is not intercepted by SSL Inspection.

Click Monitor > UTM Statistics > SSL Inspection > Certificate Cache List to display a screen

that shows details on SSL traffic going to servers identified by its certificate and an option to add

that traffic to the Exclude List.

Ta ble 67 Monitor > UTM Statistics > SSL Inspection > Report

LABEL DESCRIPTION

Collect Statistics Select this check box to have the ZyWALL/USG collect SSL Inspection statistics.

The collection starting time displays after you click Apply. All of the statistics in

this screen are for the time period starting at the time displayed here. The format

is year, month, day and hour, minute, second. All of the statistics are erased if you

restart the ZyWALL/USG or click Flush Data. Collecting starts over and a new

collection start time displays.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Refresh Click this button to update the report display.

Flush Data Click this button to discard all of the screen’s statistics and update the report

display.

Status

Maximum Concurrent

Sessions This shows the maximum number of simultaneous SSL Inspection sessions

allowed for your ZyWALL/USG model.

Concurrent Sessions This shows the actual number of simultaneous SSL Inspection sessions in

progress.

Summary

Total SSL Sessions This is the total of SSL sessions inspected and number of sessions blocked and

number of sessions passed since data was last flushed or the ZyWALL/USG last

rebooted after Collect Statistic s was enabled.

Sessions Inspected This shows the total number of SSL sessions inspected since data was last flushed

or the ZyWALL/USG last rebooted after Collect Statisti cs was enabled

Decrypted (Kbytes) This shows the number of kilobytes (KB) of data that was decrypted for UTM

inspection.

Encrypted (Kbytes) This shows the number of kilobytes (KB) of data that was re-encrypted after UTM

inspection and then forwarded.

Sessions Blocked This shows the number of SSL sessions blocked.

Sessions Passed This shows the number of SSL sessions passed.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

151

Figure 127 Monitor > UTM Statistics > SSL Inspection > Certificate Cache List

The following table describes the labels in this screen.

Ta ble 68 Monitor > UTM Statistics > SSL Inspection > Certificate Cache List

LABEL DESCRIPTION

Certificate Cache List

Add to Exclude list Select and item in the list and click this icon to add the common name (CN) to the

Exclude List.

# This field is a sequential value, and it is not associated with a specific entry.

In Exclude List If any one of common name, DNS name, email address or IP address of the

certificate is in the Exclude List, then traffic to the server identified by the

certificate is excluded from inspection.

The icons here are defined as follows:

• Gray: The identity of the certificate is not in the Exclude List

• Green: The common name of the certificate is in the Exclude List

• Yellow: The common name of certificate is not in the Exclude List but one of

the DNS name, email address or IP address is.

Time This is the latest date (yyyy-mm-dd) and time (hh-mm-ss) that the record in the

certificate cache list was met.

Common Name This displays the common name in the certificate of the SSL traffic destination

server.

SNI Server Name Indication (SNI) is the domain name entered in the browser, FTP

client, etc. to begin the SSL session with the server. It allows multiple SSL

sessions to the same IP address and port number with different certificates from

different SNI. This field displays the SNI for this SSL session.

SSL Version This field shows the SSL version. SSLv3/TLS1.0 is currently supported

Destination This displays the IP address and port number of the SSL traffic destination server.

Valid Time This displays the cache item expiry time in seconds. The cache item is deleted

when the remaining time expires.

Refresh Click this button to update the information in the screen.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

152

6.24 Log Screens

Log messages are stored in two separate logs, one for regular log messages and one for debugging

messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can

select a specific category of log messages (for example, security policy or user). You can also look

at the debugging log by selecting Debug Log. All debugging messages have the same priority.

6.24.1 View Log

To access this screen, click Monitor > Log. The log is displayed in the following screen.

Note: When a log reaches the maximum number of log messages, new log messages

automatically overwrite existing log messages, starting with the oldest existing log

message first.

• The maximum possible number of log messages in the ZyWALL/USG varies by model.

Events that generate an alert (as well as a log message) display in red. Regular logs display in

black. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the

heading cell again to reverse the sort order. The Web Configurator saves the filter settings if you

leave the View Log screen and return to it later.

Figure 128 Monitor > Log > View Log

The following table describes the labels in this screen.

Ta ble 69 Monitor > Log > View Log

LABEL DESCRIPTION

Show Filter Click this button to show or hide the filter settings.

If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear

Log fields are available.

If the filter settings are shown, the Display, Priority, Source Address,

Destination Address, Service, Keyword, and Search fields are available.

Display Select the category of log message(s) you want to view. You can also view All Logs

at one time, or you can view the Debug Log.

Email Log Now Click this button to send log message(s) to the Active e-mail address(es) specified

in the Send Log To field on the Log Settings page.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

153

6.24.2 View AP Log

Click on Monitor > Log > View AP Log to open the following screen.

Refresh Click this button to update the information in the screen.

Clear Log Click this button to clear the whole log, regardless of what is currently displayed on

the screen.

# This field is a sequential value, and it is not associated with a specific log message.

Time This field displays the time the log message was recorded.

Priority This displays when you show the filter. Select the priority of log messages to

display. The log displays the log messages with this priority or higher. Choices are:

any, emerg, alert, crit, error, warn, notice, and info, from highest priority to

lowest priority. This field is read-only if the Category is Debug Log.

Category This field displays the log that generated the log message. It is the same value used

in the Display and (other) Category fields.

Message This field displays the reason the log message was generated. The text “[count=x]”,

where x is a number, appears at the end of the Message field if log consolidation is

turned on and multiple entries were aggregated to generate into this one.

Source This displays when you show the filter. Type the source IP address of the incoming

packet that generated the log message. Do not include the port in this filter.

Destination This displays when you show the filter. Type the IP address of the destination of the

incoming packet when the log message was generated. Do not include the port in

this filter.

Protocol This displays when you show the filter. Select a service protocol whose log

messages you would like to see.

Search This displays when you show the filter. Click this button to update the log using the

current filter settings.

Priority This field displays the priority of the log message. It has the same range of values

as the Priority field above.

Source This field displays the source IP address and the port number in the event that

generated the log message.

Destination This field displays the destination IP address and the port number of the event that

generated the log message.

Note This field displays any additional information about the log message.

Ta ble 69 Monitor > Log > View Log (continued)

LABEL DESCRIPTION

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

154

Figure 129 Monitor > Log > View AP Log

The following table describes the labels in this screen.

LABEL DESCRIPTION

Show Filter Click this button to show or hide the filter settings.

If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear

Log fields are available.

If the filter settings are shown, the Display, Priority, Source Address,

Destination Address, Service, Keyword, and Search fields are available.

Select an AP Click the pull down menu to choose an AP.

Query Click Query to create a Query log.

Log Query Status The field displays the

AP Information This field displays the AP information. N/A is displayed when

Log File Status This field displays how many logs are available. It will display Empty if there’s none.

Last Log Query

Time This field displays the most recent time a log query was solicited.

Display Select the category of log message(s) you want to view. You can also view All Logs

at one time, or you can view the Debug Log.

Source Address Type the IP address of the source AP.

Source Interface Select the interface of the source AP from the pull down menu. Choose Any to

search all interface.

Service Select a policy service available from ZyWALL/USG from the pull down menu.

Protocol Select the protocol of the AP from the pull down menu.

Priority This displays when you show the filter. Select the priority of log messages to

display. The log displays the log messages with this priority or higher. Choices are:

any, emerg, alert, crit, error, warn, notice, and info, from highest priority to

lowest priority. This field is read-only if the Category is Debug Log.

Chapter 6 Monitor

ZyWALL/USG Series User’s Guide

155

Destination Address Type the IP ad re ss of the destination.

Destination Interface Select the destination interface from the pull down menu.

Keyword Type a keyword of the policy service available from ZyWALL/USG to search for a

log.

Search Click this to start the search.

Email Log Now Click this button to send log message(s) to the Active e-mail address(es) specified

in the Send Log To field on the Log Settings page.

Refresh Click this button to update the information in the screen.

Clear Log Click this button to clear the whole log, regardless of what is currently displayed on

the screen.

#This field is a sequential value, and it is not associated with a specific log message.

Time This field displays the time the log message was recorded.

Priority This displays when you show the filter. Select the priority of log messages to

display. The log displays the log messages with this priority or higher. Choices are:

any, emerg, alert, crit, error, warn, notice, and info, from highest priority to

lowest priority. This field is read-only if the Category is Debug Log.

Category This field displays the log that generated the log message. It is the same value used

in the Display and (other) Category fields.

Message This field displays the message of the log.

Source Address This displays when you show the filter. Type the source IP address of the incoming

packet that generated the log message. Do not include the port in this filter.

Destination Address This displays when you show the filter. Type the IP address of the destination of the

incoming packet when the log message was generated. Do not include the port in

this filter.

Source Interface This displays when you show the filter. Select the source interface of the packet that

generated the log message.

Destination Interface This displays when you show the filter. Select the destination interface of the packet

that generated the log message.

Note This field displays any additional information about the log message.

LABEL DESCRIPTION

ZyWALL/USG Series User’s Guide

156

CHAPTER 7

Licensing

7.1 Registration Overview

Use the Configuration > Licensing > Registration screens to register your ZyWALL/USG and

manage its service subscriptions.

•Use the Registration screen (see Section 7.1.2 on page 157) to go to portal.myzyxel.com to register your

ZyWALL/USG and activate a service, such as content filtering.

•Use the Service screen (see Section 7.1.3 on page 157) to display the status of your service registrations

and upgrade licenses.

Note: ZyWALL models need a license for UTM (Unified Threat management) functionality.

7.1.1 What you Need to Know

This section introduces the topics covered in this chapter.

myZyXEL.com

myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL/USG and

manage subscription services available for the ZyWALL/USG. To update signature files or use a

subscription service, you have to register the ZyWALL/USG and activate the corresponding service

at myZyXEL.com (through the ZyWALL/USG).

Note: You need to create a myZyXEL.com account before you can register your device

and activate the services at myZyXEL.com.

You need your ZyWALL/USG’s serial number and LAN MAC address to register it. Refer to the web

site’s on-line help for details.

Subscription Services Available

The ZyWALL/USG can use anti-virus, anti-spam, IDP/AppPatrol (Intrusion Detection and Prevention

and application patrol), SSL VPN, and content filtering subscription services.

ZyWALL models need a license for UTM (Unified Threat Management) functionality - see Section 1.1

on page 21 for details.

You can purchase an iCard and enter the license key from it, at www.myzyxel.com to have the

ZyWAL use UTM services or have the ZyWALL/USG use more SSL VPN tunnels. See below the

respective chapters in this guide for more information about UTM features.

Chapter 7 Licensing

ZyWALL/USG Series User’s Guide

157

7.1.2 Registration Screen

Click the link in this screen to register your ZyWALL/USG at myZyXEL.com. The ZyWALL/USG

should already have Internet access before you can access it. Click Configuration > Licensing >

Registration in the navigation panel to open the screen as shown next.

Figure 130 Configuration > Licensing > Registration > portal.myzyxel.com

7.1.3 Service Screen

Use this screen to display the status of your service registrations and upgrade licenses. To activate

or extend a standard service subscription, purchase an iCard and enter the iCard’s PIN number

(license key) in this screen. Click Configuration > Licensing > Registration > Service to open

the screen as shown next.

Figure 131 Configuration > Licensing > Registration > Service

The following table describes the labels in this screen.

Ta ble 70 Configuration > Licensing > Registration > Service

LABEL DESCRIPTION

License Status

# This is the entry’s position in the list.

Service This lists the services that available on the ZyWALL/USG.

Status This field displays whether a service is activated (Licensed) or not (Not

Licensed) or expired (Expired).

Chapter 7 Licensing

ZyWALL/USG Series User’s Guide

158

7.2 Signature Update

This section shows you how to update the ZyWALL/USG’s signature packages.

•Use the Configuration > Licensing > Signature Update > Anti-virus screen (Section 7.2.2

on page 158) to update the anti-virus signatures.

•Use the Configuration > Licensing > Signature Update > IDP/AppPatrol screen (Section

7.2.3 on page 160) to update the signatures used for IDP and application patrol.

7.2.1 What you Need to Know

• You need a valid service registration to update the anti-virus signatures and the IDP/AppPatrol

signatures.

• You do not need a service registration to update the system-protection signatures.

• Schedule signature updates for a day and time when your network is least busy to minimize

disruption to your network.

• Your custom signature configurations are not over-written when you download new signatures.

Note: The ZyWALL/USG does not have to reboot when you upload new signatures.

7.2.2 The Anti-Virus Update Screen

Click Configuration > Licensing > Signature Update > Anti-Virus to display the following

screen.

Registration Type This field displays whether you applied for a trial application (Trial) or

registered a service with your iCard’s PIN number (Standard). This field is

blank when a service is not activated. For an anti-virus service subscription this

field also displays the type of anti-virus engine.

Expiration Date This field displays the date your service expires.

You can continue to use IDP/AppPatrol or Anti-Virus after the registration

expires, you just won’t receive updated signatures.

Count This field displays how many VPN tunnels you can use with your current

license. This field does not apply to the other services.

Service License Refresh Click this button to renew service license information (such as the registration

status and expiration day).

Ta ble 70 Configuration > Licensing > Registration > Service (continued)

LABEL DESCRIPTION

Chapter 7 Licensing

ZyWALL/USG Series User’s Guide

159

Figure 132 Configuration > Licensing > Signature Update >Anti-Virus

The following table describes the labels in this screen.

Ta ble 71 Configuration > Licensing > Signature Update >Anti-Virus

LABEL DESCRIPTION

Signature Information The following fields display information on the current signature set that the

ZyWALL/USG is using.

Anti-Virus Engine

Type This field displays the anti-virus engine used by the ZyWALL/USG. Update to the

latest signatures and firmware for the best AV protection.

Current Version This field displays the anti-virus signatures version number currently used by the

ZyWALL/USG. This number gets larger as new signatures are added.

Signature Number This field displays the number of signatures in this set.

Released Date This field displays the date and time the set was released.

Signature Update Use these fields to have the ZyWALL/USG check for new signatures at

myZyXEL.com. If new signatures are found, they are then downloaded to the

ZyWALL/USG.

Update Now Click this button to have the ZyWALL/USG check for new signatures immediately. If

there are new ones, the ZyWALL/USG will then download them.

Auto Update Select this check box to have the ZyWALL/USG automatically check for new

signatures regularly at the time and day specified.

You should select a time when your network is not busy for minimal interruption.

Hourly Select this option to have the ZyWALL/USG check for new signatures every hour.

Daily Select this option to have the ZyWALL/USG check for new signatures every day at

the specified time. The time format is the 24 hour clock, so ‘23’ means 11 PM for

example.

Weekly Select this option to have the ZyWALL/USG check for new signatures once a week

on the day and at the time specified.

Chapter 7 Licensing

ZyWALL/USG Series User’s Guide

160

7.2.3 The IDP/AppPatrol Update Screen

Click Configuration > Licensing > Signature Update > IDP /AppPatrol to display the following

screen.

The ZyWALL/USG comes with signatures for the IDP and application patrol features. These

signatures are continually updated as new attack types evolve. New signatures can be downloaded

to the ZyWALL/USG periodically if you have subscribed for the IDP/AppPatrol signatures service.

You need to create an account at myZyXEL.com, register your ZyWALL/USG and then subscribe for

IDP service in order to be able to download new packet inspection signatures from myZyXEL.com

(see the Registration screens). Use the Update IDP /AppPatrol screen to schedule or

immediately download IDP signatures.

Figure 133 Configuration > Licensing > Signature Update > IDP/AppPatrol

The following table describes the fields in this screen.

Apply Click this button to save your changes to the ZyWALL/USG.

Reset Click this button to return the screen to its last-saved settings.

Ta ble 71 Configuration > Licensing > Signature Update >Anti-Virus (continued)

LABEL DESCRIPTION

Ta ble 72 Configuration > Licensing > Signature Update > IDP/AppPatrol

LABEL DESCRIPTION

Signature Information The following fields display information on the current signature set that the

ZyWALL/USG is using.

Current Version This field displays the IDP signature and anomaly rule set version number. This

number gets larger as the set is enhanced.

Chapter 7 Licensing

ZyWALL/USG Series User’s Guide

161

Signature Number This field displays the number of IDP signatures in this set. This number usually

gets larger as the set is enhanced. Older signatures and rules may be removed if

they are no longer applicable or have been supplanted by newer ones.

Released Date This field displays the date and time the set was released.

Signature Update Use these fields to have the ZyWALL/USG check for new IDP signatures at

myZyXEL.com. If new signatures are found, they are then downloaded to the

ZyWALL/USG.

Update Now Click this button to have the ZyWALL/USG check for new IDP signatures

immediately. If there are new ones, the ZyWALL/USG will then download them.

Auto Update Select this check box to have the ZyWALL/USG automatically check for new IDP

signatures regularly at the time and day specified.

You should select a time when your network is not busy for minimal interruption.

Hourly Select this option to have the ZyWALL/USG check for new IDP signatures every

hour.

Daily Select this option to have the ZyWALL/USG check for new IDP signatures everyday

at the specified time. The time format is the 24 hour clock, so ‘23’ means 11 PM for

example.

Weekly Select this option to have the ZyWALL/USG check for new IDP signatures once a

week on the day and at the time specified.

Apply Click this button to save your changes to the ZyWALL/USG.

Reset Click this button to return the screen to its last-saved settings.

Ta ble 72 Configuration > Licensing > Signature Update > IDP/AppPatrol (continued)

LABEL DESCRIPTION

ZyWALL/USG Series User’s Guide

162

CHAPTER 8

Wireless

8.1 Overview

Use the Wireless screens to configure how the ZyWALL/USG manages the Access Points (APs) that

are connected to it.

8.1.1 What You Can Do in this Chapter

•The Controller screen (Section 8.2 on page 162) sets how the ZyWALL/USG allows new APs to

connect to the network.

•The AP Management screen (Section 8.3 on page 163) manages all of the APs connected to the

ZyWALL/USG.

8.2 Controller Screen

Use this screen to set how the ZyWALL/USG allows new APs to connect to the network. Click

Configuration > Wireless > Controller to access this screen.

Figure 134 Configuration > Wireless > Controller

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

163

Each field is described in the following table.

8.3 AP Management Screen

Use this screen to manage all of the APs connected to the ZyWALL/USG. Click Configuration >

Wireless > AP Management to access this screen.

Figure 135 Configuration > Wireless > AP Management

Each field is described in the following table.

Ta ble 73 Configuration > Wireless > Controller

LABEL DESCRIPTION

Registration

Type

Select Manual to add each AP to the ZyWALL/USG for management, or Always Accept to

automatically add APs to the ZyWALL/USG for management.

If you select Manual, then go to Monitor > Wireless > AP Information > AP List, select

an AP to be managed and then click Add to Mgnt AP List. That AP will then appear in

Configuration > Wireless > Controller > Mgnt. AP List.

Note: Select the Manual option for managing a specific set of APs. This is recommended as the

registration mechanism cannot automatically differentiate between friendly and rogue

APs.

APs must be connected to the ZyWALL/USG by a wired connection or network.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Ta ble 74 Configuration > Wireless > AP Management

LABEL DESCRIPTION

Edit Select an AP and click this button to edit its properties.

Remove Select an AP and click this button to remove it from the list.

Note: If in the Configuration > Wireless > Controller screen you set the Registration

Type to Always Accept, then as soon as you remove an AP from this list it

reconnects.

Reboot Select an AP and click this button to force it to restart.

# This field is a sequential value, and it is not associated with any entry.

IP Address This field displays the IP address of the AP.

MAC Address This field displays the MAC address of the AP.

Model This field displays the AP’s hardware model information. It displays N/A (not

applicable) only when the AP disconnects from the ZyWALL/USG and the information is

unavailable as a result.

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

164

8.3.1 Edit AP List

Select an AP and click the Edit button in the Configuration > Wireless > AP Management table

to display this screen.

Figure 136 Configuration > Wireless > AP Management > Edit AP List

Each field is described in the following table.

R1 Mode / Profile This field displays the operating mode (AP) and AP profile name for Radio 1. It displays

n/a for the profile for a radio not using an AP profile.

Mgmnt. VLAN

ID(AC)

This displays the Access Controller (the ZyWALL/USG) management VLAN ID setting for

the AP.

Mgmnt. VLAN

ID(AP)

This displays the runtime management VLAN ID setting on the AP. VLAN Conflict

displays if the AP’s management VLAN ID does not match the Mgmnt. VLAN ID(AC).

This field displays n/a if the ZyWALL/USG cannot get VLAN information from the AP.

Description This field displays the AP’s description, which you can configure by selecting the AP’s

entry and clicking the Edit button.

Ta ble 74 Configuration > Wireless > AP Management (continued)

LABEL DESCRIPTION

Ta ble 75 Configuration > Wireless > AP Management > Edit AP List

LABEL DESCRIPTION

Create new Object Use this menu to create a new Radio Profile object to associate with this AP.

MAC This displays the MAC address of the selected AP.

Model This field displays the AP’s hardware model information. It displays N/A (not

applicable) only when the AP disconnects from the ZyWALL/USG and the information is

unavailable as a result.

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

165

8.3.2 AP Policy

Use this screen to configure the AP controller’s IP address on the managed APs and determine the

action the managed APs take if the current AP controller fails. Click Configuration > Wireless >

AP Management > AP Policy to access this screen.

Figure 137 Configuration > Wireless > AP Management > AP Policy

Description Enter a description for this AP. You can use up to 31 characters, spaces and underscores

allowed.

Radio 1/2 OP Mode Select the operating mode for radio 1 or radio 2.

AP Mode means the AP can receive connections from wireless clients and pass their

data traffic through to the ZyWALL/USG to be managed (or subsequently passed on to

an upstream gateway for managing).

Radio 1/2 Profile Select a profile from the list. If no profile exists, you can create a new one through the

Create new Object menu.

Force Overwrite

VLAN Config

Select this to have the ZyWALL/USG change the AP’s management VLAN to match the

configuration in this screen.

Management VLAN

Enter a VLAN ID for this AP.

As Native VLAN Select this option to treat this VLAN ID as a VLAN created on the ZyWALL/USG and not

one assigned to it from outside the network.

OK Click OK to save your changes back to the ZyWALL/USG.

Cancel Click Cancel to close the window with changes unsaved.

Ta ble 75 Configuration > Wireless > AP Management > Edit AP List (continued)

LABEL DESCRIPTION

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

166

Each field is described in the following table.

8.4 MON Mode

Use this screen to assign APs either to the rogue AP list or the friendly AP list. A rogue AP is a

wireless access point operating in a network’s coverage area that is not under the control of the

network administrator, and which can potentially open up holes in a network’s security.

Click Configuration > Wireless > MON Mode to access this screen.

Ta ble 76 Configuration > Wireless > AP Management > AP Policy

LABEL DESCRIPTION

Force Override AC

IP Config on AP

Select this to have the ZyWALL/USG change the AP controller’s IP address on the

managed AP(s) to match the configuration in this screen.

Override Type Select Auto to have the managed AP(s) automatically send broadcast packets to find

any other available AP controllers.

Select Manual to replace the AP controller’s IP address configured on the managed

AP(s) with the one(s) you specified below.

Primary Controller Specify the IP address of the primary AP controller if you set Override Type to

Manual.

Secondary

Controller

Specify the IP address of the secondary AP controller if you set Override Type to

Manual.

Fall back to Primary

Controller when

possible

Select this option to have the managed AP(s) change back to associate with the

primary AP controller as soon as the primary AP controller is available.

Fall Back Check

Interval

Set how often the managed AP(s) check whether the primary AP controller is available.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

167

Figure 138 Configuration > Wireless > MON Mode

Each field is described in the following table.

Ta ble 77 Configuration > Wireless > MON Mode

LABEL DESCRIPTION

General Settings

Enable Rogue AP

Containment

Select this to enable rogue AP containment.

Rogue/Friendly AP List

Add Click this button to add an AP to the list and assign it either friendly or rogue

status.

Edit Select an AP in the list to edit and reassign its status.

Remove Select an AP in the list to remove.

Containment Click this button to quarantine the selected AP.

A quarantined AP cannot grant access to any network services. Any stations that

attempt to connect to a quarantined AP are disconnected automatically.

Dis-Containment Click this button to take the selected AP out of quarantine.

An unquarantined AP has normal access to the network.

# This field is a sequential value, and it is not associated with any interface.

Containment This field indicates the selected AP’s containment status.

Role This field indicates whether the selected AP is a rogue-ap or a friendly-ap. To

change the AP’s role, click the Edit button.

MAC Address This field indicates the AP’s radio MAC address.

Description This field displays the AP’s description. You can modify this by clicking the Edit

button.

Rogue/Friendly AP List

Importing/Exporting

These controls allow you to export the current list of rogue and friendly APs or

import existing lists.

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

168

8.4.1 Add/Edit Rogue/Friendly List

Select an AP and click the Edit button in the Configuration > Wireless > MON Mode table to

display this screen.

Figure 139 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly

Each field is described in the following table.

File Path / Browse /

Importing Enter the file name and path of the list you want to import or click the Browse

button to locate it. Once the File Path field has been populated, click Importing

to bring the list into the ZyWALL/USG.

Exporting Click this button to export the current list of either rogue APs or friendly APS.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Ta ble 77 Configuration > Wireless > MON Mode (continued)

LABEL DESCRIPTION

Ta ble 78 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly

LABEL DESCRIPTION

MAC Enter the MAC address of the AP you want to add to the list. A MAC address is a unique

hardware identifier in the following hexadecimal format: xx:xx:xx:xx:xx:xx where xx is a

hexadecimal number separated by colons.

Description Enter up to 60 characters for the AP’s description. Spaces and underscores are allowed.

Role Select either Rogue AP or Friendly AP for the AP’s role.

OK Click OK to save your changes back to the ZyWALL/USG.

Cancel Click Cancel to close the window with changes unsaved.

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

169

8.5 Load Balancing

Use this screen to configure wireless network traffic load balancing between the APs on your

network. Click Configuration > Wireless > Load Balancing to access this screen.

Figure 140 Configuration > Wireless > Load Balancing

Each field is described in the following table.

Ta ble 79 Configuration > Wireless > Load Balancing

LABEL DESCRIPTION

Enable Load

Balancing

Select this to enable load balancing on the ZyWALL/USG.

Mode Select a mode by which load balancing is carried out.

Select By Station Number to balance network traffic based on the number of specified

stations connect to an AP.

Select By Traffi c Level to balance network traffic based on the volume generated by the

stations connected to an AP.

Once the threshold is crossed (either the maximum station numbers or with network

traffic), then the AP delays association request and authentication request packets from

any new station that attempts to make a connection. This allows the station to

automatically attempt to connect to another, less burdened AP if one is available.

Max Station

Number Enter the threshold number of stations at which an AP begins load balancing its

connections.

Traffic Level Select the threshold traffic level at which the AP begins load balancing its connections

(low, medium, high).

Disassociate

station when

overloaded

Select this option to disassociate wireless clients connected to the AP when it becomes

overloaded. If you do not enable this option, then the AP simply delays the connection

until it can afford the bandwidth it requires, or it transfers the connection to another AP

within its broadcast radius.

The disassociation priority is determined automatically by the ZyWALL/USG and is as

follows:

•Idle Timeout - Devices that have been idle the longest will be disassociated first. If

none of the connected devices are idle, then the priority shifts to Signal Strength.

•Signal Strength - Devices with the weakest signal strength will be disassociated first.

Note: If you enable this function, you should ensure that there are multiple APs within the

broadcast radius that can accept any rejected or kicked wireless clients; otherwise, a

wireless client attempting to connect to an overloaded AP will be kicked continuously

and never be allowed to connect.

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

170

8.5.1 Disassociating and Delaying Connections

When your AP becomes overloaded, there are two basic responses it can take. The first one is to

“delay” a client connection. This means that the AP withholds the connection until the data transfer

throughput is lowered or the client connection is picked up by another AP. If the client is picked up

by another AP then the original AP cannot resume the connection.

For example, here the AP has a balanced bandwidth allotment of 6 Mbps. If laptop R connects and

it pushes the AP over its allotment, say to 7 Mbps, then the AP delays the red laptop’s connection

until it can afford the bandwidth or the laptop is picked up by a different AP with bandwidth to

spare.

Figure 141 Delaying a Connection

The second response your AP can take is to kick the connections that are pushing it over its

balanced bandwidth allotment.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Ta ble 79 Configuration > Wireless > Load Balancing (continued)

LABEL DESCRIPTION

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

171

Figure 142 Kicking a Connection

Connections are kicked based on either idle timeout or signal strength. The ZyWALL/USG first

looks to see which devices have been idle the longest, then starts kicking them in order of highest

idle time. If no connections are idle, the next criteria the ZyWALL/USG analyzes is signal strength.

Devices with the weakest signal strength are kicked first.

8.6 DCS

Use DCS (Dynamic Channel Selection) in an environment where are many APs and there may be

interference. DCS allows APs to automatically find a less-used channel in such an environment. Use

this screen to configure dynamic radio channel selection on managed APs. Click Configuration >

Wireless > DCS to access this screen.

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

172

Figure 143 Configuration > Wireless > DCS

Each field is described in the following table.

Ta ble 80 Configuration > Wireless > DCS

LABEL DESCRIPTION

General Settings

Select Now Click this to have the managed APs scan for and select an available channel

immediately.

Enable Dynamic

Channel Selection

Select this to turn on dynamic channel selection for the APs that the ZyWALL/USG

manages.

DCS Time Interval Enter a number of minutes. This regulates how often the ZyWALL/USG surveys the

other APs within its broadcast radius. If the channel on which it is currently

broadcasting suddenly comes into use by another AP, the ZyWALL/USG will then

dynamically select the next available clean channel or a channel with lower

interference.

Enable DCS Client

Aware

Select this to have the AP wait until all connected clients have disconnected before

switching channels.

If you disable this then the AP switches channels immediately regardless of any client

connections. In this instance, clients that are connected to the AP when it switches

channels are dropped.

2.4 GHz Settings

2.4 GHz Channel

Selection Method

Select auto to have the AP search for available channels automatically in the 2.4 GHz

band. The available channels vary depending on what you select in the 2.4 GHz

Channel Deployment field.

Select manual and specify the channels the AP uses in the 2.4 GHz band.

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

173

Available

channels This text box lists the channels that are available in the 2.4 GHz band. Select the

channels that you want the AP to use, and click the right arrow button to add them.

Channels

selected This text box lists the channels that you allow the AP to use. Select any channels that

you want to prevent the AP from using it, and click the left arrow button to remove

them.

2.4 GHz Channel

Deployment

This field is available only when you set 2.4 GHz Channel Selection Method to auto.

Select Three-Channel Deployment to limit channel switching to channels 1,6, and

11, the three channels that are sufficiently attenuated to have almost no impact on one

another. In other words, this allows you to minimize channel interference by limiting

channel-hopping to these three “safe” channels.

Select Four-Channel Deployment to limit channel switching to four channels.

Depending on the country domain, if the only allowable channels are 1-11 then the

ZyWALL/USG uses channels 1, 4, 7, 11 in this configuration; otherwise, the ZyWALL/

USG uses channels 1, 5, 9, 13 in this configuration. Four channel deployment expands

your pool of possible channels while keeping the channel interference to a minimum.

5 GHz Settings

Enable 5 GHz DFS

Aware

Select this if your APs are operating in an area known to have RADAR devices. This

allows the device to downgrade its frequency to below 5 GHz in the event a RADAR

signal is detected, thus preventing it from interfering with that signal.

Enabling this forces the AP to select a non-DFS channel.

5 GHz Channel

Selection Method

Select auto to have the AP search for available channels automatically in the 5 GHz

band.

Select manual and specify the channels the AP uses in the 5 GHz band.

Available

channels This text box lists the channels that are available in the 5 GHz band. Select the

channels that you want the AP to use, and click the right arrow button to add them.

Channels

selected This text box lists the channels that you allow the AP to use. Select any channels that

you want to prevent the AP from using it, and click the left arrow button to remove

them.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Ta ble 80 Configuration > Wireless > DCS (continued)

LABEL DESCRIPTION

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

174

8.7 Auto Healing

Use this screen to enable auto healing, which allows you to extend the wireless service coverage

area of the managed APs when one of the APs fails. Click Configuration > Wireless > Auto

Healing to access this screen.

Figure 144 Configuration > Wireless > Auto Healing

Each field is described in the following table.

Ta ble 81 Configuration > Wireless > Auto Healing

LABEL DESCRIPTION

Enable Auto

Healing

Select this option to turn on the auto healing feature.

Save Current

State

Click this button to have all manged APs immediately scan their neighborhoods three

times in a row and update their neighbor lists to the AP controller (ZyWALL/USG).

Auto Healing

Interval

Set the time interval (in minutes) at which the managed APs scan their neighborhoods

and report the status of neighbor APs to the AP controller (ZyWALL/USG).

An AP is considered “failed” if the AP controller obtains the same scan result that the AP is

missing from the neighbor list of other APs three times.

Power Threshold Set the power level (in dBm) to which the neighbor APs of the failed AP increase their

output power in order to extend their wireless service coverage areas.

When the failed AP is working again, its neighbor APs return their output power to the

original level.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

175

8.8 Technical Reference

The following section contains additional technical information about the features described in this

chapter.

8.8.1 Dynamic Channel Selection

When numerous APs broadcast within a given area, they introduce the possibility of heightened

radio interference, especially if some or all of them are broadcasting on the same radio channel. If

the interference becomes too great, then the network administrator must open his AP configuration

options and manually change the channel to one that no other AP is using (or at least a channel

that has a lower level of interference) in order to give the connected stations a minimum degree of

interference. Dynamic channel selection frees the network administrator from this task by letting

the AP do it automatically. The AP can scan the area around it looking for the channel with the least

amount of interference.

In the 2.4 GHz spectrum, each channel from 1 to 13 is broken up into discrete 22 MHz segments

that are spaced 5 MHz apart. Channel 1 is centered on 2.412 GHz while channel 13 is centered on

2.472 GHz.

Figure 145 An Example Three-Channel Deployment

Three channels are situated in such a way as to create almost no interference with one another if

used exclusively: 1, 6 and 11. When an AP broadcasts on any of these three channels, it should not

interfere with neighboring APs as long as they are also limited to same trio.

Figure 146 An Example Four-Channel Deployment

However, some regions require the use of other channels and often use a safety scheme with the

following four channels: 1, 4, 7 and 11. While they are situated sufficiently close to both each other

and the three so-called “safe” channels (1,6 and 11) that interference becomes inevitable, the

severity of it is dependent upon other factors: proximity to the affected AP, signal strength, activity,

and so on.

Chapter 8 Wireless

ZyWALL/USG Series User’s Guide

176

Finally, there is an alternative four channel scheme for ETSI, consisting of channels 1, 5, 9, 13. This

offers significantly less overlap that the other one.

Figure 147 An Alternative Four-Channel Deployment

8.8.2 Load Balancing

Because there is a hard upper limit on an AP’s wireless bandwidth, load balancing can be crucial in

areas crowded with wireless users. Rather than let every user connect and subsequently dilute the

available bandwidth to the point where each connecting device receives a meager trickle, the load

balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.

There are two kinds of wireless load balancing available on the ZyWALL/USG:

Load balancing by station number limits the number of devices allowed to connect to your AP. If

you know exactly how many stations you want to let connect, choose this option.

For example, if your company’s graphic design team has their own AP and they have 10 computers,

you can load balance for 10. Later, if someone from the sales department visits the graphic design

team’s offices for a meeting and he tries to access the network, his computer’s connection is

delayed, giving it the opportunity to connect to a different, neighboring AP. If he still connects to

the AP regardless of the delay, then the AP may boot other people who are already connected in

order to associate with the new connection.

Load balancing by traffic level limits the number of connections to the AP based on maximum

bandwidth available. If you are uncertain as to the exact number of wireless connections you will

have then choose this option. By setting a maximum bandwidth cap, you allow any number of

devices to connect as long as their total bandwidth usage does not exceed the configured

bandwidth cap associated with this setting. Once the cap is hit, any new connections are rejected or

delayed provided that there are other APs in range.

Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its

customers. The coffee shop owner can’t possibly know how many connections his AP will have at

any given moment. As such, he decides to put a limit on the bandwidth that is available to his

customers but not on the actual number of connections he allows. This means anyone can connect

to his wireless network as long as the AP has the bandwidth to spare. If too many people connect

and the AP hits its bandwidth cap then all new connections must basically wait for their turn or get

shunted to the nearest identical AP.

ZyWALL/USG Series User’s Guide

177

CHAPTER 9

Interfaces

9.1 Interface Overview

Use the Interface screens to configure the ZyWALL/USG’s interfaces. You can also create

interfaces on top of other interfaces.

•Ports are the physical ports to which you connect cables.

•Interfaces are used within the system operationally. You use them in configuring various

features. An interface also describes a network that is directly connected to the ZyWALL/USG.

For example, You connect the LAN network to the LAN interface.

•Zones are groups of interfaces used to ease security policy configuration.

9.1.1 What You Can Do in this Chapter

•Use the Port Role screen (Section 9.2 on page 182) to create port groups and to assign physical

ports and port groups to Ethernet interfaces.

•Use the Ethernet screens (Section 9.3 on page 183) to configure the Ethernet interfaces.

Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and

OSPF are also configured in these interfaces.

•Use the PPP screens (Section 9.4 on page 204) for PPPoE or PPTP Internet connections.

•Use the Cellular screens (Section 9.5 on page 210) to configure settings for interfaces for

Internet connections through an installed mobile broadband card.

•Use the Tunnel screens (Section 9.6 on page 219) to configure tunnel interfaces to be used in

Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels.

•Use the VLAN screens (Section 9.7 on page 226) to divide the physical network into multiple

logical networks. VLAN interfaces receive and send tagged frames. The ZyWALL/USG

automatically adds or removes the tags as needed. Each VLAN can only be associated with one

Ethernet interface.

•Use the Bridge screens (Section 9.8 on page 238) to combine two or more network segments

into a single network.

•Use the Auxiliary screens (Section 9.9 on page 250) to configure the ZyWALL/USG’s auxiliary

interface to use an external modem.

•Use the Virtual Interface screen (Section 9.9.1 on page 250) to create virtual interfaces on top

of Ethernet interfaces to tell the ZyWALL/USG where to route packets. You can create virtual

Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.

•Use the Trunk screens (Section 9.11 on page 255) to configure load balancing.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

178

9.1.2 What You Need to Know

Interface Characteristics

Interfaces generally have the following characteristics (although not all characteristics apply to each

type of interface).

• An interface is a logical entity through which (layer-3) packets pass.

• An interface is bound to a physical port or another interface.

• Many interfaces can share the same physical port.

• An interface belongs to at most one zone.

• Many interfaces can belong to the same zone.

• Layer-3 virtualization (IP alias, for example) is a kind of interface.

Types of Interfaces

You can create several types of interfaces in the ZyWALL/USG.

• Setting interfaces to the same port role forms a port group. Port groups creates a hardware

connection between physical ports at the layer-2 (data link, MAC address) level. Port groups are

created when you uUse the Interface > Port Roles or Interf ace > Port Group s screen to set

multiple physical ports to be part of the same interface.

•Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP

and OSPF are also configured in these interfaces.

•Tunnel interfaces send IPv4 or IPv6 packets from one network to a specific network through

the Internet or a public network.

•VLAN interfaces receive and send tagged frames. The ZyWALL/USG automatically adds or

removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.

•Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the

layer-2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage

of some security features in the ZyWALL/USG. You can also assign an IP address and subnet

mask to the bridge.

•PPP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP

interfaces.

•Cellular interfaces are for mobile broadband WAN connections via a connected mobile

broadband device.

•Virtual interfaces provide additional routing information in the ZyWALL/USG. There are three

types: virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.

•Trunk interfaces manage load balancing between interfaces.

Port groups and trunks have a lot of characteristics that are specific to each type of interface. The

other types of interfaces--Ethernet, PPP, cellular, VLAN, bridge, and virtual--have a lot of similar

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

179

characteristics. These characteristics are listed in the following table and discussed in more detail

below.

Note: - * The format of interface names other than the Ethernet and ppp interface

names is strict. Each name consists of 2-4 letters (interface type), followed by a

number (x). For most interfaces, x is limited by the maximum number of the type

of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN

name field. For example, Ethernet interface names are wan1, wan2, lan1, lan2,

dmz; VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on.

** - The names of virtual interfaces are derived from the interfaces on which they

are created. For example, virtual interfaces created on Ethernet interface wan1 are

called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface

vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after

the colon(:) in the Web Configurator; it is a sequential number. You can specify the

number after the colon if you use the CLI to set up a virtual interface.

Relationships Between Interfaces

In the ZyWALL/USG, interfaces are usually created on top of other interfaces. Only Ethernet

interfaces are created directly on top of the physical ports or port groups. The relationships

between interfaces are explained in the following table.

Ta ble 82 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics

CHARACTERISTICS ETHERNET ETHERNET PPP CELLULAR VLAN BRIDGE VIRTUAL

Name* wan1, wan2 lan1, lan2,

dmz

pppxcellularx vlanxbrx**

Configurable Zone No No Yes Yes Yes Yes No

IP Address Assignment

Static IP address Yes Yes Yes Yes Yes Yes Yes

DHCP client Yes No Yes Yes Yes Yes No

Routing metric Yes Yes Yes Yes Yes Yes Yes

Interface Parameters

Bandwidth

restrictions Yes Yes Yes Yes Yes Yes Yes

Packet size (MTU) Yes Yes Yes Yes Yes Yes No

DHCP

DHCP server No Yes No No Yes Yes No

DHCP relay No Yes No No Yes Yes No

Connectivity Check Yes No Yes Yes Yes Yes No

Ta ble 83 Relationships Between Different Types of Interfaces

INTERFACE REQUIRED PORT / INTERFACE

Ethernet interface physical port

VLAN interface Ethernet interface

bridge interface Ethernet interface*

VLAN interface*

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

180

Note: * You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN

interface if the underlying interface is a member of a bridge. You also cannot add

an Ethernet interface or VLAN interface to a bridge if the member interface has a

virtual interface or PPP interface on top of it.

IPv6 Overview

IPv6 (Internet Protocol version 6), is designed to enhance IP address size and features. The

increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 1038 IP

addresses.

IPv6 Addressing

An 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This

is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

IPv6 addresses can be abbreviated in two ways:

• Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can

be written as 2001:db8:1a2b:15:0:0:1a2f:0.

• Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can

only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be

written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015,

2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.

Prefix and Prefix Length

Similar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An

IPv6 prefix length specifies how many most significant bits (start from the left) in the address

PPP interface Ethernet interface*

VLAN interface*

bridge interface

WAN1, WAN2, OPT*

virtual interface

(virtual Ethernet interface)

(virtual VLAN interface)

(virtual bridge interface)

Ethernet interface*

VLAN interface*

bridge interface

trunk Ethernet interface

Cellular interface

VLAN interface

bridge interface

PPP interface

Ta ble 83 Relationships Between Different Types of Interfaces (continued)

INTERFACE REQUIRED PORT / INTERFACE

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

181

compose the network address. The prefix length is written as “/x” where x is a number. For

example,

2001:db8:1a2b:15::1a2f:0/32

means that the first 32 bits (2001:db8) from the left is the network prefix.

Link-local Address

A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a

“private IP address” in IPv4. You can have the same link-local address on multiple interfaces on a

device. A link-local unicast address has a predefined prefix of fe80::/10. The link-local unicast

address format is as follows.

Subnet Masking

Both an IPv6 address and IPv6 subnet mask compose of 128-bit binary digits, which are divided

into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each

character (1 ~ 10, A ~ F). Each block’s 16 bits are then represented by four hexadecimal

characters. For example, FFFF:FFFF:FFFF:FFFF:FC00:0000:0000:0000.

Stateless Autoconfiguration

With stateless autoconfiguration in IPv6, addresses can be uniquely and automatically generated.

Unlike DHCPv6 (Dynamic Host Configuration Protocol version six) which is used in IPv6 stateful

autoconfiguration, the owner and status of addresses don’t need to be maintained by a DHCP

server. Every IPv6 device is able to generate its own and unique IP address automatically when

IPv6 is initiated on its interface. It combines the prefix and the interface ID (generated from its own

Ethernet MAC address) to form a complete IPv6 address.

When IPv6 is enabled on a device, its interface automatically generates a link-local address

(beginning with fe80).

When the ZyWALL/USG’s WAN interface is connected to an ISP with a router and the ZyWALL/USG

is set to automatically obtain an IPv6 network prefix from the router for the interface, it generates

another address which combines its interface ID and global and subnet information advertised from

the router. (In IPv6, all network interfaces can be associated with several addresses.) This is a

routable global IP address.

Prefix Delegation

Prefix delegation enables an IPv6 router (the ZyWALL/USG) to use the IPv6 prefix (network

address) received from the ISP (or a connected uplink router) for its LAN. The ZyWALL/USG uses

the received IPv6 prefix (for example, 2001:db2::/48) to generate its LAN IP address. Through

sending Router Advertisements (RAs) regularly by multicast, the router passes the IPv6 prefix

information to its LAN hosts. The hosts then can use the prefix to generate their IPv6 addresses.

Ta ble 84 Link-local Unicast Address Format

1111 1110 10 0 Interface ID

10 bits 54 bits 64 bits

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

182

IPv6 Router Advertisement

An IPv6 router sends router advertisement messages periodically to advertise its presence and

other parameters to the hosts in the same network.

DHCPv6

The Dynamic Host Configuration Protocol for IPv6 (DHCPv6, RFC 3315) is a server-client protocol

that allows a DHCP server to assign and pass IPv6 network addresses, prefixes and other

configuration information to DHCP clients. DHCPv6 servers and clients exchange DHCP messages

using UDP.

Each DHCP client and server has a unique DHCP Unique IDentifier (DUID), which is used for

identification when they are exchanging DHCPv6 messages. The DUID is generated from the MAC

address, time, vendor assigned ID and/or the vendor's private enterprise number registered with

the IANA. It should not change over time even after you reboot the device.

9.1.3 What You Need to Do First

For IPv6 settings, go to the Configuration > System > IPv6 screen to enable IPv6 support on the

ZyWALL/USG first.

9.2 Port Role Screen

To access this screen, click Configuration > Network > Interface > Port Role. Use the Port

Role screen to set the ZyWALL/USG’s flexible ports as part of the lan1, lan2, ext-wlanext-lan or

dmz interfaces. This creates a hardware connection between the physical ports at the layer-2 (data

link, MAC address) level. This provides wire-speed throughput but no security.

The following table shows the models that support port role at the time of writing.

Note the following if you are configuring from a computer connected to a lan1, lan2, ext-wlanext-

lan or dmz port and change the port's role:

• A port's IP address varies as its role changes, make sure your computer's IP address is in the

same subnet as the ZyWALL/USG's lan1, lan2, ext-wlanext-lan or dmz IP address.

• Use the appropriate lan1, lan2, ext-wlanext-lan or dmz IP address to access the ZyWALL/

USG.

Table 85 Models with Port Role

MODEL WITH PORT ROLE MODEL WITH PORT ROLE

ZyWALL 110 USG60W

USG40 USG110

USG40W USG210

USG60

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

183

Figure 148 Configuration > Network > Interface > Port Role

The physical Ethernet ports are shown at the top and the Ethernet interfaces and zones are shown

at the bottom of the screen. Use the radio buttons to select for which interface (network) you want

to use each physical port. For example, select a port’s LAN radio button to use the port as part of

the LAN interface. The port will use the ZyWALL/USG’s LAN IP address and MAC address.

When you assign more than one physical port to a network, you create a port group. Port groups

have the following characteristics:

• There is a layer-2 Ethernet switch between physical ports in the port group. This provides wire-

speed throughput but no security.

• It can increase the bandwidth between the port group and other interfaces.

• The port group uses a single MAC address.

Click Apply to save your changes and apply them to the ZyWALL/USG.

Click Reset to change the port groups to their current configuration (last-saved values).

9.3 Ethernet Summary Screen

This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces.

If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure

Ethernet interfaces used for your IPv6 networks on this screen. To access this screen, click

Configuration > Network > Interface > Ethernet.

Unlike other types of interfaces, you cannot create new Ethernet interfaces nor can you delete any

of them. If an Ethernet interface does not have any physical ports assigned to it, the Ethernet

interface is effectively removed from the ZyWALL/USG, but you can still configure it.

Ethernet interfaces are similar to other types of interfaces in many ways. They have an IP address,

subnet mask, and gateway used to make routing decisions. They restrict the amount of bandwidth

and packet size. They can provide DHCP services, and they can verify the gateway is available.

Use Ethernet interfaces to control which physical ports exchange routing information with other

routers and how much information is exchanged through each one. The more routing information is

Physical Ports

Default

interface (ZONE)

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

184

exchanged, the more efficient the routers should be. However, the routers also generate more

network traffic, and some routing protocols require a significant amount of configuration and

management. The ZyWALL/USG supports two routing protocols, RIP and OSPF. See Chapter 10 on

page 275 for background information about these routing protocols.

Figure 149 Configuration > Network > Interface > Ethernet

Each field is described in the following table.

Ta ble 86 Configuration > Network > Interface > Ethernet

LABEL DESCRIPTION

Configuration / IPv6

Configuration

Use the Configuration section for IPv4 network settings. Use the IPv6

Configuration section for IPv6 network settings if you connect your ZyWALL/USG to

an IPv6 network. Both sections have similar fields as described below.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify

the entry’s settings.

Remove To remove a virtual interface, select it and click Remove. The ZyWALL/USG confirms

you want to remove it before doing so.

Activate To turn on an interface, select it and click Activate.

Inactivate To turn off an interface, select it and click Inactivate.

Create Virtual

Interface

To open the screen where you can create a virtual Ethernet interface, select an

Ethernet interface and click Create Virtual Interface.

Object References Select an entry and click Object Reference to open a screen that shows which

settings use the entry. See Section 9.3.2 on page 201 for an example.

# This field is a sequential value, and it is not associated with any interface.

Status This icon is lit when the entry is active and dimmed when the entry is inactive.

Name This field displays the name of the interface.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

185

9.3.1 Ethernet Edit

The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP

settings, OSPF settings, DHCP settings, connectivity check, and MAC address settings. To access

this screen, click an Edit icon in the Ethernet Summary screen. (See Section 9.3 on page 183.)

The OPT interface’s Edit > Configuration screen is shown here as an example. The screens for

other interfaces are similar and contain a subset to the OPT interface screen’s fields.

Note: If you create IP address objects based on an interface’s IP address, subnet, or

gateway, the ZyWALL/USG automatically updates every rule or setting that uses

the object whenever the interface’s IP address settings change. For example, if you

change the LAN’s IP address, the ZyWALL/USG automatically updates the

corresponding interface-based, LAN subnet address object.

With RIP, you can use Ethernet interfaces to do the following things.

• Enable and disable RIP in the underlying physical port or port group.

• Select which direction(s) routing information is exchanged - The ZyWALL/USG can receive

routing information, send routing information, or do both.

• Select which version of RIP to support in each direction - The ZyWALL/USG supports RIP-1, RIP-

2, and both versions.

• Select the broadcasting method used by RIP-2 packets - The ZyWALL/USG can use subnet

broadcasting or multicasting.

With OSPF, you can use Ethernet interfaces to do the following things.

• Enable and disable OSPF in the underlying physical port or port group.

• Select the area to which the interface belongs.

• Override the default link cost and authentication method for the selected area.

• Select in which direction(s) routing information is exchanged - The ZyWALL/USG can receive

routing information, send routing information, or do both.

IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0 (in

the IPv4 network) or :: (in the IPv6 network), the interface does not have an IP

address yet.

In the IPv4 network, this screen also shows whether the IP address is a static IP

address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in

virtual interfaces.

In the IPv6 network, this screen also shows whether the IP address is a static IP

address (STATIC), link-local IP address (LINK LOCAL), dynamically assigned

(DHCP), or an IPv6 StateLess Address AutoConfiguration IP address (SLAAC). See

Section 9.1.2 on page 178 for more information about IPv6.

Mask This field displays the interface’s subnet mask in dot decimal notation.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Ta ble 86 Configuration > Network > Interface > Ethernet (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

186

Set the priority used to identify the DR or BDR if one does not exist.

IGMP Proxy

Internet Group Management Protocol (IGMP) proxy is used for multicast routing. IGMP proxy enables the

ZyWALL/USG to issue IGMP host messages on behalf of hosts that the ZyWALL/USG discovered on its IGMP-

enabled interfaces. The ZyWALL/USG acts as a proxy for its hosts. Refer to the following figure.

• DS: Downstream traffic

• US: Upstream traffic

•R: Router

• MS: Multicast Server

• Enable IGMP Upstream (US) on the ZyWALL/USG interface that connects to a router (R) running

IGMP that is closer to the multicast server (MS).

• Enable IGMP Downstream on the ZyWALL/USG interface which connects to the multicast hosts.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

187

• Configuration > Network > Interface > Ethernet > Edit (External Type)

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

188

Configuration > Network > Interface > Ethernet > Edit (External Type

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

189

Figure 150 Configuration > Network > Interface > Ethernet > Edit (Internal Type)

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

190

Configuration > Network > Interface > Ethernet > Edit (Internal Type)

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

191

Figure 151 Configuration > Network > Interface > Ethernet > Edit (OPT)

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

192

Configuration > Network > Interface > Ethernet > Edit (OPT)

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

193

This screen’s fields are described in the table below.

Ta ble 87 Configuration > Network > Interface > Ethernet > Edit

LABEL DESCRIPTION

IPv4/IPv6 View /

IPv4 View / IPv6

View

Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration

fields.

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use

for the DHCPv6 settings in this screen.

General Settings

Enable Interface Select this to enable this interface. Clear this to disable this interface.

General IPv6

Setting

Enable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.

Interface Properties

Interface Type This field is configurable for the OPT interface only. Select to which type of network

you will connect this interface. When you select internal or external the rest of the

screen’s options automatically adjust to correspond. The ZyWALL/USG automatically

adds default route and SNAT settings for traffic it routes from internal interfaces to

external interfaces; for example LAN to WAN traffic.

internal is for connecting to a local network. Other corresponding configuration

options: DHCP server and DHCP relay. The ZyWALL/USG automatically adds default

SNAT settings for traffic flowing from this interface to an external interface.

external is for connecting to an external network (like the Internet). The ZyWALL/USG

automatically adds this interface to the default WAN trunk.

For general, the rest of the screen’s options do not automatically adjust and you must

manually configure a policy route to add routing and SNAT settings for the interface.

Interface Name Specify a name for the interface. It can use alphanumeric characters, hyphens, and

underscores, and it can be up to 11 characters long.

Port This is the name of the Ethernet interface’s physical port.

Zone Select the zone to which this interface is to belong. You use zones to apply security

settings such as security policy, IDP, remote management, anti-virus, and application

patrol.

MAC Address This field is read-only. This is the MAC address that the Ethernet interface uses.

Description Enter a description of this interface. It is not used elsewhere. You can use

alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters

long.

IP Address

Assignment

These IP address fields configure an IPv4 IP address on the interface itself. If you

change this IP address on the interface, you may also need to change a related

address object for the network connected to the interface. For example, if you use this

screen to change the IP address of your LAN interface, you should also change the

corresponding LAN subnet address object.

Get

Automatically This option appears when Interface Type is external or general. Select this to make

the interface a DHCP client and automatically get the IP address, subnet mask, and

gateway address from a DHCP server.

You should not select this if the interface is assigned to a VRRP group. See Chapter 34

on page 548.

Use Fixed IP

Address This option appears when Interface Type is external or general. Select this if you

want to specify the IP address, subnet mask, and gateway manually.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

194

IP Address Enter the IP address for this interface.

Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask

indicates what part of the IP address is the same for all computers in the network.

Gateway This option appears when Interface Type is external or general. Enter the IP

address of the gateway. The ZyWALL/USG sends packets to the gateway when it does

not know how to route the packet to its destination. The gateway should be on the

same network as the interface.

Metric This option appears when Interface Type is external or general. Enter the priority

of the gateway (if any) on this interface. The ZyWALL/USG decides which gateway to

use based on this priority. The lower the number, the higher the priority. If two or more

gateways have the same priority, the ZyWALL/USG uses the one that was configured

first.

Enable IGMP

Support

Select this to allow the ZyWALL/USG to act as an IGMP proxy for hosts connected on

the IGMP downstream interface.

IGMP Version: Select the IGMP version to be used on this ZyWALL/USG interface.

IGMP Upstream Enable IGMP Upstream on the interface which connects to a router running IGMP that

is closer to the multicast server.

IGMP

Downstream Enable IGMP Downstream on the interface which connects to the multicast hosts.

IPv6 Address

Assignment

These IP address fields configure an IPv6 IP address on the interface itself.

Enable Stateless

Address Auto-

configuration

(SLAAC)

Select this to enable IPv6 stateless auto-configuration on this interface. The interface

will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the

network.

Link-Local

address This displays the IPv6 link-local address and the network prefix that the ZyWALL/USG

generates itself for the interface.

IPv6 Address/

Prefix Length Enter the IPv6 address and the prefix length for this interface if you want to use a

static IP address. This field is optional.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Gateway Enter the IPv6 address of the default outgoing gateway using colon (:) hexadecimal

notation.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL/USG decides

which gateway to use based on this priority. The lower the number, the higher the

priority. If two or more gateways have the same priority, the ZyWALL/USG uses the

one that was configured first.

Address from

DHCPv6 Prefix

Delegation

Use this table to have the ZyWALL/USG obtain an IPv6 prefix from the ISP or a

connected uplink router for an internal network, such as the LAN or DMZ. You have to

also enter a suffix address which is appended to the delegated prefix to form an

address for this interface. See Prefix Delegation on page 181 for more information.

To use prefix delegation, you must:

• Create at least one DHCPv6 request object before configuring this table.

• The external interface must be a DHCPv6 client. You must configure the DHCPv6

request options using a DHCPv6 request object with the type of prefix-delegation.

• Assign the prefix delegation to an internal interface and enable router

advertisement on that interface.

Add Click this to create an entry.

Edit Select an entry and click this to change the settings.

Remove Select an entry and click this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Ta ble 87 Configuration > Network > Interface > Ethernet > Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

195

Delegated

Prefix Select the DHCPv6 request object to use from the drop-down list.

Suffix

Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The

ZyWALL/USG will append it to the delegated prefix.

For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure

an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter

::1111:0:0:0:1/128 in this field.

Address This field displays the combined IPv6 IP address for this interface.

Note: This field displays the combined address after you click OK and reopen this

screen.

DHCPv6 Setting

DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique

and used for identification purposes when the interface is exchanging DHCPv6

messages with others. See DHCPv6 on page 182 for more information.

DUID as MAC Select this if you want the DUID is generated from the interface’s default MAC address.

Customized

DUID If you want to use a customized DUID, enter it here for the interface.

Enable Rapid

Commit Select this to shorten the DHCPv6 message exchange process from four to two steps.

This function helps reduce heavy network traffic load.

Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit

work.

Information

Refresh Time Enter the number of seconds a DHCPv6 client should wait before refreshing information

retrieved from DHCPv6.

Request Address This field is available if you set this interface to DHCPv6 Client. Select this to get an

IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP

address information through DHCPv6.

DHCPv6 Request

Options /

DHCPv6 Lease

Options

If this interface is a DHCPv6 client, use this section to configure DHCPv6 request

settings that determine what additional information to get from the DHCPv6 server. If

the interface is a DHCPv6 server, use this section to configure DHCPv6 lease settings

that determine what additional information to offer to the DHCPv6 clients.

Add Click this to create an entry in this table. See Section 9.3.3 on page 201 for more

information.

Remove Select an entry and click this to delete it from this table.

Object

Reference Select an entry and click Object Reference to open a screen that shows which

settings use the entry. See Section 9.3.2 on page 201 for an example.

# This field is a sequential value, and it is not associated with any entry.

Name This field displays the name of the DHCPv6 request or lease object.

Type This field displays the type of the object.

Value This field displays the IPv6 prefix that the ZyWALL/USG obtained from an uplink router

(Server is selected) or will advertise to its clients (Client is selected).

Interface When Relay is selected, select this check box and an interface from the drop-down list

if you want to use it as the relay server.

Relay Server When Relay is selected, select this check box and enter the IP address of a DHCPv6

server as the relay server.

IPv6 Router

Setting

Ta ble 87 Configuration > Network > Interface > Ethernet > Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

196

Enable Router

Advertisement Select this to enable this interface to send router advertisement messages periodically.

See IPv6 Router Advertisement on page 182 for more information.

Advertised Hosts

Get Network

Configuration

From DHCPv6

Select this to have the ZyWALL/USG indicate to hosts to obtain network settings (such

as prefix and DNS settings) through DHCPv6.

Clear this to have the ZyWALL/USG indicate to hosts that DHCPv6 is not available and

they should use the prefix in the router advertisement message.

Advertised Hosts

Get Other

Configuration

From DHCPv6

Select this to have the ZyWALL/USG indicate to hosts to obtain DNS information

through DHCPv6.

Clear this to have the ZyWALL/USG indicate to hosts that DNS information is not

available in this network.

Router

Preference Select the router preference (Low, Medium or High) for the interface. The interface

sends this preference in the router advertisements to tell hosts what preference they

should use for the ZyWALL/USG. This helps hosts to choose their default router

especially when there are multiple IPv6 router in the network.

Note: Make sure the hosts also support router preference to make this function work.

MTU The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in

bytes, that can move through this interface. If a larger packet arrives, the ZyWALL/

USG discards the packet and sends an error message to the sender to inform this.

Hop Limit Enter the maximum number of network segments that a packet can cross before

reaching the destination. When forwarding an IPv6 packet, IPv6 routers are required to

decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0.

Advertised

Prefix Table Configure this table only if you want the ZyWALL/USG to advertise a fixed prefix to the

network.

Add Click this to create an IPv6 prefix address.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

IPv6

Address/

Prefix Length

Enter the IPv6 network prefix address and the prefix length.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Advertised

Prefix from

DHCPv6 Prefix

Delegation

This table is available when the Interface Type is internal. Use this table to

configure the network prefix if you want to use a delegated prefix as the beginning part

of the network prefix.

Add Click this to create an entry in this table.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use for generating the network prefix for the

network.

Suffix

Address Enter the ending part of the IPv6 network address plus a slash (/) and the prefix

length. The ZyWALL/USG will append it to the selected delegated prefix. The combined

address is the network prefix for the network.

For example, you got a delegated prefix of 2003:1234:5678/48. You want to divide it

into 2003:1234:5678:1111/64 for this interface and 2003:1234:5678:2222/64 for

another interface. You can use ::1111/64 and ::2222/64 for the suffix address

respectively. But if you do not want to divide the delegated prefix into subnetworks,

enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.

Ta ble 87 Configuration > Network > Interface > Ethernet > Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

197

Address This is the final network prefix combined by the delegated prefix and the suffix.

Note: This field displays the combined address after you click OK and reopen this

screen.

Interface

Parameters

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can

send through the interface to the network. Allowed values are 0 - 1048576.

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can

receive from the network through the interface. Allowed values are 0 - 1048576.

MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL/USG

divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is

1500.

Connectivity Check These fields appear when Interface Properties is External or General.

The interface can regularly check the connection to the gateway you specified to make

sure it is still available. You specify how often the interface checks the connection, how

long to wait for a response before the attempt is a failure, and how many consecutive

failures are required before the ZyWALL/USG stops routing to the gateway. The

ZyWALL/USG resumes routing to the gateway the first time the gateway passes the

connectivity check.

Enable

Connectivity

Check

Select this to turn on the connection check.

Check Method Select the method that the gateway allows.

Select icmp to have the ZyWALL/USG regularly ping the gateway you specify to make

sure it is still available.

Select tcp to have the ZyWALL/USG regularly perform a TCP handshake with the

gateway you specify to make sure it is still available.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail

Tolerance Enter the number of consecutive failures before the ZyWALL/USG stops routing

through the gateway.

Check Default

Gateway Select this to use the default gateway for the connectivity check.

Check this

address Select this to specify a domain name or IP address for the connectivity check. Enter

that domain name or IP address in the field next to it.

Check Port This field only displays when you set the Check Method to tcp. Specify the port

number to use for a TCP connectivity check.

DHCP Setting This section appears when Interface Type is internal or general.

Ta ble 87 Configuration > Network > Interface > Ethernet > Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

198

DHCP Select what type of DHCP service the ZyWALL/USG provides to the network. Choices

are:

None - the ZyWALL/USG does not provide any DHCP services. There is already a DHCP

server on the network.

DHCP Relay - the ZyWALL/USG routes DHCP requests to one or more DHCP servers

you specify. The DHCP server(s) may be on another network.

DHCP Server - the ZyWALL/USG assigns IP addresses and provides subnet mask,

gateway, and DNS server information to the network. The ZyWALL/USG is the DHCP

server for the network.

These fields appear if the ZyWALL/USG is a DHCP Rel ay.

Relay Server 1 Enter the IP address of a DHCP server for the network.

Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network.

These fields appear if the ZyWALL/USG is a DHCP Se rver.

IP Pool Start

Address Enter the IP address from which the ZyWALL/USG begins allocating IP addresses. If

you want to assign a static IP address to a specific computer, use the Static DHCP

Table.

If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL/USG

can assign every IP address allowed by the interface’s IP address and subnet mask,

except for the first address (network address), last address (broadcast address) and

the interface’s IP address.

Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is

limited by the interface’s Subnet Mask. For example, if the Subnet Mask is

255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL/USG can

allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.

If this field is blank, the IP Pool Start Address must also be blank. In this case, the

ZyWALL/USG can assign every IP address allowed by the interface’s IP address and

subnet mask, except for the first address (network address), last address (broadcast

address) and the interface’s IP address.

First DNS

Server, Second

DNS Server,

Third DNS

Server

Specify the IP addresses up to three DNS servers for the DHCP clients to use. Use one

of the following ways to specify these IP addresses.

Custom Defined - enter a static IP address.

From ISP - select the DNS server that another interface received from its DHCP

server.

ZyWALL/USG - the DHCP clients use the IP address of this interface and the ZyWALL/

USG works as a DNS relay.

First WINS

Server, Second

WINS Server

Type the IP address of the WINS (Windows Internet Naming Service) server that you

want to send to the DHCP clients. The WINS server keeps a mapping table of the

computer names on your network and the IP addresses that they are currently using.

Default Router If you set this interface to DHCP Server, you can select to use either the interface’s IP

address or another IP address as the default router. This default router will become the

DHCP clients’ default gateway.

To use another IP address as the default router, select Custom Defined and enter the

IP address.

Lease time Specify how long each computer can use the information (especially the IP address)

before it has to request the information again. Choices are:

infinite - select this if IP addresses never expire.

days, hours, and minutes - select this to enter how long IP addresses are valid.

Ta ble 87 Configuration > Network > Interface > Ethernet > Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

199

Extended

Options This table is available if you selected DHCP server.

Configure this table if you want to send more information to DHCP clients through

DHCP packets.

Add Click this to create an entry in this table. See Section 9.3.4 on page 202.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

Name This is the name of the DHCP option.

Code This is the code number of the DHCP option.

Type This is the type of the set value for the DHCP option.

Value This is the value set for the DHCP option.

Enable IP/MAC

Binding Select this option to have this interface enforce links between specific IP addresses and

specific MAC addresses. This stops anyone else from manually using a bound IP

address on another device connected to this interface. Use this to make use only the

intended users get to use specific IP addresses.

Enable Logs for

IP/MAC Binding

Violation

Select this option to have the ZyWALL/USG generate a log if a device connected to this

interface attempts to use an IP address that is bound to another device’s MAC address.

Static DHCP

Table Configure a list of static IP addresses the ZyWALL/USG assigns to computers

connected to the interface. Otherwise, the ZyWALL/USG assigns an IP address

dynamically using the interface’s IP Pool Start Address and Pool Si ze.

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

# This field is a sequential value, and it is not associated with a specific entry.

IP Address Enter the IP address to assign to a device with this entry’s MAC address.

MAC Enter the MAC address to which to assign this entry’s IP address.

Description Enter a description to help identify this static DHCP entry. You can use alphanumeric

and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

RIP Setting See Section 10.6 on page 275 for more information about RIP.

Enable RIP Select this to enable RIP in this interface.

Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down

list box.

BiDir - This interface sends and receives routing information.

In-Only - This interface receives routing information.

Out-Only - This interface sends routing information.

Send Version This field is effective when RIP is enabled. Select the RIP version(s) used for sending

RIP packets. Choices are 1, 2, and 1 and 2.

Receive Version This field is effective when RIP is enabled. Select the RIP version(s) used for receiving

RIP packets. Choices are 1, 2, and 1 and 2.

V2-Broadcast This field is effective when RIP is enabled. Select this to send RIP-2 packets using

subnet broadcasting; otherwise, the ZyWALL/USG uses multicasting.

OSPF Setting See Section 10.7 on page 277 for more information about OSPF.

Area Select the area in which this interface belongs. Select None to disable OSPF in this

interface.

Ta ble 87 Configuration > Network > Interface > Ethernet > Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

200

Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a

Designated Router (DR) or Backup Designated Router (BDR). The highest-priority

interface identifies the DR, and the second-highest-priority interface identifies the

BDR. Set the priority to zero if the interface can not be the DR or BDR.

Link Cost Enter the cost (between 1 and 65,535) to route packets through this interface.

Passive

Interface Select this to stop forwarding OSPF routing information from the selected interface. As

a result, this interface only receives routing information.

Authentication Select an authentication method, or disable authentication. To exchange OSPF routing

information with peer border routers, you must use the same authentication method

that they use. Choices are:

Same-as-Area - use the default authentication method in the area

None - disable authentication

Text - authenticate OSPF routing information using a plain-text password

MD5 - authenticate OSPF routing information using MD5 encryption

Text

Authentication

Key

This field is available if the Authentication is Text. Type the password for text

authentication. The key can consist of alphanumeric characters and the underscore,

and it can be up to 16 characters long.

MD5

Authentication

This field is available if the Authentication is MD5. Type the ID for MD5

authentication. The ID can be between 1 and 255.

MD5

Authentication

Key

This field is available if the Authentication is MD5. Type the password for MD5

authentication. The password can consist of alphanumeric characters and the

underscore, and it can be up to 16 characters long.

MAC Address

Setting

This section appears when Interface Properties is External or General. Have the

interface use either the factory assigned default MAC address, a manually specified

MAC address, or clone the MAC address of another device or computer.

Use Default MAC

Address Select this option to have the interface use the factory assigned default MAC address.

By default, the ZyWALL/USG uses the factory assigned MAC address to identify itself.

Overwrite

Default MAC

Address

Select this option to have the interface use a different MAC address. Either enter the

MAC address in the fields or click Clone by host and enter the IP address of the device

or computer whose MAC you are cloning. Once it is successfully configured, the

address will be copied to the configuration file. It will not change unless you change the

setting or upload a different configuration file.

Related Setting

Configure

PPPoE/PPTP Click PPPoE/PPTP if this interface’s Internet connection uses PPPoE or PPTP.

Configure VLAN Click VLAN if you want to configure a VLAN interface for this Ethernet interface.

Configure WAN

TRUNK Click WAN TRUNK to go to a screen where you can set this interface to be part of a

WAN trunk for load balancing.

Configure Policy

Route Click Policy Rou te to go to the policy route summary screen where you can manually

associate traffic with this interface.

You must manually configure a policy route to add routing and SNAT settings for an

interface with the Interface Type set to general. You can also configure a policy

route to override the default routing and SNAT behavior for an interface with an

Interface Type of internal or external.

OK Click OK to save your changes back to the ZyWALL/USG.

Cancel Click Cancel to exit this screen without saving.

Ta ble 87 Configuration > Network > Interface > Ethernet > Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

201

9.3.2 Object References

When a configuration screen includes an Object Reference icon, select a configuration object and

click Object Reference to open the Object References screen. This screen displays which

configuration settings reference the selected object. The fields shown vary with the type of object.

Figure 152 Object References

The following table describes labels that can appear in this screen.

9.3.3 Add/Edit DHCPv6 Request/Release Options

When you configure an interface as a DHCPv6 server or client, you can additionally add DHCPv6

request or lease options which have the ZyWALL/USG to add more information in the DHCPv6

packets. To open the screen, click Configuration > Network > Interface > Ethernet > Edit,

select DHCPv6 Server or DHCPv6 Client in the DHCPv6 Setting section, and then click Add in

the DHCPv6 Request Options or DHCPv6 Lease Options table.

Ta ble 88 Object References

LABEL DESCRIPTION

Object Name This identifies the object for which the configuration settings that use it are displayed.

Click the object’s name to display the object’s configuration screen in the main window.

# This field is a sequential value, and it is not associated with any entry.

Service This is the type of setting that references the selected object. Click a service’s name to

display the service’s configuration screen in the main window.

Priority If it is applicable, this field lists the referencing configuration item’s position in its list,

otherwise N/A displays.

Name This field identifies the configuration item that references the object.

Description If the referencing configuration item has a description configured, it displays here.

Refresh Click this to update the information in this screen.

Cancel Click Cancel to close the screen.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

202

Figure 153 Configuration > Network > Interface > Ethernet > Edit > Add DHCPv6 Request/Lease

Options

Select a DHCPv6 request or lease object in the Select one object field and click OK to save it.

Click Cancel to exit without saving the setting.

9.3.4 Add/Edit DHCP Extended Options

When you configure an interface as a DHCPv4 server, you can additionally add DHCP extended

options which have the ZyWALL/USG to add more information in the DHCP packets. The available

fields vary depending on the DHCP option you select in this screen. To open the screen, click

Configuration > Network > Interface > Ethernet > Edit, select DHCP Server in the DHCP

Setting section, and then click Add or Edit in the Extended Options table.

Figure 154 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options

The following table describes labels that can appear in this screen.

Ta ble 89 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options

LABEL DESCRIPTION

Option Select which DHCP option that you want to add in the DHCP packets sent through the

interface. See the next table for more information.

Name This field displays the name of the selected DHCP option. If you selected User Def ined in

the Option field, enter a descriptive name to identify the DHCP option. You can enter up

to 16 characters (“a-z”, “A-Z, “0-9”, “-”, and “_”) with no spaces allowed. The first

character must be alphabetical (a-z, A-Z).

Code This field displays the code number of the selected DHCP option. If you selected User

Defined in the Option field, enter a number for the option. This field is mandatory.

Type This is the type of the selected DHCP option. If you selected User Defined in the Option

field, select an appropriate type for the value that you will enter in the next field. Only

advanced users should configure User Defined. Misconfiguration could result in interface

lockout.

Value Enter the value for the selected DHCP option. For example, if you selected TFTP Server

Name (66) and the type is TEXT, enter the DNS domain name of a TFTP server here. This

field is mandatory.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

203

The following table lists the available DHCP extended options (defined in RFCs) on the ZyWALL/

USG. See RFCs for more information.

First IP Address,

Second IP

Address, Third IP

Address

If you selected Time Server (4), NTP Server (41), SIP Server (120), CAPWAP AC

(138), or TFTP Server (150), you have to enter at least one IP address of the

corresponding servers in these fields. The servers should be listed in order of your

preference.

First Enterprise

ID, Second

Enterprise ID

If you selected VIVC (124) or VIVS (125), you have to enter at least one vendor’s 32-

bit enterprise number in these fields. An enterprise number is a unique number that

identifies a company.

First Class,

Second Class

If you selected VIVC (124), enter the details of the hardware configuration of the host on

which the client is running, or of industry consortium compliance.

First

Information,

Second

Information

If you selected VIV S (125), enter additional information for the corresponding enterprise

number in these fields.

OK Click this to close this screen and update the settings to the previous Edit screen.

Cancel Click Cancel to close the screen.

Ta ble 90 DHCP Extended Options

OPTION NAME CODE DESCRIPTION

Time Offset 2 This option specifies the offset of the client's subnet in seconds from

Coordinated Universal Time (UTC).

Time Server 4 This option specifies a list of Time servers available to the client.

NTP Server 42 This option specifies a list of the NTP servers available to the client by IP

address.

TFTP Server Name 66 This option is used to identify a TFTP server when the “sname” field in the

DHCP header has been used for DHCP options. The minimum length of the

value is 1.

Bootfile 67 This option is used to identify a bootfile when the “file” field in the DHCP

header has been used for DHCP options. The minimum length of the value is

SIP Server 120 This option carries either an IPv4 address or a DNS domain name to be used

by the SIP client to locate a SIP server.

VIVC 124 Vendor-Identifying Vendor Class option

A DHCP client may use this option to unambiguously identify the vendor that

manufactured the hardware on which the client is running, the software in

use, or an industry consortium to which the vendor belongs.

VIVS 125 Vendor-Identifying Vendor-Specific option

DHCP clients and servers may use this option to exchange vendor-specific

information.

CAPWAP AC 138 CAPWAP Access Controller addresses option

The Control And Provisioning of Wireless Access Points Protocol allows a

Wireless Termination Point (WTP) to use DHCP to discover the Access

Controllers to which it is to connect. This option carries a list of IPv4

addresses indicating one or more CAPWAP ACs available to the WTP.

TFTP Server 150 The option contains one or more IPv4 addresses that the client may use. The

current use of this option is for downloading configuration from a VoIP server

via TFTP; however, the option may be used for purposes other than

contacting a VoIP configuration server.

Ta ble 89 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

204

9.4 PPP Interfaces

Use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage

PPPoE/PPTP software on each computer in the network.

Figure 155 Example: PPPoE/PPTP Interfaces

PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address,

subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet

size; and they can verify the gateway is available. There are two main differences between PPPoE/

PPTP interfaces and other interfaces.

• You must also configure an ISP account object for the PPPoE/PPTP interface to use.

Each ISP account specifies the protocol (PPPoE or PPTP), as well as your ISP account information.

If you change ISPs later, you only have to create a new ISP account, not a new PPPoE/PPTP

interface. You should not have to change any network policies.

• You do not set up the subnet mask or gateway.

PPPoE/PPTP interfaces are interfaces between the ZyWALL/USG and only one computer.

Therefore, the subnet mask is always 255.255.255.255. In addition, the ZyWALL/USG always

treats the ISP as a gateway.

9.4.1 PPP Interface Summary

This screen lists every PPPoE/PPTP interface. To access this screen, click Configuration >

Network > Interface > PPP.

Figure 156 Configuration > Network > Interface > PPP

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

205

Each field is described in the table below.

9.4.2 PPP Interface Add or Edit

Note: You have to set up an ISP account before you create a PPPoE/PPTP interface.

This screen lets you configure a PPPoE or PPTP interface. If you enabled IPv6 in the Configuration

> System > IPv6 screen, you can also configure PPP interfaces used for your IPv6 networks on

this screen. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen.

Ta ble 91 Configuration > Network > Interface > PPP

LABEL DESCRIPTION

User Configuration /

System Default

The ZyWALL/USG comes with the (non-removable) System Default PPP interfaces

pre-configured. You can create (and delete) User Configuration PPP interfaces.

System Default PPP interfaces vary by model.

Add Click this to create a new user-configured PPP interface.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify

the entry’s settings.

Remove To remove a user-configured PPP interface, select it and click Remove. The ZyWALL/

USG confirms you want to remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Connect To connect an interface, select it and click Connect. You might use this in testing the

interface or to manually establish the connection for a Dial-on-Demand PPPoE/PPTP

interface.

Disconnect To disconnect an interface, select it and click Disconnect. You might use this in testing

the interface.

Object References Select an entry and click Object Reference to open a screen that shows which

settings use the entry. See Section 9.3.2 on page 201 for an example.

# This field is a sequential value, and it is not associated with any interface.

Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry

is inactive.

The connect icon is lit when the interface is connected and dimmed when it is

disconnected.

Name This field displays the name of the interface.

Base Interface This field displays the interface on the top of which the PPPoE/PPTP interface is.

Account Profile This field displays the ISP account used by this PPPoE/PPTP interface.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

206

Figure 157 Configuration > Network > Interface > PPP > Add

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

207

Each field is explained in the following table.

Ta ble 92 Configuration > Network > Interface > PPP > Add

LABEL DESCRIPTION

IPv4/IPv6 View /

IPv4 View / IPv6

View

Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration

fields.

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

Create New Object Click this button to create an ISP Account or a DHCPv6 request object that you may

use for the ISP or DHCPv6 settings in this screen.

General Settings

Enable Interface Select this to enable this interface. Clear this to disable this interface.

General IPv6

Setting

Enable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.

Interface Properties

Interface Name Specify a name for the interface. It can use alphanumeric characters, hyphens, and

underscores, and it can be up to 11 characters long.

Base Interface Select the interface upon which this PPP interface is built.

Note: Multiple PPP interfaces can use the same base interface.

Zone Select the zone to which this PPP interface belongs. The zone determines the security

settings the ZyWALL/USG uses for the interface.

Description Enter a description of this interface. It is not used elsewhere. You can use alphanumeric

and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

Connectivity

Nailed-Up Select this if the PPPoE/PPTP connection should always be up. Clear this to have the

ZyWALL/USG establish the PPPoE/PPTP connection only when there is traffic. You might

use this option if a lot of traffic needs to go through the interface or it does not cost

extra to keep the connection up all the time.

Dial-on-Demand Select this to have the ZyWALL/USG establish the PPPoE/PPTP connection only when

there is traffic. You might use this option if there is little traffic through the interface or

if it costs money to keep the connection available.

ISP Setting

Account Profile Select the ISP account that this PPPoE/PPTP interface uses. The drop-down box lists

ISP accounts by name. Use Create new Object if you need to configure a new ISP

account (see Chapter 35 on page 645 for details).

Protocol This field is read-only. It displays the protocol specified in the ISP account.

User Name This field is read-only. It displays the user name for the ISP account.

Service Name This field is read-only. It displays the PPPoE service name specified in the ISP account.

This field is blank if the ISP account uses PPTP.

IP Address

Assignment

Click Show Advance d Settings to display more settings. Click Hide Advanced

Settings to display fewer settings.

Get

Automatically Select this if this interface is a DHCP client. In this case, the DHCP server configures

the IP address automatically. The subnet mask and gateway are always defined

automatically in PPPoE/PPTP interfaces.

Use Fixed IP

Address Select this if you want to specify the IP address manually.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

208

IP Address This field is enabled if you select Use Fixed IP Address.

Enter the IP address for this interface.

Metric Enter the priority of the gateway (the ISP) on this interface. The ZyWALL/USG decides

which gateway to use based on this priority. The lower the number, the higher the

priority. If two or more gateways have the same priority, the ZyWALL/USG uses the one

that was configured first.

IPv6 Address

Assignment

These IP address fields configure an IPv6 IP address on the interface itself.

Enable Stateless

Address Auto-

configuration

(SLAAC)

Select this to enable IPv6 stateless auto-configuration on this interface. The interface

will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the

network.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL/USG decides

which gateway to use based on this priority. The lower the number, the higher the

priority. If two or more gateways have the same priority, the ZyWALL/USG uses the one

that was configured first.

Address from

DHCPv6 Prefix

Delegation

Use this table to have the ZyWALL/USG obtain an IPv6 prefix from the ISP or a

connected uplink router for an internal network, such as the LAN or DMZ. You have to

also enter a suffix address which is appended to the delegated prefix to form an

address for this interface. See Prefix Delegation on page 181 for more information.

To use prefix delegation, you must:

• Create at least one DHCPv6 request object before configuring this table.

• The external interface must be a DHCPv6 client. You must configure the DHCPv6

request options using a DHCPv6 request object with the type of prefix-delegation.

• Assign the prefix delegation to an internal interface and enable router

advertisement on that interface.

Add Click this to create an entry.

Edit Select an entry and click this to change the settings.

Remove Select an entry and click this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use from the drop-down list.

Suffix

Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The

ZyWALL/USG will append it to the delegated prefix.

For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure

an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter

::1111:0:0:0:1/128 in this field.

Address This field displays the combined IPv6 IP address for this interface.

Note: This field displays the combined address after you click OK and reopen this

screen.

DHCPv6 Setting

DHCPv6 Select Client to obtain an IP address and DNS information from the service provider

for the interface. Otherwise, select N/A to diable the function.

DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique

and used for identification purposes when the interface is exchanging DHCPv6

messages with others. See DHCPv6 on page 182 for more information.

DUID as MAC Select this if you want the DUID is generated from the interface’s default MAC address.

Customized

DUID If you want to use a customized DUID, enter it here for the interface.

Ta ble 92 Configuration > Network > Interface > PPP > Add (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

209

Enable Rapid

Commit Select this to shorten the DHCPv6 message exchange process from four to two steps.

This function helps reduce heavy network traffic load.

Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit

work.

Request Address Select this to get an IPv6 IP address for this interface from the DHCP server. Clear this

to not get any IP address information through DHCPv6.

DHCPv6 Request

Options Use this section to configure DHCPv6 request settings that determine what additional

information to get from the DHCPv6 server.

Add Click this to create an entry in this table. See Section 9.3.4 on page 202 for more

information.

Remove Select an entry and click this to delete it from this table.

Object

Reference Select an entry and click Object Reference to open a screen that shows which

settings use the entry. See Section 9.3.2 on page 201 for an example.

# This field is a sequential value, and it is not associated with any entry.

Name This field displays the name of the DHCPv6 request object.

Type This field displays the type of the object.

Value This field displays the IPv6 prefix that the ZyWALL/USG will advertise to its clients.

Interface

Parameters

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can send

through the interface to the network. Allowed values are 0 - 1048576.

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can

receive from the network through the interface. Allowed values are 0 - 1048576.

MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL/USG

divides it into smaller fragments. Allowed values are 576 - 1492. Usually, this value is

1492.

Connectivity Check The interface can regularly check the connection to the gateway you specified to make

sure it is still available. You specify how often the interface checks the connection, how

long to wait for a response before the attempt is a failure, and how many consecutive

failures are required before the ZyWALL/USG stops routing to the gateway. The

ZyWALL/USG resumes routing to the gateway the first time the gateway passes the

connectivity check.

Enable

Connectivity

Check

Select this to turn on the connection check.

Check Method Select the method that the gateway allows.

Select icmp to have the ZyWALL/USG regularly ping the gateway you specify to make

sure it is still available.

Select tcp to have the ZyWALL/USG regularly perform a TCP handshake with the

gateway you specify to make sure it is still available.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail

Tolerance Enter the number of consecutive failures before the ZyWALL/USG stops routing through

the gateway.

Check Default

Gateway Select this to use the default gateway for the connectivity check.

Ta ble 92 Configuration > Network > Interface > PPP > Add (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

210

9.5 Cellular Configuration Screen

Mobile broadband is a digital, packet-switched wireless technology. Bandwidth usage is optimized

as multiple users share the same channel and bandwidth is only allocated to users when they send

data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to

mobile devices.

Note: The actual data rate you obtain varies depending on the mobile broadband device

you use, the signal strength to the service provider’s base station, and so on.

You can configure how the ZyWALL/USG’s mobile broadband device connects to a network (refer to

Section 9.5.1 on page 213):

• You can set the mobile broadband device to connect only to the home network, which is the

network to which you are originally subscribed.

• You can set the mobile broadband device to connect to other networks if the signal strength of

the home network is too low or it is unavailable.

3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is

optimized as multiple users share the same channel and bandwidth is only allocated to users when

they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet

access to mobile devices.

4G is the fourth generation of the mobile telecommunications technology and a successor of 3G.

Both the WiMAX and Long Term Evolution (LTE) standards are the 4G candidate systems. 4G only

supports all-IP-based packet-switched telephony services and is required to offer gigabit speed

access.

Check this

address Select this to specify a domain name or IP address for the connectivity check. Enter

that domain name or IP address in the field next to it.

Check Port This field only displays when you set the Check Method to tcp. Specify the port

number to use for a TCP connectivity check.

Related Setting

Configure WAN

TRUNK Click WAN TRUNK to go to a screen where you can configure the interface as part of a

WAN trunk for load balancing.

Policy Route Click Policy Route to go to the screen where you can manually configure a policy

route to associate traffic with this interface.

OK Click OK to save your changes back to the ZyWALL/USG.

Cancel Click Cancel to exit this screen without saving.

Ta ble 92 Configuration > Network > Interface > PPP > Add (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

211

Note: Note: The actual data rate you obtain varies depending on your mobile

environment. The environmental factors may include the number of mobile devices

which are currently connected to the mobile network, the signal strength to the

mobile network, and so on.

See the following table for a comparison between 2G, 2.5G, 2.75G, 3G and 4G wireless

technologies.

To change your mobile broadband WAN settings, click Configuration > Network > Interface >

Cellular.

Note: Install (or connect) a compatible mobile broadband USB device to use a cellular

connection.

Note: The WAN IP addresses of a ZyWALL/USG with multiple WAN interfaces must be on

different subnets.

Table 93 2G, 2.5G, 2.75G, 3G, 3.5G and 4G Wireless Technologies

NAME TYPE MOBILE PHONE AND DATA STANDARDS DAT A

SPEED

GSM-BASED CDMA-BASED

2G Circuit-

switched

GSM (Global System for Mobile

Communications), Personal Handy-

phone System (PHS), etc.

Interim Standard 95 (IS-95), the first CDMA-

based digital cellular standard pioneered by

Qualcomm. The brand name for IS-95 is

cdmaOne. IS-95 is also known as TIA-EIA-95.

Slow

2.5G Packet-

switched

GPRS (General Packet Radio Services),

High-Speed Circuit-Switched Data

(HSCSD), etc.

CDMA2000 is a hybrid 2.5G / 3G protocol of

mobile telecommunications standards that use

CDMA, a multiple access scheme for digital radio.

CDMA2000 1xRTT (1 times Radio Transmission

Technology) is the core CDMA2000 wireless air

interface standard. It is also known as 1x, 1xRTT,

or IS-2000 and considered to be a 2.5G or 2.75G

technology.

2.75G Packet-

switched

Enhanced Data rates for GSM Evolution

(EDGE), Enhanced GPRS (EGPRS), etc.

3G Packet-

switched

UMTS (Universal Mobile

Telecommunications System), a third-

generation (3G) wireless standard

defined in ITU specification, is

sometimes marketed as 3GSM. The

UMTS uses GSM infrastructures and W-

CDMA (Wideband Code Division

Multiple Access) as the air interface.

The International Telecommunication

Union (ITU) is an international

organization within which governments

and the private sector coordinate

global telecom networks and services.

CDMA2000 EV-DO (Evolution-Data Optimized,

originally 1x Evolution-Data Only), also referred

to as EV-DO, EVDO, or just EV, is an evolution of

CDMA2000 1xRTT and enables high-speed

wireless connectivity. It is also denoted as IS-856

or High Data Rate (HDR).

3.5G Packet-

switched

HSDPA (High-Speed Downlink Packet

Access) is a mobile telephony protocol,

used for UMTS-based 3G networks and

allows for higher data transfer speeds.

4G/LTE Packet-

switched

The LTE (Long Term Evolution)

standard is based on the GSM and

UMTS network technologies. Fast

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

212

Figure 158 Configuration > Network > Interface > Cellular

The following table describes the labels in this screen.

Ta ble 94 Configuration > Network > Interface > Cellular

LABEL DESCRIPTION

Add Click this to create a new cellular interface.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify

the entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to

remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Connect To connect an interface, select it and click Connect. You might use this in testing the

interface or to manually establish the connection.

Disconnect To disconnect an interface, select it and click Disconnect. You might use this in testing

the interface.

Object

References

Select an entry and click Object Reference to open a screen that shows which settings

use the entry. See Section 9.3.2 on page 201 for an example.

# This field is a sequential value, and it is not associated with any interface.

Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is

inactive.

The connect icon is lit when the interface is connected and dimmed when it is

disconnected.

Name This field displays the name of the interface.

Extension Slot This field displays where the entry’s cellular card is located.

Connected

Device

This field displays the name of the cellular card.

ISP Settings This field displays the profile of ISP settings that this cellular interface is set to use.

Mobile

Broadband

Dongle Support

You should have registered your ZyWALL/USG at myzyxel.com. Myzyxel.com hosts a list

of supported mobile broadband dongle devices. You should have an Internet connection to

access this website.

Latest

Version This displays the latest supported mobile broadband dongle list version number.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

213

9.5.1 Cellular Choose Slot

To change your mobile broadband settings, click Configuration > Network > Interface >

Cellular > Add (or Edit). In the pop-up window that displays, select the slot that contains the

mobile broadband device, then the Add Cellular configuration screen displays.

9.5.2 Add / Edit Cellular Configuration

This screen displays after you select the slot that contains the mobile broadband device in the

previous pop-up window.

Current

Version This displays the currently supported (by the ZyWALL/USG) mobile broadband dongle list

version number.

Update Now If the latest version number is greater than the current version number, then click this

button to download the latest list of supported mobile broadband dongle devices to the

ZyWALL/USG.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Ta ble 94 Configuration > Network > Interface > Cellular (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

214

Figure 159 Configuration > Network > Interface > Cellular > Add / Edit

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

215

The following table describes the labels in this screen.

Ta ble 95 Configuration > Network > Interface > Cellular > Add / Edit

LABEL DESCRIPTION

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

General Settings

Enable Interface Select this option to turn on this interface.

Interface Properties

Interface Name Select a name for the interface.

Zone Select the zone to which you want the cellular interface to belong. The zone

determines the security settings the ZyWALL/USG uses for the interface.

Extension Slot This is the USB slot that you are configuring for use with a mobile broadband card.

Connected

Device This displays the manufacturer and model name of your mobile broadband card if you

inserted one in the ZyWALL/USG. Otherwise, it displays none.

Description Enter a description of this interface. It is not used elsewhere. You can use

alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters

long.

Connectivity

Nailed-Up Select this if the connection should always be up. Clear this to have the ZyWALL/USG

to establish the connection only when there is traffic. You might not nail up the

connection if there is little traffic through the interface or if it costs money to keep the

connection available.

Idle timeout This value specifies the time in seconds (0~360) that elapses before the ZyWALL/USG

automatically disconnects from the ISP’s server. Zero disables the idle timeout.

ISP Settings

Profile Selection Select Device to use one of the mobile broadband device’s profiles of device settings.

Then select the profile (use Profile 1 unless your ISP instructed you to do otherwise).

Select Custom to configure your device settings yourself.

APN This field is read-only if you selected Device in the profile selection. Select Custom in

the profile selection to be able to manually input the APN (Access Point Name)

provided by your service provider. This field applies with a GSM or HSDPA mobile

broadband card. Enter the APN from your service provider. Connections with different

APNs may provide different services (such as Internet access or MMS (Multi-Media

Messaging Service)) and charge method.

You can enter up to 63 ASCII printable characters. Spaces are allowed.

Dial String Enter the dial string if your ISP provides a string, which would include the APN, to

initialize the mobile broadband card.

You can enter up to 63 ASCII printable characters. Spaces are allowed.

This field is available only when you insert a GSM mobile broadband card.

Authentication

Type The ZyWALL/USG supports PAP (Password Authentication Protocol) and CHAP

(Challenge Handshake Authentication Protocol). CHAP is more secure than PAP;

however, PAP is readily available on more platforms.

Use the drop-down list box to select an authentication protocol for outgoing calls.

Options are:

None: No authentication for outgoing calls.

CHAP - Your ZyWALL/USG accepts CHAP requests only.

PAP - Your ZyWALL/USG accepts PAP requests only.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

216

User Name This field displays when you select an authentication type other than None. This field

is read-only if you selected Device in the profile selection. If this field is configurable,

enter the user name for this mobile broadband card exactly as the service provider

gave it to you.

You can use 1 ~ 64 alphanumeric and #:%-_@$./ characters. The first character must

be alphanumeric or -_@$./. Spaces are not allowed.

Password This field displays when you select an authentication type other than None. This field

is read-only if you selected Device in the profile selection and the password is included

in the mobile broadband card’s profile. If this field is configurable, enter the password

for this SIM card exactly as the service provider gave it to you.

You can use 0 ~ 63 alphanumeric and `~!@#$%^&*()_-+={}|;:'<,>./ characters.

Spaces are not allowed.

Retype to

Confirm This field displays when you select an authentication type other than None. This field

is read-only if you selected Device in the profile selection and the password is included

in the mobile broadband card’s profile. If this field is configurable, re-enter the

password for this SIM card exactly as the service provider gave it to you.

SIM Card Setting

PIN Code This field displays with a GSM or HSDPA mobile broadband card. A PIN (Personal

Identification Number) code is a key to a mobile broadband card. Without the PIN

code, you cannot use the mobile broadband card.

Enter the 4-digit PIN code (0000 for example) provided by your ISP. If you enter the

PIN code incorrectly, the mobile broadband card may be blocked by your ISP and you

cannot use the account to access the Internet.

If your ISP disabled PIN code authentication, enter an arbitrary number.

Retype to

Confirm Type the PIN code again to confirm it.

Interface

Parameters

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can

send through the interface to the network. Allowed values are 0 - 1048576. This

setting is used in WAN load balancing and bandwidth management.

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can

receive from the network through the interface. Allowed values are 0 - 1048576.

MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL/USG

divides it into smaller fragments. Allowed values are 576 - 1492. Usually, this value is

1492.

Connectivity Check The interface can regularly check the connection to the gateway you specified to make

sure it is still available. You specify how often the interface checks the connection, how

long to wait for a response before the attempt is a failure, and how many consecutive

failures are required before the ZyWALL/USG stops routing to the gateway. The

ZyWALL/USG resumes routing to the gateway the first time the gateway passes the

connectivity check.

Enable

Connectivity

Check

Select this to turn on the connection check.

Ta ble 95 Configuration > Network > Interface > Cellular > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

217

Check Method Select the method that the gateway allows.

Select icmp to have the ZyWALL/USG regularly ping the gateway you specify to make

sure it is still available.

Select tcp to have the ZyWALL/USG regularly perform a TCP handshake with the

gateway you specify to make sure it is still available.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail

Tolerance Enter the number of consecutive failures before the ZyWALL/USG stops routing

through the gateway.

Check Default

Gateway Select this to use the default gateway for the connectivity check.

Check this

address Select this to specify a domain name or IP address for the connectivity check. Enter

that domain name or IP address in the field next to it.

Check Port This field only displays when you set the Check Method to tcp. Specify the port

number to use for a TCP connectivity check.

Related Setting

Configure WAN

TRUNK Click WAN TRUNK to go to a screen where you can configure the interface as part of

a WAN trunk for load balancing.

Configure Policy

Route Click Policy Route to go to the policy route summary screen where you can configure

a policy route to override the default routing and SNAT behavior for the interface.

IP Address

Assignment

Get

Automatically Select this option If your ISP did not assign you a fixed IP address. This is the default

selection.

Use Fixed IP

Address Select this option If the ISP assigned a fixed IP address.

IP Address

Assignment Enter the cellular interface’s WAN IP address in this field if you selected Use Fixed IP

Address.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL/USG decides

which gateway to use based on this priority. The lower the number, the higher the

priority. If two or more gateways have the same priority, the ZyWALL/USG uses the

one that was configured first.

Device Settings

Ta ble 95 Configuration > Network > Interface > Cellular > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

218

Band Selection This field appears if you selected a mobile broadband device that allows you to select

the type of network to use. Select the type of mobile broadband service for your

mobile broadband connection. If you are unsure what to select, check with your mobile

broadband service provider to find the mobile broadband service available to you in

your region.

Select auto to have the card connect to an available network. Choose this option if you

do not know what networks are available.

You may want to manually specify the type of network to use if you are charged

differently for different types of network or you only have one type of network

available to you.

Select GPRS / EDGE (GSM) only to have this interface only use a 2.5G or 2.75G

network (respectively). If you only have a GSM network available to you, you may

want to select this so the ZyWALL/USG does not spend time looking for a WCDMA

network.

Select UMTS / HSDPA (WCDMA) only to have this interface only use a 3G or 3.5G

network (respectively). You may want to do this if you want to make sure the interface

does not use the GSM network.

Select LTE only to have this interface only use a 4G LTE network. This option only

appears when a USG dongle for 4G technology is inserted.

Network

Selection Home network is the network to which you are originally subscribed.

Select Home to have the mobile broadband device connect only to the home network.

If the home network is down, the ZyWALL/USG’s mobile broadband Internet

connection is also unavailable.

Select Auto (Default) to allow the mobile broadband device to connect to a network to

which you are not subscribed when necessary, for example when the home network is

down or another mobile broadband base station's signal is stronger. This is

recommended if you need continuous Internet connectivity. If you select this, you may

be charged using the rate of a different network.

Budget Setup

Enable Budget

Control Select this to set a monthly limit for the user account of the installed mobile broadband

card. You can set a limit on the total traffic and/or call time. The ZyWALL/USG takes

the actions you specified when a limit is exceeded during the month.

Time Budget Select this and specify the amount of time (in hours) that the mobile broadband

connection can be used within one month. If you change the value after you configure

and enable budget control, the ZyWALL/USG resets the statistics.

Data Budget Select this and specify how much downstream and/or upstream data (in Mega bytes)

can be transmitted via the mobile broadband connection within one month.

Select Download to set a limit on the downstream traffic (from the ISP to the

ZyWALL/USG).

Select Upload to set a limit on the upstream traffic (from the ZyWALL/USG to the

ISP).

Select Download/Upload to set a limit on the total traffic in both directions.

If you change the value after you configure and enable budget control, the ZyWALL/

USG resets the statistics.

Reset time and

data budget

counters on

Select the date on which the ZyWALL/USG resets the budget every month. If the date

you selected is not available in a month, such as 30th or 31st, the ZyWALL/USG resets

the budget on the last day of the month.

Ta ble 95 Configuration > Network > Interface > Cellular > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

219

9.6 Tunnel Interfaces

The ZyWALL/USG uses tunnel interfaces in Generic Routing Encapsulation (GRE), IPv6 in IPv4, and

6to4 tunnels.

GRE Tunneling

GRE tunnels encapsulate a wide variety of network layer protocol packet types inside IP tunnels. A

GRE tunnel serves as a virtual point-to-point link between the ZyWALL/USG and another router

over an IPv4 network. At the time of writing, the ZyWALL/USG only supports GRE tunneling in IPv4

networks.

Reset time and

data budget

counters

This button is available only when you enable budget control in this screen.

Click this button to reset the time and data budgets immediately. The count starts over

with the mobile broadband connection’s full configured monthly time and data

budgets. This does not affect the normal monthly budget restart; so if you configured

the time and data budget counters to reset on the second day of the month and you

use this button on the first, the time and data budget counters will still reset on the

second.

Actions when

over budget Specify the actions the ZyWALL/USG takes when the time or data limit is exceeded.

Log Select None to not create a log, Log to create a log, or Log-alert to create an alert

log. If you select Log or Log-alert you can also select recurr ing every to have the

ZyWALL/USG send a log or alert for this event periodically. Specify how often (from 1

to 65535 minutes) to send the log or alert.

New connection Select Allow to permit new mobile broadband connections or Disallow to drop/block

new mobile broadband connections.

Current

connection Select Keep to maintain an existing mobile broadband connection or Drop to

disconnect it. You cannot set New connection to Allow and Current connection to

Drop at the same time.

If you set New connection to Disallow and Cur re nt connection to Keep, the

ZyWALL/USG allows you to transmit data using the current connection, but you cannot

build a new connection if the existing connection is disconnected.

Actions when over

% of time budget or

% of data budget

Specify the actions the ZyWALL/USG takes when the specified percentage of time

budget or data limit is exceeded. Enter a number from 1 to 99 in the percentage fields.

If you change the value after you configure and enable budget control, the ZyWALL/

USG resets the statistics.

Log Select None to not create a log when the ZyWALL/USG takes this action, Log to create

a log, or Log-alert to create an alert log. If you select Log or Log-alert you can also

select recurring every to have the ZyWALL/USG send a log or alert for this event

periodically. Specify how often (from 1 to 65535 minutes) to send the log or alert.

OK Click OK to save your changes back to the ZyWALL/USG.

Cancel Click Cancel to exit this screen without saving.

Ta ble 95 Configuration > Network > Interface > Cellular > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

220

Figure 160 GRE Tunnel Example

IPv6 Over IPv4 Tunnels

To route traffic between two IPv6 networks over an IPv4 network, an IPv6 over IPv4 tunnel has to

be used.

Figure 161 IPv6 over IPv4 Network

On the ZyWALL/USG, you can either set up a manual IPv6-in-IPv4 tunnel or an automatic 6to4

tunnel. The following describes each method:

IPv6-in-IPv4 Tunneling

Use this mode on the WAN of the ZyWALL/USG if

• your ZyWALL/USG has a public IPv4 IP address given from your ISP,

and

• you want to transmit your IPv6 packets to one and only one remote site whose LAN network is

also an IPv6 network.

With this mode, the ZyWALL/USG encapsulates IPv6 packets within IPv4 packets across the

Internet. You must know the WAN IP address of the remote gateway device. This mode is normally

used for a site-to-site application such as two branch offices.

Figure 162 IPv6-in-IPv4 Tunnel

Internet

IPv4

IPv6 IPv6

IPv6

IPv4

IPv6

Internet

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

221

In the ZyWALL/USG, you must also manually configure a policy route for an IPv6-in-IPv4 tunnel to

make the tunnel work.

6to4 Tunneling

This mode also enables IPv6 packets to cross IPv4 networks. Unlike IPv6-in-IPv4 tunneling, you do

not need to configure a policy route for a 6to4 tunnel. Through your properly pre-configuring the

destination router’s IP address in the IP address assignments to hosts, the ZyWALL/USG can

automatically forward 6to4 packets to the destination they want to go. A 6to4 relay router is

required to route 6to4 packets to a native IPv6 network if the packet’s destination do not match

your specified criteria.

In this mode, the ZyWALL/USG should get a public IPv4 address for the WAN. The ZyWALL/USG

adds an IPv4 IP header to an IPv6 packet when transmitting the packet to the Internet. In reverse,

the ZyWALL/USG removes the IPv4 header from an IPv6 packet when receiving it from the

Internet.

An IPv6 address using the 6to4 mode consists of an IPv4 address, the format is as the following:

2002:[a public IPv4 address in hexadecimal]::/48

For example, a public IPv4 address is 202.156.30.41. The converted hexadecimal IP string is

ca.9c.1Ee.29. The IPv6 address prefix becomes 2002:ca9c:1e29::/48.

Figure 163 6to4 Tunnel

9.6.1 Configuring a Tunnel

This screen lists the ZyWALL/USG’s configured tunnel interfaces. To access this screen, click

Network > Interface > Tunnel.

Internet

IPv6

IPv4

IPv6

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

222

Figure 164 Network > Interface > Tunnel

Each field is explained in the following table.

9.6.2 Tunnel Add or Edit Screen

This screen lets you configure a tunnel interface. Click Configuration > Network > Interface >

Tunnel > Add (or Edit) to open the following screen.

Ta ble 96 Network > Interface > Tunnel

LABEL DESCRIPTION

Add Click this to create a new GRE tunnel interface.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify

the entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want

to remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Object References Select an entry and click Object Reference to open a screen that shows which

settings use the entry. See Section 9.3.2 on page 201 for an example.

# This field is a sequential value, and it is not associated with any interface.

Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry

is inactive.

Name This field displays the name of the interface.

IP Address This is the IP address of the interface. If the interface is active (and connected), the

ZyWALL/USG tunnels local traffic sent to this IP address to the Remote Gateway

Address.

Tunnel Mode This is the tunnel mode of the interface (GRE, IPv6-in-IPv4 or 6to4). This field also

displays the interface’s IPv4 IP address and subnet mask if it is a GRE tunnel.

Otherwise, it displays the interface’s IPv6 IP address and prefix length.

My Address This is the interface or IP address uses to identify itself to the remote gateway. The

ZyWALL/USG uses this as the source for the packets it tunnels to the remote gateway.

Remote Gateway

Address

This is the IP address or domain name of the remote gateway to which this interface

tunnels traffic.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to begin configuring this screen afresh.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

223

Figure 165 Network > Interface > Tunnel > Add/Edit

Each field is explained in the following table.

Ta ble 97 Network > Interface > Tunnel > Add/Edit

LABEL DESCRIPTION

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

General Settings

Enable Select this to enable this interface. Clear this to disable this interface.

Interface Properties

Interface Name This field is read-only if you are editing an existing tunnel interface. Enter the name of

the tunnel interface. The format is tunnelx, where x is 0 - 3. For example, tunnel0.

Zone Use this field to select the zone to which this interface belongs. This controls what

security settings the ZyWALL/USG applies to this interface.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

224

Tunnel Mode Select the tunneling protocol of the interface (GRE, IPv6-in-IPv4 or 6to4). See

Section 9.6 on page 219 for more information.

IP Address

Assignment

This section is available if you are configuring a GRE tunnel.

IP Address Enter the IP address for this interface.

Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask

indicates what part of the IP address is the same for all computers in the network.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL/USG decides

which gateway to use based on this priority. The lower the number, the higher the

priority. If two or more gateways have the same priority, the ZyWALL/USG uses the one

that was configured first.

IPv6 Address

Assignment

This section is available if you are configuring an IPv6-in-IPv4 or a 6to4 tunnel.

IPv6 Address/

Prefix Length Enter the IPv6 address and the prefix length for this interface if you want to use a static

IP address. This field is optional.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL/USG decides

which gateway to use based on this priority. The lower the number, the higher the

priority. If two or more gateways have the same priority, the ZyWALL/USG uses the one

that was configured first.

6to4 Tunnel

Parameter

This section is available if you are configuring a 6to4 tunnel which encapsulates IPv6 to

IPv4 packets.

6to4 Prefix Enter the IPv6 prefix of a destination network. The ZyWALL/USG forwards IPv6 packets

to the hosts in the matched network.

If you enter a prefix starting with 2002, the ZyWALL/USG will forward the matched

packets to the IPv4 IP address converted from the packets’ destination address. The

IPv4 IP address can be converted from the next 32 bits after the prefix you specified in

this field. See 6to4 Tunneling on page 221 for an example. The ZyWALL/USG forwards

the unmatched packets to the specified Relay Router.

Relay Router Enter the IPv4 address of a 6to4 relay router which helps forward packets between

6to4 networks and native IPv6 networks.

Remote

Gateway Prefix Enter the IPv4 network address and network bits of a remote 6to4 gateway, for

example, 14.15.0.0/16.

This field works if you enter a 6to4 Prefix not starting with 2002 (2003 for example).

The ZyWALL/USG forwards the matched packets to a remote gateway with the network

address you specify here, and the bits converted after the 6to4 Prefix in the packets.

For example, you configure the 6to4 prefix to 2003:A0B::/32 and the remote gateway

prefix to 14.15.0.0/16. If a packet’s destination is 2003:A0B:1011:5::8, the ZyWALL/

USG forwards the packet to 14.15.16.17, where the network address is 14.15.0.0 and

the host address is the remain bits converted from 1011 after the packet’s 6to4 prefix

(2003:A0B).

Gateway Settings

My Address Specify the interface or IP address to use as the source address for the packets this

interface tunnels to the remote gateway. The remote gateway sends traffic to this

interface or IP address.

Remote

Gateway

Address

Enter the IP address or domain name of the remote gateway to which this interface

tunnels traffic.

Automatic displays in this field if you are configuring a 6to4 tunnel. It means the 6to4

tunnel will help forward packets to the corresponding remote gateway automatically by

looking at the packet’s destination address.

Ta ble 97 Network > Interface > Tunnel > Add/Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

225

Interface

Parameters

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can send

through the interface to the network. Allowed values are 0 - 1048576. This setting is

used in WAN load balancing and bandwidth management.

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can

receive from the network through the interface. Allowed values are 0 - 1048576.

MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL/USG

divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is

1500.

Connectivity Check This section is available if you are configuring a GRE tunnel.

The interface can regularly check the connection to the gateway you specified to make

sure it is still available. You specify how often the interface checks the connection, how

long to wait for a response before the attempt is a failure, and how many consecutive

failures are required before the ZyWALL/USG stops routing to the gateway. The

ZyWALL/USG resumes routing to the gateway the first time the gateway passes the

connectivity check.

Enable

Connectivity

Check

Select this to turn on the connection check.

Check Method Select the method that the gateway allows.

Select icmp to have the ZyWALL/USG regularly ping the gateway you specify to make

sure it is still available.

Select tcp to have the ZyWALL/USG regularly perform a TCP handshake with the

gateway you specify to make sure it is still available.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail

Tolerance Enter the number of consecutive failures before the ZyWALL/USG stops routing through

the gateway.

Check Default

Gateway Select this to use the default gateway for the connectivity check.

Check this

address Select this to specify a domain name or IP address for the connectivity check. Enter

that domain name or IP address in the field next to it.

Check Port This field displays when you set the Check Method to tcp. Specify the port number to

use for a TCP connectivity check.

Related Setting

WAN TRUNK Click this link to go to a screen where you can configure WAN trunk load balancing.

Policy Route Click this link to go to the screen where you can manually configure a policy route to

associate traffic with this interface.

OK Click OK to save your changes back to the ZyWALL/USG.

Cancel Click Cancel to exit this screen without saving.

Ta ble 97 Network > Interface > Tunnel > Add/Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

226

9.7 VLAN Interfaces

A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The

standard is defined in IEEE 802.1q.

Figure 166 Example: Before VLAN

In this example, there are two physical networks and three departments A, B, and C. The physical

networks are connected to hubs, and the hubs are connected to the router.

Alternatively, you can divide the physical networks into three VLANs.

Figure 167 Example: After VLAN

Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each

VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the

MAC header. The VLANs are connected to switches, and the switches are connected to the router.

(If one switch has enough connections for the entire network, the network does not need switches

A and B.)

• Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled

by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is

only broadcast inside each VLAN, not each physical network.

• Traffic between VLANs (or between a VLAN and another type of network) is layer-3

communication (network layer, IP addresses). It is handled by the router.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

227

This approach provides a few advantages.

• Increased performance - In VLAN 2, the extra switch should route traffic inside the sales

department faster than the router does. In addition, broadcasts are limited to smaller, more

logical groups of users.

• Higher security - If each computer has a separate physical connection to the switch, then

broadcast traffic in each VLAN is never sent to computers in another VLAN.

• Better manageability - You can align network policies more appropriately for users. For example,

you can create different content filtering rules for each VLAN (each department in the example

above), and you can set different bandwidth limits for each VLAN. These rules are also

independent of the physical network, so you can change the physical network without changing

policies.

In this example, the new switch handles the following types of traffic:

•Inside VLAN 2.

• Between the router and VLAN 1.

• Between the router and VLAN 2.

• Between the router and VLAN 3.

VLAN Interfaces Overview

In the ZyWALL/USG, each VLAN is called a VLAN interface. As a router, the ZyWALL/USG routes

traffic between VLAN interfaces, but it does not route traffic within a VLAN interface. All traffic for

each VLAN interface can go through only one Ethernet interface, though each Ethernet interface

can have one or more VLAN interfaces.

Note: Each VLAN interface is created on top of only one Ethernet interface.

Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address,

subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet

size. They can provide DHCP services, and they can verify the gateway is available.

9.7.1 VLAN Summary Screen

This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. If you

enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure VLAN

interfaces used for your IPv6 networks on this screen. To access this screen, click Configuration >

Network > Interface > VLAN.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

228

Figure 168 Configuration > Network > Interface > VLAN

Each field is explained in the following table.

Ta ble 98 Configuration > Network > Interface > VLAN

LABEL DESCRIPTION

Configuration

/ IPv6

Configuration

Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration

section for IPv6 network settings if you connect your ZyWALL/USG to an IPv6 network. Both

sections have similar fields as described below.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify the

entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to

remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Create Virtual

Interface

To open the screen where you can create a virtual interface, select an interface and click

Create Virtual Interface.

Object

References

Select an entry and click Object Reference to open a screen that shows which settings use

the entry. See Section 9.3.2 on page 201 for an example.

# This field is a sequential value, and it is not associated with any interface.

Status This icon is lit when the entry is active and dimmed when the entry is inactive.

Name This field displays the name of the interface.

Port/VID For VLAN interfaces, this field displays

• the Ethernet interface on which the VLAN interface is created

• the VLAN ID

For virtual interfaces, this field is blank.

IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the

interface does not have an IP address yet.

This screen also shows whether the IP address is a static IP address (STATIC) or dynamically

assigned (DHCP). IP addresses are always static in virtual interfaces.

Mask This field displays the interface’s subnet mask in dot decimal notation.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

229

9.7.2 VLAN Add/Edit

Select an existing entry in the previous scrren and click Edit or click Add to create a new entry. The

following screen appears.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

230

Figure 169 Configuration > Network > Interface > VLAN > Add /Edit

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

231

Each field is explained in the following table.

Ta ble 99 Configuration > Network > Interface > VLAN > Add / Edit

LABEL DESCRIPTION

IPv4/IPv6 View /

IPv4 View / IPv6

View

Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration

fields.

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use

for the DHCPv6 settings in this screen.

General Settings

Enable Interface Select this to turn this interface on. Clear this to disable this interface.

General IPv6

Setting

Enable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.

Interface Properties

Interface Type Select one of the following option depending on the type of network to which the

ZyWALL/USG is connected or if you want to additionally manually configure some

related settings.

internal is for connecting to a local network. Other corresponding configuration

options: DHCP server and DHCP relay. The ZyWALL/USG automatically adds default

SNAT settings for traffic flowing from this interface to an external interface.

external is for connecting to an external network (like the Internet). The ZyWALL/USG

automatically adds this interface to the default WAN trunk.

For general, the rest of the screen’s options do not automatically adjust and you must

manually configure a policy route to add routing and SNAT settings for the interface.

Interface Name This field is read-only if you are editing an existing VLAN interface. Enter the number of

the VLAN interface. You can use a number from 0~4094. For example, use vlan0,

vlan8, and so on. The total number of VLANs you can configure on the ZyWALL/USG

depends on the model.

Zone Select the zone to which the VLAN interface belongs.

Base Port Select the Ethernet interface on which the VLAN interface runs.

VLAN ID Enter the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values

are 1 - 4094. (0 and 4095 are reserved.)

Priority Code This is a 3-bit field within a 802.1Q VLAN tag that’s used to prioritize associated

outgoing VLAN traffic. "0" is the lowest priority level and "7" is the highest. See Table

186 on page 451. The setting configured in Configuration > BWM overwrites the

priority setting here.

Description Enter a description of this interface. It is not used elsewhere. You can use alphanumeric

and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

IP Address

Assignment

Get

Automatically Select this if this interface is a DHCP client. In this case, the DHCP server configures

the IP address, subnet mask, and gateway automatically.

You should not select this if the interface is assigned to a VRRP group.

Use Fixed IP

Address Select this if you want to specify the IP address, subnet mask, and gateway manually.

IP Address This field is enabled if you select Use Fixed IP Address.

Enter the IP address for this interface.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

232

Subnet Mask This field is enabled if you select Use Fixed IP Address.

Enter the subnet mask of this interface in dot decimal notation. The subnet mask

indicates what part of the IP address is the same for all computers in the network.

Gateway This field is enabled if you select Use Fixed IP Address.

Enter the IP address of the gateway. The ZyWALL/USG sends packets to the gateway

when it does not know how to route the packet to its destination. The gateway should

be on the same network as the interface.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL/USG decides

which gateway to use based on this priority. The lower the number, the higher the

priority. If two or more gateways have the same priority, the ZyWALL/USG uses the one

that was configured first.

Enable IGMP

Support

Select this to allow the ZyWALL/USG to act as an IGMP proxy for hosts connected on

the IGMP downstream interface.

IGMP Version: Select the IGMP version to be used on this ZyWALL/USG interface.

IGMP Upstream Enable IGMP Upstream on the interface which connects to a router running IGMP that

is closer to the multicast server.

IGMP

Downstream Enable IGMP Downstream on the interface which connects to the multicast hosts.

IPv6 Address

Assignment

These IP address fields configure an IPv6 IP address on the interface itself.

Enable Stateless

Address Auto-

configuration

(SLAAC)

Select this to enable IPv6 stateless auto-configuration on this interface. The interface

will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the

network.

Link-Local

address This displays the IPv6 link-local address and the network prefix that the ZyWALL/USG

generates itself for the interface.

IPv6 Address/

Prefix Length Enter the IPv6 address and the prefix length for this interface if you want to configure a

static IP address for this interface. This field is optional.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Gateway Enter the IPv6 address of the default outgoing gateway using colon (:) hexadecimal

notation.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL/USG decides

which gateway to use based on this priority. The lower the number, the higher the

priority. If two or more gateways have the same priority, the ZyWALL/USG uses the one

that was configured first.

Address from

DHCPv6 Prefix

Delegation

Use this table to have the ZyWALL/USG obtain an IPv6 prefix from the ISP or a

connected uplink router for an internal network, such as the LAN or DMZ. You have to

also enter a suffix address which is appended to the delegated prefix to form an

address for this interface. See Prefix Delegation on page 181 for more information.

To use prefix delegation, you must:

• Create at least one DHCPv6 request object before configuring this table.

• The external interface must be a DHCPv6 client. You must configure the DHCPv6

request options using a DHCPv6 request object with the type of prefix-delegation.

• Assign the prefix delegation to an internal interface and enable router

advertisement on that interface.

Add Click this to create an entry.

Edit Select an entry and click this to change the settings.

Remove Select an entry and click this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Ta ble 99 Configuration > Network > Interface > VLAN > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

233

Delegated

Prefix Select the DHCPv6 request object to use from the drop-down list.

Suffix

Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The

ZyWALL/USG will append it to the delegated prefix.

For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure

an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter

::1111:0:0:0:1/128 in this field.

Address This field displays the combined IPv6 IP address for this interface.

Note: This field displays the combined address after you click OK and reopen this

screen.

DHCPv6 Setting

DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique

and used for identification purposes when the interface is exchanging DHCPv6

messages with others. See DHCPv6 on page 182 for more information.

DUID as MAC Select this to have the DUID generated from the interface’s default MAC address.

Customized

DUID If you want to use a customized DUID, enter it here for the interface.

Enable Rapid

Commit Select this to shorten the DHCPv6 message exchange process from four to two steps.

This function helps reduce heavy network traffic load.

Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit

work.

Information

Refresh Time Enter the number of seconds a DHCPv6 client should wait before refreshing information

retrieved from DHCPv6.

Request Address This field is available if you set this interface to DHCPv6 Client. Select this to get an

IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP

address information through DHCPv6.

DHCPv6 Request

Options /

DHCPv6 Lease

Options

If this interface is a DHCPv6 client, use this section to configure DHCPv6 request

settings that determine what additional information to get from the DHCPv6 server.

If this interface is a DHCPv6 server, use this section to configure DHCPv6 lease settings

that determine what to offer to the DHCPv6 clients.

Add Click this to create an entry in this table. See Section 9.3.3 on page 201 for more

information.

Remove Select an entry and click this to change the settings.

Object

Reference Select an entry and click this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Name This field displays the name of the DHCPv6 request or lease object.

Type This field displays the type of the object.

Value This field displays the IPv6 prefix that the ZyWALL/USG obtained from an uplink router

(Server is selected) or will advertise to its clients (Client is selected).

Interface When Relay is selected, select this check box and an interface from the drop-down list

if you want to use it as the relay server.

Relay Server When Relay is selected, select this check box and enter the IP address of a DHCPv6

server as the relay server.

IPv6 Router

Setting

Ta ble 99 Configuration > Network > Interface > VLAN > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

234

Enable Router

Advertisement Select this to enable this interface to send router advertisement messages periodically.

See IPv6 Router Advertisement on page 182 for more information.

Advertised Hosts

Get Network

Configuration

From DHCPv6

Select this to have the ZyWALL/USG indicate to hosts to obtain network settings (such

as prefix and DNS settings) through DHCPv6.

Clear this to have the ZyWALL/USG indicate to hosts that DHCPv6 is not available and

they should use the prefix in the router advertisement message.

Advertised Hosts

Get Other

Configuration

From DHCPv6

Select this to have the ZyWALL/USG indicate to hosts to obtain DNS information

through DHCPv6.

Clear this to have the ZyWALL/USG indicate to hosts that DNS information is not

available in this network.

Router

Preference Select the router preference (Low, Medium or High) for the interface. The interface

sends this preference in the router advertisements to tell hosts what preference they

should use for the ZyWALL/USG. This helps hosts to choose their default router

especially when there are multiple IPv6 router in the network.

Note: Make sure the hosts also support router preference to make this function work.

MTU The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in

bytes, that can move through this interface. If a larger packet arrives, the ZyWALL/

USG divides it into smaller fragments.

Hop Limit Enter the maximum number of network segments that a packet can cross before

reaching the destination. When forwarding an IPv6 packet, IPv6 routers are required to

decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0.

Advertised

Prefix Table Configure this table only if you want the ZyWALL/USG to advertise a fixed prefix to the

network.

Add Click this to create an IPv6 prefix address.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

IPv6

Address/

Prefix Length

Enter the IPv6 network prefix address and the prefix length.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Advertised

Prefix from

DHCPv6 Prefix

Delegation

Use this table to configure the network prefix if you want to use a delegated prefix as

the beginning part of the network prefix.

Add Click this to create an entry in this table.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use for generating the network prefix for the

network.

Suffix

Address Enter the ending part of the IPv6 network address plus a slash (/) and the prefix

length. The ZyWALL/USG will append it to the selected delegated prefix. The combined

address is the network prefix for the network.

For example, you got a delegated prefix of 2003:1234:5678/48. You want to divide it

into 2003:1234:5678:1111/64 for this interface and 2003:1234:5678:2222/64 for

another interface. You can use ::1111/64 and ::2222/64 for the suffix address

respectively. But if you do not want to divide the delegated prefix into subnetworks,

enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.

Ta ble 99 Configuration > Network > Interface > VLAN > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

235

Address This is the final network prefix combined by the delegated prefix and the suffix.

Note: This field displays the combined address after you click OK and reopen this

screen.

Interface

Parameters

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can send

through the interface to the network. Allowed values are 0 - 1048576.

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can

receive from the network through the interface. Allowed values are 0 - 1048576.

MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL/USG

divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is

1500.

Connectivity Check The ZyWALL/USG can regularly check the connection to the gateway you specified to

make sure it is still available. You specify how often to check the connection, how long

to wait for a response before the attempt is a failure, and how many consecutive

failures are required before the ZyWALL/USG stops routing to the gateway. The

ZyWALL/USG resumes routing to the gateway the first time the gateway passes the

connectivity check.

Enable

Connectivity

Check

Select this to turn on the connection check.

Check Method Select the method that the gateway allows.

Select icmp to have the ZyWALL/USG regularly ping the gateway you specify to make

sure it is still available.

Select tcp to have the ZyWALL/USG regularly perform a TCP handshake with the

gateway you specify to make sure it is still available.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail

Tolerance Enter the number of consecutive failures before the ZyWALL/USG stops routing through

the gateway.

Check Default

Gateway Select this to use the default gateway for the connectivity check.

Check this

address Select this to specify a domain name or IP address for the connectivity check. Enter

that domain name or IP address in the field next to it.

Check Port This field only displays when you set the Check Method to tcp. Specify the port

number to use for a TCP connectivity check.

DHCP Setting The DHCP settings are available for the OPT, LAN and DMZ interfaces.

DHCP Select what type of DHCP service the ZyWALL/USG provides to the network. Choices

are:

None - the ZyWALL/USG does not provide any DHCP services. There is already a DHCP

server on the network.

DHCP Relay - the ZyWALL/USG routes DHCP requests to one or more DHCP servers

you specify. The DHCP server(s) may be on another network.

DHCP Server - the ZyWALL/USG assigns IP addresses and provides subnet mask,

gateway, and DNS server information to the network. The ZyWALL/USG is the DHCP

server for the network.

Ta ble 99 Configuration > Network > Interface > VLAN > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

236

These fields appear if the ZyWALL/USG is a DHCP Rel ay.

Relay Server 1 Enter the IP address of a DHCP server for the network.

Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network.

These fields appear if the ZyWALL/USG is a DHCP Se rver.

IP Pool Start

Address Enter the IP address from which the ZyWALL/USG begins allocating IP addresses. If

you want to assign a static IP address to a specific computer, click Add Static DHCP.

If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL/USG

can assign every IP address allowed by the interface’s IP address and subnet mask,

except for the first address (network address), last address (broadcast address) and

the interface’s IP address.

Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is

limited by the interface’s Subnet Mask. For example, if the Subnet Mask is

255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL/USG can

allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.

If this field is blank, the IP Pool Start Address must also be blank. In this case, the

ZyWALL/USG can assign every IP address allowed by the interface’s IP address and

subnet mask, except for the first address (network address), last address (broadcast

address) and the interface’s IP address.

First DNS Server

Second DNS

Server

Third DNS

Server

Specify the IP addresses up to three DNS servers for the DHCP clients to use. Use one

of the following ways to specify these IP addresses.

Custom Defined - enter a static IP address.

From ISP - select the DNS server that another interface received from its DHCP server.

ZyWALL/USG - the DHCP clients use the IP address of this interface and the ZyWALL/

USG works as a DNS relay.

First WINS

Server, Second

WINS Server

Type the IP address of the WINS (Windows Internet Naming Service) server that you

want to send to the DHCP clients. The WINS server keeps a mapping table of the

computer names on your network and the IP addresses that they are currently using.

Default Router If you set this interface to DHCP Serve r, you can select to use either the interface’s IP

address or another IP address as the default router. This default router will become the

DHCP clients’ default gateway.

To use another IP address as the default router, select Custom Defined and enter the

IP address.

Lease time Specify how long each computer can use the information (especially the IP address)

before it has to request the information again. Choices are:

infinite - select this if IP addresses never expire

days, hours, and minutes - select this to enter how long IP addresses are valid.

Extended

Options This table is available if you selected DHCP server.

Configure this table if you want to send more information to DHCP clients through

DHCP packets.

Add Click this to create an entry in this table. See Section 9.3.4 on page 202.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

Name This is the option’s name.

Code This is the option’s code number.

Type This is the option’s type.

Ta ble 99 Configuration > Network > Interface > VLAN > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

237

Value This is the option’s value.

Enable IP/MAC

Binding Select this option to have the ZyWALL/USG enforce links between specific IP addresses

and specific MAC addresses for this VLAN. This stops anyone else from manually using

a bound IP address on another device connected to this interface. Use this to make use

only the intended users get to use specific IP addresses.

Enable Logs for

IP/MAC Binding

Violation

Select this option to have the ZyWALL/USG generate a log if a device connected to this

VLAN attempts to use an IP address that is bound to another device’s MAC address.

Static DHCP

Table Configure a list of static IP addresses the ZyWALL/USG assigns to computers connected

to the interface. Otherwise, the ZyWALL/USG assigns an IP address dynamically using

the interface’s IP Pool Start Address and Pool Size.

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

# This field is a sequential value, and it is not associated with a specific entry.

IP Address Enter the IP address to assign to a device with this entry’s MAC address.

MAC Address Enter the MAC address to which to assign this entry’s IP address.

Description Enter a description to help identify this static DHCP entry. You can use alphanumeric

and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

RIP Setting See Section 10.6 on page 275 for more information about RIP.

Enable RIP Select this to enable RIP on this interface.

Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down

list box.

BiDir - This interface sends and receives routing information.

In-Only - This interface receives routing information.

Out-Only - This interface sends routing information.

Send Version This field is effective when RIP is enabled. Select the RIP version(s) used for sending

RIP packets. Choices are 1, 2, and 1 and 2.

Receive Version This field is effective when RIP is enabled. Select the RIP version(s) used for receiving

RIP packets. Choices are 1, 2, and 1 and 2.

V2-Broadcast This field is effective when RIP is enabled. Select this to send RIP-2 packets using

subnet broadcasting; otherwise, the ZyWALL/USG uses multicasting.

OSPF Setting See Section 10.7 on page 277 for more information about OSPF.

Area Select the area in which this interface belongs. Select None to disable OSPF in this

interface.

Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a

Designated Router (DR) or Backup Designated Router (BDR). The highest-priority

interface identifies the DR, and the second-highest-priority interface identifies the BDR.

Set the priority to zero if the interface can not be the DR or BDR.

Link Cost Enter the cost (between 1 and 65,535) to route packets through this interface.

Passive

Interface Select this to stop forwarding OSPF routing information from the selected interface. As

a result, this interface only receives routing information.

Ta ble 99 Configuration > Network > Interface > VLAN > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

238

9.8 Bridge Interfaces

This section introduces bridges and bridge interfaces and then explains the screens for bridge

interfaces.

Bridge Overview

A bridge creates a connection between two or more network segments at the layer-2 (MAC

address) level. In the following example, bridge X connects four network segments.

Authentication Select an authentication method, or disable authentication. To exchange OSPF routing

information with peer border routers, you must use the same authentication method

that they use. Choices are:

Same-as-Area - use the default authentication method in the area

None - disable authentication

Text - authenticate OSPF routing information using a plain-text password

MD5 - authenticate OSPF routing information using MD5 encryption

Text

Authentication

Key

This field is available if the Authentication is Text. Type the password for text

authentication. The key can consist of alphanumeric characters and the underscore,

and it can be up to 16 characters long.

MD5

Authentication

This field is available if the Authentication is MD5. Type the ID for MD5

authentication. The ID can be between 1 and 255.

MD5

Authentication

Key

This field is available if the Authentication is MD5. Type the password for MD5

authentication. The password can consist of alphanumeric characters and the

underscore, and it can be up to 16 characters long.

Related Setting

Configure WAN

TRUNK Click WAN TRUNK to go to a screen where you can set this VLAN to be part of a WAN

trunk for load balancing.

Configure Policy

Route Click Policy Route to go to the screen where you can manually configure a policy

route to associate traffic with this VLAN.

OK Click OK to save your changes back to the ZyWALL/USG.

Cancel Click Cancel to exit this screen without saving.

Ta ble 99 Configuration > Network > Interface > VLAN > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

239

When the bridge receives a packet, the bridge records the source MAC address and the port on

which it was received in a table. It also looks up the destination MAC address in the table. If the

bridge knows on which port the destination MAC address is located, it sends the packet to that port.

If the destination MAC address is not in the table, the bridge broadcasts the packet on every port

(except the one on which it was received).

In the example above, computer A sends a packet to computer B. Bridge X records the source

address 0A:0A:0A:0A:0A:0A and port 2 in the table. It also looks up 0B:0B:0B:0B:0B:0B in the

table. There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4.

If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B

and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to

port 2 accordingly.

Bridge Interface Overview

A bridge interface creates a software bridge between the members of the bridge interface. It also

becomes the ZyWALL/USG’s interface for the resulting network.

Unlike the device-wide bridge mode in ZyNOS-based ZyWALL/USGs, this ZyWALL/USG can bridge

traffic between some interfaces while it routes traffic for other interfaces. The bridge interfaces also

support more functions, like interface bandwidth parameters, DHCP settings, and connectivity

check. To use the whole ZyWALL/USG as a transparent bridge, add all of the ZyWALL/USG’s

interfaces to a bridge interface.

A bridge interface may consist of the following members:

• Zero or one VLAN interfaces (and any associated virtual VLAN interfaces)

• Any number of Ethernet interfaces (and any associated virtual Ethernet interfaces)

When you create a bridge interface, the ZyWALL/USG removes the members’ entries from the

routing table and adds the bridge interface’s entries to the routing table. For example, this table

shows the routing table before and after you create bridge interface br0 (250.250.250.0/23)

between lan1 and vlan1.

Table 100 Example: Bridge Table After Computer A Sends a Packet to Computer B

MAC ADDRESS PORT

0A:0A:0A:0A:0A:0A 2

Table 101 Example: Bridge Table After Computer B Responds to Computer A

MAC ADDRESS PORT

0A:0A:0A:0A:0A:0A 2

0B:0B:0B:0B:0B:0B 4

Table 102 Example: Routing Table Before and After Bridge Interface br0 Is Created

IP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATION

210.210.210.0/24 lan1 221.221.221.0/24 vlan0

210.211.1.0/24 lan1:1 230.230.230.192/26 wan2

221.221.221.0/24 vlan0 241.241.241.241/32 dmz

222.222.222.0/24 vlan1 242.242.242.242/32 dmz

230.230.230.192/26 wan2 250.250.250.0/23 br0

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

240

In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1

is added to br0. Virtual interfaces are automatically added to or remove from a bridge interface

when the underlying interface is added or removed.

9.8.1 Bridge Summary

This screen lists every bridge interface and virtual interface created on top of bridge interfaces. If

you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure bridge

interfaces used for your IPv6 network on this screen. To access this screen, click Configuration >

Network > Interface > Bridge.

Figure 170 Configuration > Network > Interface > Bridge

Each field is described in the following table.

241.241.241.241/32 dmz

242.242.242.242/32 dmz

Table 102 Example: Routing Table Before and After Bridge Interface br0 Is Created (continued)

IP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATION

Table 103 Configuration > Network > Interface > Bridge

LABEL DESCRIPTION

Configuration / IPv6

Configuration

Use the Configuration section for IPv4 network settings. Use the IPv6

Configuration section for IPv6 network settings if you connect your ZyWALL/USG to

an IPv6 network. Both sections have similar fields as described below.

Add Click this to create a new entry.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify

the entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want

to remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Create Virtual

Interface

To open the screen where you can create a virtual interface, select an interface and

click Create Virtual Interface.

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

241

9.8.2 Bridge Add/Edit

This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP

settings, and connectivity check for each bridge interface. To access this screen, click the Add or

Edit icon in the Bridge Summary screen. The following screen appears.

Object References Select an entry and click Object Reference to open a screen that shows which

settings use the entry. See Section 9.3.2 on page 201 for an example.

# This field is a sequential value, and it is not associated with any interface.

Status This icon is lit when the entry is active and dimmed when the entry is inactive.

Name This field displays the name of the interface.

IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0,

the interface does not have an IP address yet.

This screen also shows whether the IP address is a static IP address (STATIC) or

dynamically assigned (DHCP). IP addresses are always static in virtual interfaces.

Member This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It

is blank for virtual interfaces.

Apply Click Apply to save your changes back to the ZyWALL/USG.

Reset Click Reset to return the screen to its last-saved settings.

Table 103 Configuration > Network > Interface > Bridge (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

242

Figure 171 Configuration > Network > Interface > Bridge > Add / Edit

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

243

Configuration > Network > Interface > Bridge > Add

Each field is described in the table below.

Table 104 Configuration > Network > Interface > Bridge > Add / Edit

LABEL DESCRIPTION

IPv4/IPv6 View /

IPv4 View / IPv6

View

Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration

fields.

Show Advanced

Settings / Hide

Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use

for the DHCPv6 settings in this screen.

General Settings

Enable Interface Select this to enable this interface. Clear this to disable this interface.

General IPv6

Setting

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

244

Enable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.

Interface Properties

Interface Type Select one of the following option depending on the type of network to which the

ZyWALL/USG is connected or if you want to additionally manually configure some

related settings.

internal is for connecting to a local network. Other corresponding configuration

options: DHCP server and DHCP relay. The ZyWALL/USG automatically adds default

SNAT settings for traffic flowing from this interface to an external interface.

external is for connecting to an external network (like the Internet). The ZyWALL/USG

automatically adds this interface to the default WAN trunk.

For general, the rest of the screen’s options do not automatically adjust and you must

manually configure a policy route to add routing and SNAT settings for the interface.

Interface Name This field is read-only if you are editing the interface. Enter the name of the bridge

interface. The format is brx, where x is 0 - 11. For example, br0, br3, and so on.

Zone Select the zone to which the interface is to belong. You use zones to apply security

settings such as security policy, IDP, remote management, anti-virus, and application

patrol.

Description Enter a description of this interface. It is not used elsewhere. You can use alphanumeric

and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.

Member

Configuration

Available This field displays Ethernet interfaces and VLAN interfaces that can become part of the

bridge interface. An interface is not available in the following situations:

• There is a virtual interface on top of it

• It is already used in a different bridge interface

Select one, and click the >> arrow to add it to the bridge interface. Each bridge

interface can only have one VLAN interface.

Member This field displays the interfaces that are part of the bridge interface. Select one, and

click the << arrow to remove it from the bridge interface.

IP Address

Assignment

Get

Automatically Select this if this interface is a DHCP client. In this case, the DHCP server configures

the IP address, subnet mask, and gateway automatically.

Use Fixed IP

Address Select this if you want to specify the IP address, subnet mask, and gateway manually.

IP Address This field is enabled if you select Use Fixed IP Address.

Enter the IP address for this interface.

Subnet Mask This field is enabled if you select Use Fixed IP Address.

Enter the subnet mask of this interface in dot decimal notation. The subnet mask

indicates what part of the IP address is the same for all computers in the network.

Gateway This field is enabled if you select Use Fixed IP Address.

Enter the IP address of the gateway. The ZyWALL/USG sends packets to the gateway

when it does not know how to route the packet to its destination. The gateway should

be on the same network as the interface.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL/USG decides

which gateway to use based on this priority. The lower the number, the higher the

priority. If two or more gateways have the same priority, the ZyWALL/USG uses the one

that was configured first.

Table 104 Configuration > Network > Interface > Bridge > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

245

Enable IGMP

Support Select this to allow the ZyWALL/USG to act as an IGMP proxy for hosts connected on

the IGMP downstream interface.

IGMP Version: Select the IGMP version to be used on this ZyWALL/USG interface.

IGMP

Upstream Enable IGMP Upstream on the interface which connects to a router running IGMP that

is closer to the multicast server.

IGMP

Downstream Enable IGMP Downstream on the interface which connects to the multicast hosts.

IPv6 Address

Assignment

These IP address fields configure an IPv6 IP address on the interface itself.

Enable Stateless

Address Auto-

configuration

(SLAAC)

Select this to enable IPv6 stateless auto-configuration on this interface. The interface

will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the

network.

Link-Local

address This displays the IPv6 link-local address and the network prefix that the ZyWALL/USG

generates itself for the interface.

IPv6 Address/

Prefix Length Enter the IPv6 address and the prefix length for this interface if you want to use a static

IP address. This field is optional.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Gateway Enter the IPv6 address of the default outgoing gateway using colon (:) hexadecimal

notation.

Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL/USG decides

which gateway to use based on this priority. The lower the number, the higher the

priority. If two or more gateways have the same priority, the ZyWALL/USG uses the one

that was configured first.

Address from

DHCPv6 Prefix

Delegation

Use this table to have the ZyWALL/USG obtain an IPv6 prefix from the ISP or a

connected uplink router for an internal network, such as the LAN or DMZ. You have to

also enter a suffix address which is appended to the delegated prefix to form an

address for this interface. See Prefix Delegation on page 181 for more information.

To use prefix delegation, you must:

• Create at least one DHCPv6 request object before configuring this table.

• The external interface must be a DHCPv6 client. You must configure the DHCPv6

request options using a DHCPv6 request object with the type of prefix-delegation.

• Assign the prefix delegation to an internal interface and enable router

advertisement on that interface.

Add Click this to create an entry.

Edit Select an entry and click this to change the settings.

Remove Select an entry and click this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use from the drop-down list.

Suffix

Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The

ZyWALL/USG will append it to the delegated prefix.

For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure

an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter

::1111:0:0:0:1/128 in this field.

Address This field displays the combined IPv6 IP address for this interface.

Note: This field displays the combined address after you click OK and reopen this

screen.

Table 104 Configuration > Network > Interface > Bridge > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

246

DHCPv6 Setting

DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique

and used for identification purposes when the interface is exchanging DHCPv6

messages with others. See DHCPv6 on page 182 for more information.

DUID as MAC Select this if you want the DUID is generated from the interface’s default MAC address.

Customized

DUID If you want to use a customized DUID, enter it here for the interface.

Enable Rapid

Commit Select this to shorten the DHCPv6 message exchange process from four to two steps.

This function helps reduce heavy network traffic load.

Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit

work.

Information

Refresh Time Enter the number of seconds a DHCPv6 client should wait before refreshing information

retrieved from DHCPv6.

Request Address This field is available if you set this interface to DHCPv6 Client. Select this to get an

IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP

address information through DHCPv6.

DHCPv6 Request

Options /

DHCPv6 Lease

Options

If this interface is a DHCPv6 client, use this section to configure DHCPv6 request

settings that determine what additional information to get from the DHCPv6 server.

If the interface is a DHCPv6 server, use this section to configure DHCPv6 lease settings

that determine what to offer to the DHCPv6 clients.

Add Click this to create an entry in this table. See Section 9.3.3 on page 201 for more

information.

Remove Select an entry and click this to change the settings.

Object

Reference Select an entry and click this to delete it from this table.

# This field is a sequential value, and it is not associated with any entry.

Name This field displays the name of the DHCPv6 request or lease object.

Type This field displays the type of the object.

Value This field displays the IPv6 prefix that the ZyWALL/USG obtained from an uplink router

(Server is selected) or will advertise to its clients (Client is selected).

Interface When Relay is selected, select this check box and an interface from the drop-down list

if you want to use it as the relay server.

Relay Server When Relay is selected, select this check box and enter the IP address of a DHCPv6

server as the relay server.

IPv6 Router

Setting

Enable Router

Advertisement Select this to enable this interface to send router advertisement messages periodically.

See IPv6 Router Advertisement on page 182 for more information.

Advertised Hosts

Get Network

Configuration

From DHCPv6

Select this to have the ZyWALL/USG indicate to hosts to obtain network settings (such

as prefix and DNS settings) through DHCPv6.

Clear this to have the ZyWALL/USG indicate to hosts that DHCPv6 is not available and

they should use the prefix in the router advertisement message.

Advertised Hosts

Get Other

Configuration

From DHCPv6

Select this to have the ZyWALL/USG indicate to hosts to obtain DNS information

through DHCPv6.

Clear this to have the ZyWALL/USG indicate to hosts that DNS information is not

available in this network.

Table 104 Configuration > Network > Interface > Bridge > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

247

Router

Preference Select the router preference (Low, Medium or High) for the interface. The interface

sends this preference in the router advertisements to tell hosts what preference they

should use for the ZyWALL/USG. This helps hosts to choose their default router

especially when there are multiple IPv6 router in the network.

Note: Make sure the hosts also support router preference to make this function work.

MTU The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in

bytes, that can move through this interface. If a larger packet arrives, the ZyWALL/

USG divides it into smaller fragments.

Hop Limit Enter the maximum number of network segments that a packet can cross before

reaching the destination. When forwarding an IPv6 packet, IPv6 routers are required to

decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0.

Advertised

Prefix Table Configure this table only if you want the ZyWALL/USG to advertise a fixed prefix to the

network.

Add Click this to create an IPv6 prefix address.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

IPv6

Address/

Prefix Length

Enter the IPv6 network prefix address and the prefix length.

The prefix length indicates what the left-most part of the IP address is the same for all

computers in the network, that is, the network address.

Advertised

Prefix from

DHCPv6 Prefix

Delegation

Use this table to configure the network prefix if you want to use a delegated prefix as

the beginning part of the network prefix.

Add Click this to create an entry in this table.

Edit Select an entry in this table and click this to modify it.

Remove Select an entry in this table and click this to delete it.

# This field is a sequential value, and it is not associated with any entry.

Delegated

Prefix Select the DHCPv6 request object to use for generating the network prefix for the

network.

Suffix

Address Enter the ending part of the IPv6 network address plus a slash (/) and the prefix

length. The ZyWALL/USG will append it to the selected delegated prefix. The combined

address is the network prefix for the network.

For example, you got a delegated prefix of 2003:1234:5678/48. You want to divide it

into 2003:1234:5678:1111/64 for this interface and 2003:1234:5678:2222/64 for

another interface. You can use ::1111/64 and ::2222/64 for the suffix address

respectively. But if you do not want to divide the delegated prefix into subnetworks,

enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.

Address This is the final network prefix combined by the selected delegated prefix and the

suffix.

Note: This field displays the combined address after you click OK and reopen this

screen.

Interface

Parameters

Egress

Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can send

through the interface to the network. Allowed values are 0 - 1048576.

Table 104 Configuration > Network > Interface > Bridge > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

248

Ingress

Bandwidth This is reserved for future use.

Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can

receive from the network through the interface. Allowed values are 0 - 1048576.

MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes,

that can move through this interface. If a larger packet arrives, the ZyWALL/USG

divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is

1500.

DHCP Setting

DHCP Select what type of DHCP service the ZyWALL/USG provides to the network. Choices

are:

None - the ZyWALL/USG does not provide any DHCP services. There is already a DHCP

server on the network.

DHCP Relay - the ZyWALL/USG routes DHCP requests to one or more DHCP servers

you specify. The DHCP server(s) may be on another network.

DHCP Server - the ZyWALL/USG assigns IP addresses and provides subnet mask,

gateway, and DNS server information to the network. The ZyWALL/USG is the DHCP

server for the network.

These fields appear if the ZyWALL/USG is a DHCP Rel ay.

Relay Server 1 Enter the IP address of a DHCP server for the network.

Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network.

These fields appear if the ZyWALL/USG is a DHCP Se rver.

IP Pool Start

Address Enter the IP address from which the ZyWALL/USG begins allocating IP addresses. If

you want to assign a static IP address to a specific computer, click Add Static DHCP.

If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL/USG

can assign every IP address allowed by the interface’s IP address and subnet mask,

except for the first address (network address), last address (broadcast address) and

the interface’s IP address.

Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is

limited by the interface’s Subnet Mask. For example, if the Subnet Mask is

255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL/USG can

allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.

If this field is blank, the IP Pool Start Address must also be blank. In this case, the

ZyWALL/USG can assign every IP address allowed by the interface’s IP address and

subnet mask, except for the first address (network address), last address (broadcast

address) and the interface’s IP address.

First DNS Server

Second DNS

Server

Third DNS

Server

Specify the IP addresses up to three DNS servers for the DHCP clients to use. Use one

of the following ways to specify these IP addresses.

Custom Defined - enter a static IP address.

From ISP - select the DNS server that another interface received from its DHCP server.

ZyWALL/USG - the DHCP clients use the IP address of this interface and the ZyWALL/

USG works as a DNS relay.

First WINS

Server, Second

WINS Server

Type the IP address of the WINS (Windows Internet Naming Service) server that you

want to send to the DHCP clients. The WINS server keeps a mapping table of the

computer names on your network and the IP addresses that they are currently using.

Table 104 Configuration > Network > Interface > Bridge > Add / Edit (continued)

LABEL DESCRIPTION

Chapter 9 Interfaces

ZyWALL/USG Series User’s Guide

249