Configuration Basics
This section provides information to help you configure the ZyWALL effectively.
Granular Configuration
ZyWALL configuration is granular. When you configure a feature, you can often reuse settings that you have already configured (in one screen) in other screens. These reusable settings are called objects.
For example, when you set up a policy route, each criterion is an object. You can use criteria that you have already configured or select Create Object to configure new ones. Any objects that you create in this screen can be reused, without configuring them again, in other policy routes or in other features such as firewall rules or remote management.
For a list of common objects, see Objects.
Terminology in the ZyWALL
This section highlights some differences in terminology or organization between the ZyWALL and other routers, particularly ZyNOS routers.
ZyWALL Terminology That Might Be Different Than Other Products
Feature / Term        ZyWALL Feature / Term
Hub-and-spoke VPN     VPN concentrator
Physical Ports, Interfaces, and Zones
If you want to configure the ZyWALL effectively, you should understand the differences between physical ports, interfaces, and zones. The following illustration provides an overview of the relationship between physical ports, interfaces, and zones in the ZyWALL. It also identifies the types of features you can configure with each one.
A physical port is the place to which you connect the cable. As shown above, you do not usually configure physical ports to use various features. You configure interfaces and zones. The ZyWALL supports one-to-one, one-to-many, many-to-one, and many-to-none relationships between physical ports and interfaces.
There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL.
- Port groups create a hardware connection between physical ports at the layer-2 (MAC address) level.
- Ethernet interfaces are the foundation for defining other interfaces and network policies. You also configure RIP and OSPF in these interfaces.
- VLAN interfaces recognize tagged frames. The ZyWALL automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
- Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Then, you can configure the IP address and subnet mask of the bridge. It is also possible to configure zone-level security between the member interfaces in the bridge.
- PPPoE/PPTP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP interfaces.
- Virtual interfaces increase the amount of routing information in the ZyWALL. There are three types: virtual Ethernet interfaces (also known as IP alias), virtual VLAN interfaces, and virtual bridge interfaces.
- The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the DIAL BACKUP port.
Zones are used for security policies. A zone is simply a group of interfaces and/or VPN tunnels; by default, the ZyWALL has LAN, WAN and DMZ zones. Each interface and VPN tunnel can be assigned to one and only one zone. You can add, change, or remove the interfaces and VPN tunnels in each zone without affecting the settings that are based on zones.
Feature Configuration Overview
This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the web configurator. Each feature is organized as shown below.
Feature
This provides a brief description. See the appropriate chapter(s) in this User's Guide for more information about any feature.
Note: The PREREQUISITES or WHERE USED entry does not appear if a feature has no prerequisites or is not referenced by other features. For example, no other feature references DDNS entries, so DDNS has no WHERE USED entry.
Interface
See Physical Ports, Interfaces, and Zones for background information.
Note: When you create an interface, no security is applied on it until you assign it to a zone.
Most of the features that use interfaces support Ethernet, VLAN, bridge, and PPPoE/PPTP interfaces.
Trunks
Use trunks to set up load balancing using two or more interfaces.
IPSec VPN
Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN.
SSL VPN
Use SSL VPN to provide secure network access to remote users.
L2TP VPN
Use L2TP VPN to let remote users use the L2TP and IPSec client software included with their computers' operating systems to securely connect to the network behind the ZyWALL.
Zones
A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security settings, such as firewall rules and remote management.
Zones cannot overlap. Each interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.
When you create a zone, the ZyWALL does not create any firewall rules, assign an IDP profile, or configure remote management for the new zone.
Menu Item(s): Network > Zone
Prerequisites: Interfaces, IPSec VPN, SSL VPN
Where Used: Firewall, IDP, remote management, anti-virus, ADP, application patrol
Device HA
Use device HA to create redundant backup gateways. The ZyWALL 1050 runs VRRP v2. You can only set up device HA with other ZyWALL 1050s running the same firmware version.
DDNS
Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping.
Policy Routes
Use policy routes to control the routing of packets through the ZyWALL's interfaces, trunks, and VPN connections. You also use policy routes for bandwidth management (out of the ZyWALL), port triggering, and general NAT on the source address. You have to set up the criteria, next-hops, and NAT settings in other screens first.
Static Routes
Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL.
Firewall
The firewall controls traffic traveling between zones or within a zone. You can also configure the firewall to control traffic for virtual server (port forwarding) and policy routes (NAT). You can configure firewall rules based on schedules, specific users (or user groups), source or destination addresses (or address groups) and services (or service groups). Each of these objects is configured in its own screen.
To-ZyWALL firewall rules control access to the ZyWALL. Configure to-ZyWALL firewall rules for remote management. By default, the firewall allows any computer from the LAN zone to access or manage the ZyWALL. The ZyWALL drops packets from the WAN or DMZ zone to the ZyWALL itself, except for Device HA and VPN traffic.
Menu Item(s): Firewall
Prerequisites: Zones, schedules, users, user groups, addresses (source, destination), address groups (source, destination), services, service groups
Note: The ZyWALL checks the firewall rules in order. Make sure each rule is in the correct place in the sequence.
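The two points above, that zone membership (not the interface) decides which rules apply and that the first matching rule in the sequence wins, as an added illustration in Python. This is written for this section and is not ZyXEL's firmware or its rule format; the interface names ge1, ge2 and ge3, the "ge2:1" naming for a virtual interface, the zone map, the VRRP/IKE/ESP service names used for the Device HA and VPN exceptions, and the sample packets are all assumptions constructed for the example. It also covers through-ZyWALL rules between any two zones, not only the to-ZyWALL defaults the text describes.

```python
"""Model of zone-based, first-match firewall evaluation.

Added illustration for this guide section; not ZyXEL code, and the real
rule format differs. Interface names, the "ge2:1" virtual-interface naming,
the zone map and the sample packets are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Every interface belongs to at most one zone (constructed map).
INTERFACE_ZONE = {"ge1": "WAN", "ge2": "LAN", "ge3": "DMZ", "site_b_tunnel": "VPN"}


def zone_of(interface: str) -> Optional[str]:
    """A virtual interface ("ge2:1", assumed naming) inherits its parent's zone."""
    parent = interface.split(":", 1)[0]
    return INTERFACE_ZONE.get(parent)


@dataclass
class Rule:
    from_zone: str              # zone name or "any"
    to_zone: str                # zone name, "any", or "ZyWALL" for a to-ZyWALL rule
    src: str = "0.0.0.0/0"      # source address object (network or host)
    dst: str = "0.0.0.0/0"      # destination address object
    service: str = "any"        # service object, e.g. "tcp/22"
    action: str = "allow"       # "allow" or "deny"

    def matches(self, from_zone: str, to_zone: str, src: str, dst: str, service: str) -> bool:
        return (self.from_zone in ("any", from_zone)
                and self.to_zone in ("any", to_zone)
                and ip_address(src) in ip_network(self.src, strict=False)
                and ip_address(dst) in ip_network(self.dst, strict=False)
                and self.service in ("any", service))


@dataclass
class Packet:
    in_iface: str
    out_iface: Optional[str]    # None: the packet is addressed to the ZyWALL itself
    src: str
    dst: str
    service: str


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Return the action of the first matching rule in sequence, or the default."""
    from_zone = zone_of(pkt.in_iface)
    to_zone = "ZyWALL" if pkt.out_iface is None else zone_of(pkt.out_iface)
    if from_zone is None or to_zone is None:
        # An interface outside every zone has no zone-based security at all;
        # the model reports that rather than guessing an action for it.
        return "unzoned"
    for rule in rules:
        if rule.matches(from_zone, to_zone, pkt.src, pkt.dst, pkt.service):
            return rule.action
    return default


# Default to-ZyWALL behaviour as the section describes it: LAN may manage the
# device, Device HA (VRRP) and VPN (IKE/ESP, tunnel) traffic is excepted, and
# everything else from WAN or DMZ to the device is dropped. Service names are assumed.
DEFAULT_TO_ZYWALL_RULES = [
    Rule("LAN", "ZyWALL", action="allow"),
    Rule("VPN", "ZyWALL", action="allow"),
    Rule("any", "ZyWALL", service="vrrp", action="allow"),
    Rule("any", "ZyWALL", service="udp/500", action="allow"),
    Rule("any", "ZyWALL", service="esp", action="allow"),
    Rule("any", "ZyWALL", action="deny"),
]


def order_matters() -> Tuple[str, str]:
    """Same two rules in two orders: a broad allow placed first shadows the deny."""
    broad = Rule("LAN", "WAN")
    specific = Rule("LAN", "WAN", service="tcp/23", action="deny")
    telnet_out = Packet("ge2", "ge1", "192.168.1.10", "203.0.113.5", "tcp/23")
    return evaluate([broad, specific], telnet_out), evaluate([specific, broad], telnet_out)


if __name__ == "__main__":
    mgmt_from_lan = Packet("ge2", None, "192.168.1.10", "192.168.1.1", "tcp/443")
    mgmt_from_wan = Packet("ge1", None, "198.51.100.7", "203.0.113.1", "tcp/443")
    print(evaluate(DEFAULT_TO_ZYWALL_RULES, mgmt_from_lan))   # allow
    print(evaluate(DEFAULT_TO_ZYWALL_RULES, mgmt_from_wan))   # deny
    print(order_matters())                                     # ('allow', 'deny')
```

The `order_matters` result is the practical check: with the broad allow first, the Telnet deny is never reached, which is exactly the mistake the note above warns about. A packet arriving on an interface that is not in any zone comes back as "unzoned", matching the earlier note that no security applies to an interface until it is assigned to a zone.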
Application Patrol
Use application patrol to control which individuals can use which services through the ZyWALL (and when they can do so). You can also specify allowed amounts of bandwidth and priorities. You must subscribe to use application patrol. You can subscribe using the Licensing > Registration screens or using one of the wizards.
Anti-Virus
Use anti-virus to detect and take action on viruses. You must subscribe to use anti-virus. You can subscribe using the Licensing > Registration screens or using one of the wizards.
IDP
Use IDP to detect and take action on malicious or suspicious packets. You must subscribe to use IDP. You can subscribe using the Licensing > Registration screens or using one of the wizards.
ADP
Use ADP to detect and take action on traffic and protocol anomalies. You can subscribe using the Licensing > Registration screens or using one of the wizards.
Content Filter
Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies). You can define which user accounts (or groups) can access what content and at what times. You must have a subscription in order to use the category-based content filtering. You can subscribe using the menu item or using one of the wizards.
Menu Item(s): Anti-X > Content Filter
Prerequisites: Registration, addresses (source), schedules, users, user groups
Virtual Server (Port Forwarding)
Use this to change the address and/or port number of packets coming in from a specified interface. This is also known as port forwarding.
The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by virtual server. It does check regular (through-ZyWALL) firewall rules.
HTTP Redirect
Configure this feature to have the ZyWALL transparently forward HTTP (web) traffic to a proxy server. This can speed up web browsing because the proxy server keeps copies of the web pages that have been accessed so they are readily available the next time one of your users needs to access that page.
The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by HTTP redirect. It does check regular (through-ZyWALL) firewall rules.
ALG
The ZyWALL's Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the ZyWALL. You can also specify additional signaling port numbers.
Objects
Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object.
The following table introduces the objects. You can also use this table when you want to delete an object because you have to delete references to the object first.
- user/group: See the User/Group section for details on users and user groups.
- address: VPN connections (local / remote network, NAT), policy routes (criteria, next-hop [HOST], NAT), firewall, application patrol (source, destination), content filter, virtual server (HOST), user settings (force user authentication), address groups, remote management (System)
- address group: Policy routes (criteria), firewall, application patrol (source, destination), content filter, user settings (force user authentication), address groups, remote management (System)
- service, service group: Policy routes (criteria, port triggering), firewall, service groups, log (criteria)
- schedule: Policy routes (criteria), firewall, application patrol, content filter, user settings (force user authentication)
- AAA server: Authentication methods
- authentication methods: VPN gateways (extended authentication), WWW (client authentication)
- certificates: VPN gateways, WWW, SSH, FTP
- ISP account: PPPoE/PPTP interfaces
- SSL Application: SSL VPN
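The two rules stated above, that a change to an object propagates to every feature that references it and that an object cannot be deleted while any reference to it remains, as an added illustration in Python. This is written for this section and is not ZyXEL code; the object kinds follow the table, but the feature names, the rule number, the VPN connection name and the Branch_LAN address object are constructed for the example.

```python
"""Model of reusable configuration objects and the references to them.

Added illustration for this guide section, not ZyXEL code. Object kinds
follow the table above; the feature names, rule numbers and the Branch_LAN
object are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]   # (kind, name), e.g. ("address", "Branch_LAN")
Ref = Tuple[str, str]   # (feature, item), e.g. ("firewall", "rule 3")


class ObjectStore:
    def __init__(self) -> None:
        self._objects: Dict[Key, object] = {}
        self._refs: Dict[Key, Set[Ref]] = defaultdict(set)

    def create(self, kind: str, name: str, value: object) -> None:
        key = (kind, name)
        if key in self._objects:
            raise ValueError(f"{kind} {name!r} already exists")
        self._objects[key] = value

    def exists(self, kind: str, name: str) -> bool:
        return (kind, name) in self._objects

    def get(self, kind: str, name: str) -> object:
        return self._objects[(kind, name)]

    def reference(self, kind: str, name: str, feature: str, item: str) -> None:
        """A feature screen selects an existing object; the object is a prerequisite."""
        if not self.exists(kind, name):
            raise KeyError(f"{kind} {name!r} is not configured yet; create the object first")
        self._refs[(kind, name)].add((feature, item))

    def dereference(self, kind: str, name: str, feature: str, item: str) -> None:
        self._refs[(kind, name)].discard((feature, item))

    def where_used(self, kind: str, name: str) -> List[Ref]:
        return sorted(self._refs[(kind, name)])

    def update(self, kind: str, name: str, value: object) -> List[Ref]:
        """Change the object once; return the references through which the change propagates."""
        if not self.exists(kind, name):
            raise KeyError(f"{kind} {name!r} does not exist")
        self._objects[(kind, name)] = value
        return self.where_used(kind, name)

    def delete(self, kind: str, name: str) -> None:
        """Refuse to delete while any feature still references the object."""
        users = self.where_used(kind, name)
        if users:
            raise ValueError(f"{kind} {name!r} is still used by {users}; remove those references first")
        del self._objects[(kind, name)]
        self._refs.pop((kind, name), None)

    def resolve(self, feature: str, item: str) -> Dict[Key, object]:
        """What a feature item sees when evaluated: the objects' current values, not copies."""
        return {key: self._objects[key] for key, refs in self._refs.items() if (feature, item) in refs}


def demo() -> Tuple[object, List[Ref], str, bool]:
    store = ObjectStore()
    store.create("address", "Branch_LAN", "10.1.0.0/24")
    store.reference("address", "Branch_LAN", "firewall", "rule 3")
    store.reference("address", "Branch_LAN", "ipsec vpn", "to_branch (remote network)")

    # One edit to the address object; both the firewall rule and the VPN
    # connection now resolve to the new network without being touched.
    affected = store.update("address", "Branch_LAN", "10.1.0.0/23")
    seen_by_vpn = store.resolve("ipsec vpn", "to_branch (remote network)")[("address", "Branch_LAN")]

    try:
        store.delete("address", "Branch_LAN")
        delete_msg = "deleted"
    except ValueError as exc:
        delete_msg = str(exc)

    for feature, item in affected:              # remove every reference first ...
        store.dereference("address", "Branch_LAN", feature, item)
    store.delete("address", "Branch_LAN")       # ... then the delete goes through
    return seen_by_vpn, affected, delete_msg, store.exists("address", "Branch_LAN")


if __name__ == "__main__":
    print(demo())
```

`where_used` is the model's equivalent of the table: before deleting an object, it lists exactly which feature items have to be edited first.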
User/Group
Use these screens to configure the ZyWALL's administrator and user accounts. The ZyWALL provides the following user types.
If you want to force users to log in to the ZyWALL before the ZyWALL routes traffic for them, you might have to configure prerequisites first.
System Management and Maintenance
This section introduces some of the management and maintenance features in the ZyWALL. Use Host Name to configure the system and domain name for the ZyWALL. Use Date/Time to configure the current date, time, and time zone in the ZyWALL. Use Console Speed to set the console speed. Use Language to select a language for the web configurator screens.
DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM
Use these screens to set which services or protocols can be used to access the ZyWALL through which zone and from which addresses (address objects) the access can come. Use Dial-in Mgmt for a remote management connection through an external serial modem connected to the DIAL BACKUP port.
File Manager
Use these screens to upload, download, delete, or run scripts of CLI commands. You can manage
- Configuration files. Use configuration files to back up and restore the complete configuration of the ZyWALL. You can store multiple configuration files in the ZyWALL and switch between them without restarting.
- Shell scripts. Use shell scripts to run a series of CLI commands. These are useful for large, repetitive configuration changes (for example, creating a lot of VPN tunnels) and for troubleshooting.
You can edit configuration files and shell scripts in any text editor.
Licensing Registration
Use these screens to register your ZyWALL and subscribe to services like anti-virus, IDP and application patrol, more SSL VPN tunnels, and content filtering. You must have Internet access to myZyXEL.com.
Licensing Update
Use these screens to update the ZyWALL's signature packages for the anti-virus, IDP and application patrol, and system protect features. You must have a valid subscription to update the anti-virus and IDP/application patrol signatures. You must have Internet access to myZyXEL.com.
Menu Item(s): Licensing > Update
Prerequisites: Registration (for anti-virus and IDP/application patrol), Internet access to myZyXEL.com
Logs and Reports
The ZyWALL provides a system log, offers two e-mail profiles to which it can send log messages, and can send log messages to up to four syslog servers. It also provides statistical reports to track user activity, web site hits, virus traffic and intrusions.
Diagnostics
The ZyWALL can generate a file containing the ZyWALL's configuration and diagnostic information.