Configuration Basics

This section provides information to help you configure the ZyWALL effectively.

Granular Configuration

ZyWALL configuration is granular. When you configure a feature, you can often reuse settings that you have already configured (in one screen) in other screens. These reusable settings are called objects.

For example, when you set up a policy route, each criterion is an object. You can use criteria that you have already configured or select Create Object to configure new criteria. Any objects that you create in this screen can be reused, without configuring them again, in other policy routes or in other features such as firewall rules or remote management.

For a list of common objects, see Objects.

Terminology in the ZyWALL

This section highlights some differences in terminology or organization between the ZyWALL and other routers, particularly ZyNOS routers.

ZyWALL Terminology That is Different Than ZyNOS

ZyNOS Feature / Term           ZyWALL Feature / Term
Port forwarding                Virtual server
IP alias                       Virtual interface
Gateway policy                 VPN gateway
Network policy (IPSec SA)      VPN connection

ZyWALL Terminology That Might Be Different Than Other Products

Feature / Term                 ZyWALL Feature / Term
Hub-and-spoke VPN              (VPN) concentrator

NAT: Differences Between the ZyWALL and ZyNOS

ZyNOS Feature / Screen         ZyWALL Feature / Screen
Port forwarding                Virtual server
Trigger port, port triggering  Policy route
Address mapping                Policy route
Address mapping (VPN)          IPSec VPN

Bandwidth Management: Differences Between the ZyWALL and ZyNOS

ZyNOS Feature / Screen         ZyWALL Feature / Screen
Interface bandwidth (outbound) Interface
OSI level-7 bandwidth          Application patrol
General bandwidth              Policy route

Physical Ports, Interfaces, and Zones

If you want to configure the ZyWALL effectively, you should understand the differences between physical ports, interfaces, and zones. The following illustration provides an overview of the relationship between physical ports, interfaces, and zones in the ZyWALL. It also identifies the types of features you can configure with each one.

Figure: Physical Ports, Interfaces, and Zones

Zones (LAN, DMZ, WAN, ...): used in firewall, IDP, remote management, anti-virus, ADP, application patrol.
Interfaces (Ethernet, VLAN, ...): used in VPN, zones, trunks, device HA, DDNS, policy routes, static routes, HTTP redirect, application patrol, and virtual server.
Physical ports (1, 2, 3, 4, 5): used in port groups.

A physical port is the place to which you connect the cable. As shown above, you do not usually configure physical ports to use various features. You configure interfaces and zones. The ZyWALL supports one-to-one, one-to-many, many-to-one, and many-to-none relationships between physical ports and interfaces.

There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL.

Zones are used for security policies. A zone is simply a group of interfaces and/or VPN tunnels; by default, the ZyWALL has LAN, WAN and DMZ zones. Each interface and VPN tunnel can be assigned to one and only one zone. You can add, change, or remove the interfaces and VPN tunnels in each zone without affecting the settings that are based on zones.

Feature Configuration Overview

This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the web configurator. Each feature is organized as shown below.

Feature

This provides a brief description. See the appropriate chapter(s) in this User's Guide for more information about any feature.

Menu Item(s)

This shows you the sequence of menu items and tabs you should click to find the main screen(s) for this feature. See the web help or the related User's Guide chapter for information about each screen.

Prerequisites

These are other features you should configure before you configure the main screen(s) for this feature.

If you did not configure one of the prerequisites first, you can often select an option to create a new object. After you create the object, you return to the main screen to finish configuring the feature.

You may not have to configure everything in the list of prerequisites. For example, you do not have to create a schedule for a policy route unless time is one of the criteria.

Where Used

This has two uses. First, it lists other features you should usually configure or check right after you configure the main screen(s) for this feature. For example, you should usually create a policy route for a VPN tunnel. Second, it tells you what to clear before deleting: you have to delete the references to this feature before you can delete its settings. For example, you have to delete (or modify) all the policy routes that refer to a VPN tunnel before you can delete the VPN tunnel.

Note: PREREQUISITES or WHERE USED does not appear if a feature has no prerequisites or is not referenced by other features. For example, no other features reference DDNS entries, so DDNS has no WHERE USED entry.

Interface

See Physical Ports, Interfaces, and Zones for background information.

Note: When you create an interface, no security is applied on it until you assign it to a zone.

Most of the features that use interfaces support Ethernet, VLAN, bridge, and PPPoE/PPTP interfaces.

Menu Item(s)
Network > Interface (except Network > Interface > Trunk)
Prerequisites
OSPF (Ethernet interfaces), ISP accounts (PPPoE/PPTP interfaces)
Where Used
Zones, trunks, IPSec VPN, device HA, DDNS, policy routes, static routes, HTTP redirect, virtual server, application patrol

Trunks

Use trunks to set up load balancing using two or more interfaces.

Menu Item(s)
Network > Interface > Trunk
Prerequisites
Interfaces
Where Used
Policy routes

IPSec VPN

Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN.

Menu Item(s)
VPN > IPSec VPN; you can also use the VPN Setup Wizard, which handles most of the prerequisites for you.
Prerequisites
Interfaces, certificates (authentication), authentication methods (extended authentication), addresses (local network, remote network, NAT), to-ZyWALL firewall, firewall
Where Used
Policy routes, zones, L2TP VPN

SSL VPN

Use SSL VPN to provide secure network access to remote users.

Menu Item(s)
VPN > SSL VPN
Prerequisites
Interfaces, SSL application, users, user groups, addresses (network list, IP pool for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall
Where Used
Policy routes, zones

L2TP VPN

Use L2TP VPN to let remote users use the L2TP and IPSec client software included with their computers' operating systems to securely connect to the network behind the ZyWALL.

Menu Item(s)
VPN > L2TP VPN
Prerequisites
Interfaces, IPSec VPN connection, certificates (authentication), authentication methods (extended authentication), addresses (local network, remote network, NAT, IP pool for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall
Where Used
The IPSec VPN connection used for L2TP VPN can be used in policy routes and zones

Zones

A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security settings, such as firewall rules and remote management.

Zones cannot overlap. Each interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.

When you create a zone, the ZyWALL does not create any firewall rules, assign an IDP profile, or configure remote management for the new zone.

Menu Item(s)
Network > Zone
Prerequisites
Interfaces, IPSec VPN, SSL VPN
Where Used
Firewall, IDP, remote management, anti-virus, ADP, application patrol

Device HA

Use device HA to create redundant backup gateways. The ZyWALL 1050 runs VRRP v2. You can only set up device HA with other ZyWALL 1050s running the same firmware version.

Menu Item(s)
Device HA
Prerequisites
Interfaces (with a static IP address), to-ZyWALL firewall

DDNS

Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping.

Menu Item(s)
Network > DDNS
Prerequisites
Interfaces

Policy Routes

Use policy routes to control the routing of packets through the ZyWALL's interfaces, trunks, and VPN connections. You also use policy routes for bandwidth management (out of the ZyWALL), port triggering, and general NAT on the source address. You have to set up the criteria, next-hops, and NAT settings in other screens first.

Menu Item(s)
Network > Routing > Policy Route
Prerequisites
Criteria: users, user groups, interfaces (incoming), IPSec VPN (incoming), addresses (source, destination), address groups (source, destination), schedules, services, service groups
Next-hop: addresses (HOST gateway), IPSec VPN, SSL VPN, trunks, interfaces
NAT: addresses (translated address), services and service groups (port triggering)

Static Routes

Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL.

Menu Item(s)
Network > Routing > Static Route
Prerequisites
Interfaces

Firewall

The firewall controls traffic traveling between or within zones. You can also configure the firewall to control traffic for virtual server (port forwarding) and policy routes (NAT). You can configure firewall rules based on schedules, specific users (or user groups), source or destination addresses (or address groups) and services (or service groups). Each of these objects must be configured in a different screen.

To-ZyWALL firewall rules control access to the ZyWALL. Configure to-ZyWALL firewall rules for remote management. By default, the firewall allows any computer from the LAN zone to access or manage the ZyWALL. The ZyWALL drops packets from the WAN or DMZ zone to the ZyWALL itself, except for Device HA and VPN traffic.

Menu Item(s)
Firewall
Prerequisites
Zones, schedules, users, user groups, addresses (source, destination), address groups (source, destination), services, service groups

Note: The ZyWALL checks the firewall rules in order. Make sure each rule is in the correct place in the sequence.
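The ordered, zone-based evaluation described above, as an added Python illustration that is not ZyXEL's code: rules are checked first-match-wins, to-ZyWALL traffic falls back to the default of allowing the LAN zone and dropping the WAN and DMZ zones except Device HA and VPN traffic, and a packet rewritten by virtual server is checked only by through-ZyWALL rules. The rule fields, the "any" wildcard, the schedule format, the service names and the sample rules are all assumptions.

```python
# Added example, not ZyWALL firmware code: a toy first-match firewall that
# follows the behaviour the User's Guide describes. All field names are assumed.
from ipaddress import ip_address, ip_network

ANY = "any"
# Default to-ZyWALL policy lets WAN/DMZ in only for Device HA and VPN traffic;
# naming those services vrrp/ike/esp is an assumption for this example.
DEVICE_HA_OR_VPN = {"vrrp", "ike", "esp"}

def matches(rule, pkt, hour):
    """True when every criterion in the rule is ANY or matches the packet."""
    for key in ("from_zone", "to_zone", "user", "service"):
        if rule.get(key, ANY) != ANY and rule[key] != pkt.get(key):
            return False
    for key in ("src", "dst"):      # address objects are CIDR strings here
        if rule.get(key, ANY) != ANY and \
                ip_address(pkt[key]) not in ip_network(rule[key]):
            return False
    start, end = rule.get("schedule", (0, 24))   # allowed hours [start, end)
    return start <= hour < end

def through_zywall(rules, pkt, hour=12):
    """Rules are checked in order; the first match wins. No match: deny."""
    for rule in rules:
        if matches(rule, pkt, hour):
            return rule["action"]
    return "deny"

def to_zywall(rules, pkt, hour=12):
    """Access to the ZyWALL itself: explicit rules first, then the defaults
    (LAN zone allowed; WAN/DMZ dropped except Device HA and VPN)."""
    for rule in rules:
        if matches(rule, pkt, hour):
            return rule["action"]
    if pkt["from_zone"] == "LAN":
        return "allow"
    return "allow" if pkt["service"] in DEVICE_HA_OR_VPN else "deny"

def virtual_server(pkt, entries):
    """Port forwarding: rewrite the destination of a packet arriving on the
    given interface. The rewritten packet is never checked by to-ZyWALL
    rules, only by through-ZyWALL rules, so decide() treats it as zone-to-zone."""
    for vs in entries:
        if (vs["interface"], vs["orig_dst"], vs["service"]) == \
                (pkt["in_iface"], pkt["dst"], pkt["service"]):
            return {**pkt, "dst": vs["host"], "to_zone": vs["zone"]}
    return pkt

def decide(pkt, through_rules=(), to_rules=(), hour=12):
    """Pick the rule set by destination: the ZyWALL itself or another zone."""
    if pkt["to_zone"] == "ZyWALL":
        return to_zywall(to_rules, pkt, hour)
    return through_zywall(through_rules, pkt, hour)
```

The same packet evaluated against a rule set with a broad deny placed before a specific allow shows why rule order matters.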

Application Patrol

Use application patrol to control which individuals can use which services through the ZyWALL (and when they can do so). You can also specify allowed amounts of bandwidth and priorities. You must subscribe to use application patrol. You can subscribe using the Licensing > Registration screens or using one of the wizards.

Menu Item(s)
AppPatrol
Prerequisites
Registration, zones, schedules, users, user groups, addresses (source, destination), address groups (source, destination). These are only used as criteria in exceptions and conditions.

Anti-Virus

Use anti-virus to detect and take action on viruses. You must subscribe to use anti-virus. You can subscribe using the Licensing > Registration screens or using one of the wizards.

Menu Item(s)
Anti-X > AV
Prerequisites
Registration, zones

IDP

Use IDP to detect and take action on malicious or suspicious packets. You must subscribe to use IDP. You can subscribe using the Licensing > Registration screens or using one of the wizards.

Menu Item(s)
Anti-X > IDP
Prerequisites
Registration, zones

ADP

Use ADP to detect and take action on traffic and protocol anomalies. You can subscribe using the Licensing > Registration screens or using one of the wizards.

Menu Item(s)
Anti-X > ADP
Prerequisites
Registration, zones

Content Filter

Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies). You can define which user accounts (or groups) can access what content and at what times. You must have a subscription in order to use the category-based content filtering. You can subscribe using the menu item or using one of the wizards.

Menu Item(s)
Anti-X > Content Filter
Prerequisites
Registration, addresses (source), schedules, users, user groups

Virtual Server (Port Forwarding)

Use this to change the address and/or port number of packets coming in from a specified interface. This is also known as port forwarding.

The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by virtual server. It does check regular (through-ZyWALL) firewall rules.

Menu Item(s)
Network > Virtual Server
Prerequisites
Interfaces, addresses (HOST)

HTTP Redirect

Configure this feature to have the ZyWALL transparently forward HTTP (web) traffic to a proxy server. This can speed up web browsing because the proxy server keeps copies of the web pages that have been accessed so they are readily available the next time one of your users needs to access that page.

The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by HTTP redirect. It does check regular (through-ZyWALL) firewall rules.

Menu Item(s)
Network > HTTP Redirect
Prerequisites
Interfaces

ALG

The ZyWALL's Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the ZyWALL. You can also specify additional signaling port numbers.

Menu Item(s)
Network > ALG

Objects

Objects store information that other features reference. If you update an object in response to a change, the ZyWALL automatically propagates the change to every feature that uses the object.

The following table introduces the objects. You can also use this table when you want to delete an object because you have to delete references to the object first.

Object: Where Used

user/group: See the User/Group section for details on users and user groups.

address: VPN connections (local / remote network, NAT), policy routes (criteria, next-hop [HOST], NAT), firewall, application patrol (source, destination), content filter, virtual server (HOST), user settings (force user authentication), address groups, remote management (System)

address group: Policy routes (criteria), firewall, application patrol (source, destination), content filter, user settings (force user authentication), address groups, remote management (System)

service, service group: Policy routes (criteria, port triggering), firewall, service groups, log (criteria)

schedule: Policy routes (criteria), firewall, application patrol, content filter, user settings (force user authentication)

AAA server: Authentication methods

authentication methods: VPN gateways (extended authentication), WWW (client authentication)

certificates: VPN gateways, WWW, SSH, FTP

ISP account: PPPoE/PPTP interfaces

SSL Application: SSL VPN
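The bookkeeping described in the Zones section and in the table above, as an added Python model that is not ZyXEL's code: objects are shared by reference so an update propagates to every feature using them, deletion is refused while any feature still references the object, and each interface or VPN tunnel belongs to at most one zone, with virtual interfaces following the interface they run on. The class and method names, and the interface names used to exercise it, are assumptions.

```python
# Added example, not ZyWALL firmware code: a toy model of reusable objects and
# non-overlapping zones as the User's Guide describes them. All names here
# (Config, use_object, assign_zone, ...) are assumptions.

class StillReferencedError(Exception):
    """Raised when deleting an object that other features still refer to."""

class Config:
    def __init__(self):
        self.objects = {}   # object name -> its settings (one shared dict)
        self.refs = {}      # object name -> features that reference it
        self.zones = {"LAN": set(), "WAN": set(), "DMZ": set()}  # defaults
        self.parent = {}    # virtual interface -> interface it runs on

    # reusable objects: configure once, reference from many features
    def create_object(self, name, **settings):
        self.objects[name] = dict(settings)
        self.refs[name] = set()

    def use_object(self, feature, name):
        """A feature reuses an object; it gets the shared dict, not a copy."""
        self.refs[name].add(feature)
        return self.objects[name]

    def release_object(self, feature, name):
        self.refs[name].discard(feature)

    def update_object(self, name, **settings):
        self.objects[name].update(settings)   # every user sees the change

    def delete_object(self, name):
        if self.refs[name]:                   # WHERE USED must be empty first
            raise StillReferencedError(
                f"{name} is still used by {sorted(self.refs[name])}")
        del self.objects[name], self.refs[name]

    # zones: an interface or VPN tunnel is in at most one zone
    def zone_of(self, member):
        """Zone of an interface/tunnel; None means no security is applied."""
        return next((z for z, m in self.zones.items() if member in m), None)

    def assign_zone(self, member, zone):
        """Add member to zone, removing it from any other zone first."""
        for members in self.zones.values():
            members.discard(member)
        self.zones.setdefault(zone, set()).add(member)
        for virt, parent in self.parent.items():   # virtual interfaces follow
            if parent == member:
                self.assign_zone(virt, zone)

    def add_virtual_interface(self, name, parent):
        self.parent[name] = parent
        if self.zone_of(parent) is not None:
            self.assign_zone(name, self.zone_of(parent))
```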

User/Group

Use these screens to configure the ZyWALL's administrator and user accounts. The ZyWALL provides the following user types.

Type: Abilities

Admin: Change ZyWALL configuration (web, CLI)

Limited-Admin: Look at ZyWALL configuration (web)

User: Access network services, browse user-mode commands (CLI)

Guest: Access network services

Ext-User: The same as a User or a Guest. The ZyWALL looks for the specific type in an external authentication server. If the type is not available, the ZyWALL applies default settings.

If you want to force users to log in to the ZyWALL before the ZyWALL routes traffic for them, you might have to configure prerequisites first.

Menu Item(s)
Object > User/Group
Prerequisites
Addresses, address groups, schedules. The prerequisites are only used in policies to force user authentication.
Where Used
Policy routes, firewall, application patrol, content filter, user groups, VPN

System Management and Maintenance

This section introduces some of the management and maintenance features in the ZyWALL. Use Host Name to configure the system and domain name for the ZyWALL. Use Date/Time to configure the current date, time, and time zone in the ZyWALL. Use Console Speed to set the console speed. Use Language to select a language for the web configurator screens.

DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM

Use these screens to specify which services or protocols can be used to access the ZyWALL, through which zone, and from which addresses (address objects) the access can come. Use Dial-in Mgmt for a remote management connection through an external serial modem connected to the DIAL BACKUP port.

Menu Item(s)
System > DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM, Language
Prerequisites
To-ZyWALL firewall, zones, addresses, address groups, certificates (WWW, SSH, FTP, Vantage CNM), authentication methods (WWW)

File Manager

Use these screens to upload, download, delete, or run scripts of CLI commands. You can manage

You can edit configuration files and shell scripts in any text editor.

Menu Item(s)
Maintenance > File Manager

Licensing Registration

Use these screens to register your ZyWALL and subscribe to services like anti-virus, IDP and application patrol, more SSL VPN tunnels, and content filtering. You must have Internet access to myZyXEL.com.

Menu Item(s)
Licensing > Registration
Prerequisites
Internet access to myZyXEL.com

Licensing Update

Use these screens to update the ZyWALL's signature packages for the anti-virus, IDP and application patrol, and system protect features. You must have a valid subscription to update the anti-virus and IDP/application patrol signatures. You must have Internet access to myZyXEL.com.

Menu Item(s)
Licensing > Update
Prerequisites
Registration (for anti-virus and IDP/application patrol), Internet access to myZyXEL.com

Logs and Reports

The ZyWALL provides a system log, can send log messages to two e-mail profiles, and can send information to four syslog servers. It also provides statistical reports to track user activity, web site hits, virus traffic and intrusions.

Menu Item(s)
Maintenance > Log, Report

Diagnostics

The ZyWALL can generate a file containing the ZyWALL's configuration and diagnostic information.

Menu Item(s)
Maintenance > Diagnostics