Zywall USG 100/200 Support Notes

ZyWALL USG 100/200 Unified Security Gateway Support Notes
Revision 2.10 March, 2008
All contents copyright (c) 2008 ZyXEL Communications Corporation.

INDEX

The comparison of ZyNOS and ZLD

1. Deploying VPN
  1.1 Extended Intranets
    1.1.2 Site to Site VPN solutions (ZyWALL 1050 <-> ZyWALL USG 100/200):
  1.2 Extranet Deployment
    1.2.1 Site to site VPN solutions (ZyWALL USG 100/200 to ZyWALL70)
    1.2.2 Interoperability – VPN with other vendors
      1.2.2.1 ZyWALL with FortiGate VPN Tunneling
      1.2.2.2 ZyWALL with NetScreen VPN Tunneling
      1.2.2.3 ZyWALL with SonicWall VPN Tunneling
  1.3 Remote Access VPN
    1.3.1 IPSec VPN for Remote Access
      1.3.1.1 Steps to configure
    1.3.2 SSL VPN Application - Reverse Proxy
      1.3.2.1 Scenario topology
      1.3.2.2 Configuration flow
      1.3.2.3 Configuration procedure
    1.3.3 SSL VPN Application – Network Extension
      1.3.3.1 Scenario topology
      1.3.3.2 Configuration flow
      1.3.3.3 Configuration procedure
    1.3.4 L2TP over IPSec Application
      1.3.4.1 Scenario topology
      1.3.4.2 Configuration flow
      1.3.4.3 Configuration Procedure
  1.4 Device HA
    1.4.1 Device HA
      1.4.1.1 Configuration procedure
    1.4.2 Device High Availability (HA) Active-Passive mode
      1.4.2.1 Scenario Topology
      1.4.2.2 Configuration Flow
      1.4.2.3 Configuration procedure
      1.4.2.4 Steps to configure

2. Security Policy Enforcement
  2.1 Managing IM/P2P Applications
    2.1.1 Why bother with managing IM/P2P applications?
    2.1.2 What does ZyWALL USG 100/200 provide for managing IM/P2P applications?
    2.1.3 Configuration Example
  2.2 Zone-based Anti-Virus Protection
    2.2.1 Applying Zone-Based Anti-Virus to ZyWALL USG 100/200
    2.2.2 Enabling Black and White List
    2.2.3 Enabling Anti-Virus Statistics Report
  2.3 Configuring ZyWALL USG 100/200 as a Wireless Router
    2.3.1 Configuration procedure
    2.3.2 MAC filter in WLAN
  2.4 Mobility Internet Access
    2.4.1 Utilize 3G Wireless for Accessing the Internet
      2.4.1.1 Configuration procedure

3. Seamless Incorporation
  3.1 Transparent Firewall
    3.1.1 Bridge mode & Router (NAT) mode co-exist
    3.1.2 NAT & Virtual Server
  3.2 Zone-based IDP Protection
    3.2.1 Applying Zone-Based IDP to ZyWALL USG 100/200
  3.3 Anti-spam on the ZyWALL USG 100/200
    3.3.1 How Anti-Spam works on ZyWALL USG
    3.3.2 Using DNSBL (DNS-based blacklist)
      3.3.2.1 Application scenario to apply DNSBL
        3.3.2.1.1 Scenario I: Email server is located in the ISP/Internet
        3.3.2.1.2 Scenario II: Company’s Email server located in the DMZ
    3.3.3 Using Black/White list (B/W list)
      3.3.3.1 Configuration procedure
      3.3.3.2 Scenario topology
      3.3.3.3 Steps to configure B/W list

FAQ
  A. Device Management FAQ
    A01. How can I connect to ZyWALL USG 100/200 to perform administrator’s tasks?
    A02. Why can’t I login into ZyWALL USG 100/200?
    A03. What’s difference between “Admin Service Control” and “User Service Control” configuration in GUI menu System > WWW?
    A04. Why ZyWALL USG 100/200 redirects me to the login page when I am performing the management tasks in GUI?
    A05. Why do I lose my configuration setting after ZyWALL USG 100/200 restarts?
    A06. How can I do if the system is keeping at booting up stage for a long time?
  B. Registration FAQ
    B01. Why do I need to do the Device Registration?
    B02. Why do I need to activate services?
    B03. Why can’t I active trial service?
    B04. Will the UTM service registration information be reset once restore configuration in ZyWALL USG 100/200 back to manufactory default?
  C. File Manager FAQ
    C01. How can ZyWALL

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    192 pages