Chapter 6 Configuration Basics
ZyWALL USG 50 User’s Guide
6.5.14 Firewall
The firewall controls the flow of traffic between or within zones. You can also configure the firewall to control traffic for NAT (DNAT) and policy routes (SNAT). You can configure firewall rules based on schedules, specific users (or user groups), source or destination addresses (or address groups) and services (or service groups). Each of these objects must be configured in a different screen.

To-ZyWALL firewall rules control access to the ZyWALL itself. Configure to-ZyWALL firewall rules for remote management. By default, the firewall only allows management connections from the LAN or WAN zone.
Example: Suppose you have a SIP proxy server connected to the DMZ zone for VoIP calls. You could configure a firewall rule to allow VoIP sessions from the SIP proxy server on the DMZ to the LAN so VoIP users on the LAN can receive calls.
1 Create a VoIP service object for UDP port 5060 traffic (Configuration > Object > Service).
2 Create an address object for the VoIP server (Configuration > Object > Address).
3 Click Configuration > Firewall to go to the firewall configuration.
4 Select from the DMZ zone to the LAN1 zone, and add a firewall rule using the items you have configured.
• You don’t need to specify the schedule or the user.
• In the Source field, select the address object of the VoIP server.
• You don’t need to specify the destination address.
• Leave the Access field set to Allow and the Log field set to No.
Note: The ZyWALL checks the firewall rules in order. Make sure each rule is in the correct place in the sequence.
MENU ITEM(S): Configuration > Firewall
PREREQUISITES: Zones, schedules, users, user groups, addresses (source, destination), address groups (source, destination), services, service groups
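As an added illustration (not part of the guide and not ZyWALL code), the following Python models the zone-to-zone, first-match rule evaluation the note describes, using the objects from the VoIP example; the SIP proxy address 10.0.3.10 and the object names are assumptions.

```python
# Added illustration, not the ZyWALL's own code: a small model of zone-based,
# first-match firewall rule evaluation, showing why the order of rules matters.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed objects (hypothetical names and address; the guide gives none).
ADDRESS_OBJECTS = {"SIP_Proxy": "10.0.3.10"}
SERVICE_OBJECTS = {"VoIP": ("udp", 5060)}

@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    access: str                     # "allow" or "deny"
    source: Optional[str] = None    # address object name; None = any source
    service: Optional[str] = None   # service object name; None = any service
    log: bool = False

def matches(rule: Rule, from_zone: str, to_zone: str, src_ip: str,
            proto: str, port: int) -> bool:
    """True when every criterion the rule specifies fits the packet."""
    if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
        return False
    if rule.source and ADDRESS_OBJECTS[rule.source] != src_ip:
        return False
    if rule.service and SERVICE_OBJECTS[rule.service] != (proto, port):
        return False
    return True

def evaluate(rules: List[Rule], from_zone: str, to_zone: str, src_ip: str,
             proto: str, port: int, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule wins; the default applies when nothing matches."""
    for index, rule in enumerate(rules):
        if matches(rule, from_zone, to_zone, src_ip, proto, port):
            return rule.access, index
    return default, None

# The rule from the example: SIP proxy on DMZ -> LAN1, VoIP service, allow, no log.
VOIP_RULE = Rule("DMZ", "LAN1", "allow", source="SIP_Proxy", service="VoIP")
# A broad DMZ -> LAN1 deny, as an administrator might add to lock the DMZ down.
BLOCK_DMZ = Rule("DMZ", "LAN1", "deny")

def sip_invite(rules: List[Rule]) -> Tuple[str, Optional[int]]:
    """Evaluate a SIP packet from the proxy against a given rule order."""
    return evaluate(rules, "DMZ", "LAN1", "10.0.3.10", "udp", 5060)

if __name__ == "__main__":
    print(sip_invite([VOIP_RULE, BLOCK_DMZ]))  # VoIP rule first: allowed
    print(sip_invite([BLOCK_DMZ, VOIP_RULE]))  # broad deny first: call blocked
    # Another DMZ host, or TCP instead of UDP, does not match the VoIP rule.
    print(evaluate([VOIP_RULE], "DMZ", "LAN1", "10.0.3.99", "udp", 5060))
```

Placing the broad deny ahead of the VoIP rule shadows it, which is exactly the ordering mistake the note warns about.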
6.5.15 IPSec VPN
Use IPSec VPN to provide secure communication between two sites over the
Internet or any insecure network that uses TCP/IP for communication. The
ZyWALL also offers hub-and-spoke VPN.
Example: See Chapter 7 on page 109.
6.5.16 SSL VPN
Use SSL VPN to give remote users secure network access.
Example: See Chapter 7 on page 109.
6.5.17 Application Patrol
Use application patrol to control which individuals can use which services through the ZyWALL (and when they can do so). You can also specify allowed amounts of bandwidth and priorities. You must subscribe to use application patrol. You can subscribe using the Configuration > Licensing > Registration screens or one of the wizards.
Example: Suppose you want to allow vice president Bob to use BitTorrent and block everyone else from using it.
1 Create a user account for Bob (User/Group).
Summary boxes for 6.5.15 IPSec VPN, 6.5.16 SSL VPN and 6.5.17 Application Patrol:
IPSec VPN
MENU ITEM(S): Configuration > VPN > IPSec VPN; you can also use the Quick Setup VPN Setup wizard.
PREREQUISITES: Interfaces, certificates (authentication), authentication methods (extended authentication), addresses (local network, remote network, NAT), to-ZyWALL firewall, firewall
WHERE USED: Policy routes, zones
SSL VPN
MENU ITEM(S): Configuration > VPN > SSL VPN
PREREQUISITES: Interfaces, SSL application, users, user groups, addresses (network list, IP pool for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall
WHERE USED: Policy routes, zones
Application Patrol
MENU ITEM(S): Configuration > AppPatrol
PREREQUISITES: Registration, zones, schedules, users, user groups, addresses (source, destination), address groups (source, destination). These are only used as criteria in exceptions and conditions.
2 Click AppPatrol > Peer to Peer to go to the application patrol configuration screen. Click the BitTorrent application patrol entry’s Edit icon.
• Set the default policy’s access to Drop.
• Add another policy.
• Select the user account that you created for Bob.
• You can leave the source, destination and log settings at the default.
Note: With this example, Bob would have to log in using his account. If you do not want him to have to log in, you might create an exception policy with Bob’s computer IP address as the source.
6.5.18 Anti-Virus
Use anti-virus to detect and take action on viruses. You must subscribe to use anti-virus. You can subscribe using the Licensing > Registration screens or one of the wizards.
6.5.19 IDP
Use IDP to detect and take action on malicious or suspicious packets. You must subscribe to use IDP. You can subscribe using the Licensing > Registration screens or one of the wizards.
6.5.20 ADP
Use ADP to detect and take action on traffic and protocol anomalies.
Summary boxes for 6.5.18 Anti-Virus, 6.5.19 IDP, BWM and 6.5.20 ADP:
Anti-Virus
MENU ITEM(S): Configuration > Anti-X > AV
PREREQUISITES: Registration, zones
IDP
MENU ITEM(S): Configuration > Anti-X > IDP
PREREQUISITES: Registration, zones
BWM
MENU ITEM(S): Configuration > BWM
PREREQUISITES: Zones
ADP
MENU ITEM(S): Configuration > Anti-X > ADP
PREREQUISITES: Zones
6.5.21 Content Filter
Use content filtering to block or allow access to specific categories of web site
content, individual web sites and web features (such as cookies). You can define
which user accounts (or groups) can access what content and at what times. You
must have a subscription in order to use the category-based content filtering. You
can subscribe using the menu item or one of the wizards.
Example: You can configure a policy that blocks Bill’s access to arts and entertainment web pages during the workday. You must have already subscribed to the content filter service.
1 Create a user account for Bill if you have not done so already (Configuration > Object > User/Group).
2 Create a schedule for the work day (Configuration > Object > Schedule).
3 Click Configuration > Anti-X > Content Filter > Filter Profile. Click the Add icon to go to the screen where you can configure a category-based profile.
4 Name the profile and enable it.
5 Enable the external web filter service.
6 Decide what to do for matched web sites (Block in this example), unrated web sites and what to do when the category-based content filtering service is not available.
7 Select the Arts/Entertainment category (you need to click Advanced to display it) and click OK.
8 Click General to go to the content filter general configuration screen.
9 Enable the content filter.
10 Add a policy that uses the schedule, the filtering profile and the user that you created.
6.5.22 Anti-Spam
Use anti-spam to detect and take action on spam mail.
Summary boxes for 6.5.21 Content Filter and 6.5.22 Anti-Spam:
Content Filter
MENU ITEM(S): Configuration > Anti-X > Content Filter
PREREQUISITES: Registration, addresses (source), schedules, users, user groups
Anti-Spam
MENU ITEM(S): Configuration > Anti-X > Anti-Spam
6.6 Objects
Objects store information and are referenced by other features. If you update this
information in response to changes, the ZyWALL automatically propagates the
change through the features that use the object. Move your cursor over a
configuration object that has a magnifying-glass icon (such as a user group,
address, address group, service, service group, zone, or schedule) to display basic
information about the object.
The following table introduces the objects. You can also use this table when you
want to delete an object because you have to delete references to the object first.
PREREQUISITES (Anti-Spam summary box, continued from the previous page): Zones
Table 16 Objects Overview
OBJECT | WHERE USED
user/group | See the User/Group section on page 106 for details on users and user groups.
address | VPN connections (local / remote network, NAT), policy routes (criteria, next-hop [HOST], NAT), authentication policies, firewall, application patrol (source, destination), content filter, NAT (HOST), user settings (force user authentication), address groups, remote management (System)
address group | Policy routes (criteria), firewall, application patrol (source, destination), content filter, user settings (force user authentication), address groups, remote management (System)
service, service group | Policy routes (criteria, port triggering), firewall, service groups, log (criteria)
schedule | Policy routes (criteria), authentication policies, firewall, application patrol, content filter, user settings (force user authentication)
AAA server | Authentication methods
authentication methods | VPN gateways (extended authentication), WWW (client authentication)
certificates | VPN gateways, WWW, SSH, FTP
SSL Application | SSL VPN
Endpoint Security | Authentication policies, SSL VPN