Chapter 27 ZyWALL SecuExtender
ZyWALL USG 50 User’s Guide
436
connected but not send any traffic through it until you right-click the icon and
resume the connection.
27.5 Stop the Connection
Right-click the icon and select Stop Connection to disconnect the SSL VPN tunnel.
27.6 Uninstalling the ZyWALL SecuExtender
Do the following if you need to remove the ZyWALL SecuExtender.
1 Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall.
2 In the confirmation screen, click Yes.
Figure 265 Uninstalling the ZyWALL SecuExtender Confirmation
3 Windows uninstalls the ZyWALL SecuExtender.
Figure 266 ZyWALL SecuExtender Uninstallation
Chapter 28 Application Patrol
28.1 Overview
Application patrol provides a convenient way to manage the use of various
applications on the network. It manages general protocols (for example, HTTP and
FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and
streaming (RTSP) applications. You can even control the use of a particular
application’s individual features (like text messaging, voice, video conferencing,
and file transfers). Application patrol also has powerful bandwidth management
including traffic prioritization to enhance the performance of delay-sensitive
applications like voice and video.
There is also an option that gives SIP traffic priority over all other traffic going
through the ZyWALL. This maximizes SIP traffic throughput for improved VoIP call
sound quality.
28.1.1 What You Can Do in this Chapter
• Use the General summary screen (see Section 28.2 on page 447) to enable and disable application patrol.
• Use the Common, Instant Messenger, Peer to Peer, VoIP, and Streaming screens (see Section 28.3 on page 448) to look at the applications the ZyWALL can recognize, and review the settings for each one. You can also enable and disable the rules for each application and specify the default and custom policies for each application.
• Use the Application Patrol Edit screen (see Section 28.3.1 on page 449) to edit the settings for an application.
• Use the Application Policy Edit screen (see Section 28.3.2 on page 453) to edit a group of settings for an application.
• Use the Other screens (see Section 28.4 on page 456) to control what the ZyWALL does when it does not recognize the application, and to define the conditions that refine this. They also let you open the Other Configuration Add/Edit screen to create new conditions or edit existing ones.
28.1.2 What You Need to Know
If you want to use a service, make sure both the firewall and application patrol
allow the service’s packets to go through the ZyWALL.
Note: The ZyWALL checks firewall rules before it checks application patrol rules for
traffic going through the ZyWALL.
Application patrol examines every TCP and UDP connection passing through the
ZyWALL and identifies what application is using the connection. Then, you can
specify, by application, whether or not the ZyWALL continues to route the
connection.
Configurable Application Policies
The ZyWALL has policies for individual applications. For each policy, you can
specify the default action the ZyWALL takes once it identifies one of the service’s
connections.
You can also specify custom policies that have the ZyWALL forward, drop, or reject
a service’s connections based on criteria that you specify (like the source zone,
destination zone, original destination port of the connection, schedule, user,
source, and destination information). Your custom policies take priority over the
policy’s default settings.
Classification of Applications
There are two ways the ZyWALL can identify the application. The first is called
auto. The ZyWALL looks at the IP payload (OSI level-7 inspection) and attempts to
match it with known patterns for specific applications. Usually, this occurs at the
beginning of a connection, when the payload is more consistent across
connections, and the ZyWALL examines several packets to make sure the match is
correct.
Note: The ZyWALL allows the first eight packets to go through the firewall, regardless
of the application patrol policy for the application. The ZyWALL examines these
first eight packets to identify the application.
The second approach is called service ports. The ZyWALL uses only OSI level-4
information, such as ports, to identify what application is using the connection.
This approach is available in case the ZyWALL identifies a lot of “false positives”
for a particular application.
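The evaluation order this section and "Configurable Application Policies" describe (firewall first, then application patrol; custom policy over default; auto versus service-ports classification; the first eight packets of a connection passing while the payload is inspected) can be modelled in a few lines. This is an added example, not ZyXEL's code: the zone rules, signature table and packet payloads are constructed, and treating service-ports mode as deciding on the first packet is an assumption of the model.

```python
from dataclasses import dataclass, field
FIRST_PACKETS_ALLOWED = 8  # figure stated in the user's guide
# Constructed signature table: app -> (layer-7 payload prefix, service port)
SIGNATURES = {"http": (b"GET ", 80), "sip": (b"INVITE ", 5060)}
@dataclass
class Policy:
    default: str                                 # forward / drop / reject
    custom: list = field(default_factory=list)   # (src_zone, dst_zone, action)
@dataclass
class Connection:
    src_zone: str
    dst_zone: str
    dst_port: int
    packets: list              # payloads in arrival order
    mode: str = "auto"         # "auto" (layer-7) or "service ports" (layer-4)

def firewall_allows(conn, rules):
    """rules: [(src_zone, dst_zone, allow)]; first match wins, else deny."""
    for src, dst, allow in rules:
        if (src, dst) == (conn.src_zone, conn.dst_zone):
            return allow
    return False

def identify(conn):
    """Name the application, or None if it is not recognized."""
    if conn.mode == "service ports":
        return next((a for a, (_, p) in SIGNATURES.items() if p == conn.dst_port), None)
    for payload in conn.packets[:FIRST_PACKETS_ALLOWED]:  # only first eight seen
        for app, (prefix, _) in SIGNATURES.items():
            if payload.startswith(prefix):
                return app
    return None

def decide(conn, fw_rules, policies, other_action="forward"):
    """Return (action, number of packets that passed before it took effect)."""
    if not firewall_allows(conn, fw_rules):
        return "drop", 0                    # firewall rules are checked first
    pol = policies.get(identify(conn))
    action = other_action if pol is None else pol.default   # 'Other' handling
    if pol is not None:
        for src, dst, custom_action in pol.custom:      # custom beats default
            if (src, dst) == (conn.src_zone, conn.dst_zone):
                action = custom_action
                break
    if action == "forward":
        return action, len(conn.packets)
    # Assumption: service-ports mode decides on the first packet; only auto passes eight
    leaked = FIRST_PACKETS_ALLOWED if conn.mode == "auto" else 0
    return action, min(leaked, len(conn.packets))
```

The second element of the result makes the note above concrete: a connection that the policy drops still gets its first eight packets through in auto mode, which matters when reviewing logs for short-lived flows.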
Custom Ports for SIP and the SIP ALG
Configuring application patrol to use custom port numbers for SIP traffic also
configures the SIP ALG (see Chapter 19 on page 335) to use the same port
numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port
numbers for SIP traffic also configures application patrol to use the same port
numbers for SIP traffic.
DiffServ and DSCP Marking
QoS is used to prioritize source-to-destination traffic flows. All packets in the same
flow are given the same priority. CoS (class of service) is a way of managing traffic
in a network by grouping similar types of traffic together and treating each type as
a class. You can use CoS to give different priorities to different packet types.
DiffServ (Differentiated Services) is a class of service (CoS) model that marks
packets so that they receive specific per-hop treatment at DiffServ-compliant
network devices along the route based on the application types and traffic flow.
Packets are marked with DiffServ Code Points (DSCPs) indicating the level of
service desired. This allows the intermediary DiffServ-compliant network devices
to handle the packets differently depending on the code points without the need to
negotiate paths or remember state information for every flow. In addition,
applications do not have to request a particular service or give advanced notice of
where the traffic is going.
Use application patrol to set a DSCP value for an application’s traffic that the
ZyWALL sends out.
Bandwidth Management
When you allow an application, you can restrict the bandwidth it uses or even the
bandwidth that particular features in the application (like voice, video, or file
sharing) use. This restriction may be ineffective in certain cases, however, such as
using MSN to send files via P2P.
The application patrol bandwidth management is more flexible and powerful than
the bandwidth management in policy routes. Application patrol controls TCP and
UDP traffic. Use policy routes to manage other types of traffic (like ICMP).
Note: Bandwidth management in policy routes has priority over application patrol
bandwidth management. It is recommended to use application patrol instead of
policy routes to manage the bandwidth of TCP and UDP traffic.
Connection and Packet Directions
Application patrol looks at the connection direction, that is from which zone the
connection was initiated and to which zone the connection is going.
A connection has outbound and inbound packet flows. The ZyWALL controls the
bandwidth of traffic of each flow as it is going out through an interface or VPN
tunnel.
The outbound traffic flows from the connection initiator to the connection
responder.
The inbound traffic flows from the connection responder to the connection
initiator.
For example, a LAN1 to WAN connection is initiated from LAN1 and goes to the
WAN.
Outbound traffic goes from a LAN1 zone device to a WAN zone device.
Bandwidth management is applied before sending the packets out a WAN zone
interface on the ZyWALL.
Inbound traffic comes back from the WAN zone device to the LAN1 zone device.
Bandwidth management is applied before sending the traffic out a LAN1 zone
interface.
Figure 267 LAN1 to WAN Connection and Packet Directions
Outbound and Inbound Bandwidth Limits
You can limit an application’s outbound or inbound bandwidth. This limit keeps the
traffic from using up too much of the out-going interface’s bandwidth. This way
you can make sure there is bandwidth for other applications. When you apply a
bandwidth limit to outbound or inbound traffic, each member of the out-going
zone can send up to the limit. Take a LAN1 to WAN policy for example.
Outbound traffic is limited to 200 kbps. The connection initiator is on the LAN1
so outbound means the traffic traveling from the LAN1 to the WAN. Each of the
WAN zone’s two interfaces can send the limit of 200 kbps of traffic.
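The direction and limit rules from "Connection and Packet Directions" and "Outbound and Inbound Bandwidth Limits" can be checked with a small model of a one-second accounting window. This is an added example, not ZyXEL's code: the zone membership (two WAN interfaces, one LAN1 interface) and the packet list are constructed, and the shaping is a simple per-interface budget rather than the device's actual scheduler.

```python
from dataclasses import dataclass

# Constructed zone membership: zone -> interfaces belonging to it.
ZONES = {"LAN1": ["lan1"], "WAN": ["wan1", "wan2"]}

@dataclass
class BwmPolicy:
    from_zone: str        # zone that initiates the connection
    to_zone: str          # zone the connection is going to
    outbound_kbps: int    # initiator -> responder limit
    inbound_kbps: int     # responder -> initiator limit

def direction(policy, src_zone):
    """Outbound packets travel from the initiator; everything else is inbound."""
    return "outbound" if src_zone == policy.from_zone else "inbound"

def egress_zone(policy, flow):
    """Bandwidth is applied as the packet leaves: the responder's zone for
    outbound traffic, the initiator's zone for inbound traffic."""
    return policy.to_zone if flow == "outbound" else policy.from_zone

def limit_kbps(policy, flow):
    return policy.outbound_kbps if flow == "outbound" else policy.inbound_kbps

def shape(policy, packets):
    """packets: [(src_zone, egress_iface, kbits)] seen within one second.
    Returns kbits sent per (interface, flow); each member interface of the
    out-going zone may send up to the limit on its own."""
    sent = {}
    for src_zone, iface, kbits in packets:
        flow = direction(policy, src_zone)
        if iface not in ZONES[egress_zone(policy, flow)]:
            raise ValueError(f"{iface} is not in the {flow} egress zone")
        key = (iface, flow)
        room = limit_kbps(policy, flow) - sent.get(key, 0)
        sent[key] = sent.get(key, 0) + min(kbits, max(room, 0))
    return sent

def total_sent(policy, packets, flow):
    """Aggregate kbits that left the ZyWALL in one direction across interfaces."""
    return sum(v for (_, f), v in shape(policy, packets).items() if f == flow)
```

With a 200 kbps outbound limit and two WAN interfaces, the aggregate can reach 400 kbps, which is the point of the sentence about each WAN interface sending the limit.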