Configuration Basics

This section provides background information to help you configure the ZyWALL effectively.

Granular Configuration

ZyWALL configuration is granular. When you configure a feature, you may have to configure other screens first before you can finish configuring the feature. When you configure these other screens, you are configuring objects.

For example, when you set up a policy route, each criterion is an object. You should configure each criterion in a different screen before you configure the policy route itself. A policy route can have up to six criteria, so you might have to configure several screens before you finish the policy route.

Fortunately, when you finish, you can reuse the objects (without configuring them again) in other policy routes or in other features such as firewall rules or remote management.

For a list of common objects, see Objects.

Terminology in the ZyWALL

This section highlights some differences in terminology or organization between the ZyWALL and other routers, particularly ZyNOS routers.

ZyWALL Terminology That Is Different from ZyNOS

ZyNOS Feature / Term              ZyWALL Feature / Term
Port forwarding                   Virtual server
IP alias                          Virtual interface
Gateway policy                    VPN gateway
Network policy (IPSec SA)         VPN connection

ZyWALL Terminology That Might Be Different from Other Products

Feature / Term                    ZyWALL Feature / Term
Hub-and-spoke VPN                 (VPN) concentrator

NAT: Differences Between the ZyWALL and ZyNOS

ZyNOS Feature / Screen            ZyWALL Feature / Screen
Port forwarding                   Virtual server
Trigger port, port triggering     Policy route
Address mapping                   Policy route
Address mapping (VPN)             IPSec VPN

Bandwidth Management: Differences Between the ZyWALL and ZyNOS

ZyNOS Feature / Screen            ZyWALL Feature / Screen
Interface bandwidth (outbound)    Interface
OSI level-7 bandwidth             Application patrol
General bandwidth                 Policy route

Physical Ports, Interfaces, and Zones

If you want to configure the ZyWALL effectively, you should understand the differences between physical ports, interfaces, and zones. The following illustration provides an overview of the relationship between physical ports, interfaces, and zones in the ZyWALL. It also identifies the types of features you can configure with each one.

Physical Ports, Interfaces, and Zones (figure)

Zones (LAN, DMZ, WAN, ...)
    Used in firewall, IDP, and remote management
Interfaces (Ethernet, VLAN, ...)
    Used in VPN, device HA, DDNS, policy routes, static routes, HTTP redirect, and virtual server
Physical ports (1, 2, 3, 4, 5)
    Used in port groups

A physical port is the place to which you connect the cable. As shown above, you do not usually configure physical ports to use various features. You configure interfaces and zones. The ZyWALL supports 1:1, 1:M, M:1, and M:N relationships between physical ports and interfaces.

There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL.

Zones are used for security policies. A zone is simply a group of interfaces and/or VPN tunnels; by default, the ZyWALL has LAN, WAN and DMZ zones. Each interface and VPN tunnel can be assigned to one and only one zone. You can add, change, or remove the interfaces and VPN tunnels in each zone without affecting the settings that are based on zones.

Feature Configuration Overview

This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the web configurator. Each feature is organized as shown below.

Feature

This provides a brief description. See the appropriate chapter(s) in this User's Guide for more information about any feature.

Menu Item(s)
This shows you the sequence of menu items and tabs you should click to find the main screen(s) for this feature. See the User's Guide for information about each screen.
Prerequisites
These are other features you should configure before you configure the main screen(s) for this feature.
In most cases, if you forget to configure one of the prerequisites first, you can still save your changes in the main screen. Then, you can configure the prerequisite and return to the main screen to finish configuring the feature.
The longer the list, the more likely it is that you will configure only some of the prerequisites, not all of them. For example, you do not have to create a schedule for a policy route unless time is one of its criteria.
Where Used
This list serves two purposes.
First, it lists the other features you should usually configure or check right after you configure the main screen(s) for this feature. For example, you should usually create a policy route for a VPN tunnel.
Second, it lists the features that might refer to this one. You have to delete the references to this feature before you can delete its settings. For example, you have to delete (or modify) all the policy routes that refer to a VPN tunnel before you can delete the VPN tunnel.

Note: If there are no prerequisites or if there are no references in other features to this one, then the entry has been removed. For example, there are no references to DDNS entries, so there is no Where Used entry.

Interface

See Physical Ports, Interfaces, and Zones for background information.

Note: You have to assign interfaces to zones manually after you create an interface.

Most of the features that use interfaces support Ethernet, VLAN, bridge, and PPPoE/PPTP interfaces. You can only use virtual interfaces in IPSec VPN and device HA.

Menu Item(s)
Network > Interface (except Network > Interface > Trunk)
Prerequisites
OSPF (Ethernet interfaces), ISP accounts (PPPoE/PPTP interfaces)
Where Used
Zones, trunks, IPSec VPN, device HA, DDNS, policy routes, static routes, HTTP redirect, virtual server

Trunks

Use trunks to set up load balancing using two or more interfaces.

Menu Item(s)
Network > Interface > Trunk
Prerequisites
Interfaces
Where Used
Policy routes

IPSec VPN

Use VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN.

Menu Item(s)
Network > IPSec VPN; you can also use the VPN Setup Wizard, which handles most of the prerequisites for you.
Prerequisites
Interfaces, certificates (authentication), authentication methods (extended authentication), addresses (local network, remote network, NAT), to-ZyWALL firewall, firewall
Where Used
Policy routes, zones

Zones

Zones are used in security policies, such as firewall rules, IDP profiles, and remote management. You should assign each interface and VPN connection to a zone.

When you create a zone, the ZyWALL does not create any firewall rules, assign an IDP profile, or configure remote management for the new zone.

Menu Item(s)
Network > Zone
Prerequisites
Interfaces, IPSec VPN
Where Used
Firewall, IDP, remote management

Device HA

Use device HA to create redundant backup gateways. This is the ZyWALL's implementation of Virtual Router Redundancy Protocol (VRRP), defined in RFC 2338.

Menu Item(s)
Network > Device HA
Prerequisites
Interfaces (with a static IP address), to-ZyWALL firewall

DDNS

Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping.

Menu Item(s)
Network > DDNS
Prerequisites
Interfaces

Policy Routes

Use policy routes to control the routing of packets through the ZyWALL's interfaces, trunks, and VPN connections. You also use policy routes for bandwidth management (out of the ZyWALL), port triggering, and general NAT on the source address. You have to set up the criteria, next-hops, and NAT settings in other screens first, and you should make sure the firewall rules support the NAT.

Menu Item(s)
Policy > Route > Policy Route
Prerequisites
Criteria: users, user groups, interfaces (incoming), IPSec VPN (incoming), addresses (source, destination), address groups (source, destination), schedules, services, service groups
Next-hop: addresses (HOST gateway), IPSec VPN, trunks, interfaces
NAT: addresses (translated address), services and service groups (port triggering)

Static Routes

Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL.

Menu Item(s)
Policy > Route > Static Route
Prerequisites
Interfaces

Firewall

The firewall allows you to control traffic between or within zones. You might also configure the firewall to control traffic for virtual server (port forwarding), HTTP redirect, and policy routes (NAT).

You can configure firewall rules based on schedules, specific users (or user groups), source or destination addresses (or address groups) and services (or service groups). Each of these must be configured in a different screen first.

Menu Item(s)
Policy > Firewall
Prerequisites
Zones, schedules, users, user groups, addresses (source, destination), address groups (source, destination), services, service groups

Note: The ZyWALL checks the firewall rules in order. Make sure this rule is in the correct place in the sequence.
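The two points made above, that firewall rules are written against zones rather than interfaces (see Physical Ports, Interfaces, and Zones) and that the rules are checked in order, can be seen in a small model. The following is an added example written for this page; it is not ZyWALL firmware, and the interface names, zone names, service names and rules in it are constructed. A pseudo-zone named "ZyWALL" stands for traffic addressed to the device itself, so that to-ZyWALL rules can be expressed in the same list.

```python
"""Zone-based firewall evaluation (added example, not ZyWALL firmware).

Rules refer to zones, never to interfaces; each interface is mapped to exactly
one zone; rules are checked in order and the first match wins; anything that
matches no rule is denied.  Interface names, zone names and rules are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = "any"
DEVICE = "ZyWALL"  # pseudo-zone for traffic addressed to the device (to-ZyWALL rules)


@dataclass
class Rule:
    from_zone: str  # zone of the incoming interface, or ANY
    to_zone: str    # zone of the outgoing interface, DEVICE, or ANY
    service: str    # service object name, or ANY
    action: str     # "allow" or "deny"


@dataclass
class Packet:
    in_iface: str
    out_iface: Optional[str]  # None when the packet is addressed to the device itself
    service: str


@dataclass
class ZoneFirewall:
    zone_of: Dict[str, str] = field(default_factory=dict)  # interface -> its one zone
    rules: List[Rule] = field(default_factory=list)        # ordered, first match wins

    def assign(self, iface: str, zone: str) -> None:
        """Put an interface in a zone (moving it out of its previous zone)."""
        self.zone_of[iface] = zone

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching rule), or ("deny", None) if none matches."""
        # An interface that has not been assigned to a zone matches no zone-based
        # rule, so the implicit default deny applies to it.
        src = self.zone_of.get(pkt.in_iface)
        dst = DEVICE if pkt.out_iface is None else self.zone_of.get(pkt.out_iface)
        if src is None or dst is None:
            return "deny", None
        for idx, r in enumerate(self.rules):
            if (r.from_zone in (ANY, src) and r.to_zone in (ANY, dst)
                    and r.service in (ANY, pkt.service)):
                return r.action, idx
        return "deny", None


def build_sample() -> ZoneFirewall:
    """Constructed sample: three interfaces, three zones, five ordered rules."""
    fw = ZoneFirewall()
    fw.assign("lan1", "LAN")
    fw.assign("ge3", "DMZ")
    fw.assign("wan1", "WAN")
    fw.rules = [
        Rule("LAN", DEVICE, ANY, "allow"),     # 0: LAN hosts may manage the device
        Rule("WAN", DEVICE, ANY, "deny"),      # 1: WAN hosts may not
        Rule("LAN", "WAN", "telnet", "deny"),  # 2: specific deny placed BEFORE ...
        Rule("LAN", "WAN", ANY, "allow"),      # 3: ... the broad allow it carves out of
        Rule("DMZ", "WAN", "http", "allow"),   # 4
    ]
    return fw


if __name__ == "__main__":
    fw = build_sample()
    print(fw.evaluate(Packet("lan1", "wan1", "telnet")))  # ('deny', 2): order matters
    print(fw.evaluate(Packet("ge3", "wan1", "ssh")))      # ('deny', None): no DMZ rule
    fw.assign("ge3", "LAN")                               # move the interface; rules untouched
    print(fw.evaluate(Packet("ge3", "wan1", "ssh")))      # ('allow', 3)
```

Moving ge3 from the DMZ zone into the LAN zone changes which rules apply to its traffic without editing any rule, which is the point of assigning interfaces to zones; swapping rules 2 and 3 would turn the telnet deny into an allow, which is why the note says to check a rule's position in the sequence.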

Application Patrol

Use application patrol to control which individuals can use which services through the ZyWALL (and when they can do so). You can also specify allowed amounts of bandwidth.

Menu Item(s)
Policy > Application Patrol
Prerequisites
Schedules, users, user groups, addresses (source, destination), address groups (source, destination). These are only used as criteria in exceptions and conditions.

IDP

Use IDP to detect and take action on malicious or suspicious packets and traffic flows. You must subscribe to use IDP. You can subscribe using the menu item or using one of the wizards.

Menu Item(s)
Policy > IDP
Prerequisites
Registration, zones

Content Filter

Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies). You can define which user accounts (or groups) can access what content and at what times. You must have a subscription in order to use the category-based content filtering. You can subscribe using the menu item or using one of the wizards.

Menu Item(s)
Policy > Content Filter
Prerequisites
Registration, addresses (source), schedules, users, user groups

Virtual Server (Port Forwarding)

Use this to change the address and/or port number of packets coming in from a specified interface. This is also known as port forwarding.

The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by virtual server. It does check regular (through-ZyWALL) firewall rules.

Menu Item(s)
Policy > Virtual Server
Prerequisites
Interfaces, addresses (HOST)

HTTP Redirect

Configure this feature to have the ZyWALL transparently forward HTTP (web) traffic to a proxy server. This can speed up web browsing because the proxy server keeps copies of the web pages that have been accessed so they are readily available the next time one of your users needs to access that page.

The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by HTTP redirect. It does check regular (through-ZyWALL) firewall rules.

Menu Item(s)
Policy > HTTP Redirect
Prerequisites
Interfaces

VoIP PassThru

The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL.

Menu Item(s)
Policy > VoIP PassThru

User/Group

Use these screens to configure the ZyWALL's administrator and user accounts. The ZyWALL provides the following user types.

Type            Abilities
Admin           Change ZyWALL configuration (web, CLI)
Limited-Admin   Look at ZyWALL configuration (web), change ZyWALL configuration (CLI)
User            Access network services, browse user-mode commands (CLI)
Guest           Access network services, browse user-mode commands (CLI)
Ext-User        The same as a User or a Guest. The ZyWALL looks for the specific type in an external authentication server. If the type is not available, the ZyWALL applies default settings.

If you want to force users to log in to the ZyWALL before the ZyWALL routes traffic for them, you might have to configure prerequisites first.

User accounts and user groups can also be used in many other features.

Menu Item(s)
User/Group
Prerequisites
Addresses, address groups, schedules. These prerequisites are only used in policies that force user authentication.

Objects

Objects are used to set up the features in the previous section. Objects store information and are referenced by other features. Later, when you need to update this information in response to changes, you can simply update the information in the object. The ZyWALL automatically propagates the change through the features that use the object.

The following table introduces the objects. You can find most of these objects in the Object menu; a couple of them are menu items under Network (ISP Account, Routing Protocol) and User/Group. You can also use this table when you want to delete an object, because you have to delete the references to the object first.

Object                    Where Used
addresses                 VPN connections (local / remote network, NAT), policy routes (criteria, next-hop [HOST], NAT), firewall, application patrol (source, destination), content filter, virtual server (HOST), user settings (force user authentication), address groups, remote management (System)
address groups            Policy routes (criteria), firewall, application patrol (source, destination), content filter, user settings (force user authentication), address groups, remote management (System)
services, service groups  Policy routes (criteria, port triggering), firewall, service groups, log (criteria)
schedules                 Policy routes (criteria), firewall, application patrol, content filter, user settings (force user authentication)
AAA server                Authentication methods
authentication methods    VPN gateways (extended authentication), WWW (client authentication)
certificates              VPN gateways, WWW, SSH, FTP, SNMP
users, user groups        Policy routes, firewall, application patrol, content filter, user groups
ISP accounts              PPPoE/PPTP interfaces
OSPF                      Ethernet interfaces

System Management

This section introduces some of the management and maintenance features in the ZyWALL.

To-ZyWALL Firewall

Set up security policies to control access to the ZyWALL. By default, the firewall allows any computer from the LAN zone to access or manage the ZyWALL. The ZyWALL drops packets from the WAN or DMZ zone to the ZyWALL itself, except for Device HA and VPN traffic. You can also configure policies for remote management.

Menu Item(s)
Policy > Firewall
Prerequisites
Zones, schedules, users, user groups, addresses (source, destination), address groups (source, destination), services, service groups

Remote Management (ICMP, DNS, WWW, SSH, TELNET, FTP, SNMP)

Use these screens to set which services or protocols can be used to access the ZyWALL, through which zones, and from which addresses (address objects) the access can come.

Menu Item(s)
System > ICMP, DNS, WWW, SSH, TELNET, FTP, SNMP
Prerequisites
To-ZyWALL firewall, zones, addresses, address groups, certificates (WWW, SSH, FTP, SNMP), authentication methods (WWW)

File Manager

Use these screens to upload, download, delete, or run scripts of CLI commands. You can manage

You can edit configuration files and shell scripts in any text editor.

Menu Item(s)
File Manager

Registration

Use these screens to register your ZyWALL or to subscribe to the IDP or content filtering services. You must have Internet access to myZyXEL.com.

Menu Item(s)
Registration
Prerequisites
Internet access to myZyXEL.com

Logs and Reports

The ZyWALL provides a system log, two e-mail profiles to which it can send log messages, and four syslog servers to which it can send log information. It also provides three types of statistical reports to track user activity and web site hits.

Menu Item(s)
Maintenance > Logs, Reports