ZyXEL Communications ZyWall ATP series - CHAPTER 40 Diagnostics; 40.2 The Diagnostics Screens

To Next Page

To Previous Page

777/782

www.zyxel.com

How to Use IP Reputation to Detect Threats

(This feature is only supported on ATP series)

As cyber threats such as scanners, botnets, phishing, etc. grow

increasingly, how to identify suspect IP addresses of threats efficiently

becomes a crucial task.

With regularly updated IP database, ATP prevents threats by blocking

connection to/from known IP addresses based on signature database. It

filters source and destination addresses in your network traffic to take the

proper risk prevention actions.

This example illustrates how to configure IP Reputation on ATP gateway

to detect cyber threats for both incoming and outgoing traffic.

Figure

Note: All network IP addresses and subnet masks are used as examples in this article.

Please replace them with your actual network IP addresses. This example was tested using

the ATP500 (Firmware Version: ZLD 4.35).

Main Page

Table of Contents2
How to Configure Site-To-Site Ipsec VPN with Amazon VPC20
Set up the Ipsec VPN Tunnel on the Amazon VPC21
Set up the Ipsec VPN Tunnel on the Zywall/Usg25
Test the Ipsec VPN Tunnel31
What Could Go Wrong32
How to Configure Site-To-Site Ipsec VPN with Microsoft (MS) Azure33
Set up the Ipsec VPN Tunnel on the Zywall/Usg34
Set up the Ipsec VPN Tunnel on the MS Azure39
Test the Ipsec VPN Tunnel46
What Could Go Wrong49
How to Configure GRE over Ipsec VPN Tunnel50
Set up the Zywall/Usg GRE over Ipsec VPN Tunnel of Corporate Network (HQ)51
Set up the Zywall/Usg GRE over Ipsec VPN Tunnel of Corporate Network (Branch)56
Test the GRE over Ipsec VPN Tunnel60
What Could Go Wrong61
How to Configure Site-To-Site Ipsec VPN Where the Peer Has a Static IP Address63
(Branch)68
Test the Ipsec VPN Tunnel72
What Could Go Wrong73
How to Configure Site-To-Site Ipsec VPN Where the Peer Has a Dynamic IP Address75
Set up the Zywall/Usg Ipsec VPN Tunnel of Corporate Network (HQ)75
Set up the Zywall/Usg Ipsec VPN Tunnel of Corporate Network (Branch Has a Dynamic IP Address)79
Test the Ipsec VPN Tunnel83
What Could Go Wrong85
How to Configure Ipsec Site to Site VPN While One Site Is Behind a NAT Router87
Set up the Zywall/Usg Ipsec VPN Tunnel of Corporate Network (HQ)87
Set up the Zywall/Usg Ipsec VPN Tunnel of Corporate Network (Branch)91
Set up the NAT Router (Using Zywall USG Device in this Example)95
Test the Ipsec VPN Tunnel97
What Could Go Wrong98
How to Configure Hub-And-Spoke Ipsec VPN99
Set up the Ipsec VPN Tunnel on the Zywall/Usg by Using VPN Concentrator Hub_Hq-To-Branch_A100
Hub_Hq-To-Branch_B104
Hub_Hq Concentrator108
Spoke_Branch_A109
Spoke_Branch_B114
Test the Ipsec VPN Tunnel119
What Could Go Wrong123
Set up the Ipsec VPN Tunnel of Zywall/Usg Without Using VPN Concentrator Hub_Hq-To-Branch_A125
Hub_Hq-To-Branch_B128
Spoke_Branch_A131
Spoke_Branch_B134
Test the Ipsec VPN Tunnel137
What Could Go Wrong140
How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator142
Set up the Ipsec VPN Tunnel on the Zywall/Usg Hub_Hq-To143
Branch_A143
Hub_Hq-To-Branch_B146
Hub_Hq Concentrator149
Spoke_Branch_A150
Spoke_Branch_B153
Test the Ipsec VPN Tunnel157
What Could Go Wrong160
How to Configure Ipsec VPN with Zywall Ipsec VPN Client161
Set up the Zywall/Usg Ipsec VPN Tunnel162
Set up the Zywall Ipsec VPN Client166
Test the Ipsec VPN Tunnel169
What Can Go Wrong171
How to Configure Site-To-Site Ipsec VPN with Fortigate173
Set up the Ipsec VPN Tunnel on the Zywall/Usg174
Set up the Ipsec VPN Tunnel on the Fortigate177
Test the Ipsec VPN Tunnel182
What Could Go Wrong183
How to Configure Site-To-Site Ipsec VPN with Watchguard185
Set up the Ipsec VPN Tunnel on the Zywall/Usg186
Set up the Ipsec VPN Tunnel on the Watchguard189
Test the Ipsec VPN Tunnel195
What Could Go Wrong196
How to Configure Site-To-Site Ipsec VPN with Cisco198
Set up the Ipsec VPN Tunnel on the Zywall/Usg199
Set up the Ipsec VPN Tunnel on the Cisco204
Test the Ipsec VPN Tunnel209
What Could Go Wrong211
How to Configure Site-To-Site Ipsec VPN with a Sonicwall Router212
Set up the Ipsec VPN Tunnel on the Zywall/Usg213
Set up the Ipsec VPN Tunnel on the Sonicwall220
Test the Ipsec VPN Tunnel224
What Could Go Wrong226
How to Configure Ipsec VPN Failover229
Set up the Zywall/Usg Ipsec VPN Tunnel of Corporate Network (HQ)230
Set up the Zywall/Usg Ipsec VPN Tunnel of Corporate Network (Branch)233
Set up the WAN Trunk (Zywall/Usg_Hq)238
Set up the Failover Command Line (Zywall/Usg HQ)239
Test the Ipsec VPN Tunnel240
What Could Go Wrong242
How to Configure L2TP over Ipsec VPN While the Zywall/Usg Is Behind a NAT Router244
Set up the L2TP VPN Tunnel on the Zywall/Usg_Hq245
Set up the NAT Router (Using Zywall USG Device in this Example)249
Test the L2TP over Ipsec VPN Tunnel252
What Could Go Wrong255
How to Configure L2TP VPN with Android 5.0 Mobile Devices257
Set up the L2TP VPN Tunnel on the Zywall/Usg258
Set up the L2TP VPN Tunnel on the Android Device262
Test the L2TP over Ipsec VPN Tunnel265
What Could Go Wrong267
How to Configure L2TP VPN with Ios 8.4 Mobile Devices269
Set up the L2TP VPN Tunnel on the Zywall/Usg269
Set up the L2TP VPN Tunnel on the Ios Device275
Test the L2TP over Ipsec VPN Tunnel276
What Could Go Wrong279
How to Import Zywall/Usg Certificate for L2TP over Ipsec in Windows 10281
Set up the L2TP VPN Tunnel on the Zywall/Usg281
10 Operating System286
Set up the L2TP VPN Tunnel on the Windows 10291
Test the L2TP over Ipsec VPN Tunnel296
What Could Go Wrong298
How to Import Zywall/Usg Certificate for L2TP over Ipsec in IOS Mobile Phone300
Set up the L2TP VPN Tunnel on the Zywall/Usg300
Export a Certificate from Zywall/Usg and Import It to Ios Mobile Phone305
Set up the L2TP VPN Tunnel on the Ios Mobile Device305
Test the L2TP over Ipsec VPN Tunnel308
What Could Go Wrong310
How to Import Zywall/Usg Certificate for L2TP over Ipsec in Android Mobile Phone311
Set up the L2TP VPN Tunnel on the Zywall/Usg312
Export a Certificate from Zywall/Usg and Import It to Android Mobile Phone316
Set up the L2TP VPN Tunnel on the Android Mobile Device317
Test the L2TP over Ipsec VPN Tunnel320
What Could Go Wrong322
System324
Set up the L2TP VPN Tunnel on the Zywall/Usg324
Capitan Operating System329
Test the L2TP over Ipsec VPN Tunnel332
What Could Go Wrong334
How to Configure if I Want User Can Only See SSL VPN Login Button in Web Portal Login Page336
Set up the DNS Service337
Set up the Zywall/Usg SSL VPN Setting337
Set up the Zywall/Usg System Setting338
Test the SSL VPN339
How to Deploy SSL VPN with Apple Mac os X 10.10 Operating System343
Set up the SSL VPN Tunnel on the Zywall/Usg344
System347
Test the SSL VPN Tunnel351
What Could Go Wrong354
How to Configure SSL VPN for Remote Access Mobile Devices356
Set up the SSL VPN Tunnel on the Zywall/Usg357
Test the SSL VPN Tunnel360
What Could Go Wrong362
How to Configure an SSL VPN Tunnel (with Secuextender Version 4.0.0.1) on the Windows 10 Operating System363
Set up the SSL VPN Tunnel with Windows 10363
What Can Go Wrong367
How to Redirect Multiple LAN Interface Traffic to the VPN Tunnel369
Set up the Zywall/Usg Ipsec VPN Tunnel of Corporate Network (HQ)370
Set up the Zywall/Usg Ipsec VPN Tunnel of Corporate Network (Branch)373
Set up the Policy Route (Zywall/Usg_Hq)377
Set up the Policy Route (Zywall/Usg_Branch)378
Test the Ipsec VPN Tunnel380
What Could Go Wrong381
How to Create VTI and Configure VPN Failover with VTI383
VTI Deployment Flow383
Set up the Zywall/Usg VTI of Corporate Network (HQ)384
Set up the Zywall/Usg VTI of Corporate Network (Branch)389
Test the Ipsec VPN Tunnel395
What Can Go Wrong397
How to Configure the USG When Using a Cloud Based SIP System399
Set up the SIP ALG400
Test Result400
What Could Go Wrong401
How to Block HTTPS Websites by Domain Filter Without Applying SSL Inspection401
Set up the Content Filter on the Zywall/Usg402
Set up the Security Policy on the Zywall/Usg405
Set up the System Policy on the Zywall/Usg405
Test the Result405
How to Configure Content Filter 2.0 with Geo IP Blocking408
Set up the Address Objet with Geo IP on the Zywall/Usg409
Set up the Security Policy on the Zywall/Usg409
Test the Result410
What Could Go Wrong411
How to Configure Content Filter 2.0 with Https Domain Filter412
Application Scenario412
Set up the Content Filter on the Zywall/Usg413
Set up the Security Policy on the Zywall/Usg415
Set up the System Policy on the Zywall/Usg416
Test the Result417
What Could Wrong417
How to Block the Client Accessing to Certain Country Using Geo IP and Content Filter418
Check Geo IP License Status on the Zywall/Usg419
Set up the Address Objet with Geo IP on the Zywall/Usg420
Set up the Security Policy on the Zywall/Usg421
Test the Result422
How to Restrict Web Portal Access from the Internet425
Set up the Zywall/Usg System Setting425
Test the Web Access426
How to Setup and Configure Daily Report429
Set up the Zywall/Usg Email Daily Report Setting430
Test the Daily Log Report431
What Could Go Wrong433
How to Setup and Configure Email Logs434
Set up the Zywall/Usg Email Logs Setting435
Test the Email Log436
What Could Go Wrong437
How to Setup and Send Logs to a Syslog Server438
Set up the Syslog Server (Use Papertrail Syslog in this Example)438
Set up the Zywall/Usg Remote Server Setting441
Test the Remote Server442
What Could Go Wrong443
How to Setup and Send Logs to a Vantage Reports Server444
Set up the VRPT Server445
Set up the Zywall/Usg Remote Server Setting448
Test the Remote Server449
What Could Go Wrong449
How to Setup and Send Logs to the USB Storage450
Set up the USB System Settings451
Set up the USB Log Storage452
Check the USG Log Files453
How to Setup Ipv6 Interfaces for Pure Ipv6 Routing454
Setting up the Ipv6 Interface455
Set up the Prefix Delegation and Router Advertisement457
Test461
What Can Go Wrong462
Test464
How to Perform and Use the Packet Capture Feature on the Zywall/Usg464
Set up the Packet Capture Feature465
Check the Capture Files468
How to Automatically Reboot the Zywall/Usg by Schedule469
Set up the Shell Script470
Set up the Schedule Run471
Check the Reboot Status473
How to Schedule Youtube Access475
Set up the Schedule on the Zywall/Usg475
Create the Application Objects on the Zywall/Usg476
Set up SSL Inspection on the Zywall/Usg476
Set up the Security Policy on the Zywall/Usg477
Export Certificate from Zywall/Usg and Import It to Windows 7478
Operation System478
Test the Result484
What Could Go Wrong484
How to Continuously Run a Zysh Script486
Set up the Shell Script486
Set up the Schedule Run488
Check the Result488
How to Register Your Device and Services at Myzyxel.com489
Account Creation490
Device Registration492
Service Registration (in the Case of Standard License)493
Device Management (in the Case of Registering Bundled Licenses)494
Refresh Service495
What Could Go Wrong495
How to Exempt Specific Users from Security Control497
Set up the Security Policy on the Zywall/Usg for Employees498
Set up the Security Policy on the Zywall/Usg for Executives500
Test the Result502
What Could Go Wrong503
How to Detect and Prevent TCP Port Scanning with ADP504
Set up the ADP Profile on the Zywall/Usg505
Test the Result508
What Could Go Wrong509
How to Block Facebook510
Set up the Content Filter on the Zywall/Usg511
Set up the SSL Inspection on the Zywall/Usg511
Set up the Security Policy on the Zywall/Usg513
Export Certificate from Zywall/Usg and Import It to Windows 7514
Operation System514
Test the Result519
What Could Go Wrong520
How to Exempt Specific Users from a Blocked Website521
Set up the Security Policy on the Zywall/Usg for Employees522
Set up the Security Policy on the Zywall/Usg for Executives524
Test the Result527
What Could Go Wrong528
How to Control Access to Google Drive529
Set up the SSL Inspection on the Zywall/Usg530
Set up the Security Policy on the Zywall/Usg531
Export Certificate from Zywall/Usg and Import It to Windows 7531
Operation System532
Test the Result537
What Could Go Wrong538
How to Block HTTPS Websites Using Content Filtering and SSL Inspection539
Set up the Content Filter on the Zywall/Usg540
Set up SSL Inspection on the Zywall/Usg541
Set up the Security Policy on the Zywall/Usg543
Export Certificate from Zywall/Usg and Import It to Windows 7544
Operation System544
Test the Result549
What Could Go Wrong550
How to Block the Spotify Music Streaming Service551
Set up IDP Profile on the Zywall/Usg552
Test the Result553
What Could Go Wrong554
How Does Anti-Malware Work555
Enable Anti-Malware Function to Protecting Your Traffic556
Test the Result557
Additional Configuration557
What Can Go Wrong558
Set up the Email Security on ATP Series559
Test the Result562
What Can Go Wrong563
How to Configure Botnet Filter on ATP Series564
Prerequisites before Setting up Botnet Filter Function565
License Activation565
Update Botnet Filter Signatures565
Set up the IP Blocking on the ATP Series567
Test the Result567
Set up the URL Blocking on the ATP Series568
Test the Result568
How to Use Sandboxing to Detect Unknown Malware570
Set up Sandboxing on ATP571
Test the Result573
What Can Go Wrong576
How to Configure Bandwidth Management for FTP and HTTP Traffic577
Set up the Bandwidth Management for FTP on the Zywall/Usg578
Set up the Bandwidth Management for HTTP on the Zywall/Usg579
Set up the Bandwidth Management Global Setting on the581
Zywall/Usg582
Test the Result582
What Could Go Wrong583
How to Limit Bittorrent or Other Peer-To-Peer Traffic584
Set up the Application Patrol Profile on the Zywall/Usg585
Set up the Bandwidth Management for Bittorrent on the586
Zywall/Usg586
Set up the Bandwidth Management Global Setting on the588
Zywall/Usg588
Test the Result588
What Could Go Wrong589
How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address590
Set up the Available Bandwidth on WAN1 Interfaces on the591
Zywall/Usg591
Set up the Available Bandwidth on WAN2 Interfaces on the592
Zywall/Usg592
Set up the WAN Trunk on the Zywall/Usg592
Test the Result593
What Could Go Wrong594
How to Configure DNS Inbound Load Balancing to Balance DNS Queries Among Interfaces595
Set up the DNS Inbound Load Balancing on the Zywall/Usg596
Set up the NAT Rule on the Zywall/Usg597
Test the Result598
What Could Go Wrong599
How to Manage Voice Traffic600
Set up the SIP ALG on the Zywall/Usg601
Set up the Bandwidth Management for SIP on the Zywall/Usg601
Set up the Bandwidth Management for P2P on the Zywall/Usg602
Set up the Bandwidth Management for FTP on the Zywall/Usg603
Test the Result605
What Could Go Wrong606
How to Manage Zywall/Usg Configuration Files607
Rename the Configuration Files from the Zywall/Usg608
Download the Configuration Files on the Zywall/Usg608
Copy the Configuration Files on the Zywall/Usg609
Apply the Configuration Files on the Zywall/Usg610
Upload the Configuration Files from the Zywall/Usg611
What Could Go Wrong611
How to Manage Zywall/Usg Firmware612
Download the Current Firmware Version from Zyxel.com613
Upload the Firmware on the Zywall/Usg614
What Could Go Wrong617
How to Get Started Using the Wizards618
Set up the Internet Access (Ethernet) Wizard on the Zywall/Usg618
Set up the Internet Access (Pppoe) Wizard on the Zywall/Usg622
Set up the Internet Access (PPTP) Wizard on the Zywall/Usg625
Set up the Wireless Settings Wizard on the Zywall/Usg629
Set up the Device Registration on the Zywall/Usg631
How to Configure the 3G/LTE Interface on the Zywall/Usg as a WAN Backup633
Set up the 3G/LTE Interface on the Zywall/Usg634
Set up the Trunk on the Zywall/Usg635
Test the Result636
What Could Go Wrong637
How to Configure Two Different WAN Interfaces with Different IP Addresses in the same VLAN638
Set up the Port Grouping on the Zywall/Usg639
Set up the VLAN on the Zywall/Usg639
Set up the Routing on the Zywall/Usg641
Test the Result641
What Could Go Wrong642
How to Let a Server Use the same Public IP Address as the WAN Interface Using the Bridge Interface642
Set up the Bridge Interface on the Zywall/Usg643
Test the Result645
What Could Go Wrong646
How to Allow Public Access to a Server Behind Zywall/Usg646
Set up the NAT on the Zywall/Usg647
Set up the Security Policy on the Zywall/Usg648
Test the Result649
What Could Go Wrong649
How to Set up a Wifi Network with Zyxel Aps651
Set up the AP Management on the Zywall/Usg652
Test the Result654
What Could Go Wrong655
How to Set up Guest Wifi Network Accounts656
Set up the Wifi Guest Account, Address Range and Service Rule on the Zywall/Usg657
Set up the Web Authentication on the Zywall/Usg659
Set up the Security Policy on the Zywall/Usg660
Test the Result661
What Could Go Wrong664
Guest Network666
Set up Wi-Fi VLAN Interfaces667
Test Result677
What Could Go Wrong679
How to Set up Wifi Networks with Microsoft Active Directory Authentication681
Set up the Wi-Fi Guest Account and Authentication Method on the Zywall/Usg682
Set up the Active Directory Server Account on the Zywall/Usg683
Set up the Security Policy on the Zywall/Usg684
Test the Result685
What Could Go Wrong687
How to Set up Ipv6 Interfaces for Pure Ipv6 Routing688
Enable the Ipv6 on the Zywall/Usg689
Set up the WAN Ipv6 Interface on the Zywall/Usg690
Set up the LAN Ipv6 Interface on the Zywall/Usg690
Test the Result691
What Could Go Wrong693
How to Set up an Ipv6 6To4 Tunnel693
Set up the LAN Ipv6 Interface on the Zywall/Usg694
Set up the 6To4 Tunnel on the Zywall/Usg696
Test the Result697
What Could Go Wrong698
How to Set up an Ipv6-In-Ipv4 Tunnel698
Set up the LAN Ipv6 Interface on the Zywall/Usg699
Set up the 6To4 Tunnel on the Zywall/Usg700
Set up the Policy Route on the Zywall/Usg701
Test the Result702
What Could Go Wrong703
How to Update Firmware Automatically from a USB Storage704
Automatic USB Firmware Upgrade Flow704
Enable the USB Firmware Upgrade Function by CLI Command705
Save the Firmware on the USB705
Plug the USB into the Device706
Firmware Version706
Check Firmware Status707
What Can Go Wrong708
How to Configure DHCP Option 60 - Vendor Class Identifier710
DHCP Option 60 Deployment Flow711
Setting up DHCP Option 60 on the Web GUI711
Setting up DHCP Option 60 on the CLI712
Test DHCP Option 60713
What Can Go Wrong713
How to Configure Device HA Pro714
Device HA Pro License715
Behavior of the Device HA Pro715
Device-HA Pro Setting Screen715
Suggestions717
How Do I Configure Device HA Pro in My Current Environment718
What Can Go Wrong722
How to Upgrade Firmware on HA Pro Synchronized Devices723
Firmware Upgrade Flow724
Running Firmware Version724
Running Firmware Partition724
Synchronization Status725
Upload the Firmware to the Active Device726
Test the Result727
How to Downgrade Firmware on HA Pro Synchronized Devices728
Firmware Downgrade Flow729
Configuration File Backup729
Switch Passive Device to Active Mode729
Ethernet Cable and Heartbeat Port Disconnection730
Firmware Downgrade on Device 1730
Backup Configuration Apply731
Connect All Ethernet Cables Back on Device 1732
Firmware Downgrade on Device 2732
Enable Device HA Pro on Device 2733
Test the Result733
Appendix. Edit the Configuration File734
How to Replace One Defect Device of HA Pro736
Scenario and Topology736
Before Redeploy the HA-Pro Environment737
After Received the New Device (Device 3)738
Configuration on Device 1739
Configuration on Device 3739
Verification741
How to Reboot the Active Device to the Standby Partition When Two Partitions Has Different Firmware Version743
Change Partition Flow744
Check Firmware Version on Active and Passive Devices744
Reboot Passive Device(Device 1) by Standby Partition745
Reboot Active Device(Device 1) by Standby Partition745
Make Sure Passive Device(Device 1) Sync Process Successfully746
Configuration Changed Scenario746
How to Restore Configuration File in Device HA Mode748
Configuration File Restore Flow749
Unplug All Active Device Network Link (Device 1), Let Network Service749
Runs on Passive Device749
Upload Configuration File to Active Device (Device 1)749
Apply Configuration File on Active Device (Device 1)750
Connect All Network Cables on Device 1751
Reset Passive Device to System Default751
Deploy Device HA751
Make Sure that Passive Device (Device 2) Sync Process Successfully752
How to Check HA Pro Synchronization Status753
Check the Sync Status on Web GUI753
Check the Sync Status on Console754
Check the Synchronization Status on Active Device754
Check the Synchronization Status on Passive Device755
Fail Cases757
Exception Case758
What Can Go Wrong759
How to Setup Two-Factor Authentication for Admin Login760
Setup SMTP Function on Your Device760
Create Admin Type User on Device761
Setup Two-Factor Authentication for Admin on Your Device762
Test the Result763
What Can Go Wrong765
How to Configure Email Security for Phishing Mail767
How It Works767
Set up Phishing on ATP768
Test the Result769
What Can Go Wrong769
How to Setup Email to SMS771
Setup SMTP Function on Your Device771
Setup Email to SMS Provider Configuration772
Create Admin Type User on Device773
Setup Two-Factor Authentication for Admin on Your Device773
Test the Result774
What Can Go Wrong776
How to Use IP Reputation to Detect Threats777
Activating Reputation Filter Service778
Enabling IP Blocking on ATP778
Selecting Specific Type of IP Addresses to Block779
Adding IP Addresses to White List and Black List779
Monitoring Statistics for IP Detection780
Test the Result780
What Can Go Wrong782

ZyXEL Communications ZyWall ATP series - CHAPTER 40 Diagnostics; 40.2 The Diagnostics Screens

Table of Contents

Other manuals for ZyXEL Communications ZyWall ATP series

Related product manuals