-
Why do we encounter the "NET::ERR_CERT_AUTHORITY_INVALID" message when accessing certain websites?
Background and Scenario: When we browse certain specific websites or a device's local Web-GUI, the browser may display a “NET::ERR_CERT_AUTHORITY_INVALID” message. To access the URL or IP address, we need to click 'continue' and then we can browse it. Answer: The root cause is related to the browser not trusting the…
-
How to set a range of IP addresses on ATP/USG FLEX interface?
Question: The ISP provided me a range of public IP addresses (10 public IP addresses). I would like to set these IP addresses on ATP/USG FLEX but ATP/USG FLEX only supports up to 4 virtual interfaces. How can I set 10 public IP addresses on ATP/USG FLEX in order to publish 10 servers to the Internet? Answer: You can use…
-
How to configure DHCP broadcast packets with unicast flag?
Scenario: My Internet Service Provider router does not accept DHCP broadcast packets with the broadcast flag, so the USG is unable to get an IP from the ISP router. How to set up DHCP broadcast packets with the unicast flag? Answer: The CLI command below changes the DHCP broadcast packets' flag from broadcast to unicast. Router(config) #…
-
How to check the strengthened ciphers used by USG FLEX/ATP
To check or adjust the ciphers that are used by USG FLEX/ATP, please create a console session with the device. Check the currently available cipher suites: Router# configure terminal Router(config)# show ip http server secure cipher-list Enable only stronger ciphers; this command will only activate strong cipher suites…
-
Why does Device Insight not display VPN clients?
The Device Insight feature gives the network administrator knowledge of the network, including wired, wireless, BYOD, and IoT devices. The administrator can also add a device to or remove it from the block list to reduce potential attacks. However, some users may be concerned about what kind of host would be shown on the Device Insight…
-
How to find the Firewall netstat table
Router# debug system netstat socket noresolve You can use this to find out whether there are abnormal connections from the Firewall.
-
Zyxel DHCP lease table design
You may find that the DHCP table still has data even after the lease time has expired. This is by design: the GUI will still display the entries unless you manually release the DHCP table. The next client will search for expired addresses in the table and obtain one.
-
How to prioritize BWM bandwidth to maximum?
Background and Scenario: The user might want to prioritize specific traffic in their environment for better efficiency. Answer: For example, the user wants to prioritize and maximize bandwidth for FTP-related traffic for LAN1 hosts. STEP1. Please navigate to Configuration > BWM > To add a BWM profile. STEP2. Choosing…
-
What is the difference between Virtual Server and 1:1 NAT?
Question: I would like to use the NAT feature to publish an internal server for external users. On the NAT Add/Edit page, there are Virtual Server and 1:1 NAT. Which one should I choose? What is the difference between Virtual Server and 1:1 NAT? Answer: Both Virtual Server and 1:1 NAT are able to publish internal servers to…
-
Implement Inbound Server Load Balance
Inbound Server Load Balance: For load balancing or redundancy purposes, some enterprises might have more than one ISP or Web Server to handle incoming service requests. This article will explain how to achieve the goal on Zyxel Firewall. Before You Begin: The Firewall uses an algorithm to respond to a DNS query with the IP address…
-
How to set a range of IP addresses on USG interface?
Scenario: My ISP provided me a range of public IP addresses (10 public IP addresses). I would like to set these IP addresses on USG, but USG only supports up to 4 virtual interfaces. How can I set that on USG? I would like to publish 10 servers to the Internet. Configuration: If ISP provided a range of IP addresses, you can…
-
What is the procedure to configure SBG3300 for WOL (Wake on LAN)?
Scenario: User A wants to use the WOL (Wake on LAN) feature to wake the Target PC from Port: 8080 at the SBG3300 WAN side. To meet this requirement, a NAT rule and a Static ARP entry for the target PC should be added on the SBG3300. What is the procedure to configure SBG3300 for this purpose? Step-by-Step: Step 1: Go to Network Setting > NAT > Port…
-
How to setup port forwarding to my internal RDP PC?
You can add a virtual server rule for your requirement: (1) Original IP: The IP address your ISP provided. (2) Mapped IP: The IP address of your server. (3) Original port: The port number which you would like to connect to from outside. (4) Mapped port: The port number on which your server is servicing. And make sure your…
-
How to Allow Public Access to a Server Behind ZyWALL/USG?
SCENARIO DESCRIPTION: This is an example of using ZyWALL/USG to configure secure access to an internal server behind ZyWALL/USG with network address translation (NAT). Internet users can reach this server directly by its public IP address, and a NAT mapping rule will forward the traffic from the Internet to the…
-
Why does the USG trunk profile not work as expected, with the traffic always going to the wrong interface?
Please check whether the policy route rule's trunk profile status is dead or alive. The status depends on the interface “Connectivity Check”. If you set up an improper host to perform the connectivity check, the status is always dead, which is why the traffic always goes to WAN 2. Try to choose a suitable “connectivity check” host and try it…
-
Why is it that the SIP voice does not pass through the SIP server?
Question: I have a SIP server at the LAN site with three SIP phones, Phone#A and Phone#B in the LAN site, and Phone#C at the external site. The connection between Phone#A and Phone#B works fine. The connection between the internal Phone and Phone#C fails. What is the cause of this problem? Answer: This is because, currently,…
-
How can the inbound destination NAT be used to hide the server’s real IP via a VPN tunnel?
A customer requires that the server’s real IP is hidden when using site-to-site VPN. This can be done by using an inbound destination NAT to hide the server’s real IP when VPN is established. The inbound DNAT works as a virtual server. It can redirect the VPN traffic to the internal server. Steps: VPN connections: Policy…
-
When creating 1:1 NAT rules for local hosts, these local hosts become unreachable through VPN IPSec.
The virtual server function is a "port forwarding" function. The 1:1 NAT function is "forwarding all traffic" to the local server. When using "1:1 NAT", the traffic can't pass through to the tunnel because all traffic passes through the WAN interface. In "packet flow explore", the priority of 1-1 SNAT is higher than site to…
-
WRR mechanism
WRR uses "session" for weighting, not traffic loading. If WRR is configured with WAN 1 weight 3 and WAN 2 weight 1, it doesn't mean that there should be 3 times as much traffic loading coming in from WAN 1 compared to WAN 2. The value of session weight may not be equal to that of the traffic load. One session may consume more…
-
The procedure to direct specific traffic through a specific WAN interface
SCENARIO DESCRIPTION: On the USG, what is the procedure to configure WAN 1 for all traffic except VPN traffic, and WAN 2 for VPN traffic without failover? SETUP/STEP BY STEP PROCEDURE: 1. Create a VPN gateway and VPN connection based on WAN 2. 2. Ensure that both WAN 1 and WAN 2 are in the WAN trunk. 3. Add rule 1 and rule 2…