-
Is it possible to configure and advertise a default route through OSPF?
Question: Is it possible to configure and advertise default route through OSPF (not only static routes)? Answer: "Advertise default route through OSPF" is not supported on ATP/USG FLEX series.
-
USG FLEX H Series - Routing Enhancements
With the release of firmware version 1.20, the USG FLEX H Series introduces several significant enhancements to routing capabilities, particularly focusing on routing auto-disable and auto-recovery features. These enhancements aim to improve network reliability and ensure seamless…
-
How to use a dedicated WAN interface to access a specific IP address by Policy Route?
Scenario: If a user has dual WAN settings with TRUNK, when the LAN client tries to access a specific IP address but fails due to not trusting one of the WAN IP addresses from the firewall, how can this be resolved? For example, the ATP500 has dual WAN (ge2 IP 10.214.48.42 for WAN1 and ge3 IP 10.214.48.52 for WAN2), and…
-
How to prioritize BWM bandwidth to maximum?
Background and Scenario: The user might want to prioritize specific traffic in their environment for better efficiency. Answer: For example, the user wants to prioritize and maximize bandwidth for FTP-related traffic for LAN1 hosts. STEP1. Navigate to Configuration > BWM to add a BWM profile. STEP2. Choosing…
-
[ATP/FLEX] How to add static route via device DHCP option
This article provides a configuration guide on how to set DHCP option 33 on Nebula. Assume we would like to add a static route to the client OS routing table instead of adding it on the gateway; we can add DHCP option 33 for clients. This example illustrates how to configure the DHCP option for static routing on the client. Configurations…
-
How to access device WebGUI remotely via L2TP VPN tunnel
(1) Create a VPN gateway for L2TP (2) Create a VPN connection for L2TP (3) Set up the L2TP VPN setting (4) Create a policy route for Intranet/Internet routing. Since the client has already built the L2TP VPN tunnel, all traffic will pass into the VPN tunnel. So you can access the device WebGUI via any activated interface IP address. You can check…
-
How to forward traffic to branch site server after client established VPN tunnel
Scenario: Site#A and Site#B have established a site-to-site VPN tunnel. How to forward traffic to Site#B after the client has connected a VPN tunnel to Site#A? The VPN client can be L2TP/SSL VPN/IPSec VPN. The client will get an IP address assigned by the Site#A router. In this scenario, the VPN client got IP 10.10.10.1 after establishing L2TP…
-
GRE over IPSec VPN Tunnel – VPN Failover
Application scenario: We want to use VPN tunnels to transfer important files between the branch office and HQ. To prevent the network from getting disconnected, we configure four WAN interfaces for redundancy. Now, we want to establish two VPN tunnels between the two USGs to perform failover, to ensure that the transfer…
-
How to Configure Route-based IPsec VPN to Azure (VTI over IKEv2/IPSec)
Azure Multi-Site connection: This type of connection is a variation of the Site-to-Site connection. You create more than one VPN connection from your virtual network gateway, typically connecting to multiple on-premises sites. When working with multiple connections, you must use a Route-based VPN type (known as a dynamic…
-
How do I allow SecuExtender clients to access servers in the remote site/company through VPN tunnel?
Topology: (lan: 192.168.1.0/24) USG60 ------ IPSec VPN ------ USG210 (lan: 192.168.11.0/24) ---- PC (192.168.11.33). The SSL VPN client is connected to USG60. The SSL VPN pool is 192.168.99.0/24. A site-to-site VPN tunnel is established between USG60 and USG210. On USG60: Create a policy route. Source: SSL VPN pool. In this example, SSL VPN…
-
How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator
This is an example of using Dual-WAN to perform fail-over on a hub-and-spoke VPN with the HQ ZyWALL/USG as the hub and spoke VPNs to Branches A and B. When the VPN tunnel is configured, traffic passes between branches via the hub (HQ). Traffic can also pass between spoke-and-spoke through the hub. If the primary WAN…
-
Does IKEv2 support split tunnel?
QUESTION: In my scenario, the clients establish an IKEv2 VPN tunnel to the device to reach internal servers. But at the same time, all of the client's traffic will pass through the VPN tunnel. How to separate the client's Internet traffic from the VPN tunnel? (Internet traffic will not pass through the VPN tunnel.) ANSWER: In the current design,…
-
How can I configure IPSec site-to-site VPN by using VTI on the USG?
SCENARIO DESCRIPTION: This example shows how to configure an IPSec site-to-site VPN using VTI. The following instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely. Note: All network IP addresses and subnet masks are examples. Please replace them…
-
Why does the USG trunk profile not work as expected, with traffic always going to the wrong interface?
Please check whether the trunk profile status in the policy route rule is dead or alive. The status depends on the interface "Connectivity Check". If you set up an improper host to perform the connectivity check, it is always in dead status; that is why the traffic always goes to WAN 2. Try to set a suitable one as the "connectivity check" host and try it…
-
Why is it that the SIP voice does not pass through the SIP server?
Question: I have a SIP server at the LAN site with three SIP phones, Phone#A and Phone#B in the LAN site, and Phone#C at the external site. The connection between Phone#A and Phone#B works fine. The connection between the internal phone and Phone#C fails. What is the cause of this problem? Answer: This is because, currently,…
-
How can I use a policy route to control site-to-site IPsec VPN traffic?
A user has already established a VPN tunnel and wants to use a policy route to allow traffic from LAN 2 to be transmitted to the VPN tunnel. Scenario: Steps: The traffic can be transmitted between 192.168.99.0/24 and 192.168.100.0/24. Add a rule to forward USG2’s LAN2 (192.168.101.0/24) traffic to the VPN tunnel. In the…
-
When creating 1:1 NAT rules for local hosts, these local hosts become unreachable through VPN IPSec.
The virtual server function is a "port forwarding" function. The 1:1 NAT function is "forwarding all traffic" to the local server. When using "1:1 NAT", the traffic can't pass through to the tunnel because all traffic passes through the WAN interface. In "packet flow explore", the priority of 1-1 SNAT is higher than site to…
-
WRR mechanism
WRR uses "session" for weighting, not traffic loading. If WRR is configured with WAN 1 weight 3 and WAN 2 weight 1, it doesn't mean that there should be 3 times the traffic load coming in from WAN 1 compared to WAN 2. The value of session weight may not be equal to that of the traffic load. One session may consume more…
-
The procedure to direct specific traffic through a specific WAN interface
SCENARIO DESCRIPTION: On the USG, what is the procedure to configure WAN 1 for all traffic except VPN traffic, and WAN 2 for VPN traffic without failover? SETUP/STEP BY STEP PROCEDURE: 1. Create a VPN gateway and VPN connection based on WAN 2. 2. Ensure that both WAN 1 and WAN 2 are in the WAN trunk. 3. Add rule 1 and rule 2…