Chapter 3 Protecting Your Network
ZyWALL USG 20-2000 User’s Guide
54
3.1.1 What Can Go Wrong
• The ZyWALL checks the firewall rules in order and applies the first firewall rule the traffic
matches. If traffic is unexpectedly blocked or allowed, make sure the firewall rule you want to
apply to the traffic comes before any other rules that the traffic would also match.
• Even if you have configured the firewall to allow access for a management service such as HTTP,
you must also enable the service in the service control rules.
• The ZyWALL is not applying your firewall rules for certain interfaces. The ZyWALL only apply’s a
zone’s rules to the interfaces that belong to the zone. Make sure you assign the interfaces to the
appropriate zones. When you create an interface, there is no security applied on it until you
assign it to a zone.
3.2 User-aware Access Control
You can configure many policies and security settings for specific users or groups of users. Users
can be authenticated locally by the ZyWALL or by an external (AD, RADIUS, or LDAP)
authentication server. Here is how to have the ZyWALL use a RADIUS server to authenticate users
before giving them access.
1
Set up user accounts in the RADIUS server.
2
Set up user accounts and groups on the ZyWALL (
Configuration > Object > User/Group
).
3
Configure an object for the RADIUS server. Click
Configuration > Object > AAA Server >
RADIUS
and double-click the
radius
entry.
4
Then, set up the authentication method, Click
Configuration > Object > Auth. Method
. Double-
click the
default
entry. Click the
Add
icon.
5
Configure the ZyWALL’s security settings. The ZyWALL can use the authentication method in
authenticating wireless clients, HTTP and HTTPS clients, IPSec gateways (extended authentication),
L2TP VPN, and authentication policy.
3.2.1 What Can Go Wrong
• The ZyWALL always authenticates the default
admin
account locally, regardless of the
authentication method setting. You cannot have the RADIUS server authenticate the ZyWALL‘s
default admin account.
• The authentication attempt will always fail if the ZyWALL tries to use the local database to
authenticate an
ext-user
. An external server such as AD, LDAP or RADIUS must authenticate the
ext-user accounts.
• Attempts to add the admin users to a user group with access users will fail. You cannot put
access users and admin users in the same user group.
• Attempts to add the default admin account to a user group will fail. You cannot put the default
admin
account into any user group.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
