Basic Configuration of Zyxel Firewall - Objects, Zones, NAT, VPN and more! (USG / FLEX / ATP)

This guide will explain the concept of Objects, Zones, Groups, interfaces, NAT, Firewall, and Routing.

 

Objects

It is important to understand how our firewalls work; at the core of the configuration are objects.

When you understand how the objects work, it makes it easy and efficient to manage our devices.

 

For example, when configuring NAT, it makes it convenient that you can use objects, so you won't have to specify an IP address multiple times, but rather you can reuse the object, which you only have to create once. In this scenario, we are going to create an address object for a host which will be used in NAT.

Let's navigate to:

Configuration > Object > Address > Add

When you have specified the host as an object, you can then use it when creating a NAT rule, instead of having to specify the IP manually, then when you need to allow traffic from the firewall to that specific host, you can reuse the object again. For more information on creating NAT, see below:

NAT-Rule-Configuration on a USG (Port Forwarding)

 

Zones

For easier management zones can become in handy. For example, a VLAN and a LAN can communicate with each other, if they are in the same zone, this eliminates the process for granting access separately.

This works backward as well, if you wish to separate the access of a LAN and VLAN, this can also be done.

Zones can be configured by navigating to:

Configuration > Object > Zone

Zones can be used as grouping, which can be utilized in firewall rules, security policies, and interfaces.

To summarize; Manage interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones or even between interfaces and/or VPN tunnels in a zone

For more information regarding the example on separating VLAN and zones see below:

Separate VLANs on a ZyWALL/USG

 

Groups

Similar to zones, we can use groups to bundle together either users, addresses, hosts, or objects overall.

The best example would be the service group "Default allow WAN to Zywall", where we can configure which services are allowed to reach from WAN to the Zywall. 

Let's navigate to:

Configuration > Object > Service > Service Group

Select the appropriate group and click edit, desired changes can be made here to remove for example SSH or HTTPS access from WAN.

As mentioned, it is also possible to group users, addresses and schedules. 

For more information on groups, see the article below for service groups:

Zywall / USG - WAN Ping

 

Interfaces

This section can be used to configure port roles, VLANs, making core changes to the network by changing for example the LAN address and DHCP-related settings.

For example, changing a subnet can be done by going into the following path:

Configuration > Network > Interface > Ethernet

Select the appropriate LAN / WAN and click edit, do desired changes, and click apply.

For more information regarding this topic, please see the VLAN guide below:

How to configure VLAN on USG device

 

NAT

Network address translation (NAT), also sometimes referred to as port forwarding. This is used if you for example have a server, and want to grant access to it from the internet.

Configuring NAT can be done here:

Configuration > Network > NAT

For in detail instructions please see below more;

Virtual Server vs. 1:1 NAT

NAT-Rule-Configuration on a USG (Port Forwarding)

 

Firewall

This section is used to control the actual firewall of the device, also referred to as Security Policy - Policy Control in our devices. The security policy can be found with the following path:

Configuration > Security Policy > Policy Control

 In this section you can create, delete and modify firewall rules, please see below for more information:

Adding a simple firewall rule/security policy on your ATP/USG FLEX/USG/ZyWall-Gateway

 

Routing

In this section, you can create static routes, policy routes, and more for routing the actual traffic in your network. To access this section, navigate to:

Configuration > Network > Routing

Depending on the criteria the routes can be configured to route specific traffic, for more, please see here: Policy Routes ( USG/VPN/ATP) - Different scenario usages & configurations

 

VPN

With the Zyxel firewall, you have the option to create different types of VPNs, for example, SSL VPN, L2TP over IPsec, or for example site-to-site VPN. You can choose to create the VPN by our built-in wizard or by hand. To access this section, navigate to:

Configuration > VPN

For a guide on how to create L2TP over IPsec for remote access using the wizard, please see below:

How to use the VPN Setup Wizard to create a L2TP VPN on the ZyWALL/USG

 

Articles in this section

Was this article helpful?
5 out of 10 found this helpful
Share