1. Introduction

In an enterprise network, there are various types of traffic. But most of the company’s Internet bandwidth is limited. All traffic will contend for it and may result in some important traffic, such as traffic getting slow or even starved. Therefore, intelligent bandwidth management for improved productivity becomes a matter of high concern for network administrators. To protect our network security, I am now using a Zywall USG 300 Firewall because its price is good and its performance is acceptable. I summarize its configuration in this document for your reference.

A ZyWALL USG provides Bandwidth Management (BWM) function to effectively manage bandwidth according to different flexible criteria. During their daily productive work for the company, working crew needs to surf the Internet to search for information to conduct their jobs. Browsing websites that are irrelevant to work is a waste of human resources as well as a waste of company network resources. There are also some unsafe websites which may contain phishing or malicious programs. These unsafe websites should also be avoided. So the network administrator needs to make policies to prevent these undesirable types of browsing.

firewall-p1

  1. Application scenario

During office hours, the employees should dedicate their time to their jobs and be restricted from browsing websites irrelevant to their work. But the manager should be able to access all websites without restriction at all times with the exception of unsafe websites. At other times outside of office hours, the restrictions for employees can be removed. The employees may access all websites except ones that pose a security threat (unsafe).

  1. Goals to achieve:

1) The manager can access all websites at any time except security threats (unsafe).

2) During office hours, other employees should be restricted from accessing websites that are irrelevant to their work.

3) All employees may access any websites outside of office hours except sites that pose a security threat (unsafe). USG configuration

  1. Setup Instruction

Step 1: Click Configuration > Object > Address to add an address object for the manager’s IP.

firewall-p2

Step 2: Click Configuration > Object > Schedule to add a Recurring schedule for office hours.

firewall-p3

Step 3: Click Configuration > Anti-X > Content filter > Filter Profile to add a filtering profile.

firewall-p4

Step 4: Choose your licensed content filtering service and start its setup.

firewall-p5

firewall-p6 firewall-p7 firewall-p8

Step 5: Add a profile which allows users to visit all websites.

Enable Content Filter Category Service.

Set action for Security threat (Unsafe) to “Warn” and check “Log”.

Set action for Managed Web Pages  to “Pass” and check “Log”.

Set action for Unrated Web Pages to “Warn” and check “Log”.

Set action When Category Server is Unavailable to “Warn” and check “Log”

firewall-p9

Step 6: Add a profile for employees to surf only allowed websites.

Enable Content Filter Category Service

Set action for Security threat (Unsafe) to “Warn” and check “Log”.

Set action for Managed Web Pages  to “Block” and check “Log”.

Set action for Unrated Web Pages to “Warn” and check “Log”.

Set action When Category Server is Unavailable to “Warn” and check “Log”

firewall-p10

Step 7: Switch to Configuration > Anti-X > Content filter > General to Enable Content Filter. You can edit the Denied Access Message and Redirect URL if access blocked.

firewall-p11

Step 8: Add an access policy for all the staff outside of office hours.

Schedule: none.

Address: L87

Filter Profile: IP1-87

firewall-p12

Check the created policies. The USG will check them one by one, and when the manager tries to access a website, he will trigger the first policy.

 

Reference: http://wenku.baidu.com/view/9b00272bed630b1c59eeb5f4.html
Reference: ftp://ftp.zyxel.com/ZyWALL_USG_300/user_guide/ZyWALL%20USG%20300_2.20_ed2.pdf