The USG40 is a very capable VPN router, but its main selling point is network security. The USG40's firewall allows you to control traffic based on source and destination zone, source and destination IP addresses, services, users, and schedules. There are 106 pre-defined services and you can add more.
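To make the matching dimensions listed above concrete, here is an added example (not ZyXEL's code or configuration) of a first-match rule evaluator that keys on source and destination zone, IP network, service object, user and a recurring schedule; the zone map, service table and sample policy are constructed stand-ins, and the schedule logic handles the after-hours window that wraps past midnight.

```python
import ipaddress
from datetime import datetime

# Constructed interface-to-zone map and service objects (stand-ins, not the USG40's own tables).
ZONES = {"lan1": "LAN1", "wan1": "WAN", "dmz": "DMZ"}
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "SSH": ("tcp", 22)}

def in_schedule(sched, when):
    """sched is None (always) or (start 'HH:MM', end 'HH:MM', weekdays with Mon=0). A window
    whose end precedes its start (18:00-06:00) wraps midnight; the early-morning part counts
    toward the weekday on which the window began."""
    if sched is None:
        return True
    start, end, days = sched
    hhmm = when.strftime("%H:%M")
    if start <= end:
        return when.weekday() in days and start <= hhmm < end
    if hhmm >= start:
        return when.weekday() in days
    return hhmm < end and (when.weekday() - 1) % 7 in days

def rule_matches(rule, pkt, when):
    """A field missing from the rule means 'any'; pkt carries in/out interface, IPs, service, user."""
    if rule.get("from") not in (None, ZONES[pkt["in_if"]]):
        return False
    if rule.get("to") not in (None, ZONES[pkt["out_if"]]):
        return False
    for key in ("src", "dst"):
        if rule.get(key) and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    if rule.get("service") and SERVICES[rule["service"]] != (pkt["proto"], pkt["dport"]):
        return False
    if rule.get("user") not in (None, pkt.get("user")):
        return False
    return in_schedule(rule.get("schedule"), when)

def evaluate(policy, pkt, when_iso, default="deny"):
    """First matching rule wins; when_iso is an ISO timestamp such as '2015-03-04T10:00:00'."""
    when = datetime.fromisoformat(when_iso)
    for rule in policy:
        if rule_matches(rule, pkt, when):
            return rule["action"]
    return default

# Constructed policy: SSH out of LAN1 always denied; alice may use HTTPS in office hours;
# anything else from LAN1 to the Internet only after hours on weeknights.
WEEKDAYS = {0, 1, 2, 3, 4}
POLICY = [
    {"from": "LAN1", "to": "WAN", "service": "SSH", "action": "deny"},
    {"from": "LAN1", "to": "WAN", "src": "192.168.1.0/24", "service": "HTTPS", "user": "alice",
     "schedule": ("09:00", "18:00", WEEKDAYS), "action": "allow"},
    {"from": "LAN1", "to": "WAN", "src": "192.168.1.0/24",
     "schedule": ("18:00", "06:00", WEEKDAYS), "action": "allow"},
]
```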
Traffic can also be controlled on the USG40 using security features that include Anomaly Detection and Prevention (ADP), Application Patrol, Content Filtering, Intrusion Detection and Prevention (IDP), Anti-Virus and Anti-Spam.
Anomaly protection, when enabled, will look for scans or flooding events, as well as incorrect TCP, UDP, and ICMP sequences.
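The three anomaly classes named above, as an added illustration (not the USG40's detection engine): a sliding-window detector run over constructed packet records that flags a source probing many ports on one host, a burst of SYNs at one destination, and an ACK arriving on a flow that never began with a SYN. Thresholds and the record format are assumptions.

```python
from collections import defaultdict

# Constructed sample packet records, not a real capture: (time_s, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_PACKETS = (
    [(0.0, "10.0.0.5", "192.0.2.10", 80, "S"), (0.1, "10.0.0.5", "192.0.2.10", 80, "A")]  # normal
    + [(0.2 + i * 0.01, "10.0.0.9", "192.0.2.10", 1000 + i, "S") for i in range(25)]      # 25 ports probed
    + [(1.0 + i * 0.001, "10.0.0.7", "192.0.2.20", 443, "S") for i in range(120)]         # 120 SYNs in 0.12 s
    + [(2.0, "10.0.0.11", "192.0.2.30", 22, "A")]                                          # ACK with no SYN
)

def _in_window(events, now, window):
    """Keep only (timestamp, payload) events no older than `window` seconds."""
    return [e for e in events if now - e[0] <= window]

def detect_anomalies(packets, window=1.0, scan_ports=20, flood_syns=100):
    """Return a sorted list of (kind, src, dst) alerts: 'port-scan' when one source hits
    scan_ports distinct ports on one host within the window, 'syn-flood' when one destination
    receives flood_syns SYNs within the window, 'tcp-sequence' for an ACK on an unopened flow."""
    alerts = set()
    probes = defaultdict(list)    # (src, dst) -> [(t, dport)] of recent SYNs
    syns = defaultdict(list)      # dst -> [(t, src)] of recent SYNs
    opened = set()                # (src, dst, dport) flows that started with a SYN
    for t, src, dst, dport, flags in sorted(packets):
        flow = (src, dst, dport)
        if flags == "S":
            opened.add(flow)
            probes[(src, dst)] = _in_window(probes[(src, dst)], t, window) + [(t, dport)]
            if len({p for _, p in probes[(src, dst)]}) >= scan_ports:
                alerts.add(("port-scan", src, dst))
            syns[dst] = _in_window(syns[dst], t, window) + [(t, src)]
            if len(syns[dst]) >= flood_syns:
                alerts.add(("syn-flood", "*", dst))
        elif "A" in flags and flow not in opened:
            alerts.add(("tcp-sequence", src, dst))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_PACKETS):
        print(alert)
```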
The USG40's Application Control feature can filter or throttle traffic to and from over 3,000 social, gaming, productivity and other web applications. ZyXEL states that with this application control feature, bandwidth consumed by unproductive applications can be controlled.
As with other functionality on the USG40, application control is object based. ZyXEL has defined 20 application categories, such as Social Networking, Instant Messaging, Games, P2P, Business, etc. Within each category, there are dozens of specific applications that you can select.
In my test, I created an Application object, shown below, to match all of ZyXEL's 103 defined Social Network applications. I then created an App Patrol profile to reject all traffic matched by the Application object. Finally, I applied the App Patrol profile as a security policy to the USG40's main outgoing security policy, which controls outgoing traffic from the LAN1 interface.
App Control Object
Validation of application control functionality on the USG40 was clear. Prior to applying these configurations, I could surf Facebook. Once the configurations were applied and I attempted to surf to Facebook, my browser showed "This webpage is not available" (Chrome) and "This page can't be displayed" (IE). Once the configurations were removed, I was again able to surf Facebook.
Content filtering on the USG40 can be controlled by security threat type, including anonymizers, botnets, compromised, malware, network errors, parked domains, phishing and fraud, and spam sites. Content filtering can also be applied by category. There are 56 pre-defined website categories. ZyXEL claims they have over 140 billion URLs in their cloud-based database. Finally, content filtering can be applied by creating lists of trusted websites, forbidden websites, and blocked URL keywords.
The content filter configuration has a useful tool to input a website and see what category it matches. I used the tool to determine that SmallNetBuilder.com is in the Computers & Technology category. I then created and applied a profile to block Computers & Technology websites. With my profile in place, I got the below message when surfing to smallnetbuilder.com. This message can be customized, or you can redirect users to a specific URL.
Intrusion Detection and Prevention (IDP)
IDP performs packet inspection by looking for specific data "signatures" indicative of malicious data. The USG40 has several base profiles (none, all, wan, lan, dmz) for applying IDP protection. These profiles define which service signatures will trigger an action (alert, log, drop, no action), plus you can create custom signature rules. Each profile is a set of packet inspection signatures. You create different profiles using one or more of the base profiles, then apply the profile(s) to a firewall policy.
In the screenshot below, you can see icons for UTM profiles I've applied to the default firewall rule that filters traffic involving the LAN interfaces.
Anti-Virus and Anti-Spam
Anti-virus signature files come from Kaspersky's anti-virus signature engine. The USG40 scans traffic on the common ports for SMTP, POP3, IMAP4, HTTP and FTP and compares it against its database of anti-virus signatures. Gateway anti-virus solutions, such as this solution on the USG40, provide a nice complement to software-based anti-virus solutions, especially if end users bring their own devices (BYOD) and it isn't known what type of anti-virus software they're using.
Anti-spam filtering uses ZyXEL's cloud-based IP reputation system for identifying domains and IP addresses that are sources of spam. Spam scanning options include checking the IP reputation of email domains, comparing domains to white lists and/or black lists, checking mail content, checking for a virus outbreak, and checking DNS black lists (lists of IP addresses known for sending or forwarding spam).
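How the white list, black list and DNS black list checks fit together, as an added example (not ZyXEL's implementation): the sender's IP is tested against local lists first, then looked up in each DNSBL zone by reversing its octets under the zone name; a listing is signalled by an A record in 127.0.0.0/8, and any other answer (such as a wildcard from a dead zone) is deliberately not treated as a listing. The zone name and stub resolver are constructed so the code runs offline.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """Reverse the four octets and append the list's zone: 192.0.2.17 -> 17.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."

def dnsbl_listed(ip, zone, resolve):
    """Return the 127.0.0.x answer code if `ip` is listed in `zone`, else None.
    resolve(name) returns the A-record strings for name, or [] for NXDOMAIN.
    Listing answers live in 127.0.0.0/8; anything else is treated as 'not listed'
    so a misbehaving or expired zone cannot cause all mail to be rejected."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            return answer
    return None

# Constructed stub zone standing in for a real DNS black list (no network access needed).
STUB_ZONE = {
    "17.2.0.192.dnsbl.example.": ["127.0.0.2"],    # listed
    "99.2.0.192.dnsbl.example.": ["203.0.113.1"],  # bogus non-127 answer: ignored
}

def stub_resolve(name):
    return STUB_ZONE.get(name, [])

def classify_sender(ip, whitelist, blacklist, zones, resolve=stub_resolve):
    """Local white list first, then local black list, then each DNS black list in turn."""
    if ip in whitelist:
        return "allow:whitelist"
    if ip in blacklist:
        return "reject:blacklist"
    for zone in zones:
        code = dnsbl_listed(ip, zone, resolve)
        if code is not None:
            return "reject:%s (%s)" % (zone, code)
    return "allow:unlisted"
```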
There are many reporting options on the USG40. The Monitor menu has statistics screens for port, interface, traffic, session, IGMP, DDNS, IP/MAC, user, cellular, and UPnP statistics. UTM statistics can be collected for application control, content filtering, IDP, anti-virus and anti-spam.
The USG40 can be configured to email a daily report showing CPU usage, memory usage, session and port usage, a threat report, and interface traffic statistics. Email alerts to two addresses are also supported. Below is a snippet of the daily report showing port usage on the WAN interface.