-
Why traffic did not blocked with IP/MAC Binding enabled?
Question: Why is it that a device not listed in the IP/MAC binding is still able to receive an IP and access the network?Answer: The IP/MAC Binding feature works as follows: - A client will be blocked if it uses a static IP address listed in the binding table but its MAC address is not listed. - A client will also be…
-
How to troubleshoot DHCP issue on ATP/FLEX series?
Question: Why the clients can't obtain IP address from DHCP Answer: 1)Please log in Firewall by SSH. 2)Check the dhcpd process is running. (You can verify the ethX mapping by CLI "Router> debug system ip addr") 3)Check the bootp process is well through packet-trace. Firewall 192.168.2.1 reply DHCP request in following…
-
Why is the last access time of the DHCP table the same?
Question: Why is the last access time of the DHCP table the same? As shown below, the Last Access time was 2025-02-07 09:32:11. Answer: The firewall checks the Last Access time of the DHCP client every 300 seconds. Once this procedure is completed, it generates the Last Access time records in the DHCP table. This is why…
-
What is the meaning of the Check Period value for the WAN Connectivity Check?
Question: What is the meaning of the Check Period value for the WAN Connectivity Check? Answer: It represents the time, in seconds, between each connectivity check performed by the firewall. For instance, the USG Flex 100 will perform the WAN connectivity check every 30 seconds. This means there will be ping checks…
-
What is the meaning of the Check Timeout value for the WAN Connectivity Check?
Question: What is the meaning of the Check Timeout value for the WAN Connectivity Check? Answer: It represents the time, in seconds, that the firewall will wait to determine whether the connectivity check is successful. If the connectivity check fails, the user should investigate why the WAN connectivity is not functioning…
-
When WAN1 comes back online, why does the traffic continue to stay on WAN2?
Question: I have setup WAN1 as Active mode and WAN2 as Passive mode in trunk setting. But why the traffic still keep on WAN2 interface even the WAN1 interface has faillback completely? Answer: If you would like to disconnect all of the exist sessions from WAN2 when WAN1 interface has fallback completely, then you can…
-
Why is the DHCP option not working?
Question: The user has configured the DHCP option with option code 132, but the DHCP option is not working. Why is the DHCP option not functioning? Answer: The possible reason is that when the client initiates the DHCP Discover, it doesn't include DHCP option 132. Please ensure that the DHCP Discover message includes DHCP…
-
Why is the firewall blocking broadcast traffic from LAN?
Question: How can I unlock broadcast traffic? Why is the firewall blocking broadcast traffic from LAN Answer: The firewall blocking broadcast traffic from LAN may be due to security policy settings, you can modify the firewall rules. Steps to Allow Broadcast Traffic: * Log in to your ZyWALL firewall management interface. *…
-
Why can't the SFP LAN interface assign a DHCP IP normally?
Question: The user may face an issue where the SFP interface is set as an internal LAN zone port, but it fails to assign a DHCP IP to the host client. What could be the possible reason, and how can this problem be resolved? Answer: The possible reason why the SFP interface fails to assign a DHCP IP to the host client is…
-
A Complete Configuration Guide to IP/MAC Binding
Introduction IP/MAC binding is a powerful tool in network security, allowing only authorised devices to access the network. This feature, configurable through a firewall, provides network administrators with better control and visibility over connected devices, helping to safeguard the network from unauthorised access.…
-
Is it possible to configure and advertise a default route through OSPF?
Question: Is it possible to configure and advertise default route through OSPF (not only static routes)? Answer: "Advertise default route through OSPF" is not supported on ATP/USG FLEX series.
-
How can I configure DHCP option 242 on my firewall?
I have IP phones requires to get SIP information from remote HTTP server, so it requires to get HTTP server information by DHCP option 242. How can I setup it in DHCP Extended Options? (1) Navigate to the DHCP server configuration section. (2) Create an extended option with the following details: - Code: 242 - Type: TEXT -…
-
How to use the Geo-IP feature?
Background In today's increasingly interconnected world, ensuring network security is paramount. One effective method is to block internet traffic from specific geographic locations known for high levels of malicious activity. Zyxel’s Geo-IP feature, introduced from firmware version 4.20, allows administrators to restrict…
-
What's TCP Flag detect ?
By default, ZyWALL will check the following invalid TCP Flags and drop the packets: -FIN,SYN,RST,PSH,ACK,URG are set at the same time -FIN,SYN are set at the same time -SYN,RST are set at the same time -FIN,RST are set at the same time -ONLY FIN is set. -ONLY PSH is set -ONLY URG is set
-
Why can't my device on vlan interface with its own zone ping gateway IP?
Question: I create a vlan interface with base port lan2 and assign it to a customized zone as follows. Why can't my device on this vlan interface ping gateway IP? Answer: If you have configured a device on VLAN interface with lan2 as the base port with its own zone but the device cannot ping or connect to gateway IPs, it…
-
Is it possible to restrict Remote Access VPN by single user
Question: Can I restrict access to a single user for a Remote Access VPN on Nebula? Answer: Currently, it is not possible to restrict access by single user. You can only implement security policies using External User Groups. This configuration cannot be applied to individual users directly. To implement this security…
-
How to check the vlan interface status via the CLI on ATP and USG Flex models?
Question : The user may need to use CLI commands to check vlan interface information for troubleshooting or maintenance purposes. This article will guide you on how to execute it. Answer : The user can use the CLI command "show interface all" to list the current firewall's interfaces first, as shown below: If the user…
-
How to check the firewall's DNS cache via the CLI?
Question: The user may wish to check the firewall's DNS cache via the CLI for troubleshooting purposes. This FAQ article will guide you on this. Answer : Please issue the CLI command "show ip dns server cache" to check it, as shown below:
-
How to Resolve HA Pro Sync Issue on ATP/USG FLEX?
Question: Why is the HA Pro synchronization failing on ATP/USG FLEX? Answer: Synchronization issues between active and passive devices in HA Pro setups can often be resolved by checking configuration settings. Please follow the steps below: * Make sure the passive device is reset to its default configuration. * Disable any…
-
Why can't I execute the FTP transmission successfully? How to avoid this?
Scenario : The customer may encounter a situation where they cannot execute the FTP transmission successfully. What are the possible causes and how can they avoid it? Answer : The possible reason is caused by "ICMP Unreachable", as shown in below : The user can issue CLI commands to disable icmp-destroy-session to avoid…