-
How to use CLIs to filter ICMP protocol from logging entries?
Scenario: The user usually relies on Monitor > Log to check historical log messages when troubleshooting a network issue. Besides Monitor > Log, the user can also use the CLI command "show logging entries" to dump recent historical logs. This article will guide you on how to filter the ICMP protocol from this CLI. Answer : The…
-
How to use a dedicated WAN interface to access a specific IP address by Policy Route?
Scenario : If a user has dual WAN settings with TRUNK, when the LAN client tries to access a specific IP address but fails due to not trusting one of the WAN IP addresses from the firewall, how can this be resolved? For example, the ATP500 has dual WAN (ge2 IP 10.214.48.42 for WAN1 and ge3 IP 10.214.48.52 for WAN2), and…
-
Why does pinging 8.8.8.8 continuously succeed but only one log can be observed?
Scenario : Why does pinging 8.8.8.8 continuously succeed, but only one log entry can be observed, and not all ping session entries are shown? Answer : The security policy log is generated on a session-based basis. This means that a log is generated once a session is detected by the security policy. Only when the session…
-
Why can't the security policy block clients in the same LAN subnet?
Scenario : The user may create a security policy to block clients within the same LAN subnet (or LAN interface groups such as ge4 and ge5 that belong to the same LAN group), but find that it does not work. Answer : This is by design. For example, if the user designates ge4 and ge5 as part of the same LAN…
-
Captive portal does not work as expected if you use reCAPTCHA
Scenario: You add a reCAPTCHA element to your external captive portal. Issue: The portal does not work as expected. Reason: reCAPTCHA must be loaded from an external site, so the request is blocked before the user passes authentication. Workaround: Find the external site that reCAPTCHA uses and add it to the Walled Garden.
-
Why can't I receive DNS responses from the Firewall?
Question: I have created an address record on the firewall such as "host.domain.com, IP address=x.x.x.x". However, I can't receive any response from the Firewall when I query yahoo.com. Answer: This is a limitation of the current ZLD design. For example, host is part of the hostname, and domain.com is part of the domain name.…
-
Why can't I remove the default interface?
Question: Why can't I remove the default interface? Answer: For on-premises mode devices, only the 500-series and higher models can remove the default interface, such as USGFLEX 500/700 and ATP 500/700/800. Please note that you must first remove any settings that reference the default interface. For the Nebula mode firewall, all the models…
-
How to monitor and configure the DHCP clients of the USG FLEX/ATP?
Question: How to monitor and configure the DHCP clients of the USG FLEX/ATP? Go to Monitor > Network Status > DHCP Table. Select the interface you would like to configure, and click Search. Tick the DHCP client you would like to operate on, and click the operation you want. Release: Allows you to remove a DHCP device from…
-
Why can't clients get an IP address when there are many users?
Question: Why can't I get an IP address even though I perform IP renewal multiple times? Answer: The DHCP process may time out because so many ARP checks are being performed. Before taking an IP address, the client sends an ARP check to ensure the IP address is not already in use. So when more DHCP clients…
-
Why does Device Insight not show any entries on USGFLEX?
Question: Why does Device Insight not show any entries? Answer: Fast Forwarding may be enabled, which stops the Device Insight service. Fast Forwarding improves NAT/Routing/firewall performance, but sessions then bypass scan & control for some features, including Device Insight. Please disable…
-
How to use the CLI command "extension-filter" to capture packets?
Question: Some users may notice that some packet-capture command-line options are unavailable after upgrading to the latest firmware version. How can we use them now? Answer: For security reasons, we made some adjustments to the CLI command "extension-filter", and some rules are no longer available. Originally, "extension-filter"…
-
Why is the Virtual Server or 1:1 NAT configuration correct, but the NAT still cannot work?
Background and Scenario: We have noticed that some users encounter a situation where the Virtual Server or 1:1 NAT configuration is correct, but the NAT still does not work. What could be the possible reason for this issue? Answer: The possible reason is usually related to the security policy allowing the traffic from WAN…
-
Why do we encounter the "NET::ERR_CERT_AUTHORITY_INVALID" message when accessing certain websites?
Background and Scenario: When we browse certain specific websites or a device's local Web-GUI, the browser may display a “NET::ERR_CERT_AUTHORITY_INVALID” message. To access the URL or IP address, we need to click 'continue' and then we can browse it. Answer: The root cause is related to the browser not trusting the…
-
How to set a range of IP addresses on ATP/USG FLEX interface?
Question: The ISP provided me with a range of public IP addresses (10 public IP addresses). I would like to set these IP addresses on the ATP/USG FLEX, but the ATP/USG FLEX only supports up to 4 virtual interfaces. How can I set 10 public IP addresses on the ATP/USG FLEX in order to publish 10 servers to the Internet? Answer: You can use…
-
How to configure DHCP broadcast packets with the unicast flag?
Scenario: My Internet Service Provider router does not accept DHCP packets with the broadcast flag set, so the USG is unable to get an IP address from the ISP router. How do I set up DHCP packets with the unicast flag? Answer: The CLI command below changes the DHCP broadcast-packet flag from broadcast to unicast. Router(config) #…
-
How to check the strengthened ciphers used by USG FLEX/ATP
To check or adjust the ciphers used by USGFLEX/ATP, please create a console session with the device. Check the currently available cipher suites: Router# configure terminal Router(config)# show ip http server secure cipher-list To enable only stronger ciphers, use the following command; it will activate only strong cipher suites…
-
Why Device Insight does not display VPN clients
The Device Insight feature gives the network administrator visibility into the network, including wired, wireless, BYOD, and IoT devices, and the administrator can add or remove devices from the block list to reduce the potential attack surface. However, some users may wonder what kind of host is shown on Device Insight…
-
How to view the Firewall netstat table
Run "debug system netstat socket noresolve" in privileged mode (Router#) to check whether there are abnormal connections from the Firewall.
-
Zyxel DHCP lease table design
You may find that the DHCP table still contains entries even after the lease time has expired. This is by design: the GUI will still display them unless you manually release them from the DHCP table. The next client will search for expired addresses in the table and obtain one.
-
How to prioritize BWM bandwidth to the maximum?
Background and Scenario: The user might want to prioritize specific traffic in their environment for better efficiency. Answer: For example, the user wants to prioritize and maximize bandwidth for FTP-related traffic from LAN1 hosts. STEP1. Navigate to Configuration > BWM to add a BWM profile. STEP2. Choosing…