ATP800 - deny default control policy ignored!

noc_aba
noc_aba Posts: 16  Freshman Member
Today we found out that on an ATP800 (4.60) the default deny policy rule didn't work anymore! Everybody was allowed from LAN to WAN and from WAN to LAN, because the final default deny rule was ignored.
We have not been able to make it effective again (editing and saving, changing deny to allow and back). The only workaround has been to insert a new any-any deny rule just before the default deny rule.
We have verified that, since the rule stopped working, a huge number of attempts to access the NATted internal servers had taken place.
While one can appreciate all the efforts made to enhance the various security services in the ATP models, I can't help feeling terrified by the fact that a basic protection, although of capital importance, fails.
I hope an explanation, and thus a solution, will be found quickly.
regards
Paolo

All Replies

  • PeterUK
    PeterUK Posts: 914  Guru Member
    Does it do this on V4.62?
  • Zyxel_Can
    Zyxel_Can Posts: 239  Zyxel Employee

    Hi @noc_aba,

    Can you please share some information with us:

    1. Can you draw your topology for this setup?

    2. When did this issue start? What did you change in the ATP800's configuration for the last time before this issue occurred?

    3. Can you send your startup-config.conf file to me by private message? I would like to test that symptom for you.

    4. A similar symptom was fixed in the current release. Can you upgrade it from the following link and see if that issue still exists:
    https://fwstore-zsdn-cloud-zyxel-com.s3.us-east-1.amazonaws.com/Forum/ATP/V4.62_WK08/462ABIQ0ITS-WK08-r98489.zip
  • noc_aba
    noc_aba Posts: 16  Freshman Member
    We are planning to upgrade to 4.62 soon.
  • noc_aba
    noc_aba Posts: 16  Freshman Member
    PeterUK said:
    Does it do this on V4.62?
    We have not yet tried.

  • noc_aba
    noc_aba Posts: 16  Freshman Member
    Hello,
    we did the upgrade to 4.62. After a couple of days the same problem has occurred again, and it's still open!
    Probably after a new security policy rule was added. So we have re-activated the deny-all rule we created as the last rule before the non-working default deny rule.
    The whole picture is: two ATP800s in HA, two WAN interfaces in active/passive mode.
    It's worth noting that there are a lot of security policy rules (162), mostly based on the SSL VPN user to differentiate the access rights to the internal servers.

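The behaviour noc_aba describes (rules evaluated top-down, an implicit final default deny that should catch everything, and an explicit any/any deny inserted just above it as a workaround) can be reasoned about with a small first-match policy model. The following is an added example, not code from the poster or from Zyxel: it is a constructed abstraction of a zone-based rule table, with zone, address-object and service names made up for illustration. It shows why an explicit trailing catch-all deny is a cheap safety net: if the engine honours the default rule, the extra rule changes nothing; if the default rule is skipped (modelled here as the unmatched flow falling through to "allow", which is what the reporter observed, not a statement about the device's internals), the explicit rule still denies. An audit helper checks that a rule list actually ends with such a catch-all.

```python
"""First-match security-policy model (constructed example, not Zyxel's implementation)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str   # zone name or ANY
    to_zone: str     # zone name or ANY
    src: str         # address object name or ANY
    dst: str         # address object name or ANY
    service: str     # service object name or ANY
    action: str      # "allow" or "deny"
    enabled: bool = True


@dataclass(frozen=True)
class Flow:
    # Simplification: addresses and services are already resolved to object names.
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str


def _matches(rule: Rule, flow: Flow) -> bool:
    pairs = ((rule.from_zone, flow.from_zone), (rule.to_zone, flow.to_zone),
             (rule.src, flow.src), (rule.dst, flow.dst), (rule.service, flow.service))
    return all(want == ANY or want == have for want, have in pairs)


def evaluate(rules: List[Rule], flow: Flow,
             default_rule_honored: bool = True) -> Tuple[str, Optional[str]]:
    """Top-down, first match wins. Returns (action, rule name).

    default_rule_honored=False models the reported symptom: the implicit final
    default deny is skipped and an unmatched flow falls through as allowed.
    """
    for r in rules:
        if r.enabled and _matches(r, flow):
            return r.action, r.name
    if default_rule_honored:
        return "deny", "Default"
    return "allow", None


def has_explicit_catch_all_deny(rules: List[Rule]) -> bool:
    """Audit: the last enabled rule must deny any zone/any address/any service."""
    enabled = [r for r in rules if r.enabled]
    if not enabled:
        return False
    last = enabled[-1]
    return last.action == "deny" and all(
        f == ANY for f in (last.from_zone, last.to_zone, last.src, last.dst, last.service))


# Constructed policy: names are illustrative only.
POLICY = [
    Rule("LAN_to_WAN_web", "LAN1", "WAN", ANY, ANY, "HTTPS", "allow"),
    Rule("VPN_user_to_srv", "SSL_VPN", "LAN1", "vpn_user1", "srv_app", "RDP", "allow"),
]
EXPLICIT_DENY = Rule("Deny_all_workaround", ANY, ANY, ANY, ANY, ANY, "deny")

INBOUND_PROBE = Flow("WAN", "LAN1", "internet_host", "srv_app", "RDP")
OUTBOUND_WEB = Flow("LAN1", "WAN", "pc_42", "internet_host", "HTTPS")

if __name__ == "__main__":
    for label, rules, honored in (("default honoured", POLICY, True),
                                  ("default skipped", POLICY, False),
                                  ("default skipped + explicit deny", POLICY + [EXPLICIT_DENY], False)):
        print(f"{label:32s} inbound RDP -> {evaluate(rules, INBOUND_PROBE, honored)}")
    print("explicit catch-all present:", has_explicit_catch_all_deny(POLICY + [EXPLICIT_DENY]))
```

Running the block stand-alone prints the three inbound-probe outcomes; the middle one ("default skipped") is the fail-open condition the thread is about, and the last shows the workaround closing it. The audit function is the kind of check worth running against an exported rule list after every policy change, since the reporter's second occurrence followed the addition of a new rule.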
  • noc_aba
    noc_aba Posts: 16  Freshman Member
    As far as the installation of debug firmware is concerned, we are not at liberty to do that since we are in a full scale deployment and can't do experiment.

  • Zyxel_Can
    Zyxel_Can Posts: 239  Zyxel Employee

    Hi @noc_aba,

    Can you send your startup-config.conf file to me by private message?

  • Zyxel_Can
    Zyxel_Can Posts: 239  Zyxel Employee

    Hi @noc_aba,

     

    Can you try disabling your extra rule and choosing "alert log" for the Default rule?

    For instance, in this case I allocated the ge8 interface to the OPT zone.

    There's no rule for the OPT zone in Security Policy;

    it still can block traffic from the OPT zone to any.

    Also, we can see an IP address's traffic flow under the Maintenance > Diagnostics > Routing Traces menu:

    In this case the IP address 192.168.177.5 is trying to send a request over the internet, but its reply was not forwarded because it matched the default Security Policy rule.

    Whereas other clients' requests will be forwarded because they didn't match the default Security Policy rule.

    As in this example, can you also choose alert log for the Default rule and see if there are any matching logs in the Monitor > Log menu?
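Once logging is enabled on the Default rule as Zyxel_Can suggests, the log is also the place to measure the exposure noc_aba mentioned (the flood of attempts against the NATted servers while the rule was not working). The following is an added example, not part of the thread and not Zyxel code: it parses key="value" syslog-style firewall records, keeps only those whose message says the default rule matched, and aggregates them by source IP and by destination address:port. The sample lines are constructed; their field names and message texts approximate the style of such logs and are an assumption, not captured device output. The parser only relies on the key="value" pairs, so it tolerates differences in the free-text prefix.

```python
"""Triage of default-rule hits in firewall logs (added example; sample data constructed)."""
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# One key="value" pair; values are taken literally (no escaped quotes assumed).
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample. Format is an approximation, not real device output.
SAMPLE_LOG = """\
Mar 02 09:12:01 ATP800 src="198.51.100.7:51022" dst="203.0.113.10:3389" msg="Match default rule, DROP" note="ACCESS BLOCK" cat="Firewall"
Mar 02 09:12:01 ATP800 src="198.51.100.7:51023" dst="203.0.113.10:445" msg="Match default rule, DROP" note="ACCESS BLOCK" cat="Firewall"
Mar 02 09:12:02 ATP800 src="198.51.100.7:51024" dst="203.0.113.10:22" msg="Match default rule, DROP" note="ACCESS BLOCK" cat="Firewall"
Mar 02 09:12:03 ATP800 src="192.0.2.44:40001" dst="203.0.113.10:3389" msg="Match default rule, DROP" note="ACCESS BLOCK" cat="Firewall"
Mar 02 09:12:04 ATP800 src="10.10.1.20:52100" dst="203.0.113.10:443" msg="from LAN1 to WAN, service HTTPS, ACCEPT" note="ACCESS FORWARD" cat="Firewall"
Mar 02 09:12:05 ATP800 src="198.51.100.7:51025" dst="203.0.113.11:3389" msg="Match default rule, DROP" note="ACCESS BLOCK" cat="Firewall"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Extract all key="value" pairs from one log line into a dict."""
    return dict(KV_RE.findall(line))


def default_rule_hits(text: str) -> Iterator[Dict[str, str]]:
    """Yield parsed records whose msg field reports a default-rule match."""
    for line in text.splitlines():
        rec = parse_line(line)
        if "default rule" in rec.get("msg", "").lower():
            yield rec


def _host(endpoint: str) -> str:
    # "ip:port" -> "ip". IPv4 only; bracketed IPv6 would need extra handling.
    return endpoint.rsplit(":", 1)[0]


def summarize(text: str) -> Tuple[Counter, Counter]:
    """Count default-rule hits per source IP and per destination ip:port."""
    by_src: Counter = Counter()
    by_dst: Counter = Counter()
    for rec in default_rule_hits(text):
        if "src" not in rec or "dst" not in rec:
            continue  # malformed record: skip rather than crash the triage
        by_src[_host(rec["src"])] += 1
        by_dst[rec["dst"]] += 1
    return by_src, by_dst


def noisy_sources(text: str, threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` default-rule drops: block-list candidates."""
    by_src, _ = summarize(text)
    return sorted(ip for ip, n in by_src.items() if n >= threshold)


if __name__ == "__main__":
    srcs, dsts = summarize(SAMPLE_LOG)
    print("default-rule hits by source:", srcs.most_common())
    print("default-rule hits by target:", dsts.most_common())
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

Two practical uses follow from this. First, after enabling alert logging on the Default rule, a sudden drop of default-rule hits to zero while inbound noise on the WAN continues is itself a symptom worth investigating, since it means unmatched traffic is no longer being caught by that rule. Second, the per-target counter shows which NATted services were being hammered, which is the list to review for signs of successful access during the window the deny was not effective.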