Firewall logs - Default Rule

2»

All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    mm_bret now make a rule from WAN to Zywall with source hackers-block and deny
  • dmc_nyc
    dmc_nyc Posts: 5
    First Comment Friend Collector First Anniversary
    PeterUK said:
    dmc_nyc if you set appllcation patrol to none does the rule work?

    @PeterUK I have disabled App Patrol on this rule and it did not help.  The unwanted traffic is still making it through the Rule, ignoring the Source IP filter of 'All Approved WANs'. 

    For clarity, we always set 1:1 NAT to each server as Any Source, Any Service to allow that traffic to flow to the Security Policies.  At the Security Policy we would further refine the WAN IP Source and Service ports.  This has always worked in the past, only recently with a new USGFlex200 v5.30 did I notice bleed-thru of unwanted traffic.  The rule I noted above is very high in the priority list so it should be stopping unwanted traffic.  There are only GEO IP DENY rules above it which are working.




  • mm_bret
    mm_bret Posts: 63  Ally Member
    First Comment Fourth Anniversary
    PeterUK,
    You have given me an answer to this problem. At this point the logs are littered with red log alert
    rejections. Excellent work!!

    It has been my understanding that firewall rules TO Zywall was to control access to the USG for configuration; gui interface etc. for specific ip addresses and services like https etc. While any (excluding Zywall) rules were for trapping traffic headed behind our USG1000.


    Is there any way you can describe the difference between Zywall and (any (excluding Zywall)?
    ..pointing me to another post or document would be helpful as well.

    I am thanking you for this resolution,
    Bret

    PS.

    With regard to the age of the USG 1000, these are solid firewalls. We haven't thought of upgrading until we added several fiber connections exceeding the 350mb max of the USG 1000.

    Best,
    Bret Stern













  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited May 2022

    Also Zyxel_James pointed you in the direction too

    If you don't have a subnet of WAN IP's on LAN your only WAN IP is the Zywall to which you SNAT and NAT from/to your LAN as your WAN IP is on the USG all traffic from WAN goes to the Zywall until you NAT to a LAN IP then your going from WAN to LAN or any


  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited May 2022

    dmc_nyc you should make your own post about your problem

    try V5.30 WK20 Firmware release

    ZLD V5.30 WK20 Firmware release — Zyxel Community

    what happens if you set destination to any?

  • dmc_nyc
    dmc_nyc Posts: 5
    First Comment Friend Collector First Anniversary
    Was able to figure this out with Zxyel Support. In my Approved WAN IP Group I had an open ended SUBNET Object instead of a RANGE Object.  Which meant any IP with the range of from the low (.47) to high (.255) was coming through.  My fault for overlooking this.

    Once I switched it to a Static or Range, the Source IP filter 'All Approved WANs' was working as expected on all Rules.

    Hope this might help others who experienced a similar issue.  
  • dmc_nyc
    dmc_nyc Posts: 5
    First Comment Friend Collector First Anniversary
    PeterUK said:
    dmc_nyc if you set appllcation patrol to none does the rule work?

    @PeterUK I have disabled App Patrol on this rule and it did not help.  The unwanted traffic is still making it through the Rule, ignoring the Source IP filter of 'All Approved WANs'. 

    For clarity, we always set 1:1 NAT to each server as Any Source, Any Service to allow that traffic to flow to the Security Policies.  At the Security Policy we would further refine the WAN IP Source and Service ports.  This has always worked in the past, only recently with a new USGFlex200 v5.30 did I notice bleed-thru of unwanted traffic.  The rule I noted above is very high in the priority list so it should be stopping unwanted traffic.  There are only GEO IP DENY rules above it which are working.




Security Highlight