Zyxel USG 1000 - TLS 1.2
mm_bret said:
Our USG 1000 firewalls are no longer accessible using Firefox. It complains the router does not support TLS 1.2. Before we get rid of the routers, is there an update to solve this?

AFAIK no. In any case, you can force disabling of weak ciphers via an SSH command. Dig into the KB; currently I don't have the URL at hand. Commands should be the same as the ones for USG20, USG50, USG100 and so on.

mm_bret said:
We have several, and they work fine.
Bret

I'm glad that you have satisfaction using them. But AFAIK, they have been out of support for a long time. The latest firmware is seven years old (January 2015). If they are publicly exposed in any way, IMVHO your safety is considerably lower than with an updated device. Moreover, I think that the configuration cannot be migrated without intermediate steps to the latest 5.x firmware version. Also, maybe a newer device can be a lower tier if you're not using all the capabilities of the USG 1000.
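The question behind this thread is whether the USG 1000's HTTPS management interface can still negotiate TLS 1.2, which is the minimum Firefox now accepts. The script below is an added example, not code from the original posts or from Zyxel: it sends a minimal ClientHello for TLS 1.0, 1.1 and 1.2 to a host and port you name, and decides from the ServerHello or alert that comes back which versions the device actually accepts. The management address 192.0.2.1, port 443 and the cipher suite list are assumptions; TLS 1.3 needs the supported_versions extension and is deliberately left out. A device that answers a TLS 1.2 hello with a TLS 1.0 ServerHello is reporting its maximum version, which is precisely the condition Firefox refuses.

```python
import os
import socket
import struct

# Wire values of the TLS legacy version field for the versions at issue here.
# TLS 1.3 is negotiated through the supported_versions extension and is not
# covered by this minimal ClientHello.
TLS_VERSIONS = {
    "TLS 1.0": 0x0301,
    "TLS 1.1": 0x0302,
    "TLS 1.2": 0x0303,
}

# Assumed cipher suite list: TLS 1.2 AEAD suites plus older CBC suites so a
# legacy appliance still finds something it can pick.
CIPHER_SUITES = [
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2 only)
    0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256       (TLS 1.2 only)
    0xC013,  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
]


def build_client_hello(version: int) -> bytes:
    """Return one TLS record carrying a minimal ClientHello for `version`."""
    body = struct.pack("!H", version)                      # client_version
    body += os.urandom(32)                                 # random
    body += b"\x00"                                        # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body += struct.pack("!H", len(suites)) + suites        # cipher_suites
    body += b"\x01\x00"                                    # compression: null only
    # Handshake header: msg_type 1 (ClientHello) followed by a 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), record version pinned to 3.1 so old
    # stacks do not reject the record itself, then a 16-bit length.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_server_response(data: bytes):
    """Classify the first TLS record a server sent back.

    Returns ("server_hello", negotiated_version), ("alert", description),
    ("unknown", None) or ("empty", None).
    """
    if len(data) < 5:
        return ("empty", None)
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: msg_type(1) length(3) server_version(2) ...
        return ("server_hello", struct.unpack("!H", payload[4:6])[0])
    if content_type == 0x15 and len(payload) >= 2:
        # Alert: level(1) description(1); 70 = protocol_version, 40 = handshake_failure
        return ("alert", payload[1])
    return ("unknown", None)


def version_supported(requested: int, response: bytes) -> bool:
    """True only if the server answered with a ServerHello at `requested`.

    A ServerHello at a lower version means the server downgraded, i.e. it does
    not speak the requested version; an alert means it refused outright.
    """
    kind, value = parse_server_response(response)
    return kind == "server_hello" and value == requested


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live probe: map each version name to whether host:port accepts it."""
    results = {}
    for name, version in TLS_VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version))
                response = sock.recv(4096)
        except OSError:
            response = b""  # reset or timeout counts as not supported
        results[name] = version_supported(version, response)
    return results


if __name__ == "__main__":
    # Hypothetical management address; replace with your own device.
    for name, ok in probe_tls_versions("192.0.2.1").items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
```

Run it from a host on the management network before and after a firmware or cipher change: if only TLS 1.0 comes back as accepted, no browser setting on the client side will fix the problem, and the device should be reached through a jump host or a reverse proxy that terminates modern TLS until it is replaced.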
Not sure I understand. PeterUK, are you saying there is a firmware update? Seems as though you are.

mMontana, we use advanced features and high numbers of VPNs, L2TP VPNs as allowed by this device. Unfortunate, since a new TLS protocol update is probably a small detail for a firmware update. We'll see... we have a new pfSense device we're playing with, but Zyxel has been rock solid.
mm_bret said:
mMontana, we use advanced features and high numbers of VPNs, L2TP VPNs as allowed by this device. Unfortunate, since a new TLS protocol update is probably a small detail for a firmware update.

Consider that if your VPNs are using weak ciphers (according to the change of setup) you might encounter some issues. Currently I don't trust DES/3DES/MD5 tunnels at all. The current enforcing of TLS 1.2 and 1.3 is to cut the rope with older and insecure security layers like SSL v1, v2, v3 and madness.

mm_bret said:
We'll see... we have a new pfSense device we're playing with, but Zyxel has been rock solid.

I can't say anything different for the first USG group (20, 20W, 100 are the ones I played with... the 20W really sucks in wireless performance); they were rock solid and, until lightning or dead PSUs killed them, worked like a charm and without a lot of the issues and vulnerabilities found on newer devices (4.x most of all). And I'm still using one, with a lab firmware and with Firefox 101.0.1. The lab firmware is two years younger than the latest official USG 1000 one, but both USG 20 and USG 20W were supported longer than USG 100, 200, 300, 1000 and 2000, which arrived on the market before the 20 and 50. In some environments it is still safe to use them as VPN endpoints because they call the other endpoint from behind a carrier-grade NAT or a router.

Anyway. IMVHO you're using great but old machines. IMVHO you should also take a look into the USG Flex 700 (and not the USG 1900, which is going to be EOL at the end of the year), at least for having something with more updated vulnerability patches. A few specs compared:

Specific              USG 1000     USG Flex 700
Throughput SPI        400 mbps     5.400 mbps
Throughput VPN AES    180 mbps     1.100 mbps
Max sessions          500.000      1.600.000
Conc. IPSec           1000         500
Power draw            200W         46W

I can see the drawback of VPN tunnels. I don't know if you're using the full capacity of this on your USG 1000 but...
mMontana,

Great comments and info. These USG 1000 devices are all over our infrastructure. We recently added a GB fiber connection, and I soon found out the old girl may not keep up. We can only get about 350mb out of ours. I'll probably run the update on a backup USG 1000 to see how it affects any services. Funny, I still have a few new in boxes. Time indeed flies. I'll investigate the Flex 700 as well.

Many thanks for all the comments,
BS
If you choose a replacement, I'd like to know.
Update.

I updated the firmware on one of my backup USG 1000 devices to 330AQV7ITS-WK48-r74988.bin. The device behaved great, and allowed me to connect to it from my Firefox browser without any TLS version issues.

HOWEVER, the following problem presents itself after updating: I see the attached error dialog when saving the (TrustedLan1) (P3) configuration. This message did not appear under the previous firmware: 330AQV7C0.bin. What can I do to configure P3 and P4 to be part of a single TrustedLan?

cli show interface all displays:

1 Comcast 1000M/Full 0.0.0.0 255.255.255.248 Static
2 wan2 Down 0.0.0.0 0.0.0.0 DHCP client
3 TrustedLan1 Port Group Up 192.168.40.1 255.255.255.0 Static
4 TrustedLan2 Port Group Inactive 192.168.40.243 255.255.255.0 Static
5 dmz 100M/Full 192.168.46.1 255.255.255.0 Static
6 aux Inactive 0.0.0.0 0.0.0.0 Dynamic

Can I ask this question here, or start a new thread?

Regards,
Bret
mm_bret said:
Update. HOWEVER, the following problem presents itself after updating: I see the attached error dialog when saving the (TrustedLan1) (P3) configuration. This message did not appear under the previous firmware: 330AQV7C0.bin. What can I do to configure P3 and P4 to be part of a single TrustedLan?

Anyway, test thoroughly before making any changes.

Problem is: you have TrustedLan1 (P3,P4) and TrustedLan2 (Unknown) with the same subnet. Why? What are you trying to achieve?
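The diagnosis above is that two interfaces sit on the same subnet, which the newer firmware refuses to save. The script below is an added example, not from the thread or from Zyxel: it parses the `show interface all` rows Bret posted (embedded here as sample input), builds a network for every interface that has a real address, and reports each pair whose networks overlap. The column layout is assumed from the posted rows (index, name, status words, address, netmask, type); the real CLI output may carry a header line, which the parser simply skips because it contains no dotted quads.

```python
import ipaddress
import re
from itertools import combinations

# Interface table exactly as posted in this thread (output of
# `show interface all` on the updated USG 1000), used here as sample input.
SHOW_INTERFACE_ALL = """\
1 Comcast 1000M/Full 0.0.0.0 255.255.255.248 Static
2 wan2 Down 0.0.0.0 0.0.0.0 DHCP client
3 TrustedLan1 Port Group Up 192.168.40.1 255.255.255.0 Static
4 TrustedLan2 Port Group Inactive 192.168.40.243 255.255.255.0 Static
5 dmz 100M/Full 192.168.46.1 255.255.255.0 Static
6 aux Inactive 0.0.0.0 0.0.0.0 Dynamic
"""

DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_interfaces(text: str) -> dict:
    """Map interface name -> ipaddress.IPv4Interface for configured interfaces.

    Assumed row layout: index, name, status words..., address, netmask, type.
    Address and mask are taken as the last two dotted quads on the line so
    that multi-word status fields such as "Port Group Up" do not matter.
    Interfaces whose address is 0.0.0.0 have no usable subnet and are skipped.
    """
    interfaces = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        name = fields[1]
        quads = DOTTED_QUAD.findall(line)
        if len(quads) < 2:
            continue
        address, netmask = quads[-2], quads[-1]
        if address == "0.0.0.0":
            continue
        interfaces[name] = ipaddress.ip_interface(f"{address}/{netmask}")
    return interfaces


def overlapping_subnets(interfaces: dict) -> list:
    """Return (name_a, name_b, network_a, network_b) for every pair of
    interfaces whose networks overlap.

    A firewall cannot route or apply zone policy unambiguously to addresses
    that match two directly connected interfaces, which is why the newer
    firmware rejects the configuration instead of silently accepting it.
    """
    found = []
    for (a, ia), (b, ib) in combinations(sorted(interfaces.items()), 2):
        if ia.network.overlaps(ib.network):
            found.append((a, b, str(ia.network), str(ib.network)))
    return found


if __name__ == "__main__":
    for a, b, net_a, net_b in overlapping_subnets(parse_interfaces(SHOW_INTERFACE_ALL)):
        print(f"{a} ({net_a}) overlaps {b} ({net_b})")
```

On the posted table this reports TrustedLan1 and TrustedLan2 both on 192.168.40.0/24; the fix is either to give TrustedLan2 its own subnet or, if P3 and P4 are meant to be one LAN, to put both ports in the TrustedLan1 port group and retire TrustedLan2. Running the check against a saved `show interface all` before upgrading is a cheap way to find such overlaps while the old firmware is still tolerating them.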