My experience on 5.32 firmware starting from scratch (on premises)

mMontana
mMontana Posts: 1,091
1000 Comments 25 Answers Friend Collector Third Anniversary
 Guru Member
edited November 2022 in Security
As 2022 is... quite few years that i use Zyxel firewalls. My first experience was Zywall 5, and now on a USG Flex 50 maybe is the 50/60th device I use/configure/manage.
Latest experience was USG Flex 100 starting from scratch at the beginning of the year, but starting "as new" give me some more insights about the "new default" (by my perspective) proposed by zyxel.
Take your time, something nice to sip, a bit of ease.
I loved the automatic update at latest released firmware at second login.
At the first one I had to change the password (pro tip: write down some notes, as first the definitive password), but at the second login the device looked for and updated the firmware. It's so gamechanger to avoid vulnerabilities. On the other hand, this approach make really difficult the "bootup" of a new instance without internet access. IMHO this can lead to some hiccups in specific environments (like mac-locked ISP access: i cannot use the connection unless the MAC Address of my adapter is not the one allowed by the next hop).
I am not a Nebula fan, so i found naggy to specify twice that I wanted to take "on premises" route. At reboot with new login, the default password has already been changed and Nebula was already refused: why keep nagging the tech guy? If the path were Nebula, it could be chosen at step 1 or at reset ;)
I still find coercive pretend the registration of the device to allow the configuration: this forced path lead to help request on this forum or through Zyxel representatives for moving, if necessary, the device from one account to another, Nebula or myZyxel. For myZyxel portal... meh. For Nebula, maybe a "tech access" for the major "firm account" might be helpful: tech access can login, add devices, create or retrieve configuration, then test it, then deliver it to the premises, without messing around with other devices/templates for the firm.
After registration, the wizards are strict. A lot. For a non experienced tech it's quite tough to create unwise remote access to the device and the configuration, and that's really good, because leaving open doors it's way, way difficult and "tricky" to do. It's a longer job for me allowing the access that i need (L2TP, IKE/NATT, SSLVPN, Remote admin).
So... Update done. Registration done, remote access sealed up. What's next?Objects.
Especially if you are replacing an old device (zyxel or other firewalls doesn't matter), creating all needed objects as first task will be really useful for being a fast deployer. CLI commands are really useful, you can script the creation of all bells an whistles needed for have your "stuff" ready to kick in any other part of the device:IPSec tunnels, L2TP access, SSLVPN, services (default and custom) users. It will take, at the beginning, 30 to 40% of the time, but after it will save you more than 50%. Of course: if you already know what you will need.
The only thing that will be a bit trickier is the creation of VPN gateways/IKE Phase 1, because most of that is not object-enabled.
But for:
VPN connections/IKE phase 2
SSL VPN
L2TP
security policies
routing
AP profiles
and something more
having all the "gizmos" ready to deploy will boost substancially your setup. If you're scared about "too many useless objects", don't worry: after the deployment, the test and eventual adjustments of the setup, you can still have report about where and how many times objects are used into the configuration; in few clics the cleanup is done.
I did not enjoy that much the DHCP from CSV import. I can understand why the wiping of present table, but I don't agree: should be an option or a button/command to clear the reservation list. I find the option useful but needs refinement.
The option for check for updated firmware: I may not want an automatic upgrade, but the automatic check should be enabled by default, after the mandatory connection to a Zyxel Portal account.
Hints for beginners: design your firewall "on paper". Managing firewalls can be done like jamsession, following the flow and the groove, but you need at least how to pinch the strings or make the reed sing. If you're a newbie or you're installing in a new kind of environment, create something "working on paper" will save you time and headaches for solving issue. When in doubt, keep the port shut, check the log, make your brain work. ;-)
Don't forget some TCP/IP notes close, and keep looking at two wonderful tools/charts:
Routing Flow
Snat Flow
they will tell you all the steps packages take from inside to outside (and the other way around)

Security Highlight