FLEX100 Remote mgmt issue

Options
dpipro
dpipro Posts: 64  ZCNE Certified
First Anniversary ZCNE Switch Level 1 Certification - 2020 ZCNE Nebula Level 1 Certification - 2020 ZCNE Security Level 1 Certification - 2019
Hello,

we have installed a new FLEX100 in an enterprise internet connection with fixed public IP configured on the wan port.
The ZyWALL is connected and the LAN has internet access.
The problem is that the ZyWALL doesn't allow the remote management via https. only via SSH or SSL. But it allow https via LAN.
All security features are disabled including the Security policy control.
We tried also via SSL, the SSL is connected correctly, we can ping the ZyWALL's LAN address but, again, we can't get the GUI.

Any ideas?

F/W rev 5.32(ABUH.0)

Thank you.
Best regards
Best regards

All Replies

  • PeterUK
    PeterUK Posts: 2,856  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 2023
    Options

    You just need a policy rule From WAN to Zywall HTTPS


  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    @dpipro
    Please check on the Policy Control "WAN_to_Device", and check if HTTPS is in the Service Group.


    If not, please go to Configuration > Object > Service > Service Group, edit "Default_Allow_WAN_To_ZyWALL" and put HTTPS to Member.



    James

  • dpipro
    dpipro Posts: 64  ZCNE Certified
    First Anniversary ZCNE Switch Level 1 Certification - 2020 ZCNE Nebula Level 1 Certification - 2020 ZCNE Security Level 1 Certification - 2019
    edited January 2023
    Options
    @PeterUK @Zyxel_James

    Thank you for your answers but All security features are disabled including the Security policy control.
    It seems to be an internal web service problem...
    Best regards
  • mMontana
    mMontana Posts: 1,337  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    @dpipro if via LAN works and via WAN won't, i highly doubt that's an internal web server problem.
    Since the revamp of the approach for security rules, now it's quite tough to reach HTTPS via WAN unless you're instructing the firewall to allow it.

    Due to your certification and the information currently available... triple check settings and logic.

    If the WAN port is configured with a private and not a public ip address, try also to put yourself in the same subnet of the WAN and try to reach HTTPS.
    Also... don't forget that at wizard, the device ask you to change your default HTTPS port for management. I don't assume that the redirection will work from both sides (LAN and WAN) after change the port.
  • PeterUK
    PeterUK Posts: 2,856  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 2023
    Options
    In WWW uncheck "Redirect HTTP to HTTPS" allow WAN to zywall login by port 80 HTTP

    scan for port 80
    GRC | Port Authority, for Internet Port 80

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hello @dpipro,
    Is there any log while accessing the USG FLEX 100 from WAN interface? Please collect the console logs by connecting to the console port too.
    And you may provide the configuration via private message, I would like to check the settings, thank you.

    James
  • dpipro
    dpipro Posts: 64  ZCNE Certified
    First Anniversary ZCNE Switch Level 1 Certification - 2020 ZCNE Nebula Level 1 Certification - 2020 ZCNE Security Level 1 Certification - 2019
    Options
    mMontana said:
    @dpipro if via LAN works and via WAN won't, i highly doubt that's an internal web server problem.
    Since the revamp of the approach for security rules, now it's quite tough to reach HTTPS via WAN unless you're instructing the firewall to allow it.

    Due to your certification and the information currently available... triple check settings and logic.

    If the WAN port is configured with a private and not a public ip address, try also to put yourself in the same subnet of the WAN and try to reach HTTPS.
    Also... don't forget that at wizard, the device ask you to change your default HTTPS port for management. I don't assume that the redirection will work from both sides (LAN and WAN) after change the port.
    Thank you for your answer, the wan port has a public ip address. I've already configured different ports for https management but the issue remains

    Best regards
  • dpipro
    dpipro Posts: 64  ZCNE Certified
    First Anniversary ZCNE Switch Level 1 Certification - 2020 ZCNE Nebula Level 1 Certification - 2020 ZCNE Security Level 1 Certification - 2019
    Options
    PeterUK said:
    In WWW uncheck "Redirect HTTP to HTTPS" allow WAN to zywall login by port 80 HTTP

    scan for port 80
    GRC | Port Authority, for Internet Port 80

    Dear PeterUK, thank you. I've already do it too. No luck... I've tried everything
    Best regards
  • dpipro
    dpipro Posts: 64  ZCNE Certified
    First Anniversary ZCNE Switch Level 1 Certification - 2020 ZCNE Nebula Level 1 Certification - 2020 ZCNE Security Level 1 Certification - 2019
    Options
    Hello @dpipro,
    Is there any log while accessing the USG FLEX 100 from WAN interface? Please collect the console logs by connecting to the console port too.
    And you may provide the configuration via private message, I would like to check the settings, thank you.

    James
    Dear Zyxel_James, the appliance is installed on the customer premises at 300Km from here, I'm not sure if it's possible to have it connected by the console port... I'll send you the conf file. Thank you
    Best regards
  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hello @dpipro,
    Thanks for the config file, I uploaded your config and found out you didn't add the service HTTP or HTTPS to the service group "Default_Allow_WAN_To_ZyWALL". Please refer to my previous response.


    - Add HTTPS to the service group "Default_Allow_WAN_To_ZyWALL"
    - Enable Policy Control
    - Change to WAN interface IP address for lab test
    >> I can access by WAN IP address successfully.
    @dpipro
    Please check on the Policy Control "WAN_to_Device", and check if HTTPS is in the Service Group.


    If not, please go to Configuration > Object > Service > Service Group, edit "Default_Allow_WAN_To_ZyWALL" and put HTTPS to Member.



    James



    James

Security Highlight