FLEX100 Remote mgmt issue

dpipro Posts: 69  ZCNE Certified
Hello,

We have installed a new FLEX100 on an enterprise internet connection with a fixed public IP configured on the WAN port.
The ZyWALL is connected and the LAN has internet access.
The problem is that the ZyWALL doesn't allow remote management via HTTPS, only via SSH or SSL. But it allows HTTPS via LAN.
All security features are disabled including the Security policy control.
We tried also via SSL, the SSL is connected correctly, we can ping the ZyWALL's LAN address but, again, we can't get the GUI.

Any ideas?

F/W rev 5.32(ABUH.0)

Thank you.
Best regards

All Replies

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    edited January 2023

    You just need a policy rule From WAN to Zywall HTTPS


  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    @dpipro
    Please check on the Policy Control "WAN_to_Device", and check if HTTPS is in the Service Group.


    If not, please go to Configuration > Object > Service > Service Group, edit "Default_Allow_WAN_To_ZyWALL" and put HTTPS to Member.



    James

  • dpipro
    dpipro Posts: 69  ZCNE Certified
    edited January 2023
    @PeterUK @Zyxel_James

    Thank you for your answers, but all security features are disabled, including the Security policy control.
    It seems to be an internal web service problem...
    Best regards
  • mMontana
    mMontana Posts: 1,389  Guru Member
    @dpipro if via LAN works and via WAN won't, I highly doubt that's an internal web server problem.
    Since the revamp of the approach for security rules, now it's quite tough to reach HTTPS via WAN unless you're instructing the firewall to allow it.

    Due to your certification and the information currently available... triple check settings and logic.

    If the WAN port is configured with a private and not a public IP address, try also to put yourself in the same subnet of the WAN and try to reach HTTPS.
    Also... don't forget that in the wizard, the device asks you to change your default HTTPS port for management. I don't assume that the redirection will work from both sides (LAN and WAN) after changing the port.
  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    edited January 2023
    In WWW uncheck "Redirect HTTP to HTTPS" allow WAN to zywall login by port 80 HTTP

    scan for port 80
    GRC | Port Authority, for Internet Port 80

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Hello @dpipro,
    Is there any log while accessing the USG FLEX 100 from WAN interface? Please collect the console logs by connecting to the console port too.
    And you may provide the configuration via private message, I would like to check the settings, thank you.

    James
  • dpipro
    dpipro Posts: 69  ZCNE Certified
    mMontana said:
    @dpipro if via LAN works and via WAN won't, I highly doubt that's an internal web server problem.
    Since the revamp of the approach for security rules, now it's quite tough to reach HTTPS via WAN unless you're instructing the firewall to allow it.

    Due to your certification and the information currently available... triple check settings and logic.

    If the WAN port is configured with a private and not a public IP address, try also to put yourself in the same subnet of the WAN and try to reach HTTPS.
    Also... don't forget that in the wizard, the device asks you to change your default HTTPS port for management. I don't assume that the redirection will work from both sides (LAN and WAN) after changing the port.

    Thank you for your answer, the WAN port has a public IP address. I've already configured different ports for HTTPS management but the issue remains.

    Best regards
  • dpipro
    dpipro Posts: 69  ZCNE Certified
    PeterUK said:
    In WWW uncheck "Redirect HTTP to HTTPS" allow WAN to zywall login by port 80 HTTP

    scan for port 80
    GRC | Port Authority, for Internet Port 80

    Dear PeterUK, thank you. I've already done it too. No luck... I've tried everything.
    Best regards
  • dpipro
    dpipro Posts: 69  ZCNE Certified
    Hello @dpipro,
    Is there any log while accessing the USG FLEX 100 from WAN interface? Please collect the console logs by connecting to the console port too.
    And you may provide the configuration via private message, I would like to check the settings, thank you.

    James
    Dear Zyxel_James, the appliance is installed on the customer's premises 300 km from here, I'm not sure if it's possible to have it connected by the console port... I'll send you the conf file. Thank you
    Best regards
  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Hello @dpipro,
    Thanks for the config file, I uploaded your config and found out you didn't add the service HTTP or HTTPS to the service group "Default_Allow_WAN_To_ZyWALL". Please refer to my previous response.


    - Add HTTPS to the service group "Default_Allow_WAN_To_ZyWALL"
    - Enable Policy Control
    - Change to WAN interface IP address for lab test
    >> I can access by WAN IP address successfully.

    James
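
The membership check from the last reply (is HTTPS in the service group "Default_Allow_WAN_To_ZyWALL"?) can be run against an exported configuration before concluding that the web service itself is at fault. This is an added example, not part of the thread and not Zyxel tooling; the `object-group service` / `service-object` layout, the `!` block terminator, the group name `Constructed_LAN_Group` and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in an ASSUMED layout; a real exported configuration
# may differ, so adjust the two patterns below to match your file.
SAMPLE_CONF = """\
object-group service Default_Allow_WAN_To_ZyWALL
 description constructed sample
 service-object IKE
 service-object NATT
 service-object ESP
!
object-group service Constructed_LAN_Group
 service-object HTTPS
 service-object SSH
!
"""

GROUP_RE = re.compile(r"^object-group service (\S+)\s*$")
MEMBER_RE = re.compile(r"^\s+service-object (\S+)\s*$")


def parse_service_groups(conf_text):
    """Return {group name: set of member service names}."""
    groups, current = {}, None
    for line in conf_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), set())
            continue
        if line.strip() == "!":  # assumed end-of-block marker
            current = None
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            current.add(m.group(1))
    return groups


def missing_services(conf_text, group, wanted=("HTTPS",)):
    """List the wanted services that are not members of the group.

    Raises KeyError when the group is absent, so a renamed or deleted
    group is not mistaken for one that merely lacks the service.
    """
    members = parse_service_groups(conf_text)[group]
    return [s for s in wanted if s not in members]


if __name__ == "__main__":
    print(missing_services(SAMPLE_CONF, "Default_Allow_WAN_To_ZyWALL"))
```
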
