ZYWALL USG placed between intranet and DMZ

ChrisGer (Ally Member)
edited April 2021 in Security
Hello Community,
I've moved my ZYWALL from the ISP connection to an intranet<->DMZ firewall.
Firmware 4.32 is running. After a lot of changes to bring the USG into production, a reboot told me "bad-firmware" and the USG rolled back to my initial configuration (all changes are lost) :(

Is there anyone here who has experience and issues with the USG running as an intranet<->DMZ firewall in a two-stage security area?

Thanks in advance
Christian

Accepted Solution

  • ChrisGer (Ally Member)
    Answer ✓
    Hi @Zyxel_Emily,
    the USG is moved, SNAT is turned off and the content filter is based on the "as is" configuration.
    The USG WAN link is connected to the ISP firewall right now, where the DMZ VLANs are configured and in operation. If it's OK from your side, I'll send you the new topology in a PM.

    Regards
    Christian

All Replies

  • Alfonso (Master Member)
    Hi @ChristianG

    I do not agree that changing the role of any network device could cause what you suffered.

    I would focus the analysis on the "bad firmware" messages.

    It looks like a file (or even a file system) corruption during the configuration, or another hardware failure or software bug.

    Review all configuration logs, trying to identify other warning or error logs.

    I hope you could rebuild your configuration.

    Good luck 
  • Zyxel_Emily (Zyxel Employee)

    Hi @ChristianG,

    To analyze why the USG rebooted with the message "bad-firmware", please go to MAINTENANCE > Diagnostics > Diagnostics > Collect and click "Collect Now" to collect the diagnostic file, then send the file to us.

    There may be some clues to the issue.

  • ChrisGer (Ally Member)
    The move from the ISP to the DMZ position is not only based on a bad config/backup after a lot of changes.
    The reported "side effect" (bad firmware / configuration with a rollback) is one of the new effects with firmware 4.30.

    I've done the changes step by step again, with a backup (downloading the config) and reboot tests (one reboot takes about 12-15 minutes). Before the crash, I copied the startup-config on the USG to have a way back.

    Can you trust a device that is sporadically (3-7 day cycle) unavailable from the extranet, with telephony also offline, until a power cycle brings the device up again? That was a good three to four months of "Russian roulette" (online/offline).
    This status, in my case, takes a lot of investigation/analysis topics to serve the required information to R&D. Firmware 4.25-P1 was the last good version. With 4.30 the "rocky-horror-zyxel-show" began ;) and it can't be a solution to reconfigure the whole device, with about 170 rules and all the configured layer 7 parts, anew.
     
    I got a lot of ITS versions of 4.30/4.31 and 4.32 that do not fix the issue :/
    With the first debug version from ZYXEL the device was completely offline (soft endless reboot cycle by the ZYXEL firmware).
     
    I currently have the debug firmware
    V4.32(AAKZ.0)ITS-WK35-2018-10-02-180500318D / 2018-10-02 16:39:59
    installed and hope that the changes of this version will be included in the upcoming release.

    The FW 4.3x issues are stored in my capture "lost changes", which is stored in the book "v 4.30 known collateral damage@USG". :s

    Can you provide the "best practice" for configuring the USG at the intranet<-->DMZ zone, and say what can be deleted after the move from the ISP to the DMZ zone, please?

    Thanks and best regards
    Christian

    Note ;)
    My first ZyXEL device was a U1496 ;)
  • Zyxel_Emily (Zyxel Employee)

    Hi @ChristianG,

    If you move the USG to the DMZ zone behind another firewall, you can configure UTM/firewall rules/NAT/ADP/Controller based on your requirements.

    If the firewall placed ahead of the USG has the same functions, such as UTM/Controller, turn those functions off on the USG.

    Maybe you can share the topology or scenario with us and we will advise you which functions can be disabled on the USG.

  • Zyxel_Chris_H (Freshman Member)
    Hi @ChristianG

    Since you have an ISP firewall, ADP and IDP are not necessary.

    You can use the firewall to manage traffic (e.g. from a LAN VLAN to WAN).

    In your topology, the USG60W WAN interface is on VLAN45, and if you want to disable SNAT, you can refer to the following step.

    (Configuration -> Network -> Interface -> Trunk -> Show Advanced Settings -> Enable Default SNAT -> Uncheck)


  • ChrisGer (Ally Member)
    @Zyxel_Chris_H
    SNAT is disabled to route all required RFC1918 IPs via routing sets on both devices.
    I would avoid "double SNAT" in the infrastructure :/

    VLAN45 is attached/configured at the ISP firewall, and routing is set up on the firewalls to get connected from the intranet to the DMZ zone.

    Thanks for the reminder to disable IDP on the USG - this is an open topic B)

    Regards
    Christian
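
The two posts above (Zyxel_Chris_H's step for unchecking "Enable Default SNAT" on the trunk, and Christian's point that SNAT is off and RFC1918 prefixes are routed on both firewalls instead) describe a behaviour that is easy to get wrong in a two-stage design. The following Python model is an added example, not code from the thread or from Zyxel: it pushes a packet from an intranet client through a USG and then through an upstream ISP firewall, and shows what the DMZ host sees, how many NAT rewrites happen, and whether the reply finds its way back. All addresses (10.10.0.0/16 intranet, 172.16.45.0/24 as the VLAN45 transit, 192.168.50.0/24 DMZ, 203.0.113.5 as an Internet host), interface names and routes are constructed assumptions, not the poster's real topology.

```python
"""Added example (not from the thread or from Zyxel): a minimal model of
intranet -> ZyWALL USG -> ISP firewall -> DMZ / Internet that shows the
effect of "default SNAT" on the USG trunk and why the second firewall
needs its own route back to the intranet once SNAT is off.
All addresses, interfaces and routes below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Packet:
    src: IPv4
    dst: IPv4
    nat_hops: int = 0                        # how many boxes rewrote the source
    path: List[str] = field(default_factory=list)   # "box:egress-iface" per hop


@dataclass
class Route:
    prefix: Net
    iface: str                               # egress interface on this box


@dataclass
class Firewall:
    name: str
    routes: List[Route]
    snat_ifaces: Set[str]                    # interfaces where default SNAT applies
    snat_ip: IPv4                            # address substituted by SNAT
    default_snat: bool
    conntrack: Dict[Tuple[IPv4, IPv4], IPv4] = field(default_factory=dict)

    def lookup(self, dst: IPv4) -> Optional[Route]:
        # longest-prefix match, like a real forwarding table
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, pkt: Packet) -> Optional[Tuple[Packet, str]]:
        # replies to a flow this box SNATed get their destination restored
        dst = self.conntrack.get((pkt.src, pkt.dst), pkt.dst)
        route = self.lookup(dst)
        if route is None:
            return None                      # no route at all: dropped here
        src, hops = pkt.src, pkt.nat_hops
        if self.default_snat and route.iface in self.snat_ifaces:
            self.conntrack[(dst, self.snat_ip)] = pkt.src   # remember for the reply
            src, hops = self.snat_ip, hops + 1
        out = Packet(src, dst, hops, pkt.path + [f"{self.name}:{route.iface}"])
        return out, route.iface


def trace(chain: List[Tuple[Firewall, Optional[str]]], pkt: Packet) -> Optional[Packet]:
    """Push pkt through (firewall, iface-toward-next-box) pairs; None = lost.
    A packet that leaves a box on an interface not facing the next box is
    misrouted (e.g. sent to the Internet) and counts as lost."""
    for fw, link in chain:
        res = fw.forward(pkt)
        if res is None:
            return None
        pkt, egress = res
        if link is not None and egress != link:
            return None
    return pkt


# --- constructed topology (assumption, not the poster's network) -----------
INTRANET = Net("10.10.0.0/16")               # LAN behind the USG
TRANSIT = Net("172.16.45.0/24")              # VLAN45 between USG wan1 and ISP fw
DMZ = Net("192.168.50.0/24")                 # DMZ VLAN on the ISP firewall
CLIENT, DMZ_HOST, INTERNET_HOST = "10.10.1.25", "192.168.50.10", "203.0.113.5"


def build(usg_snat: bool, isp_return_route: bool) -> Tuple[Firewall, Firewall]:
    usg = Firewall("usg", [Route(INTRANET, "lan1"), Route(TRANSIT, "wan1"),
                           Route(Net("0.0.0.0/0"), "wan1")],
                   {"wan1"}, IPv4("172.16.45.2"), usg_snat)
    isp_routes = [Route(TRANSIT, "vlan45"), Route(DMZ, "dmz"),
                  Route(Net("0.0.0.0/0"), "wan")]
    if isp_return_route:                     # the "routing set" on the second box
        isp_routes.append(Route(INTRANET, "vlan45"))
    isp = Firewall("isp", isp_routes, {"wan"}, IPv4("198.51.100.1"), True)
    return usg, isp


def scenario(usg_snat: bool, isp_return_route: bool, dst: str) -> dict:
    """Client -> dst and the reply back; reports what the far end saw."""
    usg, isp = build(usg_snat, isp_return_route)
    fwd = trace([(usg, "wan1"), (isp, None)], Packet(IPv4(CLIENT), IPv4(dst)))
    if fwd is None:
        return {"seen_src": None, "nat_hops": None, "reply_ok": False}
    back = trace([(isp, "vlan45"), (usg, None)], Packet(fwd.dst, fwd.src))
    return {"seen_src": str(fwd.src), "nat_hops": fwd.nat_hops,
            "reply_ok": back is not None and back.dst == IPv4(CLIENT)}


if __name__ == "__main__":
    for args in [(True, False, DMZ_HOST), (False, False, DMZ_HOST),
                 (False, True, DMZ_HOST), (True, True, INTERNET_HOST)]:
        print(args, scenario(*args))
```

Three things fall out of running it. With default SNAT left on, every intranet client reaches the DMZ as the USG's transit address, so per-client rules and logs on the DMZ side are impossible, and Internet-bound traffic is rewritten twice (the "double SNAT" Christian wants to avoid). With SNAT off, the DMZ host sees the real client address, but only if the ISP firewall carries a route for the intranet prefix back towards VLAN45; without it the reply follows the ISP firewall's default route and is lost. Note that SNAT hides exactly that missing route, which is why switching it off can surface routing gaps that never showed before.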
