ZYWALL USG placed between intranet and DMZ
Anyone here who has experience and issues if the USG is running as intranet<->DMZ firewall in a two-stage security area?
Thanks in advance
Accepted Solution
Hi @Zyxel_Emily
The USG is moved, SNAT is turned off and the content filter is based on the "as is" configuration.
The USG WAN link is connected to the ISP firewall right now, where the DMZ VLANs are configured and in operation. If it's ok from your side, I'll send you the new topology in a PM.
Regards
Christian
All Replies
Hi @ChristianG
I do not agree that changing the role of any network device could cause what you suffered.
I would focus the analysis on the "bad firmware" messages.
It looks like a file (or even a file system) corruption during the configuration, or another hardware failure or software bug.
Review all configuration logs, trying to identify other warning or error logs.
I hope you can rebuild your configuration.
Good luck
Hi @ChristianG,
To analyze why the USG reboots with the message "bad-firmware", please go to MAINTENANCE > Diagnostics > Diagnostics > Collect and click "Collect Now" to collect the diagnostic file, and send the file to us.
There may be some clues to the issue.
Hi @Alfonso and @Zyxel_Emily,
The move from the ISP to the DMZ position is not only based on a bad config/backup after a lot of changes. The reported "side effect" (bad firmware / configuration with a rollback) is one of the new effects with firmware 4.30. I've done the changes step-by-step again with backup (download the config) and reboot tests (one reboot takes about 12-15 minutes). Before the crash, I copied the startup-config on the USG to have a way back. Can you trust a device that is sporadically (3-7 day cycle) unavailable from the extranet, and telephony is also offline, until a power-cycle brings the device up again? That was a good three to four months of "Russian roulette" (online/offline).
This status, in my case, takes a lot of investigation / analysis topics to serve the required information to the RD. Firmware 4.25-P1 was the last good version. With 4.30 the "rocky-horror-zyxel-show" was placed, and it can't be a solution to reconfigure the whole device with about 170 rules and all the configured layer 7 parts anew.
I got a lot of ITS versions 4.30/4.31 and 4.32 that do not fix the issue.
With the first debug version from ZYXEL the device was completely offline (soft endless reboot cycle by the ZYXEL firmware). I currently have the debug firmware
V4.32(AAKZ.0)ITS-WK35-2018-10-02-180500318D / 2018-10-02 16:39:59
installed and hope that the changes of this version will be placed in the upcoming release. The FW 4.3x issues are stored in my capture "lost changes" in the book "v 4.30 known collateral damage@USG". Can you serve the "best practice" to configure the USG at the intranet<-->DMZ zone, and what can be deleted after the move from the ISP to the DMZ zone, please?
Thanks and best regards
Christian
Note: My first ZyXEL device was a U1496
Hi @ChristianG,
If you move USG to DMZ zone in another firewall, you can configure UTM/firewall rule/NAT/ADP/Controller based on your requirement.
If the firewall placed ahead of USG has the same function such as UTM/Controller, turn the functions off on USG.
Maybe you can share the topology or scenario with us and we will advise you what functions can be disabled on USG.
Hi @ChristianG
Since you have an ISP firewall, ADP and IDP are not necessary.
You can use the Firewall to manage traffic (e.g. from LAN VLAN to WAN).
In your topology, the USG60W WAN interface is on VLAN45, and if you want to disable SNAT, you can refer to the following step.
(Configuration -> Network -> Interface -> Trunk -> Show Advanced Settings -> Enable Default SNAT -> Uncheck)
@Zyxel_Chris_H
SNAT is disabled to route all required RFC1918 IPs by routing sets on both devices. I would avoid "double-SNAT" in the infrastructure.
VLAN45 is attached/configured at the ISP firewall, and routing is set up on the firewalls to get connected from the intranet to the DMZ zone.
Thanks for the reminder to disable IDP on the USG - this is an open topic.
Regards
Christian
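The "SNAT off, route instead" design discussed in the last two posts has one failure mode worth checking before going live: once Default SNAT is unchecked on the USG, DMZ-bound packets keep their real intranet source address, so the upstream ISP firewall must hold a return route for every intranet prefix that points back at the USG WAN address on VLAN45; any prefix it lacks is answered via its default route and the session silently breaks. The script below is an added example, not code from the thread or from Zyxel; it models both firewalls' static route tables in a constructed "prefix via next-hop" notation and reports missing return routes, wrong forward routes and any non-RFC1918 prefixes. VLAN45 is the link named in the thread, but all addresses and subnets are made up.

```python
"""
Added example (not from the thread): audit the 'Default SNAT off, static
routes on both firewalls' design for an intranet <-> DMZ two-stage setup.
All route tables and addresses below are constructed sample data.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(text):
    """Parse 'prefix via next-hop' lines (a constructed notation, not a
    vendor format) into a list of (network, next_hop) tuples. Blank lines
    and lines starting with '#' are ignored."""
    routes = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefix, via, nexthop = line.split()
        if via != "via":
            raise ValueError(f"bad route line: {raw!r}")
        routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(nexthop)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for a destination address; returns the next hop,
    or None when no route (not even a default) covers it."""
    best = None
    for net, nexthop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def is_rfc1918(net):
    """True when the whole prefix lies inside one of the RFC1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)


def audit_no_snat_design(usg_routes, isp_routes, intranet_nets, dmz_nets, usg_wan_ip, isp_vlan_ip):
    """Return findings for the design: with SNAT off, every intranet prefix
    needs a return route on the ISP firewall toward the USG WAN address, and
    every DMZ prefix needs a forward route on the USG toward the ISP firewall."""
    usg_wan_ip = ipaddress.ip_address(usg_wan_ip)
    isp_vlan_ip = ipaddress.ip_address(isp_vlan_ip)
    findings = {"missing_return_routes": [], "wrong_forward_routes": [], "non_private": []}
    for net in intranet_nets + dmz_nets:
        if not is_rfc1918(net):
            findings["non_private"].append(str(net))
    for dmz in dmz_nets:
        # Forward path: the USG must hand DMZ traffic to the ISP firewall on VLAN45.
        probe = next(dmz.hosts())
        if lookup(usg_routes, probe) != isp_vlan_ip:
            findings["wrong_forward_routes"].append(str(dmz))
    for inet in intranet_nets:
        # Return path: the un-NATed intranet source must be routed back to the
        # USG WAN address, not to the ISP firewall's default route.
        probe = next(inet.hosts())
        if lookup(isp_routes, probe) != usg_wan_ip:
            findings["missing_return_routes"].append(str(inet))
    return findings


def source_seen_by_dmz(client_ip, usg_wan_ip, snat_enabled):
    """Source address a DMZ host (and its logs) sees for an intranet client:
    with SNAT on, every client collapses to the USG WAN address."""
    return ipaddress.ip_address(usg_wan_ip if snat_enabled else client_ip)


# Constructed sample tables; 10.45.0.1 is the ISP firewall and 10.45.0.2 the
# USG WAN address on VLAN45 in this example.
USG_ROUTES = parse_routes("""
# DMZ subnet lives behind the ISP firewall on VLAN45
172.16.80.0/24 via 10.45.0.1
0.0.0.0/0 via 10.45.0.1
""")
ISP_ROUTES = parse_routes("""
# return routes toward the USG WAN address on VLAN45
10.10.0.0/24 via 10.45.0.2
10.20.0.0/24 via 10.45.0.2
# 192.168.50.0/24 was forgotten: its replies would follow the default route
0.0.0.0/0 via 203.0.113.1
""")
INTRANET = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "10.20.0.0/24", "192.168.50.0/24")]
DMZ = [ipaddress.ip_network("172.16.80.0/24")]


def run_sample_audit():
    """Run the audit over the constructed tables above."""
    return audit_no_snat_design(USG_ROUTES, ISP_ROUTES, INTRANET, DMZ, "10.45.0.2", "10.45.0.1")


if __name__ == "__main__":
    for key, value in run_sample_audit().items():
        print(f"{key}: {value}")
    print("DMZ sees client as:", source_seen_by_dmz("10.10.0.7", "10.45.0.2", snat_enabled=False))
```

Run against the sample tables, the audit flags 192.168.50.0/24 as lacking a return route on the ISP firewall while the DMZ forward route checks out. The `source_seen_by_dmz` helper makes the operational point behind avoiding double SNAT explicit: with SNAT off, DMZ host logs and the ISP firewall's rules see the real intranet client address, which is what makes per-source firewall rules and incident investigation on the DMZ side possible.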