On boot up bridge traffic being allowed without control policy
USG FLEX 200HV1.21(ABWV.0)ITS-24WK35-0813-240800592
So on boot up, bridge traffic is fully allowed before the control policy gets applied some seconds later, about 1 minute and 40 seconds later…
Accepted Solution
Hi @PeterUK,
We have identified the issue and will address it in the next official firmware release.
Judy
All Replies
Hi @PeterUK,
Are you referring to the bridge interface br0, with members ge1 and DMZ?
To assist you more effectively, could you please provide a screenshot of the control policy you believe is responsible for monitoring the bridge traffic?
Judy
Yes, ge1 and DMZ. The rules don't apply on bootup, and incoming traffic from the internet comes through the bridge until the rules apply themselves.
Note: TESTALLOWOUT and TESTALLOWIN are disabled on boot; they are there for troubleshooting.
Hi @PeterUK,
We'd like to clarify the issue, so please share with us:
- Please provide a screenshot or name of the control policy you believe is responsible for monitoring the bridge traffic
- Do you expect that the traffic from ge1 to DMZ should be blocked at the beginning of booting up, then become allowed after the security policy is applied?
- How did you test and observe this problem?
Judy
Hi Judy,
Maybe you misunderstood. I'm not sure what 1 is about. As for 2, yes, I expect that the traffic from ge1 to DMZ should be blocked at the beginning of booting up, but on the FLEX200H it's not blocked on bootup: there are no rules from ge1 (WAN1) to DMZ for TCP, yet I have someone doing a DoS SYN flood, and on boot up this flows through; then, about 1 minute and 40 seconds later, the FLEX200H blocks the traffic.
Note: the PC on the DMZ is connected by a switch to the FLEX200H so that the link does not go down and the IP of the PC stays up when the FLEX200H boots up.
Note: this is without DoS Prevention enabled.
After a reboot, in testing, if the DoS flood is constant from a given fixed source and destination, the FLEX200H, still long after boot up, is still allowing the traffic even when the logs show it as blocked.
Workaround: go to traffic statistic > session monitor and click clear all sessions.
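Added example, not code from the thread or from Zyxel: a small Python audit over a constructed, simplified session log. It measures the window between the interfaces coming up and the control policy being applied, and lists WAN-to-DMZ sessions opened inside that window that were never closed, which is the condition the clear-all-sessions workaround above addresses. The log line format, the interface names ge1/dmz and the addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log (not real Zyxel output): interfaces come up at boot,
# the control policy is applied 1m40s later, and one WAN->DMZ session opened
# in that gap is still listed afterwards.
SAMPLE_LOG = """\
00:00:00 boot interfaces_up
00:00:12 session new src=203.0.113.5:40001 dst=192.0.2.10:443 in=ge1 out=dmz
00:00:30 session new src=203.0.113.5:40002 dst=192.0.2.10:443 in=ge1 out=dmz
00:01:05 session close src=203.0.113.5:40002 dst=192.0.2.10:443 in=ge1 out=dmz
00:01:40 policy applied
00:02:05 session deny src=203.0.113.5:40003 dst=192.0.2.10:443 in=ge1 out=dmz
00:05:00 session active src=203.0.113.5:40001 dst=192.0.2.10:443 in=ge1 out=dmz
"""

# Assumed line layout: "HH:MM:SS <kind> <action> [key=value ...]"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\w+) (\w+)(?: (.*))?$")

def parse_log(text):
    """Return a list of (time, kind, action, fields) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, kind, action, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in (rest or "").split())
        events.append((datetime.strptime(ts, "%H:%M:%S"), kind, action, fields))
    return events

def session_key(f):
    return f"{f['src']}->{f['dst']}"

def audit_boot_gap(events):
    """Find the boot-to-policy window and the ge1->dmz sessions opened inside
    it that have no close event, i.e. entries that would stay in the session
    table until they are cleared."""
    boot = next(t for t, k, _, _ in events if k == "boot")
    policy = next(t for t, k, a, _ in events if k == "policy" and a == "applied")
    opened_in_gap = {session_key(f) for t, k, a, f in events
                     if k == "session" and a == "new" and boot <= t < policy
                     and f.get("in") == "ge1" and f.get("out") == "dmz"}
    closed = {session_key(f) for _, k, a, f in events
              if k == "session" and a == "close"}
    return {"gap_seconds": int((policy - boot).total_seconds()),
            "opened_in_gap": sorted(opened_in_gap),
            "lingering": sorted(opened_in_gap - closed)}
```

Running `audit_boot_gap(parse_log(SAMPLE_LOG))` on the sample reports a 100-second gap and one lingering session; a non-empty `lingering` list after the policy is in force is the signal to clear sessions.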
Hi @PeterUK,
Regarding point 1, we'd like to know if you have any specific policy configured for the Bridge interface (GE1 + DMZ).
"doing a DoS of SYN flood and on boot up this flows through then about 1 minute and 40 seconds later the FLEX200H blocks the traffic."
Do you expect traffic from GE1 to DMZ to be blocked in the beginning of booting, and after 1 minute and 40 seconds, the FLEX200H will allow traffic between GE1 and DMZ?
To assist you better, please share detailed information and any screenshots you believe would be helpful for our investigation.
Judy
There are no rules to allow incoming TCP from ge1 to DMZ on the FLEX200H.
You should be able to test this on your end with a TCP SYN flood to the FLEX200H.
On reboot, traffic is blocked because it's getting ready; then the interfaces go up and a load of TCP SYN go out the DMZ even when there are no rules to allow it, as the system is still booting; then, most of the time, the system applies the default block rule.
@PeterUK, on behalf of us customers, thanks for all your help on improving the FLEX H series. I am monitoring this forum and we hope that we can transition to these devices in the near future. Thanks to your effort in finding all bugs for ZyXEL to (hopefully) fix and thus making it a reliable device.
Thanks. Yes, I do look forward to the next firewall models with 10Gb ports in the future with this uOS. Sadly, real DMZ type 1 may never work, but type 2.1 with the right switch setup works just like type 1 did.
Still lots of stuff to look out for in upcoming testing.