On boot up bridge traffic being allowed without control policy

PeterUK

USG FLEX 200HV1.21(ABWV.0)ITS-24WK35-0813-240800592

So on boot up bridge traffic is fully allowed before control policy gets applied some seconds later about 1 minute and 40 seconds later…

Zyxel_Judy

HI @PeterUK ,

Are you referring to the bridge interface br0, with members ge1 and DMZ?

To assist you more effectively, could you please provide a screenshot of the control policy you believe is responsible for monitoring the bridge traffic?

PeterUK

Yes ge1 and DMZ the rules don't apply on bootup and incoming traffic from internet comes through the bridge until the rule apply themselves .

note TESTALLOWOUT and TESTALLOWIN are disabled on boot they are there for troubleshooting

Zyxel_Judy

HI @PeterUK ,

We'd like to clarify the issue, so please share with us:

1. Please provide a screenshot or name of the control policy you believe is responsible for monitoring the bridge traffic
2. Do you expect that the traffic from ge1 to DMZ should be blocked in the beginning of booting up, then becomes allowed after the security policy being applied?
3. How did you test and observe this problem?

PeterUK

Hi Judy

Maybe you misunderstood I'm not sure what 1 is about as for 2 yes expect that the traffic from ge1 to DMZ should be blocked in the beginning of booting up as in its not on the FLEX200H its not blocked on bootup like there are no rules from Ge1 (WAN1) to DMZ for TCP yet I have someone doing a DoS of SYN flood and on boot up this flows through then about 1 minute and 40 seconds later the FLEX200H blocks the traffic.

Note the PC on the DMZ is connected by a switch to the FLEX200H so that the link does not go down and the IP of the PC stays up when FLEX200H boots up

PeterUK

Note this is without DoS Prevention enabled

After a reboot in testing if the DoS flood is constant from a given fixed source and destination the FLEX200H still long after boot up is still allowing traffic even when logs show as blocked.

Workaround go to traffic statistic > session monitor click clear all sessions

Zyxel_Judy

Hi @PeterUK ,

Regarding point 1, we'd like to know if you have any specific policy configured for the Bridge interface (GE1 + DMZ).

doing a DoS of SYN flood and on boot up this flows through then about 1 minute and 40 seconds later the FLEX200H blocks the traffic.

Do you expect traffic from GE1 to DMZ to be blocked in the beginning of booting, and after 1 minute and 40 seconds, the FLEX200H will allow traffic between GE1 and DMZ?

To assist you better, please share detailed information and any screenshots you believe would be helpful for our investigation.

PeterUK

Their are no rules to allow incoming TCP from ge1 to DMZ on the FLEX200H

You should be able to test this your end by a SYN TCP flood to the FLEX200H

on reboot traffic is blocked because its getting ready then interfaces go up and a load of TCP SYN go out DMZ even when there are no rules to allow as the system is still booting then most of the time the system then applies the default block rule.

Zyxel_Judy

Hi @PeterUK ,

We have identified the issue and will address it in the next official firmware release.

MarkoD

https://community.zyxel.com/en/discussion/comment/69879#Comment_69879

@PeterUK, on behalf of us customers, thanks for all your help on improving the FLEX H series. I am monitoring this forum and we hope that we can transition to these devices in the near future. Thanks to your effort in finding all bugs for ZyXEL to (hopefully) fix and thus making it a reliable device.

PeterUK

https://community.zyxel.com/en/discussion/comment/70542#Comment_70542

Thanks Yes I do look forward to the next firewall models with 10Gb ports in the future with this uOS sadly real DMZ type 1 may never work but type 2.1 with the right switch setup works just like type 1 did.

Still lots of stuff to look out for in upcoming testing.