On boot up bridge traffic being allowed without control policy

PeterUK
PeterUK Posts: 3,326  Guru Member
edited September 15 in USG FLEX H Series

USG FLEX 200HV1.21(ABWV.0)ITS-24WK35-0813-240800592

So on boot up, bridge traffic is fully allowed before the control policy gets applied some seconds later (about 1 minute and 40 seconds later)…

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,497  Zyxel Employee

    Hi @PeterUK,

    Are you referring to the bridge interface br0, with members ge1 and DMZ?

    To assist you more effectively, could you please provide a screenshot of the control policy you believe is responsible for monitoring the bridge traffic?

    Engage in the Community, become an MVP, and win exclusive prizes!

    https://bit.ly/Community_MVP

  • PeterUK
    PeterUK Posts: 3,326  Guru Member

    Yes, ge1 and DMZ. The rules don't apply on bootup, and incoming traffic from the internet comes through the bridge until the rules apply themselves.

    Note: TESTALLOWOUT and TESTALLOWIN are disabled on boot; they are there for troubleshooting.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,497  Zyxel Employee

    Hi @PeterUK,

    We'd like to clarify the issue, so please share with us:

    1. Please provide a screenshot or the name of the control policy you believe is responsible for monitoring the bridge traffic.
    2. Do you expect that the traffic from ge1 to DMZ should be blocked at the beginning of booting up, then become allowed after the security policy is applied?
    3. How did you test and observe this problem?

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    edited September 23

    Hi Judy

    Maybe you misunderstood. I'm not sure what 1 is about. As for 2, yes, I expect that the traffic from ge1 to DMZ should be blocked at the beginning of booting up, as in it's not: on the FLEX200H it's not blocked on bootup. There are no rules from ge1 (WAN1) to DMZ for TCP, yet I have someone doing a DoS SYN flood, and on boot up this flows through; then about 1 minute and 40 seconds later the FLEX200H blocks the traffic.

    Note: the PC on the DMZ is connected by a switch to the FLEX200H so that the link does not go down and the IP of the PC stays up when the FLEX200H boots up.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    edited September 23

    Note this is without DoS Prevention enabled.

    After a reboot in testing, if the DoS flood is constant from a given fixed source and destination, the FLEX200H, long after boot up, is still allowing the traffic even when the logs show it as blocked.

    Workaround: go to traffic statistic > session monitor and click clear all sessions.
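The failure mode PeterUK describes, as a constructed Python model added here (not Zyxel's code): a stateful bridge firewall whose fast path matches existing sessions before any policy lookup, so a session created while no policy was loaded keeps passing traffic after the policy applies, until the session table is cleared. Zone names follow the thread; addresses are made up, and the `revalidate` flag is an assumed fail-safe fix that purges sessions the freshly loaded policy would deny.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Flow:
    src_zone: str   # "ge1" (WAN1) or "DMZ", the thread's bridge members
    src: str        # constructed source address
    dport: int

class BridgeFirewall:
    """Stateful model: a packet matching an existing session skips policy."""
    def __init__(self):
        self.policy_loaded = False   # no rules yet: the boot-time window
        self.sessions = set()
        self.log = []

    def policy_allows(self, flow: Flow) -> bool:
        # Thread's setup: no rule permits inbound TCP from ge1 to DMZ, so the
        # default rule blocks it; everything else is allowed in this model.
        return flow.src_zone != "ge1"

    def handle(self, flow: Flow) -> str:
        if flow in self.sessions:            # fast path, no policy check
            return "forward"
        if not self.policy_loaded:           # gap: session created unchecked
            self.sessions.add(flow)
            return "forward"
        if self.policy_allows(flow):
            self.sessions.add(flow)
            return "forward"
        self.log.append(f"blocked {flow.src}:{flow.dport}")
        return "drop"

    def load_policy(self, revalidate: bool = False) -> None:
        self.policy_loaded = True
        if revalidate:   # assumed fail-safe fix: purge sessions policy denies
            self.sessions = {f for f in self.sessions if self.policy_allows(f)}

    def clear_all_sessions(self) -> None:    # the thread's workaround
        self.sessions.clear()

def demo(revalidate: bool = False) -> list[str]:
    syn = Flow("ge1", "203.0.113.10", 443)   # constructed flood source
    fw = BridgeFirewall()
    out = [fw.handle(syn)]                   # during boot: forwarded
    fw.load_policy(revalidate)
    out.append(fw.handle(syn))               # still forwarded unless revalidated
    out.append(fw.handle(Flow("ge1", "203.0.113.11", 443)))  # new flow: blocked
    fw.clear_all_sessions()
    out.append(fw.handle(syn))               # only now hits the default block
    return out
```

Note that a new flow from a different source is logged as blocked while the pre-policy session still passes, which matches the "logs show blocked but traffic flows" observation.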

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,497  Zyxel Employee

    Hi @PeterUK,

    Regarding point 1, we'd like to know if you have any specific policy configured for the Bridge interface (GE1 + DMZ).

    doing a DoS of SYN flood and on boot up this flows through then about 1 minute and 40 seconds later the FLEX200H blocks the traffic.

    Do you expect traffic from GE1 to DMZ to be blocked in the beginning of booting, and after 1 minute and 40 seconds, the FLEX200H will allow traffic between GE1 and DMZ?

    To assist you better, please share detailed information and any screenshots you believe would be helpful for our investigation.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member

    There are no rules to allow incoming TCP from ge1 to DMZ on the FLEX200H.

    You should be able to test this at your end by a SYN TCP flood to the FLEX200H.

    On reboot traffic is blocked because it's getting ready; then interfaces go up and a load of TCP SYNs go out the DMZ even when there are no rules to allow them, as the system is still booting; then most of the time the system applies the default block rule.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,497  Zyxel Employee

    Hi @PeterUK,

    We have identified the issue and will address it in the next official firmware release.

  • MarkoD
    MarkoD Posts: 56  Ally Member
    edited October 14

    @PeterUK, on behalf of us customers, thanks for all your help on improving the FLEX H series. I am monitoring this forum and we hope that we can transition to these devices in the near future. Thanks to your effort in finding all bugs for ZyXEL to (hopefully) fix and thus making it a reliable device.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member

    Thanks. Yes, I do look forward to the next firewall models with 10Gb ports in the future with this uOS. Sadly real DMZ type 1 may never work, but type 2.1 with the right switch setup works just like type 1 did.

    Still lots of stuff to look out for in upcoming testing.