USG FLEX 200HP - FTP open and exposed on WAN by default, it's a bug?

Sandro_ACP

Yesterday I received a lot of warnings from my 200HP:

Model Name:	USG FLEX 200HP
Host Name:	usgflex200hp
Event:	Admin Login Fail
Date/Time:	2025-09-21 18:29:16 +02:00
Account:	admin
Source:	5.56.9.84
Location:	Italy
Destioation:	xxx.xxx.xxx.xxx
Message:	Failed login attempt to Device from ftp (incorrect password or inexistent username)Account: admin

I did search if there was a rule for the FTP service of the 200HP, nothing, I tested the 21 TCP port on WAN side…answer, not good

Now there is a security rule that is a deny on the 21 TCP port from WAN, but if a port is not allowed by default why it is open? Bug? My firewall has the latest firmware and was born almost a year ago…

PeterUK

I tested port 21 on GRC the SYN looks blocked here to USG when taking my FTP server offline to test to USG.

Is this over PPPoE?

I don't use any of the default rules but LAN to ZyWALL so maybe test disabling rules.

Their was one case back in beta that a rule allowed DNS to Zyxel that should not I think be allowed by a given odd rule to do with content filtering I think? so test to see if DNS to USG is allowed too.

Found my old post it was a WAN to WAN rule

Zyxel_Tina

Hi @Sandro_ACP,

We have performed a test on our side, and by default the WAN_to_Device policy does not allow FTP. On our device (FLEX 100H), FTP traffic from WAN was successfully blocked.

In your case, we suggest reviewing the security policy rules on your firewall. Please check if there is any rule allowing FTP service from WAN to ZyWall/Device, especially if such a rule is placed before the default WAN_to_ZyWall/Device policy. If the traffic matches an earlier “allow” rule for FTP, it could explain why you are seeing warnings like “Failed login attempt to Device from ftp (incorrect password or inexistent username)”.