SSH Public key in ZyXEL FLEX Series
I want some users to be able to temporarily disable firewall rules through CLI commands sent by PuTTY. This works with a batch file where I send the password in plaintext. This is not safe enough, so I want to put a public SSH key in the firewall so they don't need the password. With switches it is possible, but I don't see it in the firewalls?
All Replies
Hi @nielsscheldeman,
To address your requirement for securely disabling firewall rules via CLI commands using SSH public key authentication on your Zyxel FLEX series firewall, please consider the following:
Initial Solution:
While Zyxel switches, particularly the NebulaFlex Switch GS1350 Series with firmware V4.90 and later, support SSH public key authentication, information regarding this feature for Zyxel FLEX series firewalls is not explicitly available in the search results.
However, you can still send CLI commands to your USG FLEX series device via SSH using PuTTY, as confirmed by Zyxel community discussions. This typically involves using a text file with your CLI commands and running PuTTY Link (plink) with your password.
To ensure a higher level of security while using password-based authentication for temporary firewall rule changes, we recommend the following best practices:
- Restrict SSH Access: Limit SSH access to trusted hosts or geolocations only.
- Use Two-Factor Authentication (2FA): Zyxel firewalls support 2FA for administrative access, which can be configured for SSH logins. This adds an extra layer of security by requiring a verification code in addition to the password.
- Change Default Passwords: Ensure that default passwords are changed for all administrative accounts.
- Monitor User Accounts: Continuously monitor user accounts for suspicious activity and remove unused or unauthorized accounts.
- Consider Schedule Objects for Rules: Instead of manually disabling/enabling rules with scripts, you might be able to use schedule objects within the firewall's security policy to automate the enabling and disabling of internet access at specific times, if that meets your requirements.
To disable a security policy rule via CLI, you would typically:
1. Log in to your firewall via SSH/Console.
2. Use the command "show running-config" to identify the security policy.
3. Enter "configure terminal" to enter configuration mode.
4. Enter the security policy to enter editor mode.
5. Use the command "no activate" to disable the policy.
6. Exit configuration mode and use "write" to save changes.
Information Collection Guide:
To assist you further, please provide the following details:
- Device Model: The specific model of your Zyxel FLEX series firewall (e.g., USG FLEX 100, USG FLEX 200).
- Firmware Version: The current firmware version running on your FLEX series firewall.
- Screenshot of Error/Attempt: If you have attempted to configure SSH public key authentication and encountered any messages or issues, please provide screenshots.
- Network Topology: A brief description or diagram of your network setup.
This AI response aims to provide initial troubleshooting steps and identify information needed for further diagnosis. Feel free to share additional details based on the suggestions above — this will help community members offer more targeted assistance.
If you have feedback or ideas about this AI assistant, share them in Community Feedback.
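As an added example that is not part of the thread or of Zyxel's own tooling: a small Python wrapper that scripts the reply's CLI steps through plink while keeping the password out of the batch file and pinning the firewall's SSH host key. The `secure-policy <N>` rule-editor command and the `-pwfile` option (PuTTY 0.77 and later) are assumptions; check them against your firmware's `show running-config` and your plink version.

```python
"""Run the CLI steps from the reply above through plink without keeping a
plaintext password in the batch file. Added example, not from the thread.
Assumed: `secure-policy <N>` selects the rule (verify with `show running-config`)
and the installed PuTTY supports -pwfile (0.77+) and -hostkey."""
import getpass
import os
import subprocess
import tempfile
from typing import List

def validate_rule(rule) -> int:
    """Accept only a positive integer rule index; anything else could become
    an unintended CLI line in the command file."""
    text = str(rule).strip()
    if not text.isdigit() or int(text) < 1:
        raise ValueError(f"rule must be a positive integer, got {rule!r}")
    return int(text)

def build_commands(rule, activate: bool) -> List[str]:
    """Steps 3 to 6 of the reply, as the lines plink -m will send."""
    n = validate_rule(rule)
    return [
        "configure terminal",
        f"secure-policy {n}",  # assumed rule-editor command
        "activate" if activate else "no activate",
        "exit",   # leave the rule editor
        "exit",   # leave configuration mode
        "write",  # persist the change
    ]

def build_plink_argv(host, user, hostkey, cmdfile, pwfile) -> List[str]:
    """-batch refuses interactive prompts; -hostkey pins the firewall's SSH
    fingerprint so a spoofed host cannot harvest the password."""
    return ["plink", "-ssh", "-batch", "-hostkey", hostkey,
            "-pwfile", pwfile, "-m", cmdfile, f"{user}@{host}"]

def run(host, user, hostkey, rule, activate=False) -> int:
    """Password comes from the FW_PASSWORD variable or a prompt, never argv."""
    password = os.environ.get("FW_PASSWORD") or getpass.getpass("Firewall password: ")
    with tempfile.TemporaryDirectory() as d:
        cmdfile, pwfile = os.path.join(d, "cmds.txt"), os.path.join(d, "pw.txt")
        with open(cmdfile, "w") as f:
            f.write("\n".join(build_commands(rule, activate)) + "\n")
        with os.fdopen(os.open(pwfile, os.O_WRONLY | os.O_CREAT, 0o600), "w") as f:
            f.write(password + "\n")  # owner-only file, removed with the directory
        return subprocess.run(build_plink_argv(host, user, hostkey, cmdfile, pwfile)).returncode
```

Pair this with the IP restriction on SSH access from the reply, so the wrapper can only ever reach the firewall from the operators' hosts.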
Hello, thank you.
Since it is not possible I will indeed restrict SSH Access from certain IP-Addresses.
Monitoring user accounts also seems fair, but can I automatically get an email when an admin user logs in, like in Nebula?
Yes, this feature is currently supported only by the switch. As a workaround, you can have a shared admin for the operators to create their admin account/password, and disable this shared admin after the account is created.
Zyxel Melen