USG60: FQDN-based rules stop working and can't reboot via WebIF (need to unplug power)
Hi to all,
In my USG60, runni V4.35(AAKY.3), I've defined a set of IMAP FQDN objects (e.g. imap.tim.it), grouped together, and associated to IMAP TCP services in an inbound Security Policy. Same goes for SMTP outbound.
It's been some time now (several months and a few fw releases I think) that I'm experiencing an annoying problem. Every now and then (today it's 16 days uptime) I notice my email client's connections stop working. No way to unblock them unless I reboot the router. So I connect to the web if and reboot from there. Unfortunately, the boot sequence gets stuck somewhere, forcing me to physically reach the firewall and unplug/replug the power, in which case it then boots fine. The problem is the firewall is not close, it's 4 storeys below from my work desk. It's getting annoying. And moreover I don't like unplug the power by the way.
So I have two apparently unrelated problems but that join together to mess things up.
Is there any procedure I can carry out to find out what's the origin of at least one of the two problems ? E.g. is there something I can do to unblock my FQDN IMAP/SMTP connections without rebooting the firewall ?
Thanks in advance
Peppe
All Replies
-
Hi @sirivanhoe
Can you collect diagnose info file when the email client's connections stop working and send us the file via private message?
Here is the step to collect diagnose info
Go to Maintenance > Diagnostic > Diagnostics > Collect > click Collect now
It will take 5~10 minutes to collect
After done the the collection
Go to Maintenance > Diagnostic > Diagnostics > Files to download the files and private message for us.
Can you connect USG60 with cable console to the PC, and collect the console log before you try to reboot from web console?
1 -
After you have done the collect diagnose if you can access the USG60 you could try selecting the rule of your FQDN and Inactivate it and activate it.
You could also check in monitor >system status> FQDN object to see if the IP's are mapped.
do you have any FQDN like "*.google.com" ?
1 -
Thanks Jerry,
I keep a note for the next (unpredicatable) time it happens. It'd be complex to connect to the console as the firewall is strictly fit within a small rack in my basement, I usually have to disassemble the rack to access the rear of the appliance. Anyway, if circumstances allow for it, I'll give it a look, I'm curious myself.
0 -
Hi Peter,
thanks for your attention as well. I've not tried to inactivate/re-activate the rules indeed (surely I'll do it next time). But I did check the FQDN were translated and they did. As for your other question, I don't have 1st level FQDNs, I rather have imap.google.com and smtp.google.com
0 -
Do you have a group with FQDN's or do you firewall one FQDN at a time?
1 -
Yes I have groups of FQDNs. Legitimate IMAP FQDNs ed SMTP FQDNs for my different email accounts are grouped, with related dedicated TCP services, in two respective groups and two respective security policies (e.g. I don't want anything in my LAN to connect outside to spam the world via an obscure SMTP server).
0 -
How many FQDN in one group do you have as maybe too many might be a issue?
1 -
10 each. I have no idea whether they are too many or an acceptable number. Is there somewhere I can look at for a guideline ?
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 149 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 263 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight