USG60: FQDN-based rules stop working and can't reboot via WebIF (need to unplug power)

sirivanhoe

Hi to all,

In my USG60, runni V4.35(AAKY.3), I've defined a set of IMAP FQDN objects (e.g. imap.tim.it), grouped together, and associated to IMAP TCP services in an inbound Security Policy. Same goes for SMTP outbound.

It's been some time now (several months and a few fw releases I think) that I'm experiencing an annoying problem. Every now and then (today it's 16 days uptime) I notice my email client's connections stop working. No way to unblock them unless I reboot the router. So I connect to the web if and reboot from there. Unfortunately, the boot sequence gets stuck somewhere, forcing me to physically reach the firewall and unplug/replug the power, in which case it then boots fine. The problem is the firewall is not close, it's 4 storeys below from my work desk. It's getting annoying. And moreover I don't like unplug the power by the way.

So I have two apparently unrelated problems but that join together to mess things up.

Is there any procedure I can carry out to find out what's the origin of at least one of the two problems ? E.g. is there something I can do to unblock my FQDN IMAP/SMTP connections without rebooting the firewall ?

Thanks in advance

Peppe

Zyxel_Jerry

Hi @sirivanhoe

Can you collect diagnose info file when the email client's connections stop working and send us the file via private message?

Here is the step to collect diagnose info

Go to Maintenance > Diagnostic > Diagnostics > Collect > click Collect now 

 It will take 5~10 minutes to collect

After done the the collection 

Go to Maintenance > Diagnostic > Diagnostics > Files to download the files and private message for us.

Can you connect USG60 with cable console to the PC, and collect the console log before you try to reboot from web console?

PeterUK

After you have done the collect diagnose if you can access the USG60 you could try selecting the rule of your FQDN and Inactivate it and activate it.

You could also check in monitor >system status> FQDN object to see if the IP's are mapped.

do you have any FQDN like "*.google.com" ?

sirivanhoe

https://businessforum.zyxel.com/discussion/comment/12803#Comment_12803

Thanks Jerry,

I keep a note for the next (unpredicatable) time it happens. It'd be complex to connect to the console as the firewall is strictly fit within a small rack in my basement, I usually have to disassemble the rack to access the rear of the appliance. Anyway, if circumstances allow for it, I'll give it a look, I'm curious myself.

sirivanhoe

https://businessforum.zyxel.com/discussion/comment/12820#Comment_12820

Hi Peter,

thanks for your attention as well. I've not tried to inactivate/re-activate the rules indeed (surely I'll do it next time). But I did check the FQDN were translated and they did. As for your other question, I don't have 1st level FQDNs, I rather have imap.google.com and smtp.google.com

PeterUK

Do you have a group with FQDN's or do you firewall one FQDN at a time?

sirivanhoe

Yes I have groups of FQDNs. Legitimate IMAP FQDNs ed SMTP FQDNs for my different email accounts are grouped, with related dedicated TCP services, in two respective groups and two respective security policies (e.g. I don't want anything in my LAN to connect outside to spam the world via an obscure SMTP server).

PeterUK

How many FQDN in one group do you have as maybe too many might be a issue?

sirivanhoe

10 each. I have no idea whether they are too many or an acceptable number. Is there somewhere I can look at for a guideline ?