USG60: FQDN-based rules stop working and can't reboot via WebIF (need to unplug power)

Options
sirivanhoe
sirivanhoe Posts: 18  Freshman Member
First Anniversary Friend Collector First Comment
edited April 2021 in Security

Hi to all,

In my USG60, runni V4.35(AAKY.3), I've defined a set of IMAP FQDN objects (e.g. imap.tim.it), grouped together, and associated to IMAP TCP services in an inbound Security Policy. Same goes for SMTP outbound.

It's been some time now (several months and a few fw releases I think) that I'm experiencing an annoying problem. Every now and then (today it's 16 days uptime) I notice my email client's connections stop working. No way to unblock them unless I reboot the router. So I connect to the web if and reboot from there. Unfortunately, the boot sequence gets stuck somewhere, forcing me to physically reach the firewall and unplug/replug the power, in which case it then boots fine. The problem is the firewall is not close, it's 4 storeys below from my work desk. It's getting annoying. And moreover I don't like unplug the power by the way.

So I have two apparently unrelated problems but that join together to mess things up.

Is there any procedure I can carry out to find out what's the origin of at least one of the two problems ? E.g. is there something I can do to unblock my FQDN IMAP/SMTP connections without rebooting the firewall ?

Thanks in advance

Peppe

All Replies

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,060  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @sirivanhoe

    Can you collect diagnose info file when the email client's connections stop working and send us the file via private message?

    Here is the step to collect diagnose info

    Go to Maintenance > Diagnostic > Diagnostics > Collect > click Collect now 

     It will take 5~10 minutes to collect

    After done the the collection 

    Go to Maintenance > Diagnostic > Diagnostics > Files to download the files and private message for us.

    Can you connect USG60 with cable console to the PC, and collect the console log before you try to reboot from web console?

  • PeterUK
    PeterUK Posts: 2,709  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    After you have done the collect diagnose if you can access the USG60 you could try selecting the rule of your FQDN and Inactivate it and activate it.

    You could also check in monitor >system status> FQDN object to see if the IP's are mapped.

    do you have any FQDN like "*.google.com" ?

  • sirivanhoe
    sirivanhoe Posts: 18  Freshman Member
    First Anniversary Friend Collector First Comment
    Options

    Thanks Jerry,

    I keep a note for the next (unpredicatable) time it happens. It'd be complex to connect to the console as the firewall is strictly fit within a small rack in my basement, I usually have to disassemble the rack to access the rear of the appliance. Anyway, if circumstances allow for it, I'll give it a look, I'm curious myself.

  • sirivanhoe
    sirivanhoe Posts: 18  Freshman Member
    First Anniversary Friend Collector First Comment
    edited March 2020
    Options

    Hi Peter,


    thanks for your attention as well. I've not tried to inactivate/re-activate the rules indeed (surely I'll do it next time). But I did check the FQDN were translated and they did. As for your other question, I don't have 1st level FQDNs, I rather have imap.google.com and smtp.google.com

  • PeterUK
    PeterUK Posts: 2,709  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Do you have a group with FQDN's or do you firewall one FQDN at a time?

  • sirivanhoe
    sirivanhoe Posts: 18  Freshman Member
    First Anniversary Friend Collector First Comment
    edited March 2020
    Options

    Yes I have groups of FQDNs. Legitimate IMAP FQDNs ed SMTP FQDNs for my different email accounts are grouped, with related dedicated TCP services, in two respective groups and two respective security policies (e.g. I don't want anything in my LAN to connect outside to spam the world via an obscure SMTP server).

  • PeterUK
    PeterUK Posts: 2,709  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    How many FQDN in one group do you have as maybe too many might be a issue?

  • sirivanhoe
    sirivanhoe Posts: 18  Freshman Member
    First Anniversary Friend Collector First Comment
    edited March 2020
    Options

    10 each. I have no idea whether they are too many or an acceptable number. Is there somewhere I can look at for a guideline ?

Security Highlight