Signature Update not going out trunk order

PeterUK Posts: 3,331  Guru Member
edited April 2021 in Security

So testing the USG 40 with IDP/AppPatrol Signature Service with uptime of over a day: when you click update now for IDP/AppPatrol, I can see it trying to get updates by OPT, which will fail. My trunk order is vlan443 1st, then OPT. The Registration Status refresh works fine and goes out vlan443, just not the IDP/AppPatrol update when the USG40 has been up for over a day.


Comments

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee

    Hi @PeterUK  

    You can try to create a customized trunk interface first.


    And apply the customized interface as the default WAN trunk.


    Then system outgoing traffic will go through the VLAN443 which you configured.

  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    edited June 2020
    But I need it to be VLAN443 and OPT

    How about when it fails to get an update by one gateway, it tries the next?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee

    Hi @PeterUK

    You can still add multiple trunk objects on the system.

    For signature update, you can select “VLAN443” as the system trunk.


    For traffic forwarding routing, you can add an additional policy route and set the next hop as the other trunk object.


  • PeterUK
    PeterUK Posts: 3,331  Guru Member

    OK, guess that's good. Still, it would be a good idea to tell the USG what interface it should connect out of. Currently my VLAN443 and OPT trunk is working and updates are going over vlan443; it just seems to fail randomly and only tries to get updates by OPT.


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee

    Hi @PeterUK  

    It’s good to know it helped in your environment. :)

    Device signature update will use “User configured trunk” in default trunk selection.

    So if the OPT interface is one of the members, then there is a chance it leads to failure, since your OPT interface is without an internet connection.

    The best setting is to set up only “VLAN443” in “User configuration trunk”.


  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    edited June 2020

    So if the OPT interface is one of the members, then there is a chance it leads to failure, since your OPT interface is without an internet connection.


    OPT does have internet; it's just the way it's set up. The USG for itself sends traffic and is expecting traffic only on the OPT, whereas a PC, say 192.168.255.193, SNATs out OPT and expects traffic on OPT and/or from the bridge WAN DMZ.

    Thanks   
  • PeterUK
    PeterUK Posts: 3,331  Guru Member

    Just thought I'd update this problem, as there is a fix. This problem also happened for updating Geo IP, and the fix is to make a routing rule for ZyWALL to go out the given next hop.



  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Hi @PeterUK,

    Thank you for sharing that solution.
  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    Update: change source to any
