Default firewall rules

TTpD
TTpD Posts: 6  Freshman Member
First Comment
edited April 2021 in Security
We own a USG20-VPN, firmware version v4.33_ABAQ.0, running as our gateway-firewall-vpn so the wan-nic is directly connected to the "Wild Internet", are the default firewall rules safe enough?

The default firewall ruleset should be reasonably secure out of the box accordingly to: https://www.zyxel.com/tr/tr/guidemo/zyw70/h_Fire_Default_Rule-router.html and accordingly to the list I see: last fw rule is: "from any to any deny and log" which should be "a catch-all" that acts as "WAN to LAN block and log packets". I think we could:
  • add more logging, for monitoring;
  • remove ipsec-vpn-rules since we don't use ipsec, they are present by default;

Do you suggest some additional setup?






All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @TTpD  

    The default rules are for “allow” traffic except the last one.

    It is including:

    (1) From Intranet to Internet traffic

    (2) From Intranet to ZyWALL

    (3) VPN traffic to ZyWALL and Intranet.

    If doesn’t match them, then traffic will deny by the last rule. 

    Of cause you can add From WAN to LAN rule for monitor your network usage.

    But this rule may not catch any traffic if there is no any Port-Forwarding(NAT) rule to forwards traffic from Internet to Intranet.


    If VPN traffic is unnecessary for your network environment, you can disable rule#10.

    It is allowing default ports for VPN traffic from Internet to ZyWALL.


  • TTpD
    TTpD Posts: 6  Freshman Member
    First Comment
    At the moment we are using SSL-VPN, but not L2TP/Ipsec and I was thinking about those unused rules only.

    We are not using Port Forwarding, so this is not a problem while logging everything for wan-to-lan which, by default, is already blocked (except for vpn ports) but only logging dropped packets, deny + log.

    In addition I think logging lan-to-wan could be useful, sometimes, but I don't know how consuming it could be on this device with average-joe-traffic-level: I'd prefer avoid stressing the fw too much or setting up a log server wherever possible.


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @TTpD

    If you would like to monitor interface usage, you can go to Monitor > Port statistics > switch to graphic view.

    It has recorded last 24 hours port usage per physical port.


    And also if you would like to check traffic by IP address, or service port. You can Go to Monitor > Traffic Statistics.

    After enabled “collect” function, it will start to collecting traffic those forwarded by USG.

    You can filter the data by Interface/ Client IP address / Service port.


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @TTpD  

    You can also consider SecuReporter.

    The server can help to analyzing all of the traffic forwarded by USG, and filter network usage by WebSites/Applications/Users/Countries….etc.

    All of traffic data are saved on cloud server, then there without any security concern.


Security Highlight