If firmware upgrading is impossible at this moment, what else can I do to avoid this vulnerability?

Zyxel_Emily  Posts: 741  Zyxel Employee
edited April 8 in FAQ

1. If it is not absolutely necessary to manage devices from the WAN side, you can turn off the FTP/TELNET/SSH/HTTPS/HTTP/SNMPv3 services on the WAN. These services are disabled by default, so you won't have to do this unless you have enabled them in the past.

Go to CONFIGURATION > Security Policy > Policy Control and check the service of the rule "WAN_to_Device".


Go to CONFIGURATION > Object > Service > Service group > Default_Allow_WAN_To_ZyWALL. If the service group "Default_Allow_WAN_To_ZyWALL" contains any of the FTP/TELNET/SSH/HTTPS/HTTP/SNMPv3 services, remove them from the Member list.



2. If you still need to manage devices from the WAN side, please enable Policy Control and add rules to only allow access from trusted source IP addresses. If you cannot gather a list of fixed source IP addresses, you can still conduct remote management through a VPN and then access the device from the LAN directly.

Go to CONFIGURATION > Object > Address/Geo IP > Address and click "Add" to create a trusted IP address object manually. You can add as many trusted IP addresses as you need.


Go to CONFIGURATION > Object > Address/Geo IP > Address Group and click "Add" to create an address group for the trusted IP addresses. Move the trusted address objects to the Member list.


Go to CONFIGURATION > Security Policy > Policy Control and edit the rule "WAN_to_Device".


The original Source setting is any. Select the newly created address group “Trusted_IPs” as the Source.



Go to CONFIGURATION > Security Policy > Policy Control and make sure "Enable Policy Control" is enabled.


3. Enable Policy Control on the LAN side and add rules to only allow trusted IP addresses for better protection.

Go to CONFIGURATION > Object > Address/Geo IP > Address and click "Add" to create a trusted LAN IP address object manually. You can add as many trusted LAN IP addresses as you need.


Go to CONFIGURATION > Object > Address/Geo IP > Address Group and click "Add" to create an address group for the trusted LAN IP addresses. Move the trusted address objects to the Member list.


Go to CONFIGURATION > Security Policy > Policy Control and edit the rule "LAN1_to_Device".

The original Source setting is any. Select the newly created address group “Trusted_LAN_Group” as the Source.



Follow the same steps to edit the rule "LAN2_to_Device".
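After applying step 1 (or steps 2 and 3) it is worth confirming from the outside that the management services really no longer answer, rather than trusting the GUI alone. The script below is an added example, not Zyxel's own tooling or anything from the post above: it tries a plain TCP connect to the default port of each service the post names (the port numbers are the IANA defaults and are an assumption; a device configured with non-default management ports needs the table adjusted) and reports which are still reachable. SNMPv3 runs over UDP, where a bare connect proves nothing, so it is reported as not checked instead of being given a false "closed". Run it from a host on the WAN side for the WAN_to_Device rule, and once from a trusted and once from an untrusted address to confirm the address-group restriction of steps 2 and 3. The local-listener helper exists only so the checker can be exercised offline.

```python
"""Check which of the management services named in the post (FTP, TELNET, SSH,
HTTPS, HTTP, SNMPv3) still answer on a device address.

Added example, not Zyxel's code or tooling. Port numbers are the IANA defaults
(assumption); adjust MANAGEMENT_SERVICES if the device uses other ports.
"""
import socket
import sys
from typing import Dict, List, Tuple

# Service -> (protocol, default port). Assumption: the device uses default ports.
MANAGEMENT_SERVICES = {
    "FTP": ("tcp", 21),
    "TELNET": ("tcp", 23),
    "SSH": ("tcp", 22),
    "HTTPS": ("tcp", 443),
    "HTTP": ("tcp", 80),
    "SNMPv3": ("udp", 161),
}


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connect to host:port completes (service reachable).

    Connection refused, a timeout (packet silently dropped by a policy rule) or
    any other socket error all count as "not reachable" from this vantage point.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_management_ports(host: str, timeout: float = 3.0) -> Dict[str, str]:
    """Return {service: "open" | "closed" | "udp: not checked"} for each service.

    UDP (SNMP) cannot be confirmed with a bare connect: a closed UDP port may
    answer with ICMP unreachable or with nothing at all, so it is flagged rather
    than reported as closed.
    """
    results: Dict[str, str] = {}
    for name, (proto, port) in MANAGEMENT_SERVICES.items():
        if proto == "udp":
            results[name] = "udp: not checked"
        else:
            results[name] = "open" if check_tcp(host, port, timeout) else "closed"
    return results


def exposed_services(host: str, timeout: float = 3.0) -> List[str]:
    """Names of TCP management services that still answer; empty is the goal."""
    return [svc for svc, state in audit_management_ports(host, timeout).items()
            if state == "open"]


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a listening TCP socket on 127.0.0.1 on an ephemeral port so the
    checker can be exercised offline. Returns (socket, port); caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python check_mgmt_ports.py <device WAN or LAN address>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for svc, state in audit_management_ports(target).items():
        print(f"{svc:7s} {state}")
    still_open = exposed_services(target)
    print("still exposed:", still_open if still_open else "none")
```

A timeout (as opposed to an immediate refusal) usually means a policy rule is dropping the packets, which is the expected result once the Source of WAN_to_Device is the trusted address group and the scan comes from an untrusted address.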
