If I can’t upgrade my firmware temporarily, what else I can do to avoid this vulnerability?
![Zyxel_Dick](https://us.v-cdn.net/6029482/uploads/defaultavatar/nN4PAQRO7TCNP.jpg)
![](https://us.v-cdn.net/6029482/uploads/userpics/FN0BI9T10CTX/n6O940IZ5DEW6.png)
![First Anniversary](https://us.v-cdn.net/6029482/uploads/badges/SJKCAIG91R5S.png)
![Friend Collector](https://us.v-cdn.net/6029482/uploads/badges/HNJASEUSC535.png)
![First Comment](https://us.v-cdn.net/6029482/uploads/badges/MBNFIRD87YVH.png)
1. If you don’t need to deliver automatic firmware upgrade for APs through FTP, please disable the FTP service on the controller. The AP controllers use the CAPWAP protocol as the default design to deliver such updates.
Step 1. Go to CONFIGURATION > Wireless > AP Management > AP Policy > Firmware Updating. Choose the "Updating Method" as "CAPWAP", and click "Apply".
Step 2. Go to CONFIGURATION > System > FTP. Un-check the "Enable", and click "Apply" to disable FTP service.
![](https://us.v-cdn.net/6029482/uploads/editor/3z/89hzscdvdccw.png)
2. If it is still necessary to enable FTP service, please enable the Service Control or Firewall features for better protection.
Method 1. Restrict the FTP service authority via FTP service control
Step 1. Add the address objects for APs and users who needs to login NXC via FTP service. Go to CONFIGURATION > Object > Address > Address. Click "Add", and add the address rule for APs and users.
![](https://us.v-cdn.net/6029482/uploads/editor/s2/0ms4uw0jivl9.png)
Note. the address type can be a host, a range or a subnet.
![](https://us.v-cdn.net/6029482/uploads/editor/xi/enpj6chnalj5.png)
Step 2. Go to CONFIGURATION > Object > Address > Address Group. Click "Add", and choose the AP address object and User address object.
![](https://us.v-cdn.net/6029482/uploads/editor/7c/g06nnfu9yts5.png)
Step 3. Go to CONFIGURATION > System > FTP. Add a service control rule for all as "Deny".
![](https://us.v-cdn.net/6029482/uploads/editor/xe/cq6x6gb33gqa.png)
Step 4. Go to CONFIGURATION > System > FTP. Add a service control rule for FTP_service as "Accept".
![](https://us.v-cdn.net/6029482/uploads/editor/yq/is376xbdg3jt.png)
Step 5. Ensure the Accept rule priority is higher than Deny rule. If it is not, use "Move" to change the priority higher.
![](https://us.v-cdn.net/6029482/uploads/editor/s1/s9c92nbfkolz.png)
Method 2. Restrict the FTP service authority via Firewall
Step 1. Add the address objects for APs and users who needs to login NXC via FTP service. Go to CONFIGURATION > Object > Address > Address. Click "Add", and add the address rule for APs and users.
![](https://us.v-cdn.net/6029482/uploads/editor/cx/c6nkgxvrxi2z.png)
![](https://us.v-cdn.net/6029482/uploads/editor/41/koqbouby3i1t.png)
Note. the address type can be a host, a range or a subnet.
![](https://us.v-cdn.net/6029482/uploads/editor/7x/d4b9rrq8g3oc.png)
Step 2. Go to CONFIGURATION > Object > Address > Address Group. Click "Add", and choose the AP address object and User address object.
![](https://us.v-cdn.net/6029482/uploads/editor/3l/uxsvumfx2p1z.png)
Step 3. Go to CONFIGURATION > Firewall > Firewall. Add a firewall rule: from any to NXC with FTP service as deny.
![](https://us.v-cdn.net/6029482/uploads/editor/sc/frzp9u4y9t25.png)
Step 4. Go to CONFIGURATION > Firewall > Firewall. Add a firewall rule: from any to NXC with FTP_service address object as allow for the APs and users.
![](https://us.v-cdn.net/6029482/uploads/editor/9o/cbdhdaold0g2.png)
Step 5. Ensure the Accept rule priority is higher than Deny rule. If it is not, use "Move" to change the higher priority.
![](https://us.v-cdn.net/6029482/uploads/editor/u8/qluni0dfltvv.png)
Categories
- All Categories
- 413 Beta Program
- 2.3K Nebula
- 192 Nebula Ideas
- 87 Nebula Status and Incidents
- 5.3K Security
- 142 USG FLEX H Series
- 253 Security Ideas
- 1.3K Switch
- 75 Switch Ideas
- 993 Wireless
- 51 Wireless Ideas
- 6.1K Consumer Product
- 231 Service & License
- 362 News and Release
- 74 Security Advisories
- 23 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2.6K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 101 About Community
- 67 Security Highlight