ATP800 - deny default control policy ignored !
Today we have found out that on a ATP800 (4.60) the default deny policy rule didn't work anymore ! everybody was allowed from LAN to WAN, and from WAN to LAN, because the final default deny rule was ignored.
We have not been able to make it effective again (editing and saving, changing deny with allow and back). The only workaround has been to insert a new any-any deny rule just before the default deny rule.
We have verified that since the rule stopped working a huge number of attempts to access the NATted internal servers had taken place.
While one can appreciate all the efforts made to enhance the various security services in the ATP models, I can't help to feel terrified by the fact that a basic protection, although of capital importance, fails.
Hope an explanation and so a solution will be quickly found.
regards
Paolo
We have not been able to make it effective again (editing and saving, changing deny with allow and back). The only workaround has been to insert a new any-any deny rule just before the default deny rule.
We have verified that since the rule stopped working a huge number of attempts to access the NATted internal servers had taken place.
While one can appreciate all the efforts made to enhance the various security services in the ATP models, I can't help to feel terrified by the fact that a basic protection, although of capital importance, fails.
Hope an explanation and so a solution will be quickly found.
regards
Paolo
0
All Replies
-
Does it do this on V4.62 ?0
-
Hi @noc_aba,
Can you please share some information with us;1- Can you draw your topology for this setup?
2- When did this issue started? What did you change in ATP800's configuration for last time before this issue occur?
3- Can you send your startup-config.conf file to me by private message? I would like to test that symptom for you.
4- A similar symptom was fixed In the current release. Can you upgrade it from the following link and see if that issue still exist;
https://fwstore-zsdn-cloud-zyxel-com.s3.us-east-1.amazonaws.com/Forum/ATP/V4.62_WK08/462ABIQ0ITS-WK08-r98489.zip
0 -
We are planning to uograde to 4.62 soon.0
-
Hello
we did the upgrade to 4.62. After a couple days the same problem has occurred again and it's still open!
Probably after a new security policy rule has been added. So we have activated again the deny-all rule created by us as the last rule before the not-working default deny rule
The whole picture is: two ATP800 in HA, two wan interface in active/passive mode.
It's worth noting that there are a loto of security policy rules (162), mostly based on the ssl vpn user to differentiate the access rights to the internal servers.
0 -
As far as the installation of debug firmware is concerned, we are not at liberty to do that since we are in a full scale deployment and can't do experiment.
0 -
Hi @noc_aba,
Can you try disable your extra rule and choose “alert log” for Default rule;
For instance in this case I allocated ge8 interface to OPT zone.There’s no rule for OPT zone in Security Policy;
It still can block traffic from OPT zone to any.Also, we can see if an IP address’s traffic flow under Maintenance > Diagnostics > Routing Traces menu:
In this case 192.168.177.5 IP address is trying to send request over the internet but it’s reply didn’t forwarded because it matched the default Security Policy rule.
As in this example, can you also choose alert log for Default rule and see if any matching log in the Monitor > Log menu?
0 -
We have received and installed a new firmware version, that should have fixed the problem.
But it didn't.
The problem has worsened. Now also the rule we have inserted, just before the default deny rule, is ignored. We had to insert deny rules just after the allow rules. For example after 4 WANtoDMZ allow rules we have inserted a WANtoDMZ any-any deny rule (number 37). The same after the WANtoLAN rules (number 107). It seems that there is a mishandling of the rules table, especially of the last ones (in our case the last one is number 178 (ignored), before the default deny rule (ignored as well) .
Of course that is not a solution and we are losing confidence on the rules reliability, so far an unshakable pillar of our security beliefs.0 -
To be precise, the deny default rule works only if the destination IP address refers to the atp800 itself. The rule is ignored if the destination IP address (and port) is defined in the NAT section or if is an external IP (ie when internal PC try to access Internet resources)0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight