ATP800 - deny default control policy ignored !

noc_aba
noc_aba Posts: 31  Freshman Member
First Comment Fourth Anniversary
Today we have found out that on a ATP800 (4.60) the default deny policy rule didn't work anymore !  everybody was allowed from LAN to WAN, and from WAN to LAN, because the final default deny rule was ignored.
We have not been able  to make it effective again (editing and saving, changing deny with allow and back). The only workaround has been to insert a new any-any deny rule just before the default deny rule.
We have verified that since the rule stopped working a huge number of attempts to access the NATted internal servers had taken place.
While one can appreciate all the efforts made to enhance the various security services in the ATP models, I can't help to feel terrified by the fact that a basic protection, although of capital importance,  fails.
Hope an explanation and so a solution will be quickly found.
regards
Paolo
«1

All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    Does it do this on V4.62 ?
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector

    Hi @noc_aba,

    Can you please share some information with us;

     

    1- Can you draw your topology for this setup?

    2- When did this issue started? What did you change in ATP800's configuration for last time before this issue occur?

    3- Can you send your startup-config.conf file to me by private message? I would like to test that symptom for you.

    4- A similar symptom was fixed In the current release. Can you upgrade it from the following link and see if that issue still exist;
    https://fwstore-zsdn-cloud-zyxel-com.s3.us-east-1.amazonaws.com/Forum/ATP/V4.62_WK08/462ABIQ0ITS-WK08-r98489.zip
  • noc_aba
    noc_aba Posts: 31  Freshman Member
    First Comment Fourth Anniversary
    We are planning to uograde to 4.62 soon.
  • noc_aba
    noc_aba Posts: 31  Freshman Member
    First Comment Fourth Anniversary
    PeterUK said:
    Does it do this on V4.62 ?
    we have not yet tried

  • noc_aba
    noc_aba Posts: 31  Freshman Member
    First Comment Fourth Anniversary
    Hello
    we did the upgrade to 4.62. After a couple days the same problem has occurred again and it's still open!
    Probably after a new security policy rule has been added. So we have activated again the deny-all rule created by us as the last rule before the not-working default deny rule
    The whole picture is: two ATP800 in HA, two wan interface in active/passive mode.
    It's worth noting that there are a loto of security policy rules (162), mostly based on the ssl vpn user to differentiate the access rights to the internal servers.

  • noc_aba
    noc_aba Posts: 31  Freshman Member
    First Comment Fourth Anniversary
    As far as the installation of debug firmware is concerned, we are not at liberty to do that since we are in a full scale deployment and can't do experiment.

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector

    Hi @noc_aba,

    Can you send me your startup-config.conf file to me by private message?

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector

    Hi @noc_aba,

     

    Can you try disable your extra rule and choose “alert log” for Default rule;



    For instance in this case I allocated ge8 interface to OPT zone.

    There’s no rule for OPT zone in Security Policy;


    It still can block traffic from OPT zone to any.

    Also, we can see if an IP address’s traffic flow under Maintenance > Diagnostics > Routing Traces menu:


    In this case 192.168.177.5 IP address is trying to send request over the internet but it’s reply didn’t forwarded because it matched the default Security Policy rule.

     

    Whereas, other client’s request will be forwarded because it didn’t match the default Security Policy rule.

    As in this example, can you also choose alert log for Default rule and see if any matching log in the Monitor > Log menu?
  • noc_aba
    noc_aba Posts: 31  Freshman Member
    First Comment Fourth Anniversary
    We have received and installed a new firmware version, that should have fixed the problem.
    But it didn't.
    The problem has  worsened. Now also the rule we have inserted, just before the default deny rule, is ignored. We had to insert deny rules just after the allow rules. For example after 4 WANtoDMZ allow rules we have inserted a  WANtoDMZ  any-any deny rule (number 37). The same after the WANtoLAN rules (number 107). It seems that there is a mishandling of the rules table, especially of the last ones (in our case the last one is number 178 (ignored), before the default deny rule (ignored as well) .
    Of course that is not a solution and we are losing confidence on the rules reliability, so far an unshakable pillar of our security beliefs.
  • noc_aba
    noc_aba Posts: 31  Freshman Member
    First Comment Fourth Anniversary
    To be precise, the deny default rule works only if the destination IP address refers to the atp800 itself. The rule is ignored if the destination IP address (and port) is defined in the NAT section or if is an external IP (ie when internal PC try to access Internet resources)

Security Highlight