ZLD4.65 & 5.02 Firmware release

2»

Comments

  • USG_User
    USG_User Posts: 369  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    There are a lot of updates released recently where we are not able to follow instantly since the production time must not be interupted again and again.
    Do I have to observe a special update order or could I jump e.g. from 4.62 directly to 4.65?
  • CHS
    CHS Posts: 177  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    @USG_User, In my test result there is no problem to upgrade firmware from 4.62 to 4.65.
    You can upload firmware to Standby firmware folder. If success, it will boot up success and running on 4.65, if not it will boot up in 4.62 again.

  • Flagname
    Flagname Posts: 1
    The change of the 2FA page is very welcome. This allows now to block the welcome page while keeping the 2FA-page (on seperate port) which was not possible prior to this release (to my knowledge). 

    There is one problem now. For the 2FA page you cannot chose which certificate the USG does identify itself to the client. So now everytime a user enters the 2FA page they get an error message for a bad certificate because the USG uses the default one. Is there a way to change it or do we have to wait for a future release?

    PS: Found the solution, it's a bug in the current version.


  • kelmi
    kelmi Posts: 29  Freshman Member
    First Anniversary 10 Comments Friend Collector
    From my own experience, while tracing the logs, I cannot help myself making a conclusion that at some point of time during the last months, the evil side has get to their knowledge, I’m having Zyxel USG installed. The amount of attempts was heavily increasing suddenly. From specific countries. Do you confirm, the database of IP addresses, which are running USG- series has not been compromized as well?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @kelmi

    The attack is come from Internet. You can follow the Mitigation Steps to prevent attack from Internet.
    You can follow Security Check Wizard, it will only allow trusted IP addresses you configured.
    But we strongly recommend to double check your policy control rules if it allows un-trusted IP address traffic to your Intranet or ZyWALL.
  • USG_User
    USG_User Posts: 369  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Just installed v4.65 (coming directly from 4.62)
    Two (small) bugs for your attention:

    1. At 4.62 the www Admin config port and SSLVPN port were the same. After the update the former port number has been taken over for both, www admin access AND new SSLVPN access. So far so good. But after changing the admin access port, the port for SSLVPN at SSLVPN Global Settings was changed, too! Then we've changed the port for SSLVPN access again to the new port. And now the USG has saved it - hopefully.

    2. We are using SSLVPN for VPN access of our streetworkers. Necessary security policies are in place since months and working. But after installing the v4.65 all access attempts have been refused. All security policies were still in place and USG v4.65 hasn't added any additional policies to prevent the SSLVPN access via WAN (as announced in SSLVPN global settings). Finally we had to disable the entire policy control followed by enabling it again. After that the SSL VPN access was running again.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @USG_User

    (1) After changing the admin access port, the port for SSLVPN at SSLVPN Global Settings was changed, too!
    ---->We have addressed it and will fix it in next FCS version.

    (2) All security policies were still in place and USG v4.65 hasn't added any additional policies to prevent the SSLVPN access via WAN.Finally we had to disable the entire policy control followed by enabling it again. After that the SSL VPN access was running again.
    ---->Does the symptom is reproducible after reboot device? If yes, you can send your configuration by private message to me for further check.
  • USG_User
    USG_User Posts: 369  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Hi Stan,
    Regarding (2): We are not able to permanently reboot our production system. I'm able to test it not before next Friday.
  • TAPTech
    TAPTech Posts: 165  Master Member
    First Anniversary 10 Comments Nebula Gratitude Friend Collector
    Using a TOTP app for 2FA would be great!
  • Asgatlat
    Asgatlat Posts: 81  Ally Member
    First Anniversary 10 Comments Friend Collector
    FYI a new version of 4.65 is released since 23/08, changelog : https://download.zyxel.com/ZyWALL_110/firmware/ZyWALL 110_4.65(AAAA.1)C0_2.pdf