ATP 800 screen freezes, while configuring application patrol policy

Hi there,
Recently we are undergoing implementation of ZyXEL firewall ATP800 along with multiple switches in an enterprise customer.
The ATP800 has Firmware version V5.20 (ABIQ.0), which was updated on 04 Jan 2022

Background: Customer has asked us to block all categories and its applications within application patrol. They will allow specific ones, at a later time. 

Path: Click configuration ->Security settings -> App Patrol

Steps followed:
  • Create a new policy "Block all" in App patrol
  • Select specific category eg. Work (This has around 2500+ appl signatures)
  • Click on "Add to the application" option below.
  • After it is added, select all the signatures and select the action "Reject"
Problem faced:
  • In smaller categories, firewall does shown signs of fatigue. It works smoothly.
  • But in large categories, the screen freezes and firewall hangs. 
  • Eventually after waiting for a long time, we have to get the firewall hard-booted by removing the power cable.  
Unable to find the issue, why should this happen? Any help will be appreciated.

Thanks.

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,183
    100 Answers 1000 Comments Friend Collector Fifth Anniversary
     Guru Member
    Hi @Kinshuk_Tech
    It looks device still configuring the setting in the background, because there are around 4,000 signatures required to apply to system, so WebUGI doesn't reply to you before configuration is ready. It means you need longer time for it.

    In the usual, we suggest block known services one by one. If block all of applications, it may also block the application(service ports) which you would like to allowed in the future.

  • you are right. @zyxel_stanley
    After searching all around zyxel.com, I found the CLI manual. Interestingly, there are limited commands around application patrol and exhaustive commands around content filtering.
    Then, I spent high amount of time, to rework the customer requirement and finally got content filtering options enabled. 

    Surprisingly, customer has accepted our config, which used content filtering options.

    Hi @Kinshuk_Tech
    It looks device still configuring the setting in the background, because there are around 4,000 signatures required to apply to system, so WebUGI doesn't reply to you before configuration is ready. It means you need longer time for it.

    In the usual, we suggest block known services one by one. If block all of applications, it may also block the application(service ports) which you would like to allowed in the future.

Security Highlight