Auto disable VPN service
Hello,
While configuring an ATP100 in on-premise mode (fw 5.37) I found that in
Configuration → VPN → IPSec VPN → VPN Connection
there is a (new?) value: "Auto disable VPN service".
Even if the words by themselves seem self-explanatory, I would like to understand this more deeply:
- When does the auto disabling take effect?
- What exactly do you mean by "VPN service" (does this extend to L2TP and SSL, for example)?
- What is the advantage of auto disabling?
- Once auto disabling has taken effect, will the VPN service be automatically re-enabled, and when?
- In which scenarios do you suggest / not suggest using such a feature?
Thank you very much
Accepted Solution
@QuiteSmart This option means disabling UDP ports 500 and 4500 from WAN to ZyWall when no IPSec VPN rules are configured on your device. This option helps to prevent hackers from attacking your device through UDP 500 and 4500 when you're not using IPsec VPN.
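As an added illustration (not Zyxel firmware code, and not something posted in this thread): a small Python model of the first-match policy behaviour the accepted answer describes, with the option rendered as a hidden deny rule that sits in front of the factory WAN-to-ZyWALL allow rule only while the option is on and no IPsec VPN rule exists. The rule names, the `Config` fields and the service set of the factory rule are assumptions; the answer mentions only UDP 500 and 4500, so the model leaves ESP and AH in the default rule untouched and makes no claim about whether the real firmware does the same.

```python
"""Illustrative model of the 'Auto disable VPN service' option (assumption-based,
not Zyxel firmware code): a hidden deny for UDP/500 and UDP/4500 from WAN to
the device that is present only when the option is on and no IPsec VPN rule
is configured, evaluated first-match ahead of the factory allow rule."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Service:
    proto: str
    dport: Optional[int] = None  # None for port-less protocols (ESP, AH)


IKE = Service("udp", 500)
NATT = Service("udp", 4500)
ESP = Service("esp")
AH = Service("ah")


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    service: Service


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    services: frozenset
    action: str  # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src_zone == self.src_zone
                and pkt.dst_zone == self.dst_zone
                and pkt.service in self.services)


# Constructed stand-in for the factory WAN-to-device rule named in the thread.
# The thread lists AH, ESP, NAT-T and IKE (plus 2FA); this exact set is an assumption.
DEFAULT_WAN_TO_DEVICE = Rule(
    "Default_Allow_WAN_To_ZyWALL", "WAN", "ZyWALL",
    frozenset({IKE, NATT, ESP, AH}), "allow",
)

# The hidden rule the option adds, per the accepted answer: only UDP 500/4500.
AUTO_DISABLE_DENY = Rule(
    "Auto_Disable_VPN_Service (hidden)", "WAN", "ZyWALL",
    frozenset({IKE, NATT}), "deny",
)


@dataclass
class Config:
    auto_disable_vpn_service: bool
    ipsec_rules: int  # number of configured IPSec VPN gateway/connection rules
    policy: tuple     # admin-visible security policy, in evaluation order


def effective_policy(cfg: Config) -> list:
    """The hidden deny is inserted ahead of the visible policy only while the
    option is enabled and there is no IPsec VPN rule at all."""
    if cfg.auto_disable_vpn_service and cfg.ipsec_rules == 0:
        return [AUTO_DISABLE_DENY, *cfg.policy]
    return list(cfg.policy)


def evaluate(cfg: Config, pkt: Packet) -> tuple:
    """First-match evaluation; implicit deny if nothing matches."""
    for rule in effective_policy(cfg):
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit"


def wan_exposure(cfg: Config) -> dict:
    """What the WAN side can reach on the device for each VPN-related service."""
    probes = {"IKE udp/500": IKE, "NAT-T udp/4500": NATT, "ESP": ESP, "AH": AH}
    return {name: evaluate(cfg, Packet("WAN", "ZyWALL", svc))[0]
            for name, svc in probes.items()}


if __name__ == "__main__":
    for label, cfg in [
        ("option on, no IPsec rule", Config(True, 0, (DEFAULT_WAN_TO_DEVICE,))),
        ("option on, one IPsec rule", Config(True, 1, (DEFAULT_WAN_TO_DEVICE,))),
        ("option off, no IPsec rule", Config(False, 0, (DEFAULT_WAN_TO_DEVICE,))),
    ]:
        print(label, wan_exposure(cfg))
```

The point the model makes visible is the one the thread circles around: with the option on and zero IPsec rules, IKE and NAT-T are denied by the hidden rule before the factory allow rule is consulted, while the moment a single IPsec rule exists (or the option is off) the factory rule is back in charge and UDP 500/4500 are reachable from WAN again. Anything the hidden rule does not name stays governed by whatever the admin-visible policy says, which is why reviewing the factory WAN-to-device rule is still worthwhile.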
All Replies
From what I can tell, by default the USG allows the VPN service to the ZyWALL even if you have no VPN rule, so the option blocks that traffic; but if you do have a VPN rule enabled, then it allows VPN traffic.
Hello @PeterUK and thank you for your reply.
Do you refer to the security policy "default allow WAN to ZyWALL", which by default allows AH, ESP, NATT, IKE and 2FA?
In other words, if there is no VPN configured, does it block that rule?
By the way, I usually edit that rule for better security (geo-restriction and deleting the VPN services if not needed).
Yes, I think so; the defaults are just there to get you up and running.
Thank you again @PeterUK, your theory is wise; let's see if someone from the staff has something to add ;-)
Thank you @Zyxel_James, so if the following scenario happens:
- the option is ticked
- there is no configured IPSec gateway/connection
- the default WAN to Default ports rule still exists in the firewall rules
The option does something like creating a hidden higher-priority rule that closes 500 and 4500, am I right?
It is a useful option for security, even if I would rather delete the WAN to default ports rule from the factory default configuration and instead create a reminder to open those ports when one creates a new VPN (something like the window that reminds you to associate the profile with a firewall rule when you create a Content Filtering profile).
@QuiteSmart your understanding is correct. So you don't need to remove UDP 500 and 4500 from the rule WAN_to_Device when the option is enabled, as long as you don't have any IPsec configuration.