Auto disable VPN service

QuiteSmart
QuiteSmart Posts: 48  Freshman Member
Zyxel Certified Network Administrator - Nebula Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - WLAN

Hello,

while configutating an ATP100 in premise mode (fw 5.37) i found that in

configuration → VPN → IPSec VPN → VPN Connection

there is a (new?) value: "Auto disable VPN service"

Even if the words by themselves seem self-explanatory I would like to understand deeper:

  1. When the auto disabling takes effect?
  2. What do you mean exaclty with "VPN service" (is this extended to L2TP and SSL for example)?
  3. Which is the advantage of auto disabling?
  4. When an auto disabling takes effect will the VPN service be auto re-enabled and when?
  5. In which scenarios do you suggest / not suggest to use such a feature?

Thank you very much

Accepted Solution

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
    Answer ✓

    @QuiteSmart This option means disabling UDP ports 500 and 4500 from WAN to ZyWall when no IPSec VPN rules are configured on your device. This option helps to prevent hackers from attacking your device through UDP 500 and 4500 when you're not using IPsec VPN.

All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited August 2023

    From what I can tell by default USG allows VPN service to zywall even if you have no VPN rule so the option blocks traffic but if you do have VPN rule enabled then it allows VPN traffic

  • QuiteSmart
    QuiteSmart Posts: 48  Freshman Member
    Zyxel Certified Network Administrator - Nebula Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - WLAN

    Hello @PeterUK and thank you for your reply.

    Do you refer to the security policy "default allow WAN to Zywall" which by default allows AH, ESP, NATT, IKE and 2FA?

    In other words if there is no VPN configured it blocks that rule?

    By the way I use to edit that rule for better security (geo restriction and deleting VPN services if not needed).

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Yes I think so the default are just to get you up and running

  • QuiteSmart
    QuiteSmart Posts: 48  Freshman Member
    Zyxel Certified Network Administrator - Nebula Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - WLAN

    thank you again @PeterUK your theory is wise, let's see if someone of the staff has something to add ;-)

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
    Answer ✓

    @QuiteSmart This option means disabling UDP ports 500 and 4500 from WAN to ZyWall when no IPSec VPN rules are configured on your device. This option helps to prevent hackers from attacking your device through UDP 500 and 4500 when you're not using IPsec VPN.

  • QuiteSmart
    QuiteSmart Posts: 48  Freshman Member
    Zyxel Certified Network Administrator - Nebula Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - WLAN

    Thank you @Zyxel_James so if the following scenario happens:

    • the option is V
    • there is no configured IPSec gateway/connection
    • the default WAN to Default ports rule still exists in the firewalling rules

    The option do something like creating a hidden higher rule that closes 500 and 4500, am i right?

    It is an useful option for security even if, i would even delete the WAN to default ports from factory default configuration and eventually create a reminder to open those ports when one creates a new VPN (something like the windows that reminds you to associate the profile to a firewalling rule when you create a Content Filtering profile).

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers

    @QuiteSmart your understanding is correct. So you don't need to remove UDP500, 4500 from the rule WAN_to_Device when the option is enabled once you don't have any IPsec configuration.

Security Highlight