FirebirdTN
join:2012-12-13
Brighton, TN

FirebirdTN

Member

USG50 VS USG200 default firewall rule

I haven't dug into this much, but I noticed something odd in the firewall....

The default rule in the USG50 is to DENY any traffic that doesn't match preceding rules.

The default rule in the USG200 is to ALLOW any traffic that doesn't match preceding rules.

Is this a firmware difference, or hardware? I have a USG200 that I need to update the firmware on, but I don't want to get yelled at for the 5 minute downtime it will take.

The REAL reason I bring this up, is I am about to try putting a wireless on "LAN2". I want to make sure the wireless can access the internet, and any internal servers that are set up via port forwarding on LAN1, but want to make sure that other than the internal servers, that LAN2 has no other access to LAN1 and vice versa. I *think* I can figure it out though.

-Alan

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

All kinds of fun funky stuff. All to say my experience is do not touch default rules in the router you WILL PHOQUE up the router.
Instead, put a deny rule in front of the default allow rule. Not sure but it may have changed back to deny with latest software release, hard to keep up.
FirebirdTN
join:2012-12-13
Brighton, TN

FirebirdTN

Member

I know what you mean. When I first noticed the default rule on the USG200, I changed it to "Deny" and locked myself out of the thing!

Only way I could get back in was through the serial port to "undo" what I screwed up!

I know it's all just logic, but I find the USG50's "allow these things and deny everything else" logic easier than the 200's "allow everything unless I deny it" logic.

I just thought the two different rules were strange.

I finally got the old watchguard up on the ext-wlan interface. What a piece of crap. I could not figure out how to throw it in bridge mode [I don't think it can], so I am effectively double-NATing, which I really don't like to do. Oh well.

-Alan

mozerd
Light Will Pierce The Darkness
MVM
join:2004-04-23
Nepean, ON

mozerd

MVM

said by FirebirdTN:

I finally got the old watchguard up on the ext-wlan interface. What a piece of crap.

HEY, Watchguard is NOT let me repeat NOT a piece of crap. Their UTMs are blazing fast --- let me repeat that --- BLAZING FAST. But I will admit that their old stuff is not nearly as good as their new stuff.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Don't get too excited about new there Mozerd. Thankfully our spouses are not so quick to drop the old models for the new models.
FirebirdTN
join:2012-12-13
Brighton, TN

FirebirdTN to mozerd

Member

to mozerd
said by mozerd:

said by FirebirdTN:

I finally got the old watchguard up on the ext-wlan interface. What a piece of crap.

HEY, Watchguard is NOT let me repeat NOT a piece of crap. Their UTMs are blazing fast --- let me repeat that --- BLAZING FAST. But I will admit that their old stuff is not nearly as good as their new stuff.

Okay, guess I have to admit, I lack the experience with many different boxes to really give an educated opinion of them. Just about all of my router setup experience has been with "consumer" grade routers, or BellSouth provided DSL routers. We had a Cisco at work that was set up by an outside company back when we had a T1 that I might have made a few very minor config changes on, but I found it very difficult. The Watchguard was probably the first "small business" grade unit I ever set up, and I never did really like it, but it got the job done.

The USG200 replaced the Watchguard [an X50W], which went EOL in 2009, so it's pretty darn old. The Watchguard was relegated to wireless only duties on its own public IP. Today, I tried to put it in bridged mode, so I could put it behind the ZyXel to monitor the wireless internet activity. I could NOT for the life of me get it to work. First, there is no bridge mode setting that I could find. Ended up just hooking the WAN connection of the WG to the ext-wlan connection of the USG, so it's double NATing now, but c'est la vie.

I know it's not a fair comparison, but I just have fallen in love with the USG line. Prior to the USG200 I picked out for work based on price and positive reviews, I had never even HEARD of Zyxel. Now, I'm a fan!

-Alan
JPedroT
Premium Member
join:2005-02-18

JPedroT to FirebirdTN

Premium Member

to FirebirdTN
The Default rule should be ALLOW or DENY based on which ruleset you are talking about, i.e. LAN to WAN, WAN to LAN etc etc
FirebirdTN
join:2012-12-13
Brighton, TN

FirebirdTN

Member

I was actually referring to the "any" to "any" rule at the very bottom, the only one you CANNOT delete. It is different between the 50 and 200, or at least the ones I have (firmware?).

-Alan

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

JP lives in a perfect world. In the real world, yes it used to be different for different USG routers in the lineup and it has changed over successive firmwares as well. You should also check out the settings for admin control in Configuration - System, under WWW, FTP, TELNET etc..

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

1 recommendation

Brano to FirebirdTN

MVM

to FirebirdTN
It is somewhere in the release notes that ZyXel changed the default rule from allow to deny at a certain FW update. It is a good thing especially for WAN-to-ANY rules and it's often referred to as a "fail-close" or "fail-safe" stance, google it or read more here »docstore.mik.ua/orelly/n ··· 3_05.htm

As already mentioned, fail-open is perhaps good for LAN-to-ANY but I'd definitely recommend fail-close for WAN-to-ANY.

Keep in mind, FW rules are evaluated from top to bottom of the list; if a matching rule is found it is applied and no more rules are evaluated. If no matching rule is found then your default rule comes into play. Having fail-open from an untrusted zone to a secure zone is dangerous and defeats the purpose of having the firewall in place.
Some more tips on securing USG here »Secure your USG - quick how-to

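An added illustration, not code from the thread or from ZyXEL: a small first-match rule evaluator that models the top-to-bottom evaluation Brano describes, the non-deletable default rule FirebirdTN asks about, and Anav's advice to put an explicit deny in front of a default allow. It also sketches the wireless-on-LAN2 layout from the first post (LAN2 may reach the internet and one LAN1 web server, nothing else). Zone names, subnets, ports and rule order are constructed for the example and are not USG configuration syntax.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY_NET = ip_network("0.0.0.0/0")  # no destination-address restriction


@dataclass(frozen=True)
class Rule:
    src_zone: str               # "LAN1", "LAN2", "WAN" or "any"
    dst_zone: str
    dst_net: IPv4Network        # destination subnet (ANY_NET = unrestricted)
    dst_port: Optional[int]     # None = any port
    action: str                 # "allow" or "deny"
    name: str


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dst_ip: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every one of its fields is 'any' or equals the packet's."""
    return (rule.src_zone in ("any", pkt.src_zone)
            and rule.dst_zone in ("any", pkt.dst_zone)
            and ip_address(pkt.dst_ip) in rule.dst_net
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet, default_action: str) -> Tuple[str, str]:
    """Top to bottom, first match wins; with no match the default rule decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default_action, "default any-to-any"


# Constructed rule list: only the traffic we positively want is allowed.
LAN1_NET = ip_network("192.168.1.0/24")
WEB_SERVER = ip_network("192.168.1.10/32")   # hypothetical server on LAN1

BASE_RULES = [
    Rule("LAN1", "WAN", ANY_NET, None, "allow", "LAN1 to internet"),
    Rule("LAN2", "WAN", ANY_NET, None, "allow", "LAN2 (wireless) to internet"),
    Rule("LAN2", "LAN1", WEB_SERVER, 80, "allow", "LAN2 to LAN1 web server"),
    Rule("WAN", "LAN1", WEB_SERVER, 80, "allow", "port forward 80 to web server"),
]

# Anav's advice: explicit deny rules placed just before the default rule, so the
# outcome no longer depends on whether the firmware's default is allow or deny.
HARDENED_RULES = BASE_RULES + [
    Rule("LAN2", "LAN1", LAN1_NET, None, "deny", "block LAN2 to LAN1"),
    Rule("LAN1", "LAN2", ANY_NET, None, "deny", "block LAN1 to LAN2"),
    Rule("WAN", "any", ANY_NET, None, "deny", "block unsolicited WAN"),
]

# Constructed sample traffic (addresses from documentation ranges).
SAMPLE_PACKETS = {
    "lan2_to_internet":   Packet("LAN2", "WAN", "203.0.113.5", 443),
    "lan2_to_web_server": Packet("LAN2", "LAN1", "192.168.1.10", 80),
    "lan2_to_lan1_ssh":   Packet("LAN2", "LAN1", "192.168.1.20", 22),
    "wan_to_lan1_ssh":    Packet("WAN", "LAN1", "192.168.1.20", 22),
}


def evaluate_all(rules: List[Rule], default_action: str) -> Dict[str, str]:
    """Decision for every sample packet under a given rule list and default."""
    return {name: evaluate(rules, pkt, default_action)[0]
            for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("base", BASE_RULES), ("hardened", HARDENED_RULES)):
        for default in ("allow", "deny"):
            print(f"{label:9} rules, default {default}:",
                  evaluate_all(rules, default))
```

With the base rules alone, the unexpected SSH attempts (LAN2 to LAN1, and WAN to LAN1) fall through to the default rule, so a USG200-style default allow passes them and a USG50-style default deny blocks them; that is the "fail-open versus fail-close" difference in the thread. With the explicit deny rules added ahead of the default, both firmwares give the same answer, while the earlier allow for the web server still wins because it sits above the deny.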
aes128
join:2003-12-19
Warren, MI

aes128

Member

As someone who works with Enterprise Class firewalls, FortiGate 3950s, Juniper SSG550s, Checkpoint, etc. I can tell you all those have the default rule set to deny all.

So I expected my USG50 to be deny all and it was. For it to not be is just not right, IMHO anyway.

My company has settled on FortiGate for now, 3950s for datacenter, 310bs for plants and 80c for other stuff. My avatar might indicate the company. FortiGates are nice but not without their oddities, believe me.