
Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

2 edits

3 recommendations

USG Firmware 3.30 is out!



Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV
kudos:2

Thanks Brano - Uploaded and testing now. Saw a couple strange entries in the log after uploading. I may have to reconfigure from scratch.


hardstyler

join:2013-02-17
italy

1 edit
reply to Brano

could you update the idp signatures????

Mine are now version 3.0.3.041 with 2322 signatures, but I cannot update them to 3.0.3.048, which, as said in the IDP signature update e-mail that I received yesterday, has 15000 signatures!!!

My 3.0.3.041 signatures are dated 14 August 2013, but the new ...048 ones are from 12 September 2013....

Fantastic list of bug fixes, and many for VPN!

I hope it's a temporary problem, since the new firmware was released only 16 hours ago.

Here is the error when I try to update manually:

"IDP signature update has failed:Invalid or not supported signature version. (failed)"

UPDATE: rebooted and it finally gets the latest signatures 3.0.3.048, and the number of signatures is 2280, not 15000 as said in the e-mail... but now if I try a manual update I receive the same error.


lorennerol
Premium
join:2003-10-29
Seattle, WA
reply to Brano

Patiently waiting on the sideline for others to install first...


hardstyler

join:2013-02-17
italy
reply to Brano

Finally, I suggest anyone save the old config for reference only.

Reset the appliance with the hardware button.
Update the firmware.
Upload and apply the config file provided with the fw package from zyxel.com.
Insert your account details and wait 1 minute max.
Go to update manually; if you get errors, don't worry.
Finally reboot the device.
Then go there to update the signatures, and if you get errors don't worry, they updated all the servers only a few hours ago....

Then go check the IDP service rules, ADP and application patrol, it's incredible!!! The IDP I still have to browse through; the ADP has fewer settings, renamed I think, or for sure many of them deleted, because I think they were too old.... And go to application patrol, you get impressed by the number of categories and applications supported: P2P for example has 48 entries, 30 more than the old fw and IDP service.... Voice over IP has 18 applications, the old fw had only 2.... these are only 2 examples.... ah, the IDP service finally has support for mobile OSes: really happy because with the enormous bug fixes, in particular for the VPN service, it will be really great to browse the internet with your mobile device through the USG appliance!!! great!!!

Now I continue to reconfigure everything manually; I took screenshots of my previous firmware configuration because this time I don't want to simply overwrite with the new fw, but I want to configure it from the basics and then save the config file..... mmmh, config files: when restarted, the appliance had startup config, lastgood, default config, another startup config with the date (but it is the same as the startup config so... boh...) and another file with .htm extension that I stupidly deleted without checking what it was, but for sure it is not mandatory for the appliance....

At this moment I'm happy with the upgrade! If Zyxel expands the IDP signatures, I think that if they sell new HIGH THROUGHPUT appliances next year I will buy one!

Finally I was surprised, really, when looking at the application patrol list: it competes with Sonicwall, I don't know for quality but for number of programs surely!!!


hardstyler

join:2013-02-17
italy
reply to Brano

Wow! Application patrol has separate settings for Facebook!!! About ten settings, and yes you can block games and applications in Facebook at the origin, but if you want you can also block posting but not comments and vice versa, and really much more, wow, really great!!!


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..
reply to Brano

Will try USG50 later today using the supplied instructions instead of hardstyler's more elaborate (and perhaps lower overall risk) suggested approach. Probably should copy relevant GUIs in advance though just to be safe. But there are so many ....

kirby



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Brano

Yeah, did my 100 and 300, no probs.
Interesting: the throughput test on the 100 has improved; will post results later in that thread.



bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to Brano

What new features are in this update?



damn
Premium
join:2002-10-23
nyc
reply to Brano

I'm running 2.2 aqe.4 right now; can I upgrade straight to 3.2 or do I have to upgrade to each update sequentially?
--
The best thing about piracy is the music in the keygens.



lacibaci

join:2000-04-10
Export, PA
reply to Brano

The new firmware is using more memory, ~69%, vs. 3.00 which was always under 50%. Has anyone else noticed higher memory usage?

Lac



Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV
kudos:2

Yes, about 7 or 8 percent here.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

My USG100 throughput has increased, just not sure if it's due to the firmware or to getting experience testing LOL.



Gork
Ou812ic

join:2001-10-06
Bountiful, UT

1 edit
reply to Brano

Thanks Brano. I installed the new firmware on my 20W and it went off without a hitch. I've not checked into any of the changes yet but had no problems with the upgrade process. I didn't do anything special (besides taking a before and after backup of the settings, naturally); just uploaded the new firmware bin file.

I'm sad not to see much about IPv6 given the problems users have had setting it up properly on their routers with Comcast. Unfortunately I'm not in a position to test IPv6 yet.

I see they also, yet again, said nothing (unless I missed it) about fixing DDNS so it updates monthly when the IP address doesn't change.

There was one other thing which bugged me... Oh yeah, WoL from WAN to LAN. I didn't see that addressed in the notes either. (Whether it should/shouldn't work this way, other routers do, Zynos used to have an option for it as well and I haven't heard anything from ZyXEL about their stance on the matter either.)


polarisdb

join:2004-07-12
USA
reply to Brano

Thanks for the info everyone. BTW, does anyone know if 3.30 is the terminal software version for the existing USG product lineup?



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

No, it's not the terminal firmware. They state in the notes that there are a number of issues they are already planning to fix in the next update.


Kirby Smith

join:2001-01-26
Derry, NH
reply to Brano

USG 50 firmware upgrade using the standard upgrade process completed as expected (hoped); no changes are apparent in general functionality using my existing startup configuration file.

kirby


FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
Reviews:
·Comcast
reply to Brano

Upgrade complete on a pair of 50s and a 200.

I notice that it kept a copy of the previous startup-config. It has the date the upgrade is processed appended to the filename.

For my own clarification: if you wanted to "revert" back to a previous firmware, surely you don't just apply a previous startup-config, do you? I don't see how a 31K config file can "roll back" a 50 meg firmware bin file.

-Alan


hardstyler

join:2013-02-17
italy

If you want to roll back to an old fw you must save your config file, then upload and load the old fw, then try to apply the config generated with the latest firmware; if it fails, then load the basic config file provided with the old fw and set all settings manually. But of course, if you have in the new config file a list of services, addresses etc.... you can save the base file of the old fw to your PC, then edit it and add those lines of addresses and services to the config file simply with Notepad, then save, upload and load it in the appliance and you are OK.

Same thing when you update to a new fw. This time I deleted everything and set up the firewall from zero, but services, schedules, addresses and more I simply copied into the config file and loaded, so tonight I'll be able to sleep ;D

Also for me an upgrade in throughput; is it real, or is it because I deleted some doubled firewall rules or something else? But now when I transfer a large file from a NAS in the DMZ to the LAN with IDP control DMZ - LAN, I get from 4 to 6 MB/s; with the previous firmware never more than 2.4 MB/s, so I'm happy, and I have ALL UTM services active.

But in IDP, ADP and app patrol there are too many changes, and in particular in app patrol I deactivated many programs that I really don't use and never use, but I must test with internet traffic, various types of traffic, to ensure everything works fine as before.


FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
Reviews:
·Comcast

1 edit

Thanks hardstyler! I figured it would take more than just applying the old config, but I had seen a lot of references to it, so thought I'd better ask.

So far so good. Had some weird anomalies with the iPad this morning, but hopefully it was just a fluke. With version 3.00 I used to get occasional "abnormal TCP flag" entries in the log during DNS lookups on the iPad, but it never actually posed an issue that I know of. This morning, not only did I get quite a few of those, but it also hung for about two minutes loading a web page during the same time as those TCP flag entries. Also "possible ARP spoofing attack" entries on the iPad as well. Never seen that one before, but I *think* it may have been because after the router reboot, according to the dashboard the DHCP client list was 0, yet the iPad [along with other devices] were still hanging on to their old firmware DHCP leases. Rebooted various network devices and all appears to be well.

-Alan


hardstyler

join:2013-02-17
italy

1 edit
reply to Brano

Hey there, what about your MAXIMUM SESSION LIMIT? I left it at the default, 1000, but now I receive too many alerts, which never happened before.... but I don't remember the old value.... could someone help?

Also, I don't know why, when in Google, while typing a search, Google preloads search results, then when I click on the result I receive access denied by the content filter.... but there is no rule for "keyword blocking" as said in the log.... after inserting Google into the trusted sites, no problem.... same thing for a site, a shop, but this one can be loaded in the browser though the logs say keyword blocking. At the moment only for these two sites; I opened hundreds of pages in my Firefox today for testing and no problem... really strange... but the same thing happened with the old firmware while updating the Checkpoint/ZoneAlarm antivirus + firewall free suite...


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..
reply to Brano

How to revert to an older firmware version is given on the last or penultimate page of the release notes pdf that is in the firmware zip file.

In my USG50 release notes, there are CLI instructions for setting the session limit. In the new GUI, the default session rule is "anything goes." Release notes say (page 17/41):

System default setting change, enable IPv4/IPv6 firewall session limit per host and set limit to 1000. Add the following configuration in the system-default.conf:
session-limit activate
session-limit limit 1000
session-limit6 activate
session-limit6 limit 1000

If you run bit torrent I recommend setting this value higher than 1000 if you want to activate per host session limiting. I would suggest a minimum of 100x the number of active connections you had for all torrents (as shown by the bit torrent client GUI) before the firmware change. The required number will be a lot lower if you lowered the values for TCP and UDP timeouts. (My ratio as I write is about 5x, but I have severely limited the timeouts).

Note that the USG50 has an upper bound of 10k sessions, though, so letting it get out of hand will just keep you from viewing the dashboard while the router is gagging (as I have observed in the past). I believe this session limit is a choice of ZyXEL's because the amount of memory required to handle each session is small. My old Xincom was rated for 100k sessions.

If the only problematic application is bit torrent, some clients provide means to set limits on connections per torrent. This won't help get rid of hanging unclosed connections, though, so setting the timeouts is important.

kirby
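As an added example (not from the thread or from ZyXEL), here is a small checker for the session-limit lines kirby quoted: it parses the four system-default.conf keywords, sizes the per-host limit with his 100x rule of thumb, and caps it at the 10k sessions he mentions for the USG50. The sample config, the helper names and the torrent-connection count are constructed for illustration.

```python
"""Sanity-check ZyWALL USG session-limit lines and size the per-host limit.

Constructed example, not taken from the thread or from ZyXEL. The config
keywords come from the release-note excerpt quoted in the post; the 100x rule
of thumb and the 10k device ceiling are the figures given there.
"""
import re

# Constructed sample resembling the four lines quoted from system-default.conf.
SAMPLE_CONF = """\
session-limit activate
session-limit limit 1000
session-limit6 activate
session-limit6 limit 1000
"""

USG50_MAX_SESSIONS = 10_000   # device-wide ceiling mentioned in the post

_LINE = re.compile(r"^\s*session-limit(6?)\s+(activate|limit\s+(\d+))\s*$")


def parse_session_limits(conf: str) -> dict:
    """Return {'ipv4': {'active', 'limit'}, 'ipv6': {...}} from config text."""
    out = {"ipv4": {"active": False, "limit": None},
           "ipv6": {"active": False, "limit": None}}
    for line in conf.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                      # not a session-limit line; ignore
        fam = "ipv6" if m.group(1) else "ipv4"
        if m.group(2) == "activate":
            out[fam]["active"] = True
        else:
            out[fam]["limit"] = int(m.group(3))
    return out


def recommended_limit(active_torrent_connections: int, ratio: int = 100,
                      ceiling: int = USG50_MAX_SESSIONS) -> int:
    """Per-host limit per the post's rule of thumb, never above the device ceiling.

    A lower ratio is appropriate if TCP/UDP timeouts were shortened (the post
    reports about 5x with aggressive timeouts).
    """
    return min(active_torrent_connections * ratio, ceiling)


def check(conf: str, active_torrent_connections: int, ratio: int = 100) -> list:
    """Return findings: limit not activated, or limit below the recommendation."""
    limits = parse_session_limits(conf)
    rec = recommended_limit(active_torrent_connections, ratio)
    findings = []
    for fam in ("ipv4", "ipv6"):
        lim = limits[fam]["limit"]
        if not limits[fam]["active"]:
            findings.append(f"{fam}: per-host session limit not activated")
        elif lim is not None and lim < rec:
            findings.append(f"{fam}: limit {lim} below recommended {rec}")
    return findings
```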


FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
Reviews:
·Comcast

1 edit
reply to Brano

I just noticed the vast majority of ADP entries have been removed. Wonder why?

Most of it was over my head, but I did set a few things to block which I saw ALL THE TIME in my log, such as "backslash evasion attack". Or "ascii encoding attack" [but had to leave that one alone because I noticed if I set that to drop, any file with a space in it on my web server was inaccessible.]

-Alan

-EDIT- Grrr. Now my BWM rules don't work right anymore.


FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
Reviews:
·Comcast

1 edit
reply to Brano

Looks like I may be rolling back. BWM is seriously broken now.

I may not have a firm grasp of getting it set up exactly right, but I have disabled ALL my bwm rules, and created one simple rule. Anytime the interface is set to ANYTHING other than "any", it just doesn't work. This is for incoming interface or outgoing. So the only BWM rule I can get to work is from any to any.

EDIT-Also, removing ALL rules, and just enabling BWM (with no BWM rules at all other than default) seems to be limiting my throughput to some odd value. Have no idea why, or where it's getting its limits from. The only other BW-related setting is the egress BW on the WAN1 interface, which is set to 10200.

Damn strange behavior.

-Alan


FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
Reviews:
·Comcast

1 edit
reply to Brano

Firmware rolled back successfully. BWM is broken with this (3.30) version. Thank goodness it automatically backed up my previous startup-config file, as I didn't!

Anyway, with the new FW, I even tried applying the default config, setting the appropriate egress BW on the WAN connection, then setting only a single BWM rule, and it just did not work. Everything else was at defaults.

-Alan


hardstyler

join:2013-02-17
italy
reply to Brano

Can't help with BWM but I'm with you about ADP! They deleted too many rules, of course to add an enormous quantity in application patrol, especially to the network protocols list: they are over 650!!!

The question is always the same and valid for all appliances provided by all security appliance companies: every appliance can manage a limited amount of rules, but if you check the lowest models against the biggest and most powerful you can see they all have the same amount of rules (!), and of course every company deletes old rules and adds new ones.... but my doubt every time is whether my network is still secured; I don't think so, so every time a new fw is provided I do tests: tests with flooders, tests provided by Nexpose and GFI LanGuard and some Metasploit. All programs updated, then launch the tests: yesterday I found that with the new fw Zyxel has fewer vulnerabilities than the previous fw, and if some remain they are covered by IDP rules. Also after the tests I read the logs, so it really blocks bad traffic! Today I'll check with Nexpose. I use the main security testers... I think others exist out there but I'm OK with them. Ah, Nexpose and Metasploit community edition... no way to spend 3000-5000 dollars for auditing! GFI LanGuard costs 32 and every annual renewal costs 24, so GFI LanGuard is OK for me and is constantly updated, more frequently than Nexpose and Metasploit community edition.



Hermes99

join:2013-08-22
Moreno Valley, CA
reply to FirebirdTN

said by FirebirdTN:

Looks like I may be rolling back. BWM is seriously broken now.

I may not have a firm grasp of getting it set up exactly right, but I have disabled ALL my bwm rules, and created one simple rule. Anytime the interface is set to ANYTHING other than "any", it just doesn't work. This is for incoming interface or outgoing. So the only BWM rule I can get to work is from any to any.

EDIT-Also, removing ALL rules, and just enabling BWM (with no BWM rules at all other than default) seems to be limiting my throughput to some odd value. Have no idea why, or where it's getting its limits from. The only other BW-related setting is the egress BW on the WAN1 interface, which is set to 10200.

Damn strange behavior.

-Alan

BWM will only work if you have App Patrol enabled regardless if you have the license or not. Even if your license or trial has expired, it needs to be enabled.

FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
Reviews:
·Comcast

1 edit

said by Hermes99:

BWM will only work if you have App Patrol enabled regardless if you have the license or not. Even if your license or trial has expired, it needs to be enabled.

Are you sure about that? My BWM was working perfectly, until the firmware update. I don't subscribe to any services, so way back when I first set it up and created my first rule, it did warn me that App Patrol wasn't available, but it still allowed me to create rules based on services. Again, the only thing that changed was the firmware. Prior to that it worked perfectly.

Brano also noticed some odd BWM behavior [he commented on it in the 'usg 100 speed' thread].

-Alan


Hermes99

join:2013-08-22
Moreno Valley, CA

Enable your trial license for AppPatrol and then enable the service and test your BWM rules again. In my test, I saw that the BWM didn't work without AppPatrol enabled:

Test #1
BWM rule 3000 ingress/egress
AppPatrol Disabled
10 Mbps down 8 Mbps Up

Test #2
BWM rule unchanged
AppPatrol Enabled with expired Trial
3 Mbps down 3 Mbps Up


FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
Reviews:
·Comcast

said by Hermes99:

Enable your trial license for AppPatrol and then enable the service and test your BWM rules again. In my test, I saw that the BWM didn't work without AppPatrol enabled:

I guess it's possible they made a change in this firmware that requires App Patrol to be enabled for BWM to work properly, but I am just not so sure about that because of the other strange BWM behavior I noticed after the upgrade.

For example: since I never enabled App Patrol before, all these tests were done with it disabled. After the firmware upgrade, I noticed my BWM rules weren't working. Doing some experimentation, I reset the unit to factory defaults and created one simple rule, "from any to any service any 5000/5000", to globally limit BW. That worked. BUT, when I tried to set either the incoming or outgoing interface to anything other than "any" it didn't work at all. For example, a real rule of mine (to limit guest wireless to 10/2) is "LAN2 to WAN1 service ANY 10000/2000". That worked perfectly before.

Also, I set the unit to factory defaults and just enabled BWM, but had no rules (other than the default rule). I found my download was being limited to 47 megs. Where in the world it got that figure from I have no idea. I am on a 50/10 Comcast Blast package with PowerBoost enabled, so I always get DL speeds of 66 megs, with peaks in the 80s. Just by turning on BWM with no rules, all of a sudden I was limited to 47. This is similar to the behavior Brano saw when he was testing [wish he would check back in this thread!].

Anyway, just due to the squirrelly BWM behavior ever since the upgrade, I think I am going to sit this one out. I normally like to stay on top of the latest firmware for security and bug fixes, but I think this one is a case of "if it ain't broke, don't fix it". 3.00 wasn't broke for me.

-Alan