The following are best-practice steps for securing the network on ZyWALL/USG/ATP/VPN series gateways.
- Change WebUI management port.
Note: By default the device uses port 80 and 443.
To change the management port, go to Configuration → System → WWW in your device's WebUI.
- Change the admin password often.
The Zyxel security gateway has an option to schedule a password change after a certain time period.
To enable and configure the option, go to Configuration → Object → User/Group and click on the Setting tab. Under "Login Security", enable the password change feature and set your desired change period.
- Change the SSH management port.
Note: By default the device uses port 22.
To change the management port, go to Configuration → System → SSH in your device's WebUI.
Additionally, you can disable the feature if you do not plan on using it.
- Disable SNMP.
This is an option enabled by default but not always used by customers. Disabling the feature will release resources on the CPU which may be used by other services on the Zyxel gateway.
To change the SNMP setting, go to Configuration → System → SNMP in your device's WebUI.
- Limit the users with access to the WebUI/SSH/Telnet/etc.
Note: By default the Zyxel appliance will allow any LAN IP access to its management interfaces.
The gateway can limit the IP addresses which can access the WebUI/SSH/Telnet and other management interfaces. This requires you to manually/statically assign an IP address on your computer or set up a DHCP reservation on the DHCP server so your computer always receives the same IP. Once this is done, go to Configuration → Object → Address/Geo IP and on the "Address" tab create a host entry for your computer's IP address.
Once the address object(s) for the computer's IP address have been created, go to Configuration → System and select the desired management menu (WWW, Telnet, SSH, FTP, etc.) and create a "Service Control" rule to Deny all IP addresses from all zones. Follow this by creating a rule to Allow your computer's IP address on the LAN zone.
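To confirm the management-port and Service Control changes above took effect, the following added example (not Zyxel code) checks which management ports a given host can still reach on the gateway. The function names, the Telnet/FTP well-known ports 23 and 21, and the sample port 8443 in the usage comment are assumptions, not values from this page.

```python
import socket
import sys

# WebUI 80/443 and SSH 22 are the defaults named on this page. Telnet 23 and
# FTP 21 are the well-known ports for those services (assumed, not from the page).
DEFAULT_MGMT_PORTS = {80: "HTTP WebUI", 443: "HTTPS WebUI", 22: "SSH",
                      23: "Telnet", 21: "FTP"}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_management(host, expected_open=(), probe=tcp_open):
    """Compare reachable management ports with what this host should see.

    expected_open: ports this host is supposed to reach, for example the new
    WebUI port when run from the allowed admin PC. Leave it empty when running
    from a host that the Service Control rules should deny.
    Returns a list of (port, finding) tuples; an empty list means it passed.
    """
    findings = []
    for port, name in sorted(DEFAULT_MGMT_PORTS.items()):
        if port not in expected_open and probe(host, port):
            findings.append((port, f"{name} still reachable on default port"))
    for port in sorted(expected_open):
        if not probe(host, port):
            findings.append((port, "expected management port not reachable"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_mgmt.py <gateway-ip> [port this host should reach ...]
    # e.g. from the allowed admin PC: python audit_mgmt.py <gateway-ip> 8443
    gateway = sys.argv[1]
    results = audit_management(gateway, tuple(int(p) for p in sys.argv[2:]))
    for port, finding in results:
        print(f"{gateway}:{port} {finding}")
    sys.exit(1 if results else 0)
```

Run it once from the allowed admin PC with the new ports listed, and once from another LAN host with no ports listed; both runs should report no findings.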
- Sync the system time with an NTP server.
Note: This is needed to log traffic correctly (timestamp) and communicate with the myZyxel.com server.
To configure the NTP time settings on the Zyxel gateway, go to Maintenance of time under Configuration → System → Date/Time. Select the option to "Get from Time Server" and provide your favorite, or most reliable, time server entry. Set the correct time zone for your region and daylight saving time (if applicable).
- Set up firmware/software "Auto Update" feature.
Configure the firmware/software auto update feature to make sure the Zyxel gateway is always running the latest firmware/software release. This option can be configured to run during off hours which will limit the need for IT personnel to be around after work hours to update the appliance.
To configure the cloud firmware auto update feature, go to Maintenance → File Manager and click on the "Firmware Management" tab. Check the box to enable the Auto Update feature and set the time period when the Zyxel appliance should check for updates and upgrade. Additionally, enable the "Auto Reboot" feature so the gateway will reboot after the firmware upgrade is completed and load the new firmware bank. Without this option, the Zyxel gateway will not run the new software until it is rebooted.
- Change the default IP scheme.
Note: By default Zyxel gateways use the 192.168.1.x IP scheme and utilize 192.168.1.1 to host management services. This is the IP address used by most networking appliance manufacturers.
It is a good idea to change the default IP scheme to limit IP conflicts with other devices/networks (such as modems with router capabilities, VPN users, etc.). To change the IP scheme on the Zyxel gateway, go to Configuration → Network → Interface and click on the "Ethernet" tab. Edit the network interface you wish to make changes on.
- Use connectivity check when using multiple WAN/Internet connections.
When using more than one internet connection with the Zyxel gateway, it is important to enable the "Connectivity Check" feature on each of the WAN ports. This feature allows the gateway appliance to test each connection to make sure it is active and working before routing traffic through it.
Note: By default the Zyxel gateway will attempt to ping the internet connection's default gateway for the connectivity check. This is not always reliable for a few reasons:
- The gateway address is not always programmed to respond to ICMP.
- The gateway address only tests the connection to the ISPCO (Internet Service Provider Central Office) in your area.