Q: Branch Office Zywall USG Remote Server Logging (TCP 514) to Head Office remote host over VTI

warwickt
warwickt Posts: 111  Ally Member
First Anniversary Friend Collector First Answer First Comment
edited April 2021 in Security

Hi Zyxel and fellow USG forum lads, I would like to solicit your expertise/advice.

Help Topic: Branch Office Zywall USG Remote Server Logging to Head Office remote host over VTI

Goal: Centralise an instance of all Branch Office Zyxel USG Zyxel appliance logs on main a Head Office Server for audit and archive.


Method Attepted: Specify Logging Remote Server (1-4): logger_host.branch.office

Result: packets are always sent through WAN port of Branch Office Zyxel USG appliances and are sent into the abyss of internet space


Question/ Help: Any clues on how to apply a specific Policy Route or procedure to coerce Branch Office Zyxel USG initiated packets (from the Remote Logger) to send any Head Office over the production VTIx???

THE Remote Server Loggers on the Branch Office USGs simply prepare and send USG log messages over default TCP 514 to the names host - works fine always on the local lans on Branch Office USG appliances.


Existing Production Policy Routes: existing Policy Routes in place for ages for all Branch Office LANx'x , L2TP etc to Head Office LANx's and L2TP and ZYwall via VTI work 100% always !


Diagnostics/ Tools from a Branch Office Zyxel USG:

Zyxel USG router cli to Head Office LAN(s) from USG cli :

nslookup: NS resolves all host names due to Domain Forwarding

ping: times out 

traceroute: goes out to WAN and gets lost, times out

packet trace: (parsed by wiresharK):

- source address is always Branch Office Zyxel WAN IP (???) 

- destination is Head Office IPV4 of logger_host.branch.office (correct)

Any clues or advice most welcome.

Warwick

Hong Kong

Best Answers

  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    Answer ✓

    OSPF:

    Hi @Line2 and @Zyxel_Cooldia , this post by @Ian31 , from 2019-April-13 "OSPF Configuration", OSPF with VTI - his article on these forums was most helpful..


    https://businessforum.zyxel.com/discussion/comment/7528#Comment_7528

    .. and some healthy R.T.F.M.

    Method: Using OSPF to coerce a route from Branch Office Zyxel USG Remote logger n to Head Office USG LANx host - works well.


    The detail is using the zyxel USG CLI - refer to ZyWALL USG/VPN/ATP Series CLI Reference Guide - Section 14.2.7 - very good


    The USG WEBUI seems deficient in configuring the subtle details of OSPF. The informative post from @Ian31 utilises the USG's CLI.


    Highlights:

    NO static routes nor any additional Policy Routes required - nice.

    Just tetsing with simple OSPF Area 0.0.0.0 between these two and works great.

    Will move other routers in subsequent OSPF areas and confgure accoringly when stable.


    Results:


    Head Office ZYXEL USG:

    router# show ospf interfaces all area

    Router(config)# show ospf interface all area 

    Interface      Area       

    ===============================================================================

    wan1        0.0.0.0      

    wan2        none        

    lan1        0.0.0.0      

    lan2        0.0.0.0      

    lan3        none        

    guest        none        

    vlan95       0.0.0.0      

    vti1        0.0.0.0      

    vti2        none        

    vti3        none        

    Router#  



    Branch Office ZYXEL USG:

    Router# show ospf interface all area 

    Interface      Area       

    ===============================================================================

    wan1        0.0.0.0      

    lan1        0.0.0.0      

    lan2        none        

    lan3        none        

    opt         none        

    vti1        0.0.0.0      

    vti2        none        

    Router#


    Steps to Do this with OSPF using the USG CLI (ssh (-p <port>) admin-account@your-router.internal.domain ) :

    1) map the routers into an OSPF backbone (Area 0.0.0.0) and subsequent satellite OSPF areas 

    2) add some IPV4 style OSPF identifier to each router... 


    3) on each router, configure the the particulare OSPF AREA number and associate it with the INTERFACE(s) that are associated wi that OSPF.


    e.g.

    Router(config-router)# network WAN1 area 0.0.0.0

    Router(config-router)# network VTI2 area 0.0.0.3 etc etc 


    refer to the current flavour of ' ZyWALL USG/VPN/ATP Series CLI Reference Guide - Section 14.2.7'


    Thanks for the assistance to this point.


    Regards

    Warwick

    Hong Kong

All Replies

  • Line2
    Line2 Posts: 40  Freshman Member
    First Anniversary Friend Collector First Answer First Comment

    Hi

    We use central logging for a lot of sites (over VTI/IPSec) with no problems yet. How does your policy routes on the branch USGs look like? We use OSPF for routing not policy routing. Maybe try a static route on the branch USGs to the Head office.

    Line2

  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment

    Hi @Line2 and @Zyxel_Cooldia, thankyu both for your most appreciated prompt replies.


    Zyxel_Cooldia: Use of a static route from Branch Office to Head Office.


    Result: Some progress! I just tried this and indeed it routes this traffic over the intended VTIx (packet capture at Branch Office ISG :514 syslog) 


    Affect: However the SRC address of the Branch Office ZYxel USG is not the B.O. LANx nor VTI gateway/address but is the WAN address of the Branch Office USG.


    Thus (sadly) the Head Office USG Security Policies default will reject it.


    ( in this configuration, The B.O. offices are ISP DHCP... not static IP) 


    Is there a method to coerce the SRC (source) address of the Branch Office Zyxel USG to apear from the VTIx end (i.e 10.161.99.15/32) or a B.O LANx address (i.e. 10.233.109.0/24) ?


    Line2: The use of OSPF looks like the good. Is there any straight forward (easy to digest) documentation on this for the USG other than the ZYWALL USG Users Guide (V4.33)


    Any help or directions appreciated.

    Warwick

    Hong Kong 

  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    Answer ✓

    OSPF:

    Hi @Line2 and @Zyxel_Cooldia , this post by @Ian31 , from 2019-April-13 "OSPF Configuration", OSPF with VTI - his article on these forums was most helpful..


    https://businessforum.zyxel.com/discussion/comment/7528#Comment_7528

    .. and some healthy R.T.F.M.

    Method: Using OSPF to coerce a route from Branch Office Zyxel USG Remote logger n to Head Office USG LANx host - works well.


    The detail is using the zyxel USG CLI - refer to ZyWALL USG/VPN/ATP Series CLI Reference Guide - Section 14.2.7 - very good


    The USG WEBUI seems deficient in configuring the subtle details of OSPF. The informative post from @Ian31 utilises the USG's CLI.


    Highlights:

    NO static routes nor any additional Policy Routes required - nice.

    Just tetsing with simple OSPF Area 0.0.0.0 between these two and works great.

    Will move other routers in subsequent OSPF areas and confgure accoringly when stable.


    Results:


    Head Office ZYXEL USG:

    router# show ospf interfaces all area

    Router(config)# show ospf interface all area 

    Interface      Area       

    ===============================================================================

    wan1        0.0.0.0      

    wan2        none        

    lan1        0.0.0.0      

    lan2        0.0.0.0      

    lan3        none        

    guest        none        

    vlan95       0.0.0.0      

    vti1        0.0.0.0      

    vti2        none        

    vti3        none        

    Router#  



    Branch Office ZYXEL USG:

    Router# show ospf interface all area 

    Interface      Area       

    ===============================================================================

    wan1        0.0.0.0      

    lan1        0.0.0.0      

    lan2        none        

    lan3        none        

    opt         none        

    vti1        0.0.0.0      

    vti2        none        

    Router#


    Steps to Do this with OSPF using the USG CLI (ssh (-p <port>) admin-account@your-router.internal.domain ) :

    1) map the routers into an OSPF backbone (Area 0.0.0.0) and subsequent satellite OSPF areas 

    2) add some IPV4 style OSPF identifier to each router... 


    3) on each router, configure the the particulare OSPF AREA number and associate it with the INTERFACE(s) that are associated wi that OSPF.


    e.g.

    Router(config-router)# network WAN1 area 0.0.0.0

    Router(config-router)# network VTI2 area 0.0.0.3 etc etc 


    refer to the current flavour of ' ZyWALL USG/VPN/ATP Series CLI Reference Guide - Section 14.2.7'


    Thanks for the assistance to this point.


    Regards

    Warwick

    Hong Kong

Security Highlight