DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2925 - Allow management from the Internet - Can't Disable!

23 Aug 2014 16:23 #81062 by garethrees
I can't believe that 1) Allow Management from the Internet is enabled out of the box and 2) you can't actually disable it despite the management settings stating it's not enabled.

I've just installed a new 2925 and used Nessus to port scan the WAN internet facing port from another ISP and guess what it found.

HTTPS 443 - Open
FTP 21 - Open

Anyone on the Internet can log in to these firewalls using default passwords if they have not been reset.

This is a major security flaw and needs to be addressed ASAP.

I previously raised this flaw with Draytek over 4 years ago and it's still not resolved in newer firewalls. Shocking!

http://www.forum.draytek.co.uk/viewtopic.php?f=2&t=13903

Last time I managed to port forward the offending ports to a non-functioning IP address, which provided at least some level of security; however, this new 2925 does not allow that because of a port conflict. So I'm stuck.

Anyone else found a work around to this security flaw?


23 Aug 2014 16:56 #81063 by garethrees
Might have found a way to block the open ports.

1) SSL Web/General Settings - Moved Default port 443 to something else like 2443 (Make sure SSL Web is disabled)
2) System Maint/Management - Internet Access Control - check and uncheck all including ping.
3) System Maint/Management - LAN Access Control - Only select LAN not any of the others.
4) System Maint/Management - Access List from the Internet - enter your local Subnet x.x.x.0 / 255.255.255.0/24
5) Reboot.
6) Port scan from outside your network to be 100% sure.

I've done the above and I'm no longer getting the Web Console login on the WAN side, and yes, I could log in and reconfigure my firewall from the Internet before.

Raised this as a bug with DrayTek (again), but I hope this helps others.
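As an added example (not the poster's code), here is a small Python script that automates step 6 of the list above: run from a host outside your own network, it attempts a TCP connect to each management port against your router's WAN address and reports which ones still answer. The port list is an assumption taken from the posts (21 and 443 as found open, plus 2443 as the relocated SSL Web port from step 1); the WAN address and the extra-port option are placeholders for your own values. It distinguishes a completed handshake ("open") from a refused connection ("closed") and from silence ("filtered"), so you can tell whether a firewall rule is actually dropping the traffic or a service merely stopped listening.

```python
"""Check which TCP ports on a router's WAN address answer from the outside.

Constructed example for verifying the last step of the post above: run it
from a machine that is NOT behind the router being checked (e.g. a host on
another ISP), against your own WAN IP.
"""
import argparse
import socket
from typing import Callable, Dict, Iterable, List

# Ports the post reports as open out of the box, plus 2443, the relocated
# SSL Web port from step 1 (assumed value), so it can be confirmed blocked too.
DEFAULT_PORTS = {21: "FTP", 443: "HTTPS", 2443: "HTTPS (relocated)"}

Prober = Callable[[str, int], str]


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a full TCP connect and classify the outcome.

    'open'     - handshake completed: a service is listening and reachable.
    'closed'   - RST received: nothing listening, but the host answered.
    'filtered' - no reply within the timeout: dropped by a firewall rule,
                 which is the state you want for WAN-side management ports.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def audit_exposure(host: str, ports: Iterable[int],
                   probe: Prober = probe_tcp) -> Dict[int, str]:
    """Probe each port once and return {port: state}."""
    return {port: probe(host, port) for port in ports}


def exposed_ports(results: Dict[int, str]) -> List[int]:
    """Ports that completed a handshake, i.e. reachable from the Internet."""
    return sorted(port for port, state in results.items() if state == "open")


def report(results: Dict[int, str],
           names: Dict[int, str] = DEFAULT_PORTS) -> str:
    """One line per probed port, followed by a pass/fail verdict line."""
    lines = [
        f"{port:>5}/tcp {names.get(port, ''):<18} {state}"
        for port, state in sorted(results.items())
    ]
    bad = exposed_ports(results)
    if bad:
        verdict = "FAIL: management reachable on " + ", ".join(map(str, bad))
    else:
        verdict = "OK: no probed port answered"
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("wan_ip", help="your router's public WAN address")
    parser.add_argument("-p", "--port", type=int, action="append",
                        help="extra port to probe (repeatable)")
    args = parser.parse_args()
    ports = list(DEFAULT_PORTS) + (args.port or [])
    print(report(audit_exposure(args.wan_ip, ports)))
```

Usage: `python3 wan_check.py <your-WAN-IP> -p 22` from outside the network. A "FAIL" line means the router still completes a handshake on that port and the access-list change above has not taken effect; re-check steps 2 to 4 and reboot before trusting the result.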
