USG110 / 4.65 AAPH.1 - new "Policy Control Warning"

USG_User
USG_User Posts: 369  Master Member
edited October 2021 in Security
The 4.65 AAPH.1 newly implements a Policy Control Warning in case it detects opportunities for internet access to the management interface or SSL VPN. If such rules are detected, an additional button "Update Security Settings" is displayed above the Policy Control.

But what is this button for?
The change log only states: "Security Policy page add warning message and button to Security Check configuration page when security risk detected."

We're aware that our SSL VPN is accessible from the internet. That is the sense of it. Otherwise our streetworkers have no access.

But what happens when pressing this new button? Will any rules be changed or adapted? Or is it removing the red security warning message only?
We're a little bit afraid to click on it, but would like to have the red message gone.



All Replies

  • jonatan
    jonatan Posts: 148  Ally Member
    This is a warning - with a proposal to change the rules. When you click on the button, you will be prompted to change the ports of the https, sslvpn ...

    If there is a WAN rule for Zywall Source Any Allow, then there will be a message; if in the Source field you specify a group of countries or addresses, then there will be no error.
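As an added illustration of the condition described in this reply (example code, not Zyxel's own and not the firmware's logic; the zone and service labels are assumptions), the following audit flags WAN-to-ZyWALL allow rules with Source "any" on the web management or SSL VPN service, and shows that a source limited to an address or geo group is not flagged:

```python
# Added example, not Zyxel's code: reproduce the condition behind the USG
# "Policy Control Warning" over a constructed rule set. A rule is flagged when
# it allows WAN -> ZyWALL traffic from Source "any" to a service carrying the
# web management interface or the SSL VPN. Zone and service labels are assumed.
from dataclasses import dataclass

MGMT_SERVICES = frozenset({"HTTPS"})     # assumed label for the web GUI service
SSLVPN_SERVICES = frozenset({"SSLVPN"})  # assumed label for the SSL VPN service
RISKY_SERVICES = MGMT_SERVICES | SSLVPN_SERVICES


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str         # e.g. "WAN", "LAN1"
    to_zone: str           # "ZyWALL" = traffic addressed to the firewall itself
    source: str            # "any", an address object, or a geo/address group
    services: frozenset    # service names matched by the rule
    action: str            # "allow" or "deny"


def exposed_services(rules):
    """Return (rule name, service) pairs the warning would flag.

    Rules are evaluated top-down: a WAN -> ZyWALL deny from "any" shields later
    allows for the same service (first-match semantics, simplified)."""
    findings, shielded = [], set()
    for r in rules:
        if r.from_zone != "WAN" or r.to_zone != "ZyWALL" or r.source != "any":
            continue                      # only internet-wide rules matter here
        hit = RISKY_SERVICES & r.services
        if r.action == "deny":
            shielded |= hit
        elif r.action == "allow":
            findings.extend((r.name, svc) for svc in sorted(hit - shielded))
    return findings


# Constructed rule set mirroring the thread: management only from LAN1, SSL VPN
# open to the whole internet (flagged), plus a geo-restricted variant (not flagged).
SAMPLE_RULES = (
    Rule("WAN_Mgmt_Deny", "WAN", "ZyWALL", "any", frozenset({"HTTPS"}), "deny"),
    Rule("LAN1_Mgmt", "LAN1", "ZyWALL", "any", frozenset({"HTTPS"}), "allow"),
    Rule("WAN_SSLVPN_Any", "WAN", "ZyWALL", "any", frozenset({"SSLVPN"}), "allow"),
    Rule("WAN_SSLVPN_Geo", "WAN", "ZyWALL", "GEO_Trusted", frozenset({"SSLVPN"}), "allow"),
)


def check_sample():
    return exposed_services(SAMPLE_RULES)  # [("WAN_SSLVPN_Any", "SSLVPN")]
```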



  • USG_User
    USG_User Posts: 369  Master Member
    Thanks for the image and explanation, Jonatan.
    • Management access will only be granted with us from LAN1. All other zones (including WAN) are prohibited.
    • Management access port is different from SSL VPN access Port.
    • But we need an access opportunity from WAN for our streetworkers. Unfortunately they have to visit ships all over the world. That's why we are not able to limit the SSL VPN access to special trusted regions only.
    • 2F Authentication is not in use with us.
    Does the red security note disappear only when all 4 checkboxes are ticked? This would be a kind of constraint. But anyway, safety first, and because of the last lessons learnt by Zyxel they consider it right.

  • jonatan
    jonatan Posts: 148  Ally Member
    edited October 2021
  • USG_User
    USG_User Posts: 369  Master Member
    Thanks Jonatan,
    but as said, our management access port is already different from the SSL VPN access port. This was the first thing we did after Zyxel implemented it.
    BTW, for both accesses we do not use any standard ports (like 443) anymore.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,104  Zyxel Employee
    edited October 2021
    Hi @USG_User

    The purpose of this feature is to guide users on how to deploy the devices in a “more secured way”.
    Please refer to the link below: https://community.zyxel.com/en/discussion/10920/best-practices-to-secure-a-distributed-network-infrastructure#latest
    Once the recommended practice is followed (edit one of the Security Check for WAN interface checkboxes), the red warning message will disappear.


  • USG_User
    USG_User Posts: 369  Master Member
    Thanks Jeff, but an option "Noted" (or something like that for expert users) would be appreciated, which lets the red warning message disappear after reading.
    Further, the present button "Update Security Settings" looks like it was added "quick & dirty". It sticks to the newly added separator line. It's cosmetics only, but will be noticed by the user!
  • mMontana
    mMontana Posts: 1,342  Guru Member
    Hint for improving: instead of a Q&D button "fix it for me", maybe the info box could provide the "ticks not ticked" that are triggering it.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,104  Zyxel Employee
    Thanks for your suggestion, we will evaluate this for a future improvement.
  • Catkins

    Having been directed to this forum for submitting ideas, I'd love to chuck my 2p worth in. We have this same issue, we use SSL VPN and use non-standard ports, and yet in Policy Control we're constantly mithered that “you have a rule that allows anyone on the internet to access the web management interface and the SSL VPN service”. Except in the case of the former, we have a rule that denies, and in the case of the latter, we kinda need the service to be visible externally, or it's not much use as a VPN server.

    How do we get this annoying prompt to go away? Hitting “Update Security Settings” will create rules that block the SSL VPN service.

    We have followed the best practices (and in fact, had paid you guys set up the SSL VPN service, so you'd hope you'd be on the ball), and yet the only way we can make the infernal message disappear is to allow it to block the service we need…

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee

    Hi @Catkins ,

    Could you send me the device start-up configuration file? Assuming the security policy already follows the best practice, the error message should be gone.

