USG110 / 4.65 AAPH.1 - new "Policy Control Warning"

USG_User

The 4.65 AAPH.1 newly implements a Policy Control Warning in case it detects opportunities for internet access to management interface or SSL VPN. If such rules will be detected an additional button "Update Security Settings" is displayed above the Policy Control.

But what is this button for?

The change log is only stating: "Security Policy page add warning message and button to Security Check configuration page when security risk detected."

We're aware that our SSL VPN is accessable from the internet. That is the sense of it. Otherwise our streetworkers have no access.

But what happens when pressing this new button? Will any rules be changed or adapted? Or is it removing the red security warning message only?

We're a little bit afraid to click on it, but would like to have the red message gone.

jonatan

This is a warning - with a proposal to change the rules. When you click on the button, you will be prompted to change the ports of the https,sslvpn .....

If there is a WAN rule for Zywall Source Any Allow, then there will be a message, if in the Source field you specify a group of countries or addresses, then there will be no error.

USG_User

Thanks for the image and explanation, Jonatan.

• Management access will only be granted with us from LAN1. All other zones (including WAN) are prohibited.
• Management access port is different from SSL VPN access Port.
• But we need an access opportunity from WAN for our streetworkers. Unfortunately they have to visit ships all over the world. That's why we are not able to limit the SSL VPN access to special trusted regions only.
• 2F Authentication is not in use with us.

Does the red security note disappears only when all 4 checkboxes are ticked? This would be a kind of constraint. But anyway, safety first and because of the last lessions learnt by Zyxel they consider it right.

jonatan

HI @USG_User

Then change the standard Ssl vpn to access the gateway . This message is for informational purposes only.

Instructions here

https://mysupport.zyxel.com/hc/en-us/articles/4403366981522--ZyWALL-USG-How-to-change-the-SSL-VPN-Server-port-on-the-security-gateway-WebUI-

Firmware info

https://community.zyxel.com/en/discussion/10971/zld4-64-5-01-firmware-release#latest

USG_User

Thanks Jonatan,

but as said, our management access port is already different from SSL VPN access port. This was the first thing we've done after Zyxel has implemented it.

BTW, for both accesses we do not use any standard ports (like 443) anymore.

Zyxel_Jeff

Hi @USG_User

The purpose of this feature is to guide the users how to deploy the devices in “more secured way” 

Please refer to the below link: https://community.zyxel.com/en/discussion/10920/best-practices-to-secure-a-distributed-network-infrastructure#latest Once the recommended practice is followed(edit one of Security Check for WAN interface checkbox), the red warning message will disappear.

USG_User

Thanks Jeff, but an option "Noted" (or something like that for expert users) would be appreciated, which let the red warning message disappear after reading.

Further the present button "Update Security Settings" looks like "quick & dirty" added. It sticks to the newly added separator line. It's cosmetics only, but will be noticed by the user!

mMontana

Hint for improving: instead of a Q&D button "fix it for me", maybe the info box could provide the "ticks not ticked" that are triggering it.

Zyxel_Jeff

Thanks for your suggestion, we will evaluate this in our future improvement.

Catkins

Having been directed to this forum for submitting ideas, I'd love to chuck my 2p worth in. We have this same issue, we use SSL VPN and use non-standard ports, and yet in Policy Control we're constantly mithered that “you have a rule that allows anyone on the internet to access the web management interface and the SSL VPN service”. Except in the case of the former, we have a rule that denies, and in the case of the latter, we kinda need the service to be visible externally, or it's not much use as a VPN server.

How do we get this annoying prompt to go away? Hitting “Update Security Settings” will create rules that blocks the SSL VPN service.

We have followed the best practices (and in fact, had paid you guys set up the SSL VPN service, so you'd hope you'd be on the ball), and yet the only way we can make the infernal message disappear is to allow it to block the service we need…

Zyxel_Cooldia

Hi @Catkins ,

Could you send me the device start up configurtian file. Assume the security policy already follow the best practice. the error message should be gone.