Nebula Default Security Rules Do Not Apply?

Sébastien
Sébastien Posts: 41  Freshman Member
Hi everyone,

My USG Flex 100 is connected to Nebula with 5 VLANs defined, one of which is connected through an IPSec tunnel to Azure, and one other has a webserver connected to it (on site).

Nebula shows me the default rules as:

In summary, LAN connections are allowed from inside (LANs to Any and LANs to Device) and everything else is denied.

Two things are surprising:
  1. For the webserver, I have configured NAT rules for ports 80 and 443. The webserver is responding from outside, whereas the security rules are not set up to allow that. Shouldn't the Deny rule apply in that case?
  2. Concerning the site-to-site VPN to Azure, the Azure subnet is not defined on the USG and is therefore not part of the "implicit allow rules". And again, the traffic flows unless I define a Deny rule myself!
Is this the normal behavior ?

Thanks.

Sébastien

Accepted Solution

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    Answer ✓
    1. When you add a NAT rule on Nebula, you don't need to create a firewall rule. It will be automatically created while creating the NAT rule. You can use the command "debug sdwan show firewall running-config" on the USG FLEX 100 to check the rule.
    The automatically added firewall rule can be found in:
    <firewall-name> SN_port_forwarding_IndexNumber </firewall-name>

    2. Currently, all subnets you choose here are going to be reachable for all non-Nebula VPN peers. It is a feature request that users can define the exported local subnets for each individual non-Nebula VPN connection. This request is already in our feature enhancement queue.

All Replies

  • Sébastien
    Sébastien Posts: 41  Freshman Member
    Hi Emily,

    Thanks for your answer which is complete and accurate.

    Regards,

    Sébastien
