Nebula Default Security Rules Do Not Apply?
Hi everyone,
My USG Flex 100 is connected to Nebula with 5 VLANs defined, one of which is connected through an IPSec tunnel to Azure, and one other has a webserver connected to it (on site).
Nebula shows me the default rules as:
In summary, LAN connections are allowed from inside (LANs to Any and LANs to Device) and everything else is denied.
Two things are surprising:
- For the webserver, I have configured NAT rules for ports 80 and 443. The webserver is responding from outside whereas the security rules are not set up to allow that. Shouldn't the Deny rule apply in that case?
- Concerning the site-to-site VPN to Azure, the Azure subnet is not defined on the USG and therefore is not part of the "implicit allow rules". And again, the traffic flows unless I define a Deny rule myself!
Thanks.
Sébastien
Accepted Solution
Hi @Sébastien,
1. When you add a NAT rule on Nebula, you don't need to create a firewall rule. It will be automatically created while creating the NAT rules. You can use the command "debug sdwan show firewall running-config" on USG FLEX 100 to check the rule. The automatically added firewall rule can be found in:
<firewall-name> SN_port_forwarding_IndexNumber </firewall-name>
2. Currently all subnets you choose here are going to be reachable for all non-Nebula VPN peers. It is a feature request that users can define the exported local subnets per individual non-Nebula VPN connection. This request is already in our feature enhancement queue.
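The accepted answer's first point (the NAT entry silently adds an allow rule ahead of the default deny) is easier to reason about with a small first-match policy model. The block below is an added illustrative example, not Zyxel or Nebula code, and it does not reproduce how the USG FLEX actually evaluates its policy. The zone names, the webserver address 192.168.20.10, the field layout of the rules and the exact shape of the SN_port_forwarding_<n> rule are all assumptions made for the model; only the rule name pattern and the ordering (auto-generated rule before the final deny) come from the thread.

```python
# Added illustrative model (not Zyxel/Nebula code): a first-match policy
# evaluator showing why a NAT entry's auto-generated SN_port_forwarding_<n>
# rule makes the trailing default deny irrelevant for the forwarded ports,
# while every other WAN-originated flow still hits the deny.
# Zone names, the webserver address and the rule shape are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str            # "LAN", "WAN", ... or "any"
    to_zone: str              # a zone, "Device" (the firewall itself) or "any"
    dst: str                  # destination CIDR or "any"
    ports: FrozenSet[int]     # TCP destination ports; empty set = any port
    action: str               # "allow" or "deny"

    def matches(self, from_zone: str, to_zone: str, dst_ip: str, port: int) -> bool:
        if self.from_zone not in ("any", from_zone):
            return False
        if self.to_zone not in ("any", to_zone):
            return False
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.ports and port not in self.ports:
            return False
        return True


def evaluate(rules: List[Rule], from_zone: str, to_zone: str,
             dst_ip: str, port: int) -> Tuple[str, str]:
    """First match wins; a flow no rule covers is denied implicitly."""
    for rule in rules:
        if rule.matches(from_zone, to_zone, dst_ip, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"


WEBSERVER = "192.168.20.10"   # assumed address of the on-site webserver

# Constructed to mirror the default policy described in the thread:
# LAN to Device and LAN to Any allowed, everything else denied.
DEFAULT_RULES = [
    Rule("LAN_to_Device", "LAN", "Device", "any", frozenset(), "allow"),
    Rule("LAN_to_Any", "LAN", "any", "any", frozenset(), "allow"),
    Rule("Default_Deny", "any", "any", "any", frozenset(), "deny"),
]


def port_forwarding_rule(index: int, dst_ip: str, ports: Iterable[int]) -> Rule:
    """Assumed shape of the rule Nebula adds alongside a NAT entry."""
    return Rule(f"SN_port_forwarding_{index}", "WAN", "LAN",
                f"{dst_ip}/32", frozenset(ports), "allow")


def policy_with_nat(nat_rules: List[Rule]) -> List[Rule]:
    """Auto-generated rules are placed ahead of the final default deny."""
    explicit = [r for r in DEFAULT_RULES if r.name != "Default_Deny"]
    return explicit + list(nat_rules) + [DEFAULT_RULES[-1]]


if __name__ == "__main__":
    nat = [port_forwarding_rule(1, WEBSERVER, (80, 443))]
    for label, policy in (("defaults only", DEFAULT_RULES),
                          ("defaults + NAT", policy_with_nat(nat))):
        for port in (80, 443, 22):
            print(f"{label:15} WAN -> {WEBSERVER}:{port} ->",
                  evaluate(policy, "WAN", "LAN", WEBSERVER, port))
```

Running it shows the two cases side by side: with the default rule set alone, WAN to the webserver on 443 ends at Default_Deny; once the NAT-generated rule is present, 80 and 443 are allowed by SN_port_forwarding_1 while 22 to the same host, and 443 to any other LAN host, still end at Default_Deny. The practical check on the real device is the command from the answer, `debug sdwan show firewall running-config`, and a scan from outside limited to the NAT'd ports.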
All Replies
Hi Emily,
Thanks for your answer which is complete and accurate.
Regards,
Sébastien