Policy Control in USG FLEX 100

Marcin_marcin

Hi, I have a question about Policy Control in USG FLEX 100.

Default rules allow all traffic. They create two HOST objects, how to block traffic between them in LAN1? I tried to do it between two computers and despite different settings in the sections: From , To, IPv4 Source , IPv4 Destination and setting the Action tab to deny, computers can still ping and see shared resources in the network environment.

I understand that the rule should be in the Policies list before the default Policies?

What should a rule blocking traffic between two computers in Lan1 look like? Can I have an example please? Thank you for your help and have a nice weekend.

StefanZ

This works for me to block VLAN10 (users) from accessing VLAN1000 (admin).

VLAN1000 can still access VLAN10 – if you want it to be mutual, you need a second, reversed policy.

Source objects would be Hosts – but generally I would just put those hosts on seperate VLANs or Zones.
In your case a host could just chose another IP to be allowed again. With MAC/DHCP enforcement the host could still spoof its' MAC… and so on.

If you generally want to isolate all hosts on that subnet from each other, you want "Layer-2-Isolation" as a concept.

PeterUK

Computers on the same subnet or LAN1 can't blocked due to a switch or if you port role LAN ports to LAN1 which is still a switch before it gets to the Policy Control.

Two way to block is to have the computers on different subnets which the Policy Control can see or with a VLAN set to general with proxy arp and a managed switch with Send the packet to the egress port with ARP out the port to USG which you make a LAN to LAN Policy Control rules to limit what computers can connect to each other on the same subnet.

mMontana

how to block traffic between them in LAN1?
You cannot in USG device. Because for communicate between them, USG is not involved at all.

Marcin_marcin

Thank you very much for your posts. Have a great week.