How do I block IPs in USG60?

Options

I do not have an IP Reputation feature or similar as described here below. So how do I add one, or several ip addresses to block to an USG60 firewall?

Accepted Solution

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hello @DennisFi
    As @StefanZ suggested, if it's a large list of blocked IPs, you may try only allowing a few IPs.
    Or you can do it by manually adjusting your configuration file.

    • Download the startup-config.conf
    • open the .conf file with txt notebook
    • Find address-object address and object-group address
    • Then you can add the IP addresses in this format
      address-object x.x.x.x
      address-object y.y.y.y
    • And add an address group including the address-object
      object-group address
      address-object address name1
      address-object address name2

    This way is easier to add the address group if it's a large list.

All Replies

  • PeterUK
    PeterUK Posts: 2,876  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 2023
    Options

    If you know the IP, range, subnet or FQDN you can make a group list in objects > address then add to security policy > policy control for LAN to WAN or WAN to LAN source/destination as needed.

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hello @DennisFi
    Welcome to Zyxel Community!

    • Go to Configuration > Security Policy > Policy Control, and click "Add" to create a policy rule
    • From: LAN1, To: WAN (the direction could be incoming too)
    • Source: specific LAN host. (For blocking incoming traffic, the Source could be an external IP address or FQDN)
    • Action: Deny

  • DennisFi
    DennisFi Posts: 2
    Friend Collector First Comment
    Options

    OK so I would have to do that for every IP or range then. I was wondering or hoping one might've had the ability to insert a lot of IPs in a list somewhere and tie those to a policy.

    I was considering making an app to connect to the firewall via SSH and automatically keep an list of blocked IPs.

  • StefanZ
    StefanZ Posts: 192  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 2023
    Options

    Have a look at Configuration > Address/GEO IP > Address Group (if that feature exists on your device).

    Here you can bundle multiple Address Objects into a group which you can then reference in Policy Control.

    Generally I think you should do the reverse of what you want: Only allow certain IPs or ranges and keep everyone else out. Thats basically what a firewall does with the Default Rule – deny everything that is not explicitly allowed.

    Changing your config via SSH / CLI might also restart the device every time you alter the config. At least that is what happens via file-upload > apply or when replacing it via FTP…

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hello @DennisFi
    As @StefanZ suggested, if it's a large list of blocked IPs, you may try only allowing a few IPs.
    Or you can do it by manually adjusting your configuration file.

    • Download the startup-config.conf
    • open the .conf file with txt notebook
    • Find address-object address and object-group address
    • Then you can add the IP addresses in this format
      address-object x.x.x.x
      address-object y.y.y.y
    • And add an address group including the address-object
      object-group address
      address-object address name1
      address-object address name2

    This way is easier to add the address group if it's a large list.

Security Highlight