Please review my security policy setup

Options
tesagig
tesagig Posts: 56  Ally Member
First Anniversary 10 Comments Friend Collector

Does anything look odd?

I did hide some very specific rules

«1

All Replies

  • Omnia
    Omnia Posts: 39  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited June 2023
    Options

    Hi,

    It's a very strange configuration, what's the goal?

    IPsec con can't reach Lan..

    Lan to Lan it's strange... Have you VLAN?

    Geo ip you can set allow from nation who wants to be reach and you can block any from wan to zywall.

    With app patrol you can block or allow application without use service ports like Spotify

  • tesagig
    tesagig Posts: 56  Ally Member
    First Anniversary 10 Comments Friend Collector
    Options

    thanks for reviewing it.

    IPsec con can't reach Lan..

    —> I started playing around with VPN. Goal was when traveling to have access to ISP (not local resources)

    Lan to Lan it's strange... Have you VLAN?

    —> I have no VLAN. LAN to LAN traffic is allowed anyhow. So, this rule has to go.

    Geo ip you can set allow from nation who wants to be reach and you can block any from wan to zywall.

    —> I might need additional pointers here. My goal was to block traffic from certain geo areas to zywall etc.

    With app patrol you can block or allow application without use service ports like Spotify

    —> I am going to research. Sound like I could flip on spotify in app control on my "general internet" policy"?

  • Omnia
    Omnia Posts: 39  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options

    "started playing around with VPN. Goal was when traveling to have access to ISP (not local resources)"

    - IPsec can access to the resource of phase2 policy.. in same cases can go to the internet by your firewall but it isn't a standard configuration

    "I might need additional pointers here. My goal was to block traffic from certain geo areas to zywall etc"

    Usually I make this 2 rule (example)

    Pos 3 From wan to zywall source "geo_ip_allow" service https/Ike/ecc.. action allow

    Pos 4 ( under the allow policy)

    From wan to zywall source any service any action deny

    " I am going to research. Sound like I could flip on spotify in app control on my "general internet" policy"?"

    Security service,➡️ app patrol --- edit default rule

    Search Spotify you can choose drop or pass

    Apply the rule to Lan to wan

    In the first moment I suggest to you to make one rule, try, and log to check if it works..

    In monitor log you can see if the rule drop or pass

    Good work

  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited June 2023
    Options

    Lan to Lan it's strange... Have you VLAN?

    Its needed if traffic goes in on LAN and out on LAN by routing

  • tesagig
    tesagig Posts: 56  Ally Member
    First Anniversary 10 Comments Friend Collector
    Options
  • tesagig
    tesagig Posts: 56  Ally Member
    First Anniversary 10 Comments Friend Collector
    Options

    thank you. I will do this in steps. Working first on the app patrol.

    Is app patrol essentially a collection of ports that are opened? If so, is there a way to review which ports?

  • tesagig
    tesagig Posts: 56  Ally Member
    First Anniversary 10 Comments Friend Collector
    Options

    Looks like the app patrol for Spotify does not include port 4070. It is blocked…

  • tesagig
    tesagig Posts: 56  Ally Member
    First Anniversary 10 Comments Friend Collector
    Options

    ok. this must be a rookie issue.

    Started adding apps I need. But when I go back to the profile, the list is empty.

    I do know from the log that the apps are working. As everything gets logged. Wanted to go back and switch off logging for forwards.

  • Omnia
    Omnia Posts: 39  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited June 2023
    Options

    https://support.zyxel.eu/hc/en-us/categories/360001546960-Next-Generation-Firewall

    https://support.zyxel.eu/hc/en-us/articles/4411322123666-Best-Practice-ATP-UTM-Features

  • Omnia
    Omnia Posts: 39  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options

    Here you can find many guide check if it can help you!

Security Highlight