Please review my security policy setup
All Replies
-
Hi,
It's a very strange configuration, what's the goal?
IPsec con can't reach Lan..
Lan to Lan it's strange... Have you VLAN?
Geo ip you can set allow from nation who wants to be reach and you can block any from wan to zywall.
With app patrol you can block or allow application without use service ports like Spotify
0 -
thanks for reviewing it.
IPsec con can't reach Lan..
—> I started playing around with VPN. Goal was when traveling to have access to ISP (not local resources)
Lan to Lan it's strange... Have you VLAN?
—> I have no VLAN. LAN to LAN traffic is allowed anyhow. So, this rule has to go.
Geo ip you can set allow from nation who wants to be reach and you can block any from wan to zywall.
—> I might need additional pointers here. My goal was to block traffic from certain geo areas to zywall etc.
With app patrol you can block or allow application without use service ports like Spotify
—> I am going to research. Sound like I could flip on spotify in app control on my "general internet" policy"?
0 -
"started playing around with VPN. Goal was when traveling to have access to ISP (not local resources)"
- IPsec can access to the resource of phase2 policy.. in same cases can go to the internet by your firewall but it isn't a standard configuration
"I might need additional pointers here. My goal was to block traffic from certain geo areas to zywall etc"
Usually I make this 2 rule (example)
Pos 3 From wan to zywall source "geo_ip_allow" service https/Ike/ecc.. action allow
Pos 4 ( under the allow policy)
From wan to zywall source any service any action deny
" I am going to research. Sound like I could flip on spotify in app control on my "general internet" policy"?"
Security service,➡️ app patrol --- edit default rule
Search Spotify you can choose drop or pass
Apply the rule to Lan to wan
In the first moment I suggest to you to make one rule, try, and log to check if it works..
In monitor log you can see if the rule drop or pass
Good work
0 -
Lan to Lan it's strange... Have you VLAN?
Its needed if traffic goes in on LAN and out on LAN by routing
0 -
should I have a rule for Zywall to LAN?
0 -
thank you. I will do this in steps. Working first on the app patrol.
Is app patrol essentially a collection of ports that are opened? If so, is there a way to review which ports?
0 -
Looks like the app patrol for Spotify does not include port 4070. It is blocked…
0 -
ok. this must be a rookie issue.
Started adding apps I need. But when I go back to the profile, the list is empty.
I do know from the log that the apps are working. As everything gets logged. Wanted to go back and switch off logging for forwards.
0 -
https://support.zyxel.eu/hc/en-us/categories/360001546960-Next-Generation-Firewall
https://support.zyxel.eu/hc/en-us/articles/4411322123666-Best-Practice-ATP-UTM-Features
0 -
Here you can find many guide check if it can help you!
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight