Disable creation of implicit allow rules

Good afternoon,

I've noticed that whenever I create a new network interface/vlan on a Nebula controlled Firewall (in this case USG Flex 100W), the network interface/vlan gets automatically added to the following 2 implicit allow rules:

Allow to Any and Allow to Device.

Is there a way to stop the CREATION of this? Let's say you create a new interface and you forget to add deny rules above the implicit allow rules, devices in that network can literally reach EVERY DEVICE in the ENTIRE network.

Huge security concern.

PS: No, enabling guest is not an option.

Thanks in advance!

All Replies

  • PeterUK

    You can use standalone.

  • Hi Peter,

    Thanks for your reply.

    I'm well familiar with standalone but that's a workaround not a solution.

    We need them to be in Nebula for specific reasons.

    Again: Is there a way to disable the auto creation of implicit allow rules in Nebula? No workarounds.

  • PeterUK

    I don't use Nebula so can't help but I agree with you.

    You would think Nebula have the same config layout just that the USG connects to the cloud to config it but someone had other plans.

  • Zyxel_Emily (Zyxel Employee)

    Hi @DenizYildiz,

    The implicit rules cannot be modified. You can add new deny rules which have higher priority to block the traffic.
    For example,
    Rule1. Action: Deny; Source: lan10 and lan20; Destination: Any
    Rule2. Action: Deny; Source: lan10 and lan20; Destination: Device
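    As an added example (not Zyxel's code and not from anyone in this thread), here is a small Python model of the ordering described in the reply above: rules are evaluated top-down, the two implicit "Allow to Any" / "Allow to Device" rules sit at the bottom and match every interface, and an audit flags any interface that still falls through to them. The first-match semantics, the `Rule` structure and the interface names are assumptions.

```python
"""Audit a Nebula-style policy for interfaces that fall through to the
implicit allow rules. Constructed model: first match wins, and the two
implicit rules are appended below every user rule and match any source."""
from dataclasses import dataclass


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    sources: set         # interface names; {"any"} matches every interface
    destination: str     # "any" (other networks) or "device" (the firewall)
    implicit: bool = False


# The two implicit rules the thread describes; assumed to always be last.
IMPLICIT_RULES = [
    Rule("allow", {"any"}, "any", implicit=True),
    Rule("allow", {"any"}, "device", implicit=True),
]


def first_match(rules, src, dest):
    """Return the first rule matching traffic from interface src to dest.
    Never returns None because the implicit rules cover every case."""
    for rule in list(rules) + IMPLICIT_RULES:
        if ("any" in rule.sources or src in rule.sources) and rule.destination == dest:
            return rule
    return None


def audit(rules, interfaces):
    """Return (interface, destination) pairs whose traffic is decided only by
    an implicit allow, i.e. interfaces that were created without a deny above."""
    gaps = []
    for iface in interfaces:
        for dest in ("any", "device"):
            if first_match(rules, iface, dest).implicit:
                gaps.append((iface, dest))
    return gaps


if __name__ == "__main__":
    # Constructed policy following Rule1/Rule2 above; lan30 is a new VLAN nobody covered.
    policy = [
        Rule("deny", {"lan10", "lan20"}, "any"),
        Rule("deny", {"lan10", "lan20"}, "device"),
    ]
    for iface, dest in audit(policy, ["lan10", "lan20", "lan30"]):
        print(f"{iface} -> {dest}: reachable via implicit allow, add a deny rule above it")
```

Running the audit after every interface change turns the forgotten-deny scenario from the opening post into a visible finding instead of a silent allow.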
