Disable creation of implicit allow rules
Good afternoon,
I've noticed that whenever I create a new network interface/vlan on a Nebula controlled Firewall (in this case USG Flex 100W), the network interface/vlan gets automatically added to the following 2 implicit allow rules:
Allow to Any and Allow to Device.
Is there a way to stop the CREATION of this? Let's say you create a new interface and you forget to add deny rules above the implicit allow rules, devices in that network can literally reach EVERY DEVICE in the ENTIRE network.
Huge security concern.
PS: No, enabling guest is not an option.
Thanks in advance!
All Replies
You can use standalone.
Hi Peter,
Thanks for your reply.
I'm well familiar with standalone but that's a workaround not a solution.
We need them to be in Nebula for specific reasons.
Again: Is there a way to disable the auto creation of implicit allow rules in Nebula? No workarounds.
I don't use Nebula so can't help but I agree with you.
You would think Nebula would have the same config layout, just that the USG connects to the cloud to config it, but someone had other plans.
Hi @DenizYildiz,
The implicit rules cannot be modified. You can add new deny rules which have higher priority to block the traffic.
For example,
Rule1. Action: Deny; Source: lan10 and lan20; Destination: Any
Rule2. Action: Deny; Source: lan10 and lan20; Destination: Device0
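
The rule ordering the last reply relies on, as an added example that is not part of the thread and does not use any Nebula API or export format: a constructed first-match rule table with an audit that lists interfaces whose traffic is still decided by an implicit allow. The rule model, the top-down first-match evaluation, the interface name `vlan30` and the `audit` function are assumptions for illustration.

```python
# Constructed model of a top-down, first-match security policy.
# Nothing here is Nebula's own data format; all names are hypothetical.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    sources: tuple       # interface names the rule applies to
    destination: str     # "any" (transit traffic) or "device" (the firewall itself)
    implicit: bool = False

def first_match(rules, src, dst):
    """Return the first rule, top-down, that matches traffic src -> dst."""
    for rule in rules:
        if src in rule.sources and rule.destination == dst:
            return rule
    return None

def audit(rules, interfaces):
    """Map each interface to the destinations where an implicit allow decides."""
    findings = {}
    for iface in interfaces:
        for dst in ("any", "device"):
            rule = first_match(rules, iface, dst)
            if rule and rule.implicit and rule.action == "allow":
                findings.setdefault(iface, []).append(dst)
    return findings

# Constructed sample: vlan30 was just created, so it appears only in the
# implicit rules; lan10 and lan20 are covered by the two deny rules above them.
INTERFACES = ("lan10", "lan20", "vlan30")
SAMPLE_RULES = [
    Rule("Rule1", "deny", ("lan10", "lan20"), "any"),
    Rule("Rule2", "deny", ("lan10", "lan20"), "device"),
    Rule("Allow to Any", "allow", INTERFACES, "any", implicit=True),
    Rule("Allow to Device", "allow", INTERFACES, "device", implicit=True),
]

if __name__ == "__main__":
    for iface, dsts in audit(SAMPLE_RULES, INTERFACES).items():
        print(f"{iface}: implicit allow still applies to {', '.join(dsts)}")
```

Running the same audit after every interface or VLAN change catches the case described in the original post, where a new network is added and the deny rules above the implicit allows are forgotten.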