Security Policy, NO "ANY" option in drop down list.

jef
jef Posts: 39  Freshman Member

Why is there not an "any" option in the drop-down?
There is "any (Excluding ZyWALL)", but I want the ZyWALL protected also.

Do I have to create two rules, "any (Excluding ZyWALL)" and another "ZyWALL"?

All Replies

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    edited February 9

    Do I have to create two rules, "any (Excluding ZyWALL)" and another "ZyWALL"?

    Yes, it's for better security, like this:

    If you had from WAN to ANY, that would mean including the ZyWALL; "ANY Excluding ZyWALL" means any, but not the ZyWALL.

  • jef
    jef Posts: 39  Freshman Member

    Thanks, I did create two rules:
    WAN to "Any (Excluding ZyWALL)" deny
    WAN to "ZyWALL" deny
    I do not understand how that would differ from WAN to "Any", if "Any" were an option.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    edited February 9

    The default deny rule would have applied then, not needing WAN to "ZyWALL" deny, unless you have a rule WAN (or any) to ZyWALL allow.

  • jef
    jef Posts: 39  Freshman Member

    Ah, I get it, thank you… Yes, but I do.
    China was trying to hack the IPsec tunnel. WAN to ZyWALL is required for IPsec.

    I thought I was blocking China (Asia) high in the list, but the Zyxel "Exclude" poked a hole in that.
    I try never to rely on the default rule.
    I still think "Any" needs to be an option, just like the "any" in the default rule.
    I think it would be cleaner than making two rules for the same thing. Or allow us to choose multiple objects.

  • jef
    jef Posts: 39  Freshman Member

    Looks innocent enough.
    But I didn't recognize the 223.113.128.138. It is not one of our remote corporations.
    I backtracked that IP to China. Then I got grumpy wondering how it got that far into my Zyxel.

  • jef
    jef Posts: 39  Freshman Member

    Zyxel doesn't allow IPsec by FQDN, which would be nice for dynamic gateway addresses.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    edited February 9

    You likely have a rule from WAN to ZyWALL to allow VPN from any IP.

    The USG comes with default rules, which you should check.

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    Hello @jef,
    From/To configures the direction of travel of packets, and it can only be set as a Zone, not as an interface or an address.
    It's more like we treat the ZyWALL itself as a Zone; "Any" as a Zone means any interfaces, and the ZyWALL is not considered an interface.
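    The zone semantics in this thread, as an added example that is not from the forum or from Zyxel: a small first-match model of the policy list in which "Any (Excluding ZyWALL)" matches every destination zone except the device itself, "ZyWALL" matches only the device, and an implicit default deny ends the list. The rule names, the "GEO_ASIA" address object and the "PARTNER" source are constructed for the illustration; it shows why the block placed high in the list still let the IPsec allow rule match, and how the second deny rule closes that.

```python
# Added example (not code from the thread or from Zyxel): minimal first-match
# model of the USG security-policy semantics discussed above.
from dataclasses import dataclass

ZYWALL = "ZyWALL"
ANY_EXCL = "Any (Excluding ZyWALL)"

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str      # e.g. "WAN"
    dst_zone: str      # ZYWALL, ANY_EXCL, or a plain zone name such as "LAN1"
    src_addr: str      # address object name, or "any"
    action: str        # "allow" or "deny"

def dst_matches(rule_dst: str, packet_dst: str) -> bool:
    """'Any (Excluding ZyWALL)' covers every zone except the device itself."""
    if rule_dst == ANY_EXCL:
        return packet_dst != ZYWALL
    return rule_dst == packet_dst

def evaluate(rules, src_zone, dst_zone, src_addr):
    """Return (rule name, action) of the first match, else the default deny."""
    for r in rules:
        if (r.src_zone == src_zone
                and dst_matches(r.dst_zone, dst_zone)
                and r.src_addr in ("any", src_addr)):
            return r.name, r.action
    return "default", "deny"

# Constructed policy with the hole: the geo block is "high in the list" but
# scoped to Any (Excluding ZyWALL), so traffic to the device skips it and
# reaches the WAN -> ZyWALL allow that IPsec needs.
HOLE = [
    Rule("block-asia", "WAN", ANY_EXCL, "GEO_ASIA", "deny"),
    Rule("ipsec-in",   "WAN", ZYWALL,   "any",      "allow"),
]
# Constructed fixed policy: the two deny rules the thread ends up with,
# both ahead of the IPsec allow.
FIXED = [
    Rule("block-asia-lan",    "WAN", ANY_EXCL, "GEO_ASIA", "deny"),
    Rule("block-asia-device", "WAN", ZYWALL,   "GEO_ASIA", "deny"),
    Rule("ipsec-in",          "WAN", ZYWALL,   "any",      "allow"),
]

if __name__ == "__main__":
    print(evaluate(HOLE,  "WAN", ZYWALL, "GEO_ASIA"))  # ('ipsec-in', 'allow')
    print(evaluate(FIXED, "WAN", ZYWALL, "GEO_ASIA"))  # ('block-asia-device', 'deny')
    print(evaluate(FIXED, "WAN", ZYWALL, "PARTNER"))   # ('ipsec-in', 'allow')
```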
