Security Policy, NO "ANY" option in drop down list.

jef
jef Posts: 37  Freshman Member

Why is there not an 'any' option in the drop down?
"any(Excluding Zywall)". But I want Zywall protected also?

Do I have to create 2 rules "any(Excluding)" and another "Zywall"?

All Replies

  • PeterUK
    PeterUK Posts: 2,590  Guru Member
    edited February 9

    Do I have to create 2 rules "any(Excluding)" and another "Zywall"?

    Yes, it's for better security, like this:

    If you had from WAN to ANY, that would mean include Zywall; by ANY Excluding Zywall, any but not Zywall.

  • jef
    jef Posts: 37  Freshman Member

    Thanks, I did create two rules.
    Wan to "Any (Excluding Zywall)" deny
    Wan to "Zywall" deny.
    I do not understand how that would differ from Wan to "Any". If "Any" was an option?

  • PeterUK
    PeterUK Posts: 2,590  Guru Member
    edited February 9

    The default deny rule would have applied then, needing WAN to "Zywall" deny unless you have a rule WAN (or any) to Zywall allow.

  • jef
    jef Posts: 37  Freshman Member

    Ah I get it, thank you… Yes, but I do.
    China was trying to hack IPSEC Tunnel. Wan to Zywall required for IPSEC.

    I thought I was blocking China (Asia) high in the list, but the Zyxel "Exclude" poked a hole in that.
    I try never to rely on the default rule.
    I still think "Any" needs to be an option, just like the "any" in the "default rule".
    I think it would be cleaner than making 2 rules for the same thing. Or allow us to choose multiple objects.

  • jef
    jef Posts: 37  Freshman Member

    Looks innocent enough.
    But I didn't recognize the 223.113.128.138. It is not one of our remote corporations.
    I backtracked that IP to China. Then got grumpy wondering how it got that far into my Zyxel.

  • jef
    jef Posts: 37  Freshman Member

    Zyxel doesn't allow IPsec by FQDN... which would be nice for dynamic gate addresses.

  • PeterUK
    PeterUK Posts: 2,590  Guru Member
    edited February 9

    You likely have a rule from WAN to Zyxel to allow VPN from any IP.

    The USG comes with default rules which you should check.
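
The rule-ordering gap discussed in this thread, as an added example that is not part of any post above and is not Zyxel's code: a simplified first-match model in which a geo-block aimed at "any (Excluding ZyWALL)" never sees traffic addressed to the firewall itself, so the WAN-to-ZyWALL IPsec allow is the first rule to match. Rule names, the "Asia" and "Europe" geo labels, the service labels and the packets are constructed assumptions.

```python
# Simplified first-match model of a zone-based security policy (added example).
# Rule names, geo labels, service labels and packets are constructed.
from dataclasses import dataclass

ANY_EXCL = "any (Excluding ZyWALL)"  # through-traffic only, never the device itself
ZYWALL = "ZyWALL"                    # traffic addressed to the firewall itself

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst: str       # ANY_EXCL or ZYWALL
    src_geo: str   # "any" or a geo object name
    service: str   # "any" or a service label
    action: str    # "allow" or "deny"

def matches(rule, pkt):
    # A ZYWALL rule only matches to-device packets; an ANY_EXCL rule only the rest.
    dst_ok = (rule.dst == ZYWALL) == pkt["to_device"]
    return (rule.src_zone == pkt["src_zone"] and dst_ok
            and rule.src_geo in ("any", pkt["src_geo"])
            and rule.service in ("any", pkt["service"]))

def evaluate(rules, pkt):
    """Return (action, rule name) of the first matching rule, else default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "default"

GEO_BLOCK = Rule("block-asia", "WAN", ANY_EXCL, "Asia", "any", "deny")
GEO_BLOCK_DEVICE = Rule("block-asia-to-device", "WAN", ZYWALL, "Asia", "any", "deny")
IPSEC_ALLOW = Rule("ipsec-in", "WAN", ZYWALL, "any", "IKE", "allow")

original = [GEO_BLOCK, IPSEC_ALLOW]                     # geo-block misses the device
corrected = [GEO_BLOCK, GEO_BLOCK_DEVICE, IPSEC_ALLOW]  # second deny placed above the allow

# Constructed packets: IKE sent to the firewall's own WAN address.
ike_from_asia = {"src_zone": "WAN", "to_device": True, "src_geo": "Asia", "service": "IKE"}
ike_from_peer = {"src_zone": "WAN", "to_device": True, "src_geo": "Europe", "service": "IKE"}

if __name__ == "__main__":
    for label, policy in (("original", original), ("corrected", corrected)):
        for pkt_name, pkt in (("asia", ike_from_asia), ("peer", ike_from_peer)):
            print(label, pkt_name, evaluate(policy, pkt))
```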
