USG FLEX H Series - VPN Zone Security

Zyxel_Richard (Zyxel Employee)
edited May 17 in VPN

Overview

Version 1.20, the latest update for the USG FLEX H Series, significantly improves the handling of IPsec VPN and SSL VPN configurations. VPN tunnels can now be added to their respective security zones automatically during VPN setup, eliminating the need for manual configuration.

IPsec VPN Zone Integration

Previous Process

Before version 1.20, when you created an IPsec VPN profile, you had to manually add the VPN tunnel to the IPsec VPN zone through the security object settings. This involved navigating to the security policy and manually including the tunnel as a member of the IPsec VPN zone. Failure to do so would prevent clients from accessing your network through the VPN tunnel.

New Automatic Zone Assignment

In version 1.20, when configuring a VPN profile, you can now automatically add the VPN tunnel to the IPsec VPN zone. This streamlines the process and ensures that your VPN tunnel is correctly integrated into your network's security policies without additional steps.

Steps to Configure IPsec VPN with Automatic Zone Assignment

Create VPN Profile:

  • Navigate to VPN > IPsec VPN.
  • Create a new IPsec VPN profile or edit an existing one.

Zone Selection:

  • In the VPN configuration settings, you'll see an option to assign the VPN tunnel to a zone.
  • Select the appropriate zone (e.g., IPsec VPN zone).

Save Configuration:

  • Complete the rest of the VPN setup and save the configuration.

Verify Zone Assignment:

  • Navigate to Object > Zone to ensure the VPN tunnel is listed under the selected zone.

With this option, the VPN tunnel is included in the zone automatically. This is crucial for the tunnel to function correctly, because the tunnel must be covered by the security policy that allows traffic through the IPsec VPN.

SSL VPN Zone Integration

Similar to IPsec VPN, the SSL VPN configuration also benefits from the automatic zone assignment feature.

Automatic Zone Assignment for SSL VPN

Create SSL VPN Profile:

  • Navigate to VPN > SSL VPN.
  • Create a new SSL VPN profile or edit an existing one.

Zone Selection:

  • In the SSL VPN configuration settings, ensure the tunnel is assigned to the appropriate zone (e.g., SSL VPN zone).

Save Configuration:

  • Complete and save the configuration.

Verify Zone Assignment:

  • Navigate to Object > Zone to ensure the SSL VPN tunnel is included in the correct zone.

Importance of Zone Assignment

Security Policies

Both IPsec and SSL VPN tunnels must be included in their respective zones to work correctly. The default security policies are set to allow traffic from these zones. If a tunnel is not correctly assigned to a zone, the traffic will not be allowed, and clients will be unable to access the network through the VPN.

Example of Security Policy

  • IPsec VPN Zone: The default security policy will have an allow action for the IPsec VPN zone. Ensure your IPsec VPN tunnel is part of this zone to allow traffic through the tunnel.
  • SSL VPN Zone: Similarly, the default security policy will allow traffic from the SSL VPN zone. Ensure your SSL VPN tunnel is correctly assigned to this zone.
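The following added example (not Zyxel code and not the device's configuration format) models the behaviour described above: security policy rules match on the source zone, so a tunnel that belongs to no zone matches no allow rule. The zone names, tunnel names, rule names and the default-deny fallback are constructed assumptions for illustration.

```python
"""Simplified model of zone-based policy matching (added example).
All zone, tunnel and rule names are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str   # "any" matches every destination zone
    action: str     # "allow" or "deny"

# Constructed zone membership: zone name -> tunnels that are members.
ZONES = {
    "IPSec_VPN": {"HQ_to_Branch"},
    "SSL_VPN": {"RemoteUsers"},
}
# Constructed tunnel inventory; "Partner_S2S" was never added to a zone.
TUNNELS = ["HQ_to_Branch", "RemoteUsers", "Partner_S2S"]

# Constructed stand-ins for default policies that allow traffic from the VPN zones.
RULES = [
    Rule("allow-from-ipsec-zone", "IPSec_VPN", "any", "allow"),
    Rule("allow-from-ssl-zone", "SSL_VPN", "any", "allow"),
]

def zone_of(tunnel: str) -> Optional[str]:
    """Return the zone a tunnel is a member of, or None if unassigned."""
    for zone, members in ZONES.items():
        if tunnel in members:
            return zone
    return None

def evaluate(tunnel: str, dst_zone: str) -> tuple:
    """First-match evaluation by source zone; unmatched traffic is denied (assumed)."""
    src = zone_of(tunnel)
    for rule in RULES:
        if src is not None and rule.src_zone == src and rule.dst_zone in ("any", dst_zone):
            return rule.action, rule.name
    return "deny", "default"

def audit(dst_zone: str = "LAN") -> list:
    """List tunnels whose traffic toward dst_zone is not allowed by any rule."""
    return [t for t in TUNNELS if evaluate(t, dst_zone)[0] != "allow"]

if __name__ == "__main__":
    for t in TUNNELS:
        print(f"{t}: zone={zone_of(t)} result={evaluate(t, 'LAN')}")
    print("tunnels needing zone assignment:", audit())
```
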

Summary

The new automatic zone assignment feature in version 1.20 of the USG FLEX H Series simplifies the VPN configuration process and ensures that your VPN tunnels are correctly integrated into your network's security policies. This reduces the risk of misconfiguration and enhances the overall security and functionality of your VPN setup.

By following the steps outlined above, you can ensure that your IPsec and SSL VPN tunnels are correctly assigned to their respective zones, enabling secure and seamless access for your clients.