Firewall on prem - Login for some local users only from LAN

GiuseppeR
GiuseppeR Posts: 250  Master Member

Hello everyone,

I have some on-prem installations where I want to limit specific users so that they can log in to administer the web UI only if they are on LAN1.

I tried different Policy Rules, but I can still log in with those users when contacting the firewall via WAN.

How is it possible to have this working properly?
Thanks in advance

All Replies

  • PeterUK
    PeterUK Posts: 3,326  Guru Member

    You can limit logon for a given LAN in System > WWW like this.

    Back up first.

  • GiuseppeR
    GiuseppeR Posts: 250  Master Member

    Hello @PeterUK

    In that scenario I can log on only from LAN1.

    I also need to log on remotely via the HTTPS page; I need to know whether it is possible to have a group of users that can log on only from LAN1.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,004  Zyxel Employee

    Hi @GiuseppeR

    If you want to restrict the admin service to HTTPS only, go to CONFIGURATION > System > WWW and limit the HTTP service.

    With this configuration, logging in to the device GUI via HTTP will be denied.

    Kay


  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    edited July 18

    "I also need to log on remotely via the HTTPS page; I need to know whether it is possible to have a group of users that can log on only from LAN1."

    You can limit by IP too; if you try to log in from any other IP you will be denied.

    or are you needing to limit to WAN or from VPN?

  • GiuseppeR
    GiuseppeR Posts: 250  Master Member

    Hello @Zyxel_Kay & @PeterUK

    thanks for the tips, but what I was looking for is something different.

    I desire to have a policy where I can force the ZyWALL to accept remote connections ONLY from some specific users.

    So I can have:

    • Admin1
    • Admin2
    • Admin3

    And ONLY Admin1 is able to connect via HTTPS to ZyWALL from WAN.

    Admin2 and Admin3 are inside a group "Local_Admin", and these Admin* users are able to log on only if they are inside the LAN.

    I tried to setup this limitation inside Security Policy but the firewall did not deny the access for that specific group "Local_Admin".

  • PeterUK
    PeterUK Posts: 3,326  Guru Member

    Devices on a LAN not connected by VPN don't have a user name; you can only use the Security Policy user option if the client makes a connection by VPN to the ZyWALL.

  • GiuseppeR
    GiuseppeR Posts: 250  Master Member

    Hi @PeterUK

    I thought that when logging in via a user the ZyWALL checks the IP, so it could easily understand from where that user is logging on.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    edited July 20

    Yes, from the IP, but it does not know the user, so you can have a Security Policy like:

    from LAN1

    to zywall

    source 192.168.255.250

    service HTTPS

    Note there is a default rule that might be enabled to allow all from LAN1 to ZyWALL; you need to disable it.
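The point made in this thread, that a "to device" policy is matched on zone and source IP while a user or group condition can only match a connection the firewall has already tied to an identity, is easier to see in a small model. The block below is an added example written for this page; it is not ZyWALL code and does not use the Zyxel CLI. The rule names, zone names (LAN1, WAN, ZyWALL), subnets, addresses and the Local_Admin group membership are all assumptions. It shows the rule ordering from the last reply (the broad default LAN1-to-ZyWALL rule shadowing a host-specific one until it is disabled) and why a group-scoped deny rule never fires on a plain WAN HTTPS attempt.

```python
"""Model of an ordered firewall "to device" policy lookup (constructed for this
thread, not vendor code).  Rules match on zone, source IP, service and,
optionally, a user or group; a user condition can only match a connection the
firewall has already associated with an identity (e.g. a VPN login)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed group membership, mirroring the thread's Admin1/Admin2/Admin3 setup.
GROUPS = {"Local_Admin": {"Admin2", "Admin3"}}


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    service: str
    action: str                                      # "allow" or "deny"
    source: Optional[ipaddress.IPv4Network] = None   # None = any source address
    user: Optional[str] = None                       # user or group name; None = any
    enabled: bool = True


@dataclass
class Conn:
    from_zone: str
    to_zone: str
    service: str
    src_ip: ipaddress.IPv4Address
    user: Optional[str] = None   # None: the firewall has no identity for this address


def user_matches(wanted: str, actual: Optional[str]) -> bool:
    """A user/group condition never matches an unidentified connection."""
    if actual is None:
        return False
    return actual == wanted or actual in GROUPS.get(wanted, set())


def matches(rule: Rule, conn: Conn) -> bool:
    return (rule.enabled
            and rule.from_zone == conn.from_zone
            and rule.to_zone == conn.to_zone
            and rule.service == conn.service
            and (rule.source is None or conn.src_ip in rule.source)
            and (rule.user is None or user_matches(rule.user, conn.user)))


def evaluate(rules, conn, default="deny"):
    """First matching rule wins, as in an ordered policy table."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action, rule.name
    return default, "implicit"


def demo():
    net, addr = ipaddress.IPv4Network, ipaddress.IPv4Address
    # Assumed rules: a broad default-style LAN1 rule, the host-specific rule from
    # the thread, a WAN management rule, and a group-scoped deny rule.
    default_lan = Rule("LAN1_to_Device", "LAN1", "ZyWALL", "HTTPS", "allow")
    admin_host = Rule("Admin_host_HTTPS", "LAN1", "ZyWALL", "HTTPS", "allow",
                      source=net("192.168.255.250/32"))
    wan_https = Rule("WAN_HTTPS_mgmt", "WAN", "ZyWALL", "HTTPS", "allow")
    deny_local_admins = Rule("Deny_Local_Admin_remote", "WAN", "ZyWALL", "HTTPS",
                             "deny", user="Local_Admin")

    # Constructed connection attempts (addresses are assumptions).
    lan_other = Conn("LAN1", "ZyWALL", "HTTPS", addr("192.168.1.50"))
    lan_admin = Conn("LAN1", "ZyWALL", "HTTPS", addr("192.168.255.250"))
    wan_unknown = Conn("WAN", "ZyWALL", "HTTPS", addr("203.0.113.7"))
    wan_identified = Conn("WAN", "ZyWALL", "HTTPS", addr("203.0.113.7"), user="Admin2")

    results = {}
    # 1. With the broad default rule enabled, the host-specific rule is shadowed.
    results["default_enabled"] = evaluate([default_lan, admin_host], lan_other)
    # 2. Disable it: only the listed host reaches the HTTPS admin page from LAN1.
    default_lan.enabled = False
    results["admin_host"] = evaluate([default_lan, admin_host], lan_admin)
    results["other_host"] = evaluate([default_lan, admin_host], lan_other)
    # 3. A group condition cannot block a plain WAN HTTPS attempt: the login form
    #    has not been submitted yet, so the firewall has no user for that address.
    results["wan_group_rule"] = evaluate([deny_local_admins, wan_https], wan_unknown)
    # 4. It only bites once the address is already tied to Admin2; on a real
    #    firewall that association comes from a VPN login, so the rule would
    #    normally reference the VPN zone rather than WAN.
    results["wan_group_rule_identified"] = evaluate([deny_local_admins, wan_https],
                                                    wan_identified)
    return results


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:28s} -> {action} ({rule})")
```

The practical consequence for the question asked in this thread is that restricting Admin2 and Admin3 to LAN1 has to be done either by source IP (the rule above) or after authentication, because the policy engine sees only an address until a user has logged in.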
