Firewall on prem - Login for some local users only from LAN

GiuseppeR
GiuseppeR Posts: 201  Master Member
Second Anniversary 100 Comments Zyxel Certified Network Engineer Level 1 - Nebula Zyxel Certified Network Engineer Level 1 - Switch
in Security

Hello everyone,

I have some on prem installations where I want to limit specific users to login to admin the webUI only if they are in LAN1.

I tried different Policy Rules but I can still login with those users when contacting the firewall via WAN.

How is it possible to have this working properly?
Thanks in advance

All Replies

  • PeterUK
    PeterUK Posts: 3,118  Guru Member
    Community MVP 2500 Comments Sixth Anniversary 100 Answers

    You can limit logon for a given LAN in system > WWW like this

    Screenshot 2024-07-17 205434.png

    backup first

  • GiuseppeR
    GiuseppeR Posts: 201  Master Member
    Second Anniversary 100 Comments Zyxel Certified Network Engineer Level 1 - Nebula Zyxel Certified Network Engineer Level 1 - Switch

    Hello @PeterUK

    in that scenario I can logon only from LAN1.

    I need to logon also remotely via HTTPS page, I need to know if it is possible to have a group of users that could logon only from LAN1.

  • Zyxel_Kay
    Zyxel_Kay Posts: 830  Zyxel Employee
    Second Anniversary 500 Comments 100 Answers Zyxel Certified Network Engineer Level 2 - Security

    Hi @GiuseppeR

    If you want to restrict the admin service to HTTPS only, go to CONFIGURATION > System > WWW and limit the HTTP service.

    image.png

    With this configuration, logging in to the device GUI via HTTP will be denied.

    image.png

    Kay

    Untitled Image

    Don't miss this great chance to upgrade your Nebula org. for free! https://bit.ly/4g2pS9L

  • PeterUK
    PeterUK Posts: 3,118  Guru Member
    Community MVP 2500 Comments Sixth Anniversary 100 Answers
    edited July 18

    I need to logon also remotely via HTTPS page, I need to know if it is possible to have a group of users that could logon only from LAN1.

    you can limit by IP too if you try to login from any other IP you be denied

    Screenshot 2024-07-18 153221.png

    or are you needing to limit to WAN or from VPN?

  • GiuseppeR
    GiuseppeR Posts: 201  Master Member
    Second Anniversary 100 Comments Zyxel Certified Network Engineer Level 1 - Nebula Zyxel Certified Network Engineer Level 1 - Switch

    Hello @Zyxel_Kay & @PeterUK

    thanks for the tips, but what I was looking for is something different.

    I desire to have a policy where I can force the ZyWALL to accept remote connections ONLY from some specific users.

    So I can have:

    • Admin1
    • Admin2
    • Admin3

    And ONLY Admin1 is able to connect via HTTPS to ZyWALL from WAN.

    Admin2 and Admin3 are inside a group "Local_Admin" and these Admin* are able to logon only if they are inside LAN.

    I tried to setup this limitation inside Security Policy but the firewall did not deny the access for that specific group "Local_Admin".

  • PeterUK
    PeterUK Posts: 3,118  Guru Member
    Community MVP 2500 Comments Sixth Anniversary 100 Answers

    Devices on a LAN not connected by VPN don't have a user name you can only use Security Policy user option if the client makes a connection by VPN to Zywall

  • GiuseppeR
    GiuseppeR Posts: 201  Master Member
    Second Anniversary 100 Comments Zyxel Certified Network Engineer Level 1 - Nebula Zyxel Certified Network Engineer Level 1 - Switch

    Hi @PeterUK

    I thought that when logging in via a user the ZyWALL checks the IP so it could understand easily from where that user is logging on

  • PeterUK
    PeterUK Posts: 3,118  Guru Member
    Community MVP 2500 Comments Sixth Anniversary 100 Answers
    edited July 20

    Yes from IP but it does not know the user so you can have a Security Policy like

    from LAN1

    to zywall

    source 192.168.255.250

    service HTTPS

    note their is a default rule that might be enabled to allow all from LAN1 to zywall you need to disable

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)