Firewall on prem - Login for some local users only from LAN

GiuseppeR Posts: 394  Master Member

Hello everyone,

I have some on-prem installations where I want to limit specific users so that they can log in to administer the web UI only if they are in LAN1.

I tried different Policy Rules, but I can still log in with those users when contacting the firewall via WAN.

How is it possible to get this working properly?
Thanks in advance.

All Replies

  • PeterUK
    PeterUK Posts: 3,820  Guru Member

    You can limit logon for a given LAN in System > WWW like this:

    [attached screenshot: Screenshot 2024-07-17 205434.png]

    Back up first.

  • GiuseppeR
    GiuseppeR Posts: 394  Master Member

    Hello @PeterUK,

    In that scenario I can log on only from LAN1.

    I also need to log on remotely via the HTTPS page. I need to know if it is possible to have a group of users that can log on only from LAN1.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,280  Zyxel Employee

    Hi @GiuseppeR,

    If you want to restrict the admin service to HTTPS only, go to CONFIGURATION > System > WWW and limit the HTTP service.

    [attached screenshot: image.png]

    With this configuration, logging in to the device GUI via HTTP will be denied.

    [attached screenshot: image.png]

    Kay

  • PeterUK
    PeterUK Posts: 3,820  Guru Member
    edited July 2024

    "I also need to log on remotely via the HTTPS page. I need to know if it is possible to have a group of users that can log on only from LAN1."

    You can limit by IP too; if you try to log in from any other IP you will be denied.

    [attached screenshot: Screenshot 2024-07-18 153221.png]

    Or do you need to limit to WAN or from VPN?

  • GiuseppeR
    GiuseppeR Posts: 394  Master Member

    Hello @Zyxel_Kay & @PeterUK,

    Thanks for the tips, but what I was looking for is something different.

    I want to have a policy where I can force the ZyWALL to accept remote connections ONLY from some specific users.

    So I can have:

    • Admin1
    • Admin2
    • Admin3

    And ONLY Admin1 is able to connect via HTTPS to ZyWALL from WAN.

    Admin2 and Admin3 are inside a group "Local_Admin", and these admins are able to log on only if they are inside the LAN.

    I tried to set up this limitation inside Security Policy, but the firewall did not deny access for that specific group "Local_Admin".

  • PeterUK
    PeterUK Posts: 3,820  Guru Member

    Devices on a LAN not connected by VPN don't have a user name; you can only use the Security Policy user option if the client makes a connection by VPN to the ZyWALL.

  • GiuseppeR
    GiuseppeR Posts: 394  Master Member

    Hi @PeterUK,

    I thought that when logging in as a user the ZyWALL checks the IP, so it could easily understand from where that user is logging on.

  • PeterUK
    PeterUK Posts: 3,820  Guru Member
    edited July 2024

    Yes, from the IP, but it does not know the user, so you can have a Security Policy like:

    from LAN1

    to zywall

    source 192.168.255.250

    service HTTPS

    Note: there is a default rule that might be enabled to allow all from LAN1 to ZyWALL; you need to disable it.
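    The two points made in this thread (a user/group condition in a security policy only matches a session that carries an identity, such as a VPN login, while a source-IP rule works for any LAN host once the default LAN1-to-ZyWALL allow rule is disabled) can be seen with a small first-match policy model. This is an added example, not ZyWALL code; the rule fields, the session representation and the sample addresses (192.168.255.250 from the thread, 203.0.113.5 and 192.168.1.20 constructed) are simplifying assumptions.

```python
"""First-match security-policy model illustrating the thread above.
Added example, not ZyWALL code: rule fields and session attributes
are simplified assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Session:
    from_zone: str
    src_ip: str
    to: str
    service: str
    user: Optional[str] = None  # None: plain LAN/WAN host, no VPN identity


@dataclass
class Rule:
    from_zone: str
    to: str
    service: str
    action: str                 # "allow" or "deny"
    src_net: str = "0.0.0.0/0"  # source IP condition (any by default)
    user: Optional[str] = None  # user/group condition, needs an identified session
    enabled: bool = True

    def matches(self, s: Session) -> bool:
        if not self.enabled:
            return False
        if (self.from_zone, self.to, self.service) != (s.from_zone, s.to, s.service):
            return False
        if ip_address(s.src_ip) not in ip_network(self.src_net):
            return False
        # A user condition can only match when the session carries an identity.
        return self.user is None or self.user == s.user


def evaluate(rules: list, s: Session, default: str = "deny") -> str:
    """Return the action of the first enabled rule that matches, else default."""
    for r in rules:
        if r.matches(s):
            return r.action
    return default


# The attempt from the thread: deny the "Local_Admin" group from WAN. A host that
# has not authenticated through VPN carries no user, so the deny never matches
# and the general WAN->ZyWALL HTTPS allow (needed for Admin1) wins.
user_based = [
    Rule("WAN", "ZyWALL", "HTTPS", "deny", user="Local_Admin"),
    Rule("WAN", "ZyWALL", "HTTPS", "allow"),
]
# PeterUK's suggestion: allow one source IP and disable the default LAN1 rule.
ip_based = [
    Rule("LAN1", "ZyWALL", "HTTPS", "allow", src_net="192.168.255.250/32"),
    Rule("LAN1", "ZyWALL", "HTTPS", "allow", enabled=False),  # default rule, disabled
]
```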