SD-WAN VPN50 Firewall rules and content filter

Report_Srl Posts: 4
edited April 2021 in Security
Greetings everyone, I'm new to SD-WAN and testing a couple of configurations for one of our clients.
I'm used to the usual Zywall/USG configuration, and was trying to set up an "all denied" + "I decide what to open" policy in a test site.

That test site is configured like this: my laptop connected to a VPN50, its WAN connected to my office's LAN.
It connects and gets its configuration from the orchestrator, and after adding the necessary NAT rules I can connect to the test HQ.

Now what I want is to set things up in a way that a LAN client will not be able to use anything unless it has been configured to... That is: I don't want my laptop to be able to open our office LAN's firewall (private IP) nor my RDP server.
So I configured an org-wide firewall default rule as "From any, to any, any service, any user, Block" and put it at the bottom.
Then I added another rule as "From any to any, any service, any user + content filter rule to permit only Computers And Technology".

Now, if I use a browser I can open but not (as expected).

My problem is: if I open an MS RDP client and connect to a host on the office LAN "192.168.129.xx" I can open it; I am even able to open an SSH session to a Linux server that is in the same subnet... and that subnet is WAN for my VPN50... Those attempts get logged as "Rule name=P_HTTPS_Allow_IT, TCP Port 22 ACCEPT 192.168.129.xx tcp ACCESS FORWARD".

The workaround I used was: modify the ALLOW_IT rule and change "service any" to "service https", effectively blocking anything else but HTTPS... but I had to create an identical rule for "service http" and found that some of our needed sites also use port 8080... that is a lot of extra configuration work and there's no copy/paste option.

Can someone help me?

Best Regards, Andrea
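The behaviour described in this post (SSH and RDP to 192.168.129.xx being accepted by a rule whose only restriction is a content filter) is what you get from first-match rule evaluation when the content filter can only classify web sessions. The following Python model is an added illustration, not Zyxel code and not the Nebula/SD-WAN implementation: it assumes first-match ordering, that the content filter sees only traffic on ports 80/443/8080, a constructed category table for two made-up hostnames, and that one rule can carry a set of service ports (the thread does not say whether the UI allows that). It evaluates the original ruleset and a "deny everything, allow only web to the filter" ruleset against the same sample flows.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple, Dict

# Assumption of this model: ports whose sessions the content filter can classify.
WEB_PORTS = {80, 443, 8080}

# Constructed sample category database (illustrative hostnames, not a real feed).
CATEGORY_DB = {
    "docs.example-tech.test": "Computers And Technology",
    "videos.example-media.test": "Entertainment",
}


@dataclass
class Flow:
    dst_host: str   # hostname for web flows, IP literal for SSH/RDP (constructed)
    dst_port: int
    proto: str = "tcp"


@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "block"
    services: Optional[Set[int]] = None    # None means "any service"
    cf_allowed: Optional[Set[str]] = None  # permitted categories; None means no CF attached


def matches_service(rule: Rule, flow: Flow) -> bool:
    return rule.services is None or flow.dst_port in rule.services


def evaluate(rules, flow: Flow) -> Tuple[str, str]:
    """First-match evaluation (assumed). Returns (matching rule name, verdict)."""
    for rule in rules:
        if not matches_service(rule, flow):
            continue
        if rule.action == "block":
            return rule.name, "BLOCK"
        # Allow rule: the content filter is only consulted for web sessions,
        # so an "any service" allow rule accepts SSH/RDP before any category check.
        if rule.cf_allowed is None or flow.dst_port not in WEB_PORTS:
            return rule.name, "ACCEPT"
        category = CATEGORY_DB.get(flow.dst_host, "Uncategorized")
        if category in rule.cf_allowed:
            return rule.name, "ACCEPT"
        return rule.name, "BLOCK (content filter)"
    return "implicit", "BLOCK"


# Ruleset as described in the post: allow any service + CF, then block all.
ORIGINAL_RULES = [
    Rule("P_HTTPS_Allow_IT", "allow", services=None, cf_allowed={"Computers And Technology"}),
    Rule("Default_Block", "block"),
]

# Hardened ruleset: only web ports reach the content filter; everything else falls to the block.
HARDENED_RULES = [
    Rule("Allow_Web_IT", "allow", services={80, 443, 8080}, cf_allowed={"Computers And Technology"}),
    Rule("Default_Block", "block"),
]

# Constructed sample flows mirroring the thread (office LAN hosts and two web sites).
SAMPLE_FLOWS = {
    "ssh_to_office": Flow("192.168.129.10", 22),
    "rdp_to_office": Flow("192.168.129.20", 3389),
    "web_tech": Flow("docs.example-tech.test", 443),
    "web_8080_tech": Flow("docs.example-tech.test", 8080),
    "web_media": Flow("videos.example-media.test", 443),
}


def verdicts(rules) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample flow against a ruleset."""
    return {name: evaluate(rules, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("hardened", HARDENED_RULES)):
        print(label)
        for flow_name, (rule, verdict) in verdicts(rules).items():
            print(f"  {flow_name:15} -> {verdict:24} via {rule}")
```

Under the original ruleset the SSH and RDP flows are accepted by P_HTTPS_Allow_IT without a category lookup, which is exactly the log line quoted in the post; under the hardened ruleset they fall through to Default_Block while web traffic on 80, 443 and 8080 is still subject to the category check.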

  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    Could you add authority to the accounts below to let us check on your settings further?
    Moreover, please let us know the Org. name you authorized us for, so that we can first check whether the settings are correct.
  • Report_Srl
    Hi, I just added the two accounts you specified as read only. The organization name is ZanasiGroup.
    Please note I went back to my "more complex" configuration where I created 2 rules to allow only HTTP and HTTPS with the content filter...
  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    Hi @Report_Srl
    I didn't see the Org name you mentioned by using the account
    By the way, can you also let us know what the GROUP name is?
  • Report_Srl
    Hi Vic, the group name is ClientiReport; in that group the only org we have enabled so far is ZanasiGroup...
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,333  Zyxel Employee
    Hi @Report_Srl,

    If you would like to deny access to a range or a specific address at the remote site, you can create a firewall rule using "site scope".

    Here is the example for your reference.

    Firewall Rule 1: All clients in site VPN100 are not able to access the server in VPN300.

    Firewall Rule 2: For all clients in sites VPN100 and VPN300, block all CF categories except "computers and technology".


    Test Result:

    Client in VPN100 is not able to ping or RDP to

    Client is able to access but not

    Client is able to access but not

  • Report_Srl
    Thank you Emily, I think I understand your point but I wished to configure it more as "deny everything" + "allow only what I need"... and that works, but only for browsers...
    My doubt is: OK, I've denied browser access to "private IP addresses" so I cannot browse the web config of a router... but if a client can (for example) launch an SSH client and connect to the router, the whole point of "deny everything" goes south...

    My Organization Profile now looks like this (and it's only a test run):

    Under "block web pages" (as an example) I put all categories BUT "Computers and Technology".
    I can now browse regular HTTP and HTTPS and :8080 websites under the right category.
    That way, we can browse / but no p***hub (;P) AND no one can run TOR to bypass the rules I need in place (hopefully, need to test)...
    My personal opinion: if I'm content filtering I mean on any port...
    If there's a better approach to what I need to accomplish I'm all ears!

    Thanks everyone for your time!!