USG and rules where user are defined and not "any"

ChrisGer
ChrisGer Posts: 205  Ally Member
Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
edited April 2021 in Security
Hi together.
i'm a bit confused, because i try to establisch the following rule in a internal vlan...

1. by default (no user is authenticated by web internface) the user can connet to the corporate URLs by define the destination URLs in a content filter set -> no internet access eg. google.de is allowed -> that works fine ....

but

The marked two rules should be used to grand access to the internet, if the defined user is logged on at the USG interface. If this rules are enabled the corporate access is broken, but www.google.de is reachable :(



any idea, why it dosen't work ?

Best regards
Christian
«1

Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    Hello Christian,
    Since you add the corporate URLs in the content filter white list page, may I know what is your meaning "corporate access is broken"? cannot access in or the corporate's webpage does not appear completely?
    Moreover, please private message the configuration for checking further.
    Charlie 
  • Rob
    Rob Posts: 1  Freshman Member
    First Comment
    I have the same problem. I have a security policy using AD users, the logs show the rule is ignored and a rule further down is triggered.
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    Hi Zyxel_Charlie,
    The Rule description show the source VLAN and the definition, what's established in this rule, e.g.
    DIR= not DirX - it's for direct - bit....

    if I add a rule above the marked policy rules, that should be forward traffic, only if there is a dedicated user logged on, that wouldn't work.

    if I add a rule above the marked policy rules, that should be blocked any service/destination at the WAN site, the complete data transfer from this VLAN033 to the WAN is blocked and i've no access to the defined corporate FQDN, that are listed in my content-filres-profile.


    if I disable the rules (where the user are defined), then the connection to the company works again.
    But the user is not logged on at this time at the USG. with 4.25-P1 it was working fine.

    Required solution:
    default (not logged on at the USG)
    - able to connect to the defined FQDN in the content filter list to get successful connected with corporate ressource at the extranet.

    option 2 (logged on at the USG)
    - logged on with a user from the user-group that's defined in a rule, that grant access to the internet without restriction of FQDN by a content-filter.
    If option 2 is active, the corporate FQDN's should be blocked until the user logged out fom the USG.

    It should not be possible that with option 2, the company addresses in the extranet can be reached.

    Result
    It should no possibility to get directly in the extranet without any logon to the USG or corporate VPN.

    I define it as a toggle switch
    either only access to company resources (extranet - without registration) or no company resources and for this the internet is open (logged on at the USG)

    Thx forward and best regards
    Christian

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    Hello Christian,
    I want to double confirm with your description first.
    May I know the what is service and port number of "G_W_HTTP_S"?
    As your mentioned "if I add a rule above the marked policy rules, that should be forward traffic, only if there is a dedicated user logged on, that wouldn't work."~~Please move first marked rule to first priority on the list and test again.
    Moreover, may I confirm your configuration on this scenario,
    do you configure the firm's URL in trusted website on content filter? do you enable web-authentication?
    if possible, could you please private message the configuration to me for checking?
    Charlie
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    Hello Christian,
    I want to double confirm with your description first.

    May I know the what is service and port number of "G_W_HTTP_S"?
    As your mentioned "if I add a rule above the marked policy rules, that should be forward traffic, only if there is a dedicated user logged on, that wouldn't work."~~Please move first marked rule to first priority on the list and test again.
    Moreover, may I confirm your configuration on this scenario,
    do you configure the firm's URL in trusted website on content filter? do you enable web-authentication?
    if possible, could you please private message the configuration to me for checking?
    Charlie

    Hello Charlie,
    The Group Objekt has the following Notation and Services:

    G_ = Group-Objekt
    W = Object for WAN Traffic
    HTTP_S = Service HTTP and HTTPS are in the Group-Object.

    I've allready placed bothe rules under the entry VLAN033-DNS (see screen).
    After this, the traffic is totaly blocked by the Rule "VLAN033-DIR-BLOCK" -> but there is also the USG user-group placed and not "any" in the User section. :'(
     
    The Label "VLAN_" after the service field is the local "User-Group" on the USG.

    Therefore, I can currently report that apparently when processing the rules, the "user field" is ignored and used allways "any" at this section :/

    With FW 4.25-P1 it works fine :s

    And @Rob reported the same issue with AD credentials :s

    Are you able to chek this on a USG or do you require the running config by PM?

    Best regards
    Christian

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    edited February 2018

    @ChristianG

    The feature of Walled Garden may match your requirement.
    1. Not login users only can access the URL(internal) which you configured.
    2. After login, users can access the internet. 
    Please check the attached SOP for configuration.
    (Note: Hotspot can be supported by USG110,210,310,1100,1900 )
    Charlie 

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    edited February 2018
    @Zyxel_Charlie,
    thanks for the tip with the Walled Garden.... but
    in our conpany we had about 34 FQDN *.comapny.com / *.microsft.com for corporate and O365 connectivity. The Walled Garden can not be handle a the Content-Filter object to managed the free FQDN's like in a Policy Control.  :s
     
    I use the Wallet Garden, if a company use this for present the own homepage for mobile users free in the WLAN and have only one dedicated FQDN in the configuration ;)
    Are you able to check the reported issue on a test device to have a triple check of the phenomenon :)
    Thus, the care of the approved FQDNs is very complex compared to a content filter ;)
    I hope, ZYXEL can reproduce the phenomenon and solved the problem in 4.31 ;)

    Thx and best regards
    Christian







  • Line2
    Line2 Posts: 40  Freshman Member
    First Answer First Comment Friend Collector First Anniversary
    Hi Christian

    I know I'm a little bit late for this party.
    Have you ever tested with disabled 'Enable user idle detection' in Object - User/Group - Setting?

    best regards
    Line2
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    edited February 2018
    Hi@Line2 
    this option is enabled and has a idle time of 15 minutes set.
    I've disabled this option right now and will test it on Monday (Business hours).
    Have you any experiance in the requirement, that should be configured in my case?
    i'm a bit confused, cause in 4.25-P1 it was working fine :'(

    thanks forward and best regards inside germany ;)
    Christian
  • Line2
    Line2 Posts: 40  Freshman Member
    First Answer First Comment Friend Collector First Anniversary
    Hi Christian

    How are your tests going today?
    I found an error in V4.30.0 with IKEv2- and L2TP/IPSec-VPN. Users are logged of after the 'idle time out'-time whatever there was traffic or not from this user. Maybe that's also the case in your environment. I didn't made any tests beside VPN users.

    best regards from greater german area ;-)
    Line2

Security Highlight