USG and rules where users are defined and not "any"


Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee

    @ChristianG
    I tested the walled garden with the content filter locally without any problem.

    As I checked, the USG can hold a maximum of 50 entries on the walled garden (domain/IP based).

    I configured the URLs of Apple, Zyxel, Skype and *.microsoft.com on the walled garden page. Also, I blocked *.yahoo.com on the content filter page.

    Moreover, enable Web Authentication, and set the configuration on the content filter.

    After setting, I can access the URLs which I configured on the walled garden, and yahoo.com will be blocked.

    Mobile: (screenshot)

    PC: (screenshot)

    Not sure if this is what you are discussing; please check it.

    Charlie




  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Hello Line2,
    after a "small" major incident :/ I tested your reported possibility, but nothing changed :'(
    The issue is not solved and I've configured the following:

    enabled the required rule as displayed in screen 01

    Rules 112/113 are the rules to grant authenticated users full internet access.

    But there is no configured user logged on at the USG (screen 02)

    User admin is not in the group_VLAN033-INET

    If the rule is activated I get the following log (screen 03)

    Rule 112 should be used if a user is authenticated by the USG (local users/groups).

    I had the same effect before changing the idle time value as described :s

    Any idea @Zyxel_Charlie or Line2 what happened and how to fix it?

    Best regards
    Christian

  • Line2
    Line2 Posts: 40  Freshman Member
    Hi Christian

    You say no user is logged on? So the problem is not the firewall rule; the problem is that there are no authenticated users? In which way do your users log in? Can you log in as a user and check whether he is logged in after that?
    Maybe I misunderstood something.

    best regards
    Line2
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Hi Line2,
    The user logs in using the gateway IP of the USG and uses a local account that is a member of the user group on the USG.

    Rules 112 and 113 should be effective if a user has authenticated himself/herself at the web interface of the USG and is a member of the user group in the rules.

    Requirement
    If a user from the user group is logged on at the web interface of the USG (rules 112 and 113), he/she may access the internet (without restriction to the company FQDN addresses).
    If no user is logged on, the access is restricted to the company-defined FQDNs based on the content filter option. That works fine in 4.25-P1 :'(

    Regards
    Christian


  • Line2
    Line2 Posts: 40  Freshman Member
    Hi Christian

    Sorry I can't help here

    best regards
    Dani
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @ChristianG

    enabled the required rule as displayed in screen 01

    Rules 112/113 are the rules to grant authenticated users full internet access.
    But there is no configured user logged on at the USG (screen 02)

    User admin is not in the group_VLAN033-INET
    If the rule is activated I get the following log (screen 03)

    Rule 112 should be used if a user is authenticated by the USG (local users/groups).

    Do you mean that when you use admin, which is not in "group_VLAN033-INET", he can still reach the internet and hit rule 112?

    From the log message, the user is from 192.168.33.10:60068 with an account which is in "group_VLAN033-INET" and matches rule 112.

    I just tried to establish a similar environment locally and cannot reproduce it.

    Moreover, for your requirement:

    No login users: can only access the defined FQDNs

    Login users: the users can access the internet, but cannot access the FQDNs which we defined

    I configured this locally and it seems to be working, so please check the attached as your reference.

    Your environment seems complex, so if possible, could you please share remote access for checking?


  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    @Zyxel_Charlie
    the following steps are not configured in 4.25-P1

    The FQDNs were defined on the DNS page
    the FQDNs are FQDNs in the extranet (not in the LAN area).

    Web Authentication
    is disabled. The required authentication is placed in the security rule set and is processed by authentication at the USG web interface.

    The possibility to:
    not logged on users -> grant access to the FQDNs that are defined in the content filter
    logged on users -> grant access to the internet, but block corporate sites
    is actually not given :s

    and as reported -> on LAN1 the functionality is working, but if you use a VLAN attached to the CAPWAP with forward mode "local bridge" it fails and has to be disabled to have access to the corporate FQDNs in the extranet area. Is there a difference between LAN1 and the described forward mode in a WLAN?

    Regards
    Christian



  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @ChristianG

    It's difficult for us to identify what exactly the root cause is that leads to this result in your environment, thus it would be helpful if we could get your configuration file to upload and check locally. If you have concerns about confidential information in your configuration file, you can modify the config file (the file format is just plain text) and then private message the configuration to me.
    Moreover, your purpose is that non-login users can only access the defined FQDNs, so I would like to know which firewall rule is related to this request (the priority number?).

    Charlie


  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Hello Community,
    @Zyxel_Charlie @Line2
    The upgrade from 4.30-R0 to 4.30-WK06 was of course (with the FW 4.30) only possible with a reset to factory settings... but with WK06 my historical rules (based on users/groups) are working as in 4.25-P1.
    This suggests that upgrading from 4.25-P1 to 4.30-P0 may cause this side effect (but not necessarily so).
    Currently I still have to reboot the USG, so that it can be checked whether the USG does a clean reboot again and does not hang itself up. If the reboot is still not working I have to reset the whole device (not only to factory default) and restore my configuration to the device.
    I'm in direct contact with ZYXEL in my country to analyse what happened.

    It is also a bit irritating that NWA5xxx firmware is downloaded to the USG although I have no NWA5xxx connected.

    Regards
    Christian
