USG and rules where users are defined and not "any"
Hello everyone,
I'm a bit confused, because I'm trying to establish the following rules in an internal VLAN...
1. By default (no user is authenticated via the web interface) the user can connect to the corporate URLs by defining the destination URLs in a content filter set -> no internet access, e.g. google.de, is allowed -> that works fine ....
but
The two marked rules should be used to grant access to the internet if the defined user is logged on at the USG interface. If these rules are enabled, the corporate access is broken, but www.google.de is reachable.
Any idea why it doesn't work?
Best regards
Christian
Comments
Hello Christian,
Since you added the corporate URLs on the content filter whitelist page, may I ask what you mean by "corporate access is broken"? Can you not access it at all, or does the corporate webpage not appear completely?
Moreover, please private message me the configuration for further checking.
Charlie
I have the same problem. I have a security policy using AD users; the logs show the rule is ignored and a rule further down is triggered.
Hi Zyxel_Charlie,
The rule description shows the source VLAN and the definition of what is established in this rule, e.g.
DIR = not DirX, it's for direct ....
If I add a rule above the marked policy rules that should forward traffic only if a dedicated user is logged on, that doesn't work.
If I add a rule above the marked policy rules that should block any service/destination on the WAN side, the complete data transfer from this VLAN033 to the WAN is blocked and I have no access to the defined corporate FQDNs that are listed in my content filter profile.
If I disable the rules (where the users are defined), then the connection to the company works again.
But the user is not logged on at the USG at this time. With 4.25-P1 it was working fine.
Required solution:
Default (not logged on at the USG)
- able to connect to the FQDNs defined in the content filter list in order to connect successfully to corporate resources on the extranet.
Option 2 (logged on at the USG)
- logged on with a user from the user group that is defined in a rule that grants access to the internet without restriction of FQDNs by a content filter.
If option 2 is active, the corporate FQDNs should be blocked until the user logs out from the USG.
It should not be possible, with option 2, to reach the company addresses on the extranet.
Result
There should be no possibility to get directly into the extranet without any logon to the USG or the corporate VPN.
I define it as a toggle switch:
either only access to company resources (extranet, without registration) or no company resources and, in exchange, the internet is open (logged on at the USG).
Thanks in advance and best regards
Christian
Hello Christian,
I want to double-check your description first.
May I know what service and port number "G_W_HTTP_S" is?
As you mentioned, "if I add a rule above the marked policy rules that should forward traffic only if a dedicated user is logged on, that doesn't work." Please move the first marked rule to first priority on the list and test again.
Moreover, may I confirm your configuration in this scenario:
Do you configure the firm's URL as a trusted website in the content filter? Do you enable web authentication?
If possible, could you please private message the configuration to me for checking?
Charlie
Zyxel_Charlie said: Hello Christian,
I want to double-check your description first.
May I know what service and port number "G_W_HTTP_S" is?
As you mentioned, "if I add a rule above the marked policy rules that should forward traffic only if a dedicated user is logged on, that doesn't work." Please move the first marked rule to first priority on the list and test again.
Moreover, may I confirm your configuration in this scenario:
Do you configure the firm's URL as a trusted website in the content filter? Do you enable web authentication?
If possible, could you please private message the configuration to me for checking?
Charlie
Hello Charlie,
The group object has the following notation and services:
G_ = Group object
W = Object for WAN traffic
HTTP_S = the services HTTP and HTTPS are in the group object.
I've already placed both rules under the entry VLAN033-DNS (see screen).
After this, the traffic is totally blocked by the rule "VLAN033-DIR-BLOCK" -> but there the USG user group is also placed, not "any", in the User section.
The label "VLAN_" after the service field is the local "user group" on the USG.
Therefore, I can currently report that apparently, when processing the rules, the "user field" is ignored and "any" is always used in this section.
With FW 4.25-P1 it works fine.
And @Rob reported the same issue with AD credentials.
Are you able to check this on a USG, or do you require the running config by PM?
Best regards
Christian
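To make the behaviour described in this thread concrete, here is an added example (not Zyxel code and not anything posted in the thread) that models first-match policy evaluation with a per-rule user/group field. The rule names, the group name "VLAN_", the corporate FQDNs and the hostnames are assumptions constructed for illustration. With `ignore_user_field=False` the rule set implements the "toggle" Christian asks for; with `ignore_user_field=True` it reproduces the reported symptom, where an unauthenticated host loses the corporate FQDNs but can reach www.google.de because the user-scoped rules above the default rule match as if their user field were "any".

```python
"""Hypothetical model of top-down, first-match policy control with user matching.

Not Zyxel's implementation: an illustration of why rule order and the user
field interact the way the thread describes. Everything below is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    services: frozenset                # e.g. {"HTTP", "HTTPS"}; empty = any service
    users: frozenset                   # user/group names; empty = any user
    action: str                        # "allow" or "deny"
    dst_fqdns: frozenset = frozenset()  # destination FQDNs to match; empty = any
    content_filter: Optional[frozenset] = None  # trusted FQDNs on an allow rule; None = no profile


@dataclass(frozen=True)
class Packet:
    service: str
    fqdn: str
    auth_groups: frozenset   # groups of the user logged on from this host; empty = not logged on


# Constructed sample data (assumptions, not from the thread).
HTTP_S = frozenset({"HTTP", "HTTPS"})
USER_GROUP = frozenset({"VLAN_"})
CORP_FQDNS = frozenset({"portal.company.example", "login.microsoftonline.example"})


def policy_from_thread():
    """Rule order intended to give: no logon -> corporate FQDNs only; logon -> internet only."""
    return [
        Rule("VLAN033-DNS", frozenset({"DNS"}), frozenset(), "allow"),
        Rule("VLAN033-USER-CORP-BLOCK", HTTP_S, USER_GROUP, "deny", dst_fqdns=CORP_FQDNS),
        Rule("VLAN033-USER-INET", HTTP_S, USER_GROUP, "allow"),
        Rule("VLAN033-DIR", HTTP_S, frozenset(), "allow", content_filter=CORP_FQDNS),
    ]


def matches(rule, pkt, ignore_user_field=False):
    """True when every populated criterion of the rule matches the packet."""
    if rule.services and pkt.service not in rule.services:
        return False
    if rule.dst_fqdns and pkt.fqdn not in rule.dst_fqdns:
        return False
    # The faulty behaviour under test: treat a populated user field as "any".
    if rule.users and not ignore_user_field and not (rule.users & pkt.auth_groups):
        return False
    return True


def evaluate(policy, pkt, ignore_user_field=False):
    """Return (rule_name, verdict) of the first matching rule; implicit default deny."""
    for rule in policy:
        if not matches(rule, pkt, ignore_user_field):
            continue
        if rule.action == "deny":
            return rule.name, "deny"
        if rule.content_filter is not None and pkt.fqdn not in rule.content_filter:
            return rule.name + "/content-filter", "deny"   # allowed by rule, blocked by profile
        return rule.name, "allow"
    return "default", "deny"


def scenario(ignore_user_field=False):
    """Evaluate the four cases discussed in the thread and return {case: (rule, verdict)}."""
    policy = policy_from_thread()
    cases = {
        "anon->corp":   Packet("HTTPS", "portal.company.example", frozenset()),
        "anon->google": Packet("HTTPS", "www.google.de", frozenset()),
        "user->corp":   Packet("HTTPS", "portal.company.example", USER_GROUP),
        "user->google": Packet("HTTPS", "www.google.de", USER_GROUP),
    }
    return {name: evaluate(policy, pkt, ignore_user_field) for name, pkt in cases.items()}


if __name__ == "__main__":
    for label, flag in (("user field honoured", False), ("user field ignored", True)):
        print(f"== {label} ==")
        for case, (rule, verdict) in scenario(flag).items():
            print(f"{case:14s} {verdict:5s} via {rule}")
```

Running it prints the two tables side by side: with the user field honoured, an unauthenticated host gets the corporate FQDNs through VLAN033-DIR and nothing else, while a logged-on user gets the internet and is denied the corporate FQDNs. With the user field ignored, the deny rule and the internet rule fire for everyone, which is exactly the "corporate access broken, google.de reachable" pattern in the log.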
The Walled Garden feature may match your requirement.
1. Users who are not logged in can only access the (internal) URLs you configured.
2. After login, users can access the internet.
Please check the attached SOP for the configuration. (Note: Hotspot is supported by the USG110, 210, 310, 1100 and 1900.)
Charlie
@Zyxel_Charlie,
thanks for the tip with the Walled Garden.... but
in our company we have about 34 FQDNs (*.company.com / *.microsoft.com) for corporate and O365 connectivity. The Walled Garden cannot handle a content filter object to manage the permitted FQDNs like in Policy Control.
I use the Walled Garden when a company uses it to present its own homepage to mobile users for free in the WLAN and has only one dedicated FQDN in the configuration.
Are you able to check the reported issue on a test device to have a triple check of the phenomenon?
Thus, maintaining the approved FQDNs is very complex compared to a content filter.
I hope Zyxel can reproduce the phenomenon and solve the problem in 4.31.
Thanks and best regards
Christian
Hi Christian,
I know I'm a little bit late to this party.
Have you ever tested with 'Enable user idle detection' disabled in Object - User/Group - Setting?
Best regards
Line2
Hi @Line2,
this option is enabled and has an idle time of 15 minutes set.
I've disabled this option right now and will test it on Monday (business hours).
Do you have any experience with the requirement that should be configured in my case?
I'm a bit confused, because in 4.25-P1 it was working fine.
Thanks in advance and best regards from inside Germany
Christian
Hi Christian,
How are your tests going today?
I found an error in V4.30.0 with IKEv2 and L2TP/IPSec VPN. Users are logged off after the 'idle timeout' time whether or not there was traffic from this user. Maybe that's also the case in your environment. I didn't do any tests beyond VPN users.
Best regards from the greater German area ;-)
Line2