USG40: disable the web authentication on the WAN side, but keep it internally (LAN)

Horia
Horia Posts: 33  Freshman Member
edited April 2021 in Security
Hi to everybody and especially to @Zyxel_Charlie (who was very helpful last time!).


short story

I would like to use a USG40 as follows:
1) remote access to the Zyxel by SSL VPN only, with SecuExtender (or other similar VPN access, e.g. L2TP, etc., using a DynDNS address)
2) no access to the Zyxel over the web authentication page if the user is coming from the WAN (from the exterior)
3) access to the Zyxel over the web authentication page if the user is coming from the LAN (from the internal network)
4) I would like to block the "admin" user from entering the Zyxel settings if it comes from the WAN side.

Is this possible?
Thank you in advance!


long story (my comments; read only if the list above is still unclear)

Right now, if I am coming from the web (WAN) side, I can simply see the "web authentication page" as soon as I go to the DynDNS URL of my USG40. I would like, for security reasons, to disable that access, and to only be able to see the authentication page after I am already inside the LAN (by logging into the LAN through VPN, with a PC using SecuExtender or another kind of VPN access).

I think it should be possible to simply deactivate the "web authentication" (in Configuration > Web Authentication > Global Settings > enable/disable web authentication). But I am afraid that this authentication could be disabled for ALL sides (so not only from the WAN side, but also from the LAN side!), which would lock me out of the Zyxel.

Secondly, if I were able to disallow any user with "admin" rights from accessing the Zyxel configuration from the WAN side, I would be on the secure side, as no one could enter the Zyxel by guessing passwords (brute-force attack). But so far I could not find any kind of setting that would disallow users from accessing the "web authentication" from a certain side (WAN, LAN, etc.); I only found settings to disallow/allow users to access the VPN tunnel.

I very much hope that there is a simple answer to this! :) If not, I could phone the Zyxel support...
Thank you in advance!

Comments

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    In System > www you could do this.

  • Horia
    Horia Posts: 33  Freshman Member
    edited February 2018
    cool! thanks a lot, PeterUK! I'll test it and revert here, but it seems to be exactly the point that I was looking for... :)
  • Horia
    Horia Posts: 33  Freshman Member
    I tested the recommendation of PeterUK and it worked fine! Thank you again for your fast reply!

    In the end I also found the page in the "handbook" of the USG40 where a very similar solution is described. I post it below for anybody interested in the future!

    I tested my ZyWall USG40 with a page called mxtools and the result was correct: only port 443 (https) is open, for SSL VPN access. But on that port there is no web interface to be seen when trying to access it with a browser (by typing the DDNS domain name of my USG40). So it works fine, as desired.

    Also, there is no need to bar a certain category of users (admins), as I originally wrote above.

    Here is the settings recommendation from the Handbook (which is, in fact, made with a USG60, so with a little difference from the USG40, but mainly the same):
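    The check Horia describes (port 443 open, but no login page returned from the WAN side) can be scripted against your own device. This is an added example, not code from the thread or from Zyxel; the host name, the login-page markers and the sample responses are constructed assumptions.

```python
"""Probe a ZyWALL/USG management address from the outside and report whether
the web login page is still exposed after adding a 'WAN / All / Deny' rule
under System > WWW > Service Control. Added example; host name is a placeholder."""
import http.client
import socket
import ssl

# Strings that typically appear on the device's login page (assumed markers).
LOGIN_MARKERS = ("zyxel", "zywall", "username", "password", "login")


def classify(status, body):
    """Classify one HTTP response from the device: exposed login page or not."""
    text = body.lower()
    if status == 200 and any(marker in text for marker in LOGIN_MARKERS):
        return "login-page-exposed"
    if status in (401, 403):
        return "blocked-by-http-status"
    return "no-login-page"


def probe(host, port=443, timeout=5):
    """GET / on the management port and classify the result.

    Certificate checks are disabled because USG devices ship self-signed
    certificates; this probe only looks at what the device serves, not at
    whether the certificate is trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        return classify(resp.status, body)
    except (socket.timeout, ConnectionRefusedError, ConnectionResetError, OSError):
        # With the deny rule in place the device typically resets or times out.
        return "unreachable"


if __name__ == "__main__":
    # Placeholder DDNS name; replace with your own device's WAN address.
    print(probe("usg40.example.dyndns.invalid"))
```

    Run it from a host outside your LAN; "login-page-exposed" means the service-control rule is not taking effect for the zone you connected from.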



  • ictforever
    ictforever Posts: 15  Freshman Member
    I am looking for almost the same.

    I have a head office and a branch. Both are connected with IPsec VPN, USG to USG. I want to block the web authentication page from the WAN, so when you go to the IP of the firewall you don't see anything.

    I only want to access the web authentication page from both LANs, on both firewalls.

    What I am looking for:
    WAN access should be disabled on both firewalls. I should not see the Zyxel web authentication page when connected from the WAN.
    I should see the Zyxel web authentication page from all the local LAN networks (head office + branch).

    Thanks. 
  • ictforever
    ictforever Posts: 15  Freshman Member
    If I go to the section, just like the image attached below, I leave HTTPS enabled and I put in: WAN, All, Deny.

    When connecting from outside the network, I would not see a Zyxel login page?

    When I log in from the LAN at the head office and the branch, I would see a Zyxel login page?

    thanks!


  • Horia
    Horia Posts: 33  Freshman Member
    Yes, that's correct. At least in my case it works, as I already described.
    Just try it for yourself, and you can then check your domain (or WAN IP address) by using the website I indicated above.
  • ictforever
    ictforever Posts: 15  Freshman Member
    I just tried it. It did not work.
    I still see the Zyxel login screen when I enter the WAN IP from outside the network.


  • Horia
    Horia Posts: 33  Freshman Member
    edited February 2018
    OK, this seems to be different. But what happens if you try to log in with whatever username you have there? The handbook says you should now not be able to access the Zyxel settings anymore with any of the existing users.

    Also, you have to check how your WAN "object" and addresses are exactly configured.

    (Did you ever check the Handbook of your USG? You should find such a detail there. I copied the image above from there.)

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited February 2018

    If you allow from WAN to ZyWall as a firewall rule you will still get to the login screen, but even with the correct admin password you will not be able to log in from WAN to ZyWall.

  • ictforever
    ictforever Posts: 15  Freshman Member
    Login does not work anymore from the WAN. So that is good. But I want it completely blocked from the WAN.

    I have a WAN-to-ZyWall rule on the branch office firewall. If I disable that rule, I can't connect anymore from the WAN to the firewall. I don't see the login form anymore. That is good. But then I can only access it from the branch LAN, not from the head office LAN.

    So the question is: do I have to edit the WAN-to-ZyWall rule, or do I have to keep it disabled and add a new policy rule?
