USG110 / 4.65 AAPH.1 - new "Policy Control Warning"

USG_User
USG_User Posts: 253  Master Member
edited October 2021 in Security
The 4.65 AAPH.1 newly implements a Policy Control Warning in case it detects opportunities for internet access to the management interface or SSL VPN. If such rules are detected, an additional button "Update Security Settings" is displayed above the Policy Control.

But what is this button for?
The change log is only stating: "Security Policy page add warning message and button to Security Check configuration page when security risk detected."

We're aware that our SSL VPN is accessible from the internet. That is the point of it. Otherwise our streetworkers have no access.

But what happens when pressing this new button? Will any rules be changed or adapted? Or is it removing the red security warning message only?
We're a little bit afraid to click on it, but would like to have the red message gone.




  • jonatan
    jonatan Posts: 95  Ally Member
    This is a warning, with a proposal to change the rules. When you click on the button, you will be prompted to change the ports of HTTPS, SSL VPN, etc.

    If there is a WAN rule for ZyWALL with Source Any and Allow, then there will be a message. If in the Source field you specify a group of countries or addresses, then there will be no error.

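The condition jonatan describes can be expressed as a small rule scanner. The following is an added example, not Zyxel's code and not the firmware's actual check; the rule fields, the zone name "ZyWALL", the service names and the port numbers are constructed assumptions. It flags allow rules from the WAN zone to the device itself whose source is Any and whose service covers a management or SSL VPN port, and shows that narrowing the source to an address or geo group clears the finding.

```python
"""Toy model of the 'Policy Control Warning' security check (constructed example)."""
from dataclasses import dataclass, replace

# Assumed management services and their ports. Real values depend on the
# device configuration (the thread mentions moving them off port 443).
MGMT_SERVICES = {"HTTPS_Admin": 8443, "SSH": 22, "SSLVPN": 10443}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str   # e.g. "WAN", "LAN1"
    to_zone: str     # "ZyWALL" means the device itself (assumed name)
    source: str      # "any", an address object, or a geo/country group
    service: str     # "any" or a service object name
    action: str      # "allow" or "deny"


def is_exposed_mgmt_rule(rule: Rule, mgmt_services: dict) -> bool:
    """True if the rule lets arbitrary internet hosts reach a management port."""
    if rule.action != "allow":
        return False
    if rule.from_zone != "WAN" or rule.to_zone != "ZyWALL":
        return False
    if rule.source.lower() != "any":
        # A country group or address object narrows the exposure; not flagged.
        return False
    # Service "any" covers every management port; otherwise match by name.
    return rule.service.lower() == "any" or rule.service in mgmt_services


def security_check(rules: list, mgmt_services: dict) -> list:
    """Return the names of rules that would trigger the warning."""
    return [r.name for r in rules if is_exposed_mgmt_rule(r, mgmt_services)]


def restrict_source(rule: Rule, source_object: str) -> Rule:
    """Remediation from the thread: replace Source Any with a named object."""
    return replace(rule, source=source_object)


# Constructed sample policy set.
SAMPLE_RULES = [
    Rule("LAN1_to_Device", "LAN1", "ZyWALL", "any", "HTTPS_Admin", "allow"),
    Rule("WAN_SSLVPN_open", "WAN", "ZyWALL", "any", "SSLVPN", "allow"),
    Rule("WAN_SSLVPN_geo", "WAN", "ZyWALL", "Geo_TrustedCountries", "SSLVPN", "allow"),
    Rule("WAN_any_service", "WAN", "ZyWALL", "any", "any", "allow"),
    Rule("WAN_Device_deny", "WAN", "ZyWALL", "any", "any", "deny"),
]


def remediate(rules: list, mgmt_services: dict, source_object: str) -> list:
    """Narrow the source of every flagged rule and return the new rule list."""
    flagged = set(security_check(rules, mgmt_services))
    return [restrict_source(r, source_object) if r.name in flagged else r
            for r in rules]


if __name__ == "__main__":
    print("flagged:", security_check(SAMPLE_RULES, MGMT_SERVICES))
    fixed = remediate(SAMPLE_RULES, MGMT_SERVICES, "Geo_TrustedCountries")
    print("after remediation:", security_check(fixed, MGMT_SERVICES))
```

The LAN1 rule is not flagged even with Source Any, matching USG_User's setup where management is reachable only from LAN1; only WAN-to-device allow rules with an open source count. A site that cannot restrict by country, as in the ship scenario later in the thread, would have to rely on the other measures the warning offers (non-default ports, two-factor authentication) instead of the source restriction shown here.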


  • USG_User
    USG_User Posts: 253  Master Member
    Thanks for the image and explanation, Jonatan.
    • In our setup, management access is only granted from LAN1. All other zones (including WAN) are prohibited.
    • The management access port is different from the SSL VPN access port.
    • But we need an access opportunity from WAN for our streetworkers. Unfortunately they have to visit ships all over the world. That's why we are not able to limit the SSL VPN access to special trusted regions only.
    • 2F Authentication is not in use with us.
    Does the red security note disappear only when all 4 checkboxes are ticked? This would be a kind of constraint. But anyway, safety first, and because of the last lessons learned by Zyxel, they consider it right.

  • jonatan
    jonatan Posts: 95  Ally Member
    edited October 2021
  • USG_User
    USG_User Posts: 253  Master Member
    Thanks Jonatan,
    but as said, our management access port is already different from the SSL VPN access port. This was the first thing we did after Zyxel implemented it.
    BTW, for both accesses we no longer use any standard ports (like 443).
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 213  Zyxel Employee
    edited October 2021
    Hi @USG_User

    The purpose of this feature is to guide the users on how to deploy the devices in a "more secure way".
    Please refer to the below link: https://community.zyxel.com/en/discussion/10920/best-practices-to-secure-a-distributed-network-infrastructure#latest Once the recommended practice is followed (edit one of the Security Check for WAN interface checkboxes), the red warning message will disappear.


  • USG_User
    USG_User Posts: 253  Master Member
    Thanks Jeff, but an option "Noted" (or something like that for expert users) would be appreciated, which lets the red warning message disappear after reading.
    Further, the present button "Update Security Settings" looks like it was added "quick & dirty". It sticks to the newly added separator line. It's cosmetics only, but will be noticed by the user!
  • mMontana
    mMontana Posts: 461  Master Member
    Hint for improving: instead of a Q&D "fix it for me" button, maybe the info box could list the "ticks not ticked" that are triggering it.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 213  Zyxel Employee
    Thanks for your suggestion, we will evaluate this in our future improvements.
