USG FLEX 100 - GEO block seems doesn't work

Kolomeyets
Kolomeyets Posts: 5
edited February 2022 in Security
Dear all, could you please help me with the next question I have USG FLEX 100 V5.20(ABUH.0), configured GEO_BLOCK deny policy (priority 2) from WAN to any (Excluding ZyWALL) for sources IP including China. (action - deny, log - no)


but in the log I see:




This is why I assume my policy doesn't work properly.  Why the rule id "from WAN to ANY" has priority 1 and how to change this?  Any idea how to solve the issue?

Thank you in advance

Accepted Solution

  • Ian31
    Ian31 Posts: 174  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Answer ✓
    Kolomeyets,
    You also need to add from WAN to ZyWALL rules, to deny access to ports of USG FLEX itself.
     

All Replies

  • Ian31
    Ian31 Posts: 174  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Answer ✓
    Kolomeyets,
    You also need to add from WAN to ZyWALL rules, to deny access to ports of USG FLEX itself.
     
  • I have an update on the subject, it seems the problem appeared again.

    policy:


    Any idea how to handle this?
  • mMontana
    mMontana Posts: 1,380  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    edited February 2022
    Hello @Kolomeyets, IMVHO... the problem seems just... the logging.
    Rule #1 and #2 say "if it's coming from GEO_BLOCK" then "deny connection" and "don't log it".
    Well... seems from the log that access is blocked; Rule #1 for "all but USG", rule #2 "USG". Issue seems that it's logged anyway.

    Maybe a little bug on logging options by zyxel?
    Moreover: is any policy with "log alert" or "log" enabled?
  • I have plenty of policies with log enabled, but as a matter of fact, you may see in the screen upper the cause rule id 1 "from WAN to Any", and unfortunately I don't have any clue how to manage it.
  • mMontana
    mMontana Posts: 1,380  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    You could try to change the setting from "no" to "Log alert" and see if the rule #1 triggers alerts...

Security Highlight