Nebula Default Security Rules Do Not Apply?
Hi everyone,
My USG Flex 100 is connected to Nebula with 5 VLANs defined, one of which is connected through an IPSec tunnel to Azure, and one other has a webserver connected to it (on site).
Nebula shows me the default rules as:
In summary, LAN connections are allowed from inside (LANs to Any and LANs to Device) and everything else is denied.
Two things are surprising:
- For the webserver, I have configured NAT rules for ports 80 and 443. The webserver is responding from outside whereas the security rules are not set up to allow that. Shouldn't the Deny rule apply in that case?
- Concerning the site-to-site VPN to Azure, the Azure subnet is not defined on the USG and therefore not part of the "implicit allow rules". And again, the traffic flows except if I define a Deny rule myself!
Thanks.
Sébastien
Accepted Solution
Hi @Sébastien,

1. When you add a NAT rule on Nebula, you don't need to create a firewall rule. It will be automatically created while creating the NAT rules. You can use the command "debug sdwan show firewall running-config" on USG FLEX 100 to check the rule. The automatically added firewall rule can be found in:
   <firewall-name> SN_port_forwarding_IndexNumber </firewall-name>

2. Currently all subnets you choose here are going to be reachable for all non-Nebula VPN peers. It is a feature request that users can define the exported local subnets per each individual non-Nebula VPN connection. This request is already in our feature enhancement queue.
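The practical lesson of the accepted answer is that the policy table Nebula displays is not the policy the firewall enforces: a NAT rule silently adds an allow rule named SN_port_forwarding_<n>, and the only authoritative view is the device's running config. The script below is an added example, not Zyxel's code and not part of the thread. It parses a constructed sample that imitates the output of "debug sdwan show firewall running-config"; only the <firewall-name> tag is attested by the answer, while the <firewall-rule> wrapper, the <action> tag, the rule names other than SN_port_forwarding_<n>, and the set of rules assumed to be visible in Nebula are assumptions made here for illustration. It lists every allow rule on the box that the Nebula view does not show, and tags the ones generated from NAT rules.

```python
import re

# Constructed sample imitating "debug sdwan show firewall running-config" on a
# USG FLEX 100. Only the <firewall-name> tag is quoted in the thread; the
# <firewall-rule> wrapper, the <action> tag and the names other than
# SN_port_forwarding_<n> are assumptions for this example, not device output.
SAMPLE_RUNNING_CONFIG = """
<firewall-rule>
  <firewall-name> LAN_to_Any </firewall-name>
  <action> allow </action>
</firewall-rule>
<firewall-rule>
  <firewall-name> LAN_to_Device </firewall-name>
  <action> allow </action>
</firewall-rule>
<firewall-rule>
  <firewall-name> SN_port_forwarding_1 </firewall-name>
  <action> allow </action>
</firewall-rule>
<firewall-rule>
  <firewall-name> SN_port_forwarding_2 </firewall-name>
  <action> allow </action>
</firewall-rule>
<firewall-rule>
  <firewall-name> Default_Deny </firewall-name>
  <action> deny </action>
</firewall-rule>
"""

# Rule names assumed to correspond to what the Nebula policy page shows the
# poster: the implicit LAN allows plus the final deny. Assumed for this example.
NEBULA_VISIBLE_RULES = {"LAN_to_Any", "LAN_to_Device", "Default_Deny"}

# Naming pattern the accepted answer gives for NAT-generated rules.
AUTO_PORT_FORWARD = re.compile(r"^SN_port_forwarding_\d+$")
RULE_BLOCK = re.compile(r"<firewall-rule>(.*?)</firewall-rule>", re.S)
RULE_NAME = re.compile(r"<firewall-name>\s*(\S+)\s*</firewall-name>")
RULE_ACTION = re.compile(r"<action>\s*(\S+)\s*</action>")


def parse_rules(config_text):
    """Return (name, action) pairs in running-config order.

    A block without a <firewall-name> is skipped; a block without the
    assumed <action> tag is recorded with action "unknown".
    """
    rules = []
    for block in RULE_BLOCK.findall(config_text):
        name = RULE_NAME.search(block)
        if not name:
            continue
        action = RULE_ACTION.search(block)
        rules.append((name.group(1), action.group(1) if action else "unknown"))
    return rules


def is_auto_port_forward(name):
    """True when the rule name matches the controller's NAT-generated pattern."""
    return bool(AUTO_PORT_FORWARD.match(name))


def hidden_allow_rules(config_text, visible_names):
    """Allow rules present on the device but absent from the Nebula view.

    These are the rules that explain traffic the displayed policy seems to deny.
    """
    return [
        name
        for name, action in parse_rules(config_text)
        if action == "allow" and name not in visible_names
    ]


def audit_report(config_text, visible_names):
    """One line per hidden allow rule, tagged with its likely origin."""
    report = []
    for name in hidden_allow_rules(config_text, visible_names):
        origin = "auto-created by a NAT rule" if is_auto_port_forward(name) else "unexpected"
        report.append(f"{name}: allow rule not shown in Nebula ({origin})")
    return report


if __name__ == "__main__":
    for line in audit_report(SAMPLE_RUNNING_CONFIG, NEBULA_VISIBLE_RULES):
        print(line)
```

To use it against a real device, paste the command output into SAMPLE_RUNNING_CONFIG (adjusting the wrapper and action tags to whatever the firmware actually prints) and put the rule names you see in Nebula into NEBULA_VISIBLE_RULES; any "unexpected" entry in the report is an allow rule that neither the NAT feature nor the visible policy accounts for and deserves a look.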
All Replies
Hi Emily,
Thanks for your answer, which is complete and accurate.
Regards,
Sébastien