Security Policy Help - Policies are not applying to traffic
First question: how does the Zyxel process the rules? The documentation on page 553 (ftp://ftp2.zyxel.com/USG20-VPN/user_guide/USG20-VPN_V4.32_Ed1.pdf) states that the rules are applied sequentially. I assume that once it hits the first match, it then stops processing, so any additional matches do not apply? Because I've tried putting both these rules at the top and at the bottom of the policies, and it didn't make any difference for me.
With both these rules in place, if I ping the VLAN 20 GW from a VLAN 10 client, I get replies back, and if I ping the VLAN 10 GW from a VLAN 20 client, I get replies also. I've tried changing the source and destination IPv4 from the VLAN 10 and VLAN 20 interfaces to just another subnet object I created for those interfaces (i.e. 192.168.10.0/24 and 192.168.20.0/24 instead of the built-in VLAN10 - 192.168.10.0/24 and VLAN20 - 192.168.20.0/24), and that didn't make any difference either. Both VLANs can still talk to each other. Can you help me see what I'm doing wrong? I'm sure I'm missing something easy and fundamental because I just don't understand the nuances of how a Zyxel works.
I've been trying to follow this article:
http://www.crabtree-consulting.com/vlan-for-guest-wifi-on-zyxel-usg-router-with-engenius-access-points/
and looked through chapter 27 in the documentation here:
ftp://ftp2.zyxel.com/USG20-VPN/user_guide/USG20-VPN_V4.32_Ed1.pdf
But I'm still stumped. Thanks all!
In addition, looking at the traffic logs filtering on my VLAN 10 client as the source, it doesn't look like any of the traffic is being passed through the firewall. Is this because VLAN 10 & VLAN 20 are both in the LAN1 zone? Do the VLANs need to be in different zones before the firewall will inspect the traffic?
Hi @ZyxelNewb
Is the traffic being forwarded by your switch?
You can capture the packets on the VLAN10 and VLAN20 interfaces together to make sure whether the traffic has been forwarded by the USG or not.
(1) Go to Maintenance > Diagnostics > Packet Capture > Add interfaces as capturing member
(2) Click the Capture button.
(3) Send traffic from VLAN10 to VLAN20
(4) Click the Stop button.
(5) You can find the packets in the Files tab, and check whether the packets were routed by the USG or not.
Thank you for the reply - yes, I've confirmed that the traffic is indeed being routed by the Zyxel, but the security policies are still not applying. What should my next step(s) be? Thank you!
I stand corrected. Everything seems to be working "ok" for the most part. I was pinging the GW on the other VLANs as a test, but if I ping anything past the GW, it blocks the traffic. Can you tell me why that is? Shouldn't even the GW be blocked based on the security policies I put in place above? And why isn't the traffic showing up in the packet capture above?
Hi @ZyxelNewb
The destination IP of a USG interface belongs to the "ZyWALL" zone.
So if you need to manage traffic destined to the USG itself, the destination zone of the rule should be "ZyWALL".
(1) Create a customized zone in Object.
Configuration > Object > Zone > User Configuration > Add VLAN10
(2) Change the zone of the VLAN10 interface to the VLAN10 zone which you added.
Configuration > Network > Interface > VLAN > Edit VLAN10
(3) Add a Security Policy to block VLAN to ZyWALL.
From: VLAN10, To: ZyWALL, Action: Deny.
This rule will drop the traffic from VLAN10 to ZyWALL.
Then traffic whose destination IP address belongs to ZyWALL will be dropped successfully.
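To make the zone behaviour in that reply concrete, here is an added example (not from the thread and not Zyxel's code) that models the USG's sequential first-match policy evaluation with the interface IPs placed in the ZyWALL zone. The zone names, subnets, the permissive per-VLAN outgoing rules standing in for the default LAN outgoing rules, and the implicit final deny are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology modelled on this thread: two VLAN interfaces, each in
# its own user-created zone, with the interface IPs (the gateways the poster
# was pinging) owned by the USG itself and therefore in the ZyWALL zone.
INTERFACES = {  # zone name -> subnet
    "VLAN10": ipaddress.ip_network("192.168.10.0/24"),
    "VLAN20": ipaddress.ip_network("192.168.20.0/24"),
}
DEVICE_IPS = {ipaddress.ip_address(a) for a in ("192.168.10.1", "192.168.20.1")}

@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name or "any"
    action: str     # "allow" or "deny"

def zone_of(ip: str) -> str:
    """Any address owned by the USG is ZyWALL; otherwise the zone of its subnet."""
    addr = ipaddress.ip_address(ip)
    if addr in DEVICE_IPS:
        return "ZyWALL"
    for zone, net in INTERFACES.items():
        if addr in net:
            return zone
    return "WAN"  # constructed: anything off the local subnets

def evaluate(rules, src_ip: str, dst_ip: str) -> str:
    """Sequential first-match: the first rule whose zones fit decides, else implicit deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone):
            return r.action
    return "deny"

# The poster's rule set: VLAN-to-VLAN denies above permissive outgoing rules
# (constructed stand-ins for the USG's default LAN outgoing rules).
POSTER_RULES = [
    Rule("VLAN10", "VLAN20", "deny"),
    Rule("VLAN20", "VLAN10", "deny"),
    Rule("VLAN10", "any", "allow"),
    Rule("VLAN20", "any", "allow"),
]
# The reply's fix: a VLAN10 -> ZyWALL deny placed above the outgoing rules.
FIXED_RULES = [Rule("VLAN10", "ZyWALL", "deny")] + POSTER_RULES

if __name__ == "__main__":
    for rules in (POSTER_RULES, FIXED_RULES):
        for dst in ("192.168.20.1", "192.168.20.50"):  # VLAN20 gateway, then a host past it
            print(f"192.168.10.10 -> {dst} [{zone_of(dst)}]: {evaluate(rules, '192.168.10.10', dst)}")
```

The model reproduces the thread's observation: a VLAN10 ping to the VLAN20 gateway has destination zone ZyWALL, so it never matches the VLAN10 -> VLAN20 deny and is allowed by the outgoing rule, while anything past the gateway is denied. It also shows that the VLAN10 -> ZyWALL deny covers VLAN10's own gateway address, and that a deny placed below the outgoing allow never matches.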