Policy Control in USG FLEX 100
Hi, I have a question about Policy Control in USG FLEX 100.
Default rules allow all traffic. They create two HOST objects, how to block traffic between them in LAN1? I tried to do it between two computers and despite different settings in the sections: From , To, IPv4 Source , IPv4 Destination and setting the Action tab to deny, computers can still ping and see shared resources in the network environment.
I understand that the rule should be in the Policies list before the default Policies?
What should a rule blocking traffic between two computers in Lan1 look like? Can I have an example please? Thank you for your help and have a nice weekend.
All Replies
-
This works for me to block VLAN10 (users) from accessing VLAN1000 (admin).
VLAN1000 can still access VLAN10 – if you want it to be mutual, you need a second, reversed policy.
Source objects would be Hosts – but generally I would just put those hosts on seperate VLANs or Zones.
In your case a host could just chose another IP to be allowed again. With MAC/DHCP enforcement the host could still spoof its' MAC… and so on.If you generally want to isolate all hosts on that subnet from each other, you want "Layer-2-Isolation" as a concept.
6 -
Computers on the same subnet or LAN1 can't blocked due to a switch or if you port role LAN ports to LAN1 which is still a switch before it gets to the Policy Control.
Two way to block is to have the computers on different subnets which the Policy Control can see or with a VLAN set to general with proxy arp and a managed switch with Send the packet to the egress port with ARP out the port to USG which you make a LAN to LAN Policy Control rules to limit what computers can connect to each other on the same subnet.
6 -
how to block traffic between them in LAN1?
You cannot in USG device. Because for communicate between them, USG is not involved at all.2 -
Thank you very much for your posts. Have a great week.
0
Master Member
Guru Member
Categories
- All Categories
- 431 Beta Program
- 2.6K Nebula
- 165 Nebula Ideas
- 112 Nebula Status and Incidents
- 6K Security
- 364 USG FLEX H Series
- 292 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.6K Consumer Product
- 262 Service & License
- 407 News and Release
- 87 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.9K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 83 Security Highlight
