How do I block IPs in USG60?
Accepted Solution
-
Hello @DennisFi
As @StefanZ suggested, if it's a large list of blocked IPs, you may try only allowing a few IPs.
Or you can do it by manually adjusting your configuration file.
- Download the startup-config.conf
- Open the .conf file with a text editor (Notepad)
- Find address-object address and object-group address
- Then you can add the IP addresses in this format:
  address-object x.x.x.x
  address-object y.y.y.y
- And add an address group including the address-object:
  object-group address
  address-object address name1
  address-object address name2
This way it is easier to add the address group if it's a large list.
0
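As an added example (not from this thread and not Zyxel's own tooling), a small Python script that turns a large block list into the address-object / object-group stanza described in the accepted solution, validating every entry and merging overlapping subnets before anything is pasted into startup-config.conf. The keyword layout it emits (`address-object NAME host IP`, `address-object NAME CIDR`, and `address-object NAME` lines under `object-group address GROUP`) is assumed from the ZyWALL CLI and should be compared against entries already present in your exported file; the group name and the `BL_0001` naming scheme are made up.

```python
import ipaddress

def normalize_networks(entries):
    """Parse a raw block list (one host or CIDR per string), skip malformed
    lines and merge overlapping or adjacent networks per IP version."""
    by_version = {4: [], 6: []}
    for raw in entries:
        raw = raw.split("#", 1)[0].strip()   # tolerate trailing comments
        if not raw:
            continue
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            continue                         # never write garbage into the config
        by_version[net.version].append(net)
    merged = []
    for version in (4, 6):                   # collapse_addresses needs one version at a time
        merged.extend(ipaddress.collapse_addresses(by_version[version]))
    return merged

def build_block_config(entries, group_name="BLOCKLIST"):
    """Return config lines: one address-object per network, then one
    object-group that references all of them. The keyword layout is an
    assumption; check it against entries already in startup-config.conf."""
    names, lines = [], []
    for index, net in enumerate(normalize_networks(entries), start=1):
        name = f"{group_name}_{index:04d}"   # hypothetical naming scheme
        names.append(name)
        if net.num_addresses == 1:
            lines.append(f"address-object {name} host {net.network_address}")
        else:
            lines.append(f"address-object {name} {net.with_prefixlen}")
    lines.append(f"object-group address {group_name}")
    lines.extend(f"address-object {name}" for name in names)
    return lines

if __name__ == "__main__":
    # constructed sample list using documentation ranges; one bad line on purpose
    sample = ["198.51.100.7", "198.51.100.0/24", "not-an-ip", "203.0.113.5  # example"]
    print("\n".join(build_block_config(sample, "BL")))
```

Paste the printed stanza into the address-object and object-group sections of the downloaded file, then reference the group in the Policy Control deny rule; as noted later in the thread, applying a replaced config may restart the device.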
All Replies
-
If you know the IP, range, subnet or FQDN you can make a group list in objects > address then add to security policy > policy control for LAN to WAN or WAN to LAN source/destination as needed.
1 -
Hello @DennisFi
Welcome to Zyxel Community!
- Go to Configuration > Security Policy > Policy Control, and click "Add" to create a policy rule
- From: LAN1, To: WAN (the direction could be incoming too)
- Source: specific LAN host. (For blocking incoming traffic, the Source could be an external IP address or FQDN)
- Action: Deny
1 -
OK so I would have to do that for every IP or range then. I was wondering or hoping one might've had the ability to insert a lot of IPs in a list somewhere and tie those to a policy.
I was considering making an app to connect to the firewall via SSH and automatically keep a list of blocked IPs.
0 -
Have a look at Configuration > Address/GEO IP > Address Group (if that feature exists on your device). Here you can bundle multiple Address Objects into a group which you can then reference in Policy Control.
Generally I think you should do the reverse of what you want: only allow certain IPs or ranges and keep everyone else out. That's basically what a firewall does with the Default Rule – deny everything that is not explicitly allowed.
Changing your config via SSH / CLI might also restart the device every time you alter the config. At least that is what happens via file-upload > apply or when replacing it via FTP…
0 -