USG110 / 4.65 AAPH.1 - new "Policy Control Warning"
This is a warning - with a proposal to change the rules. When you click on the button, you will be prompted to change the ports of the https, sslvpn ... If there is a WAN rule for Zywall Source Any Allow, then there will be a message; if in the Source field you specify a group of countries or addresses, then there will be no error.
Thanks for the image and explanation, Jonatan.
Does the red security note disappear only when all 4 checkboxes are ticked? This would be a kind of constraint. But anyway, safety first and because of the last lessons learnt by Zyxel they consider it right.
- Management access will only be granted with us from LAN1. All other zones (including WAN) are prohibited.
- Management access port is different from SSL VPN access Port.
- But we need an access opportunity from WAN for our streetworkers. Unfortunately they have to visit ships all over the world. That's why we are not able to limit the SSL VPN access to special trusted regions only.
- 2F Authentication is not in use with us.
Hi @USG_User
Then change the standard SSL VPN to access the gateway. This message is for informational purposes only.
Instructions here: https://mysupport.zyxel.com/hc/en-us/articles/4403366981522--ZyWALL-USG-How-to-change-the-SSL-VPN-Server-port-on-the-security-gateway-WebUI-
Firmware info: https://community.zyxel.com/en/discussion/10971/zld4-64-5-01-firmware-release#latest
Thanks Jonatan, but as said, our management access port is already different from SSL VPN access port. This was the first thing we've done after Zyxel has implemented it.
BTW, for both accesses we do not use any standard ports (like 443) anymore.
Hi @USG_User
The purpose of this feature is to guide the users how to deploy the devices in a “more secured way”.
Please refer to the below link: https://community.zyxel.com/en/discussion/10920/best-practices-to-secure-a-distributed-network-infrastructure#latest
Once the recommended practice is followed (edit one of Security Check for WAN interface checkbox), the red warning message will disappear.
Thanks Jeff, but an option "Noted" (or something like that for expert users) would be appreciated, which lets the red warning message disappear after reading.
Further, the present button "Update Security Settings" looks like "quick & dirty" added. It sticks to the newly added separator line. It's cosmetics only, but will be noticed by the user!
Hint for improving: instead of a Q&D button "fix it for me", maybe the info box could provide the "ticks not ticked" that are triggering it.
Thanks for your suggestion, we will evaluate this in our future improvement.
Having been directed to this forum for submitting ideas, I'd love to chuck my 2p worth in. We have this same issue, we use SSL VPN and use non-standard ports, and yet in Policy Control we're constantly mithered that “you have a rule that allows anyone on the internet to access the web management interface and the SSL VPN service”. Except in the case of the former, we have a rule that denies, and in the case of the latter, we kinda need the service to be visible externally, or it's not much use as a VPN server.
How do we get this annoying prompt to go away? Hitting “Update Security Settings” will create rules that block the SSL VPN service.
We have followed the best practices (and in fact, had paid you guys to set up the SSL VPN service, so you'd hope you'd be on the ball), and yet the only way we can make the infernal message disappear is to allow it to block the service we need…
Hi @Catkins,
Could you send me the device startup configuration file? Assuming the security policy already follows the best practice, the error message should be gone.