USG FLEX H models: security services by policy?

PhilippeB
PhilippeB Posts: 18  Freshman Member
edited December 2023 in USG FLEX H Series

The previous ATP and USG FLEX models could be switched to inspection by policy ("secure-policy-style advance") instead of using IP exception to exclude the unwanted services.

The table in Firmware Release Note V1.10 doesn't mention this feature as not yet supported, but I haven't found it nonetheless. Is the function really missing?

All Replies

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    Hello @PhilippeB
    The USG FLEX H firewall can also select the SSL inspection profile by policy, and IP exception is there too.
    I don't quite understand your question, could you rephrase it? What's the exact feature you are asking for in the H series?

  • PhilippeB
    PhilippeB Posts: 18  Freshman Member

    I'll explain it with some screenshots. In the previous models it was possible to link each of the security services individually to one or more security policies:

    This function makes it much easier to set up complex scenarios and keep a simple overview. Without this function, unneeded or even interfering security services must be laboriously bypassed with quite a number of IP Exception rules. There, the logging options are also limited (e.g. no log alert in IP Exception rules).

    With the H series, only these three security services can be linked individually:

    All the other security services like IPS have to be enabled or disabled globally:

    This simplified approach may be good for SOHO administrators. In more complex networks, this simplification is counterproductive.

    So the question is: will this important function return?

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    @PhilippeB Currently, this feature is not in the roadmap for uOS.

    I will put this suggestion into ideation for further evaluation.

  • p4_greg
    p4_greg Posts: 16  Freshman Member

    When trying to up-vote this, I am getting the error: "Category is not configured for ideation"

  • PhilippeB
    PhilippeB Posts: 18  Freshman Member

    Is there any news? Without inspection by policy, we will probably look for other models/brands. We use the function now on a countless number of USG 200 devices. Sometime, we'll have to exchange them.

  • PhilippeB
    PhilippeB Posts: 18  Freshman Member

    @HendrixChana , I received the notification about an answer in this thread:

    But I'm unable to open it. I only get the following error messages:

    Can you post it once more please?

  • Matthew
    Matthew Posts: 9  Freshman Member

    I too would like to see this feature added back in. I use this feature regularly as not all traffic needs to be inspected (especially if there is limited inspection bandwidth to go around) and some traffic needs to be alerted on/logged differently. If I have Flex routers at both ends of a VPN connection, I either don't need to inspect the traffic (it's all internal LAN traffic) or only one side needs to handle inspection.

    The H-series should carry the same feature set as the Flex and USG series. I use this

  • PhilippeB
    PhilippeB Posts: 18  Freshman Member

    I agree that the H series firewalls should include all the features and possibilities of the previous models. Without inspection by policy we'd run into severe problems because IP exceptions can't handle all the conditions (e.g. service, devices, user) that policy control can easily.

    For the good money of an H series firewall, serious admins don't want to get a Plug&Play SOHO firewall.