USG FLEX H models: security services by policy?
The previous ATP and USG FLEX models could be switched to inspection by policy ("secure-policy-style advance") instead of using IP exception to exclude the unwanted services.
The table in Firmware Release Note V1.10 doesn't mention this feature as not yet supported, but I haven't found it nonetheless. Is the function really missing?
All Replies
-
Hello @PhilippeB
USGFLEX H firewall also can select the SSL inspection profile by the policy, and IP exception is there too.
I don't quite understand your question, could you rephrase it again? What's the exact feature you are asking for in the H series?
0 -
I'll explain it with some screenshots. In the previous models it was possible to link each of the security services individually to one or more security policies:
This function makes it much easier to set up complex scenarios and keep a simple overview. Without this function, unneeded or even interfering security services must be laboriously bypassed with quite a number of IP Exception rules. There, the logging options are also limited (e.g. no log alert in IP Exception rules).
With the H series, only these three security services can be linked individually:
All the other security services like IPS have to be enabled or disabled globally:
This simplified approach may be good for SOHO administrators. In more complex networks, this simplification is counterproductive.
So the question is: will this important function return?
2 -
@PhilippeB Currently, this feature is not in the roadmap for uOS.
I will put this suggestion into ideation for further evaluation.
2 -
When trying to up-vote this, I am getting the error: "Category is not configured for ideation"
0 -
I also had the same problem as you, did you fix it?
0 -
@plonkarchivist @p4_greg Please vote here
0 -
Is there any news? Without inspection by policy, we'll probably look for other models/brands. We use the function now on a countless number of USG 200 devices. Sometime, we'll have to exchange them.
0 -
@HendrixChana , I received the notification about an answer in this thread:
But I'm unable to open it. I only get the following error messages:
Can you post it once more please?
0 -
I too would like to see this feature added back in. I use this feature regularly as not all traffic needs to be inspected (especially if there is limited inspection bandwidth to go around) and some traffic needs to be alerted on/logged differently. If I have Flex routers at both ends of a VPN connection, I either don't need to inspect the traffic (it's all internal LAN traffic) or only one side needs to handle inspection.
The H-series should carry the same feature set as the Flex and USG series. I use this
1 -
I agree that the H series firewalls should include all the features and possibilities as previous models. Without inspection by policy we'd run into severe problems because IP exceptions can't handle all the conditions (e.g. service, devices, user) that policy control can easily.
For the good money of an H series firewall, serious admins don't want to get a Plug&Play SOHO firewall.
0