Security Policy, NO "ANY" option in drop down list.

jef
jef Posts: 37  Freshman Member

Why is there not an 'any' option in the drop-down? There is "any (Excluding Zywall)", but I want Zywall protected also.

Do I have to create 2 rules, "any (Excluding)" and another, "Zywall"?

All Replies

  • PeterUK
    PeterUK Posts: 2,806  Guru Member
    edited February 9

    Do I have to create 2 rules, "any (Excluding)" and another, "Zywall"?

    Yes, it's for better security, like this:

    If you had from WAN to ANY, that would mean including Zywall. ANY Excluding Zywall is any but not Zywall.

  • jef
    jef Posts: 37  Freshman Member

    Thanks, I did create two rules:
    WAN to "Any (Excluding Zywall)" deny
    WAN to "Zywall" deny.
    I do not understand how that would differ from WAN to "Any", if "Any" was an option.

  • PeterUK
    PeterUK Posts: 2,806  Guru Member
    edited February 9

    The default deny rule would have applied then, needing WAN to "Zywall" deny, unless you have a rule WAN (or any) to Zywall allow.

  • jef
    jef Posts: 37  Freshman Member

    Ah, I get it, thank you… Yes, but I do.
    China was trying to hack the IPsec tunnel. WAN to Zywall is required for IPsec.

    I thought I was blocking China (Asia) high in the list, but the Zyxel "Exclude" poked a hole in that.
    I try to never rely on the default rule.
    I still think "Any" needs to be an option, just like the "any" in the default rule.
    I think it would be cleaner than making 2 rules for the same thing. Or allow us to choose multiple objects.

  • jef
    jef Posts: 37  Freshman Member

    Looks innocent enough.
    But I didn't recognize 223.113.128.138. It is not one of our remote corporations.
    I back-tracked that IP to China. Then got grumpy wondering how it got that far into my Zyxel.

  • jef
    jef Posts: 37  Freshman Member

    Zyxel doesn't allow IPsec by FQDN, which would be nice for dynamic gateway addresses.

  • PeterUK
    PeterUK Posts: 2,806  Guru Member
    edited February 9

    You likely have a rule from WAN to Zyxel to allow VPN from any IP.

    The USG comes with default rules, which you should check.

  • Zyxel_James
    Zyxel_James Posts: 624  Zyxel Employee

    Hello @jef,
    From/To configures the direction of travel of packets, and it can only be set as a Zone, not as an interface or an address.
    It's more like we treat ZyWALL itself as a Zone; Any as a Zone means any interface, and ZyWALL is not considered an interface.
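The gap jef hit (a geo-block rule on "Any (Excluding ZyWALL)" placed high in the list still lets a later "WAN to ZyWALL allow" rule admit traffic to the device itself) can be reproduced with a small first-match model of the zone semantics Zyxel_James describes. This is an added illustration, not Zyxel code; the rule names, the "Asia" region label and the simple source-region string standing in for a geo-IP lookup are all assumptions.

```python
# Added example: a minimal first-match model of the security-policy semantics
# discussed in the thread (not Zyxel's implementation). Rule names, the region
# label and the src_geo field are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZYWALL = "ZyWALL"   # the device itself, modelled as its own destination zone


@dataclass
class Rule:
    name: str
    src_zone: str            # a zone name such as "WAN", or "any"
    dst_zone: str            # a zone name, "any", or "any_excl_zywall"
    src_geo: Optional[str]   # region the source is geolocated to; None = no restriction
    action: str              # "allow" or "deny"


def dst_matches(rule: Rule, dst: str) -> bool:
    """The UI's "Any (Excluding ZyWALL)" covers every zone except the device."""
    if rule.dst_zone == "any_excl_zywall":
        return dst != ZYWALL
    return rule.dst_zone in ("any", dst)


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             src_geo: str, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins; the implicit default rule applies otherwise."""
    for r in rules:
        if r.src_zone not in ("any", src_zone):
            continue
        if not dst_matches(r, dst_zone):
            continue
        if r.src_geo is not None and r.src_geo != src_geo:
            continue
        return r.action, r.name
    return default, "default"


# Policy as first described: geo-block high in the list using
# "Any (Excluding ZyWALL)", then the VPN allow rule to the device.
leaky = [
    Rule("block-asia", "WAN", "any_excl_zywall", "Asia", "deny"),
    Rule("allow-ipsec", "WAN", ZYWALL, None, "allow"),
]

# Corrected: a second geo-block rule that names the ZyWALL zone, placed
# before the allow rule, so the device itself is covered too.
fixed = [
    Rule("block-asia", "WAN", "any_excl_zywall", "Asia", "deny"),
    Rule("block-asia-zywall", "WAN", ZYWALL, "Asia", "deny"),
    Rule("allow-ipsec", "WAN", ZYWALL, None, "allow"),
]
```

Running `evaluate(leaky, "WAN", "ZyWALL", "Asia")` returns the allow rule, while the same packet against `fixed` hits the ZyWALL-specific deny; traffic to LAN1 is blocked by the geo rule in both policies.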
