Geo Filter - access for only certain countries

weite

If I want only one country to access from WAN to ZyWALL/Intranet. How can I make this simple?

I know I could exclude all other countries and continents, but is this the only way? A simpler one would be better. 😅

Thanks!

All Replies

  • PeterUK
    edited November 24

    The end default rule is from any to any deny, but also check your default rules to ZyWALL.

    So a rule that is from WAN to ZyWALL with Source country allow is all you need to do.

  • weite

    Thanks PeterUK!

    I'm not sure if I'm missing something. If I put a rule at the first position and say that the country xy is allowed, then the following rules will be executed, and if the country is not xy it will end the execution?

    I think only a deny will end the execution of the rules, or not?

    I want to prevent access immediately.

  • PeterUK

    There is a WAN_to_Device rule that is a default, which you can disable,

    or, under the allow rule for the given country, you can add a deny rule from WAN to ZyWALL if you want.

  • Zyxel_Tina

    Hi @weite,

    To restrict WAN access to your ZyWALL/Intranet to only one specific country on your USG FLEX H device, you can efficiently use Geo Filter policies. Instead of denying access from all other countries individually, you can create an "allow" rule for your desired country and then a general "deny" rule for everything else.

    Here’s how to set this up:

    1. Update GeoIP Database: First, ensure your GeoIP database is current. Go to Object > Address > GeoIP in the Web GUI and configure scheduled updates.
    2. Configure Policy Rules:
      1. Navigate to Security Policy > Policy Control.
      2. Rule 1 (Allow Specific Country): Create a new policy rule with:
        1. Action: Allow
        2. From: WAN
        3. To: ZyWALL (or your Intranet zone)
        4. Source: Select your specific country (you can use keyword search).
        5. Service: Specify the services you want to allow (e.g., HTTPS, HTTP).
      3. Rule 2 (Deny All Others): Create another policy rule below the first one with:
        1. Action: Deny
        2. From: WAN
        3. To: ZyWALL (or your Intranet zone)
        4. Source: Any
        5. Service: Any (or the specific services you are protecting).

    This setup allows traffic from your chosen country while blocking all other WAN traffic to your ZyWALL/Intranet, making the configuration simpler.

    Zyxel Tina
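
The rule ordering discussed in this thread, as an added example that is not part of any post and is not Zyxel code: a small first-match evaluator showing why the explicit deny has to sit directly under the country allow rule. It assumes top-down, first-match evaluation; the rule names `Allow_XY` and `Deny_Others`, the country codes `XY` and `ZZ`, and the simplified `WAN_to_Device` stand-in (assumed to allow HTTPS from any source) are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_country: str  # country code, or ANY
    service: str      # service name, or ANY
    action: str       # "allow" or "deny"

    def matches(self, pkt: dict) -> bool:
        # A rule matches when every criterion is ANY or equals the packet's value.
        return all(getattr(self, f) in (ANY, pkt[f])
                   for f in ("src_zone", "dst_zone", "src_country", "service"))

def evaluate(rules, pkt):
    """First matching rule decides; no match falls to the final any-to-any deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default"

# Constructed rules. "XY" is the placeholder country used in the thread.
ALLOW_XY = Rule("Allow_XY", "WAN", "ZyWALL", "XY", "HTTPS", "allow")
DENY_REST = Rule("Deny_Others", "WAN", "ZyWALL", ANY, ANY, "deny")
# Simplified stand-in for the default rule (assumed to allow HTTPS from any source).
WAN_TO_DEVICE = Rule("WAN_to_Device", "WAN", "ZyWALL", ANY, "HTTPS", "allow")

def pkt(country, service):
    return {"src_zone": "WAN", "dst_zone": "ZyWALL",
            "src_country": country, "service": service}

def compare(country, service):
    """Decision for one packet without and with the explicit deny rule."""
    p = pkt(country, service)
    without = evaluate([ALLOW_XY, WAN_TO_DEVICE], p)
    with_deny = evaluate([ALLOW_XY, DENY_REST, WAN_TO_DEVICE], p)
    return without, with_deny

if __name__ == "__main__":
    for country, service in [("XY", "HTTPS"), ("ZZ", "HTTPS"), ("XY", "SSH")]:
        print(country, service, compare(country, service))
```

In this model a non-matching allow rule does not stop evaluation: traffic from `ZZ` skips `Allow_XY` and is decided by whatever rule comes next, which is why the deny rule (or disabling the default rule) is needed.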