zyman2008  Master Member

Support in USG FLEX on premise mode. Not support on cloud nebula mode. All the configuration take place on USG FLEX local GUI.

Hi @greg USG FLEX 200/500/700 + Hotspot Management service license can integrate with Socifi. You can refer the guide, The main use case is for wifi marking/Ads: () Socifi as external captive portal (easy and quick to customize the portal page) Can setup dynamic media contents once guest visit portal page Can mange…

Hi @emisaacson , Add policy routes on both sites. Internet ←→ ZyWALL 1100 ←→ VPN ←→ Remote Site ←→ 10.168.20.161:443 On ZyWALL 1100, 1. Add a policy route for Internet to 10.168.20.161:443 over VPN tunnel to remote site. Internet→(ge1)ZyWALL 1100→VPN→Remote Site→10.168.20.161 source: any, destination: 10.168.20.161,…

Hi @EricLogsdon , I do recommend to use route-based IPSec VPN instead of policy-based VPN which is limited for link to cloud service and not easy to trouble shoot. Also, I think Zyxel obsoleted the policy-based KB by route-based.

Just add the Signature ID into the IPS allow list.

Vary depends on the behavior of FritzBox & clients setting. Clients on 192.168.1.0/24 request to 192.168.20.0/24 will forward packet to default gateway 192.168.1.1, the FritzBox. What's FritzBox will do ? Reply ICMP redirect to clients ? Tell client the Next-Hop to 192.168.20.0/24 is 192.168.1.2 Also forward the first…

Once the interface join into a ridge interface. The original interface function will be turn off and acting like a layer 2 port. No matter the bridge interface is active or not.

Here the guideline to create VPN rule, Static Site to Site: One rule for one peer My IP - Peer IP will be the matching criteria Site to Site with dynamic Peer & Remote Access: One rule for all peers. Setup Local ID/Remote ID is any. On the peer setup remote ID/Local ID. Setup the proposal different with other Site to Site…

Just one VPN rule Gateway/Conenction rule on firewall. But on each client need to setup unique local-id. The point of view comes from IPSec IKE RFC standard. Remote/Local ID is one of the matching criteria for IKE negotiation. But the default value of local id is depends on the design of the VPN client. Here an example of…

Hi @KonradWo , Multiple clients under the same NAT router. The source IP address of VPN (IKE) request from clients is the same IP. VPN server cannot identify the different without unique "fingerprint". So that you need to setup different "local ID" on each client. How to do that ? It's vary depends what's client software…

Here what I think the root cuase of issue. Triangle route issue (without SNAT to 192.168.99.1) No triangle route (with SNAT) So either Zyxel Firewall to allow asymmetric route or doing SNAT can solve the issue.

Usually a triangle route issue if multiple Stateful firewall as router in the same subnet. Enable “Allow Asymmetrical Route” option in policy control page. On both USG20 and USG FLEX firewall.

The most easy way is using a middleware Idp cloud to integrate.

I don't want to activate any service. Then just add the default profile is need. configure terminal anti-virus default_profile infected-action destroy log exit anti-spam profile 1 profile-name default_profile exit write exit

I think you need add these CLI to setup the default profile for AntiMalware and Email Security. configure terminal anti-virus default_profile infected-action destroy log exit anti-spam profile 1 profile-name default_profile exit security-service ips activate security-service anti-virus activate security-service…