Comments
-
Just add the Signature ID into the IPS allow list.
-
It varies depending on the behavior of the FritzBox & the clients' settings. Clients on 192.168.1.0/24 sending requests to 192.168.20.0/24 will forward packets to the default gateway 192.168.1.1, the FritzBox. What will the FritzBox do? Reply with an ICMP redirect to the clients? Tell the client that the next hop to 192.168.20.0/24 is 192.168.1.2. Also forward the first…
-
Once an interface joins a bridge interface, the original interface function will be turned off and it acts like a layer 2 port, no matter whether the bridge interface is active or not.
Section: Creating - not activating - a Bridge Interface breaks DHCP on members. Comment by zyman2008, Jun 4
-
Here is the guideline for creating VPN rules. Static Site to Site: one rule for one peer; My IP - Peer IP will be the matching criteria. Site to Site with dynamic peer & Remote Access: one rule for all peers. Set the Local ID/Remote ID to any. On the peer, set up the remote ID/Local ID. Set up the proposal different from other Site to Site…
-
Just one VPN rule (Gateway/Connection rule) on the firewall. But each client needs to set up a unique local-id. The point of view comes from the IPSec IKE RFC standard. Remote/Local ID is one of the matching criteria for IKE negotiation. But the default value of the local id depends on the design of the VPN client. Here is an example of…
-
Hi @KonradWo, multiple clients are under the same NAT router. The source IP address of the VPN (IKE) requests from the clients is the same IP. The VPN server cannot identify the difference without a unique "fingerprint". So you need to set up a different "local ID" on each client. How to do that? It varies depending on what client software…
-
Here is what I think is the root cause of the issue. Triangle route issue (without SNAT to 192.168.99.1). No triangle route (with SNAT). So either setting the Zyxel firewall to allow asymmetric routes or doing SNAT can solve the issue.
-
It is usually a triangle route issue if multiple stateful firewalls act as routers in the same subnet. Enable the “Allow Asymmetrical Route” option on the policy control page, on both the USG20 and the USG FLEX firewall.
-
The easiest way is to use a middleware IdP cloud to integrate.
-
I don't want to activate any service. Then just adding the default profile is needed.
    configure terminal
    anti-virus default_profile
    infected-action destroy log
    exit
    anti-spam profile 1
    profile-name default_profile
    exit
    write
    exit
-
I think you need to add these CLI commands to set up the default profile for AntiMalware and Email Security.
    configure terminal
    anti-virus default_profile
    infected-action destroy log
    exit
    anti-spam profile 1
    profile-name default_profile
    exit
    security-service ips activate
    security-service anti-virus activate
    security-service…
-
Hi @StefanZ, if the USG 20 is also behind NAT with a dynamic public IP address, then on the USG FLEX 200 create another IKEv1 aggressive mode rule (to make it easy to differentiate from other rules and avoid conflict). On the USG FLEX 200, select Aggressive mode. After the rules are created, you need to edit this VPN Gateway rule. In advanced…
-
Hi @StefanZ, the Zyxel firewall doesn't support acting as an L2TP/IPSec VPN client. Use the VPN wizard to create another Site-to-Site rule on the USG FLEX 200 and FLEX 50. On the FLEX 200: select IKEv2 to make it different from the L2TP/IPSec server rule. On the FLEX 50: select Remote Access (client role).
-
Hi @DG_1, Sorry, I don't know much about it.
Section: For some RDS users exception from web site blocking (USG Flex 500). Comment by zyman2008, Feb 10
-
Hi @DG_1, as far as I know, the Zyxel firewall doesn't support identifying different users' sessions from the same Terminal Server.
    user1 -> RDS IP address
    user2 -> RDS IP address
It can support users on different workstations (different IP addresses).
    user1 -> PC1 IP address
    user1 -> PC2 IP address
    user2 -> PC3 IP address
The user's…
Section: For some RDS users exception from web site blocking (USG Flex 500). Comment by zyman2008, Feb 8
Master Member