SD-WAN VPN50 Firewall rules and content filter

Report_Srl Posts: 4
edited April 2021 in Security
Greetings everyone, I'm new to SD-WAN and testing a couple of configurations for one of our clients.
I'm used to the usual Zywall/USG configuration, and was trying to set up an "all denied" + "I decide what to open" policy in a test site.

That test site is configured like this: my laptop connected to a VPN50, its WAN connected to my office's LAN.
It connects and gets its configuration from the orchestrator, and after adding the necessary NAT rules I can connect to the test HQ.

Now what I want is to set things up in a way that a LAN client will not be able to use anything unless it has been configured to... That is: I don't want my laptop to be able to open our office LAN's firewall (private IP) nor my RDP server.
So I configured an org-wide firewall default rule as "From any, to any, any service, any user, Block" and put it at the bottom.
Then I added another rule as "From any to any, any service, any user + content filter rule to permit only Computers and Technology".

Now, if I use a browser I can open Microsoft.com but not Nasa.gov (as expected).

My problem is: if I open an MS RDP client and connect to a host on the office LAN "192.168.129.xx" I can open it; I am even able to open an SSH session to a Linux server that is in the same subnet... and that subnet is WAN for my VPN50... Those attempts get logged as "Rule name=P_HTTPS_Allow_IT, TCP Port 22 ACCEPT 10.0.3.2 192.168.129.xx tcp ACCESS FORWARD".

The workaround I used was: modify the ALLOW_IT rule and change "service any" to "service https", effectively blocking anything else but HTTPS... but I had to create an identical rule for "service http" and found that some of our needed sites also use port 8080... that is too much configuration work and there's no copy/paste option.

Can someone help me?

Best Regards, Andrea
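As an added illustration (not from the original post or from Zyxel), here is a small Python model of first-match rule evaluation showing why an "any service + content filter" allow rule accepts SSH and RDP before the deny-all rule ever runs, and how restricting that allow rule to web ports changes the verdict. The Rule/Flow types, the "Default_Deny" rule name, the "Government" category label and the port sets are constructed assumptions, not Zyxel's engine.

```python
# Constructed first-match policy model; rule names, categories and ports are
# assumptions for illustration only (not Zyxel's implementation).
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                                       # "ACCEPT" or "BLOCK"
    ports: Optional[frozenset] = None                 # None = "service any"
    allowed_categories: Optional[frozenset] = None    # None = no content filter


@dataclass
class Flow:
    dst_port: int
    category: Optional[str] = None   # web category; None for non-web traffic


def evaluate(rules, flow):
    """Return (rule_name, verdict) from the first rule whose service matches."""
    for r in rules:
        if r.ports is not None and flow.dst_port not in r.ports:
            continue                      # service mismatch: try the next rule
        if (r.allowed_categories is not None and flow.category is not None
                and flow.category not in r.allowed_categories):
            return r.name, "BLOCK"        # web flow in a filtered category
        # Non-web flows (SSH, RDP) carry no category, so the content
        # filter has nothing to say and the rule's own action applies.
        return r.name, r.action
    return "implicit", "BLOCK"


CF = frozenset({"Computers and Technology"})
DENY_ALL = Rule("Default_Deny", "BLOCK")

# Original policy from the post: "from any to any, service any" + CF, then deny-all.
LEAKY = [Rule("P_HTTPS_Allow_IT", "ACCEPT", None, CF), DENY_ALL]
# Service-restricted variant: the allow rule only matches web ports.
TIGHT = [Rule("P_HTTPS_Allow_IT", "ACCEPT", frozenset({80, 443, 8080}), CF), DENY_ALL]

SSH = Flow(22)
RDP = Flow(3389)
MICROSOFT = Flow(443, "Computers and Technology")
NASA = Flow(443, "Government")   # constructed category label

if __name__ == "__main__":
    for label, policy in (("leaky", LEAKY), ("tight", TIGHT)):
        for flow in (SSH, RDP, MICROSOFT, NASA):
            print(f"{label}: port {flow.dst_port} -> {evaluate(policy, flow)}")
```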

All Replies

  • Zyxel_Vic
    Zyxel_Vic Posts: 281 Zyxel Employee
    Hi
    Could you grant access to the accounts below so we can check your settings further?
    cso_security@zyxel.com.tw
    sdwan-its@zyxel.com.tw
    Moreover, please let us know the Org. name you authorized us for so that we can first check whether the settings are correct.
  • Hi, I just added the two accounts you specified as read-only. The organization name is ZanasiGroup.
    Please note I went back to my "more complex" configuration where I created 2 rules to allow only HTTP and HTTPS with the content filter...
  • Zyxel_Vic
    Zyxel_Vic Posts: 281 Zyxel Employee
    Hi @Report_Srl
    I didn't see the Org name you mentioned when using the account cso_security@zyxel.com.tw.
    By the way, can you also let us know what the GROUP name is?
  • Hi Vic, the group name is ClientiReport; in that group the only org we have enabled so far is ZanasiGroup...
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,280 Zyxel Employee

    Hi @Report_Srl,

    If you would like to deny access to a range/specific address of the remote site, you can create a firewall rule using "site scope".

    Here is an example for your reference.

    VPN300-hub: 192.168.0.0/24
    VPN100-branch: 192.168.3.0/24

    Firewall Rule 1: All clients in site VPN100 are not able to access the server 192.168.0.2 in VPN300.
    Firewall Rule 2: For all clients in sites VPN100 and VPN300, block all CF categories except "computers and technology".

    Test Result:
    Client 192.168.3.3 in VPN100 is not able to ping or RDP to 192.168.0.2.
    Client 192.168.3.3 is able to access Microsoft.com but not nasa.gov.
    Client 192.168.0.2 is able to access Microsoft.com but not nasa.gov.

  • Thank you Emily, I think I understand your point, but I wished to configure it more as "deny everything" + "allow only what I need"... and that works, but only for browsers...
    My doubt is: OK, I've denied browsers access to "private IP addresses" so I cannot browse the web config of a router... but if a client can (for example) launch an SSH client and connect to the router, the whole point of "deny everything" goes south...

    My Organization Profile now looks like this (and it's only a test run):

    under "block web pages" (as an example) I put all categories BUT "Computers and Technology".
    I can now browse regular HTTP and HTTPS and :8080 websites under the right category.
    That way, we can browse microsoft.com / zyxel.com but no p***hub (;P) AND no one can run Tor to bypass the rules I need in place (hopefully, need to test)...
    My personal opinion: if I'm content filtering, I mean on any port...
    If there's a better approach to what I need to accomplish, I'm all ears!

    Thank you everyone for your time!!
