Knowledge Base

How to exempt specific users from a blocked website?

Scenario

This is an example of using a ZyWALL/USG Security Policy to exempt three corporate executives from a blocked website, while controlling Internet access for other employees' accounts.
Because the executives connect to the blocked website from PCs with static IP addresses, you can set up an address group to allow their traffic.
 
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13).

Step

Set Up the Security Policy on the ZyWALL/USG for Employees
 
1. In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address range for employees.
 
2. To set up the Security Policy for employees, go to CONFIGURATION > Security Policy > Policy Control > Add corresponding and configure a Name that identifies the employees' Security Policy profile.
 
For From and To policies, select the direction of travel of packets to which the policy applies. Select Source to be the Employees to apply the policy to all traffic coming from them.
 
Scroll down to UTM Profile and select the general policy that allows employees to access the Internet. (In this example, the built-in Office profile blocks non-productive services such as Advertisement & Pop-Ups, Gambling and Peer to Peer services.)
 
 
 
Set Up the Security Policy on the ZyWALL/USG for Executives 
 
1. In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address for each executive.
 
 
 
2. Then go to CONFIGURATION > Object > Address Group > Add Address Group Rule, enter a name for the group, and move the executive address objects you just created to Member.
 
3. To set up the Security Policy for executives, go to CONFIGURATION > Security Policy > Policy Control > Add corresponding and configure a Name that identifies the executives' Security Policy profile.
 
For From and To policies, select the direction of travel of packets to which the policy applies. Select Source to be the Executives to apply the policy to all traffic coming from them. To view the results later, set Log matched traffic to log so that the ZyWALL/USG logs the traffic that matches this policy.
 
Leave all UTM Profiles disabled.
 

Verification

Test the Result 
 
1. Connect to the Internet from two computers, one using the executive_2 address (192.168.10.2) and one using an employee address (192.168.20.1), and access https://hangouts.google.com/ from both.
 
2. Go to the ZyWALL/USG Monitor > Log. You will see [notice] and [info] log messages such as those below. In this example result, connections from the executive_2 address (192.168.10.2) use Security Policy priority: 1. Connections from the employee address (192.168.20.1) use Security Policy priority: 2 and UTM Profile Rule_id=2.
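
The expected result above can be checked offline before changing the device. The following Python model is an added example, not Zyxel code or device output: it assumes policies are evaluated in priority order with the first match applied, and the policy names, the employee range and the executive_1/executive_3 addresses are constructed values. It also flags any exempt address that falls inside the employee range, since that host would skip the Office profile.

```python
import ipaddress

# Constructed sample objects. Only 192.168.10.2 (executive_2) and 192.168.20.1
# (an employee) come from the article; all other addresses are assumptions.
EXECUTIVES = {                      # address group of single static hosts
    "executive_1": "192.168.10.1",
    "executive_2": "192.168.10.2",
    "executive_3": "192.168.10.3",
}
EMPLOYEES = ("192.168.20.1", "192.168.20.254")   # address range (start, end)

def in_range(ip, rng):
    """True if ip lies inside the inclusive (start, end) address range."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(rng[0]) <= addr <= ipaddress.ip_address(rng[1])

def in_group(ip, group):
    """True if ip equals one of the host objects in the address group."""
    addr = ipaddress.ip_address(ip)
    return any(addr == ipaddress.ip_address(v) for v in group.values())

def build_policies(executives, employees):
    """The two policies from the article; names are hypothetical labels."""
    return [
        {"priority": 1, "name": "Executives_Allow", "utm": None,
         "match": lambda ip: in_group(ip, executives)},
        {"priority": 2, "name": "Employees_Office", "utm": "Office",
         "match": lambda ip: in_range(ip, employees)},
    ]

def evaluate(policies, src_ip):
    """First-match lookup: (priority, UTM profile) of the policy that applies."""
    for policy in sorted(policies, key=lambda p: p["priority"]):
        if policy["match"](src_ip):
            return policy["priority"], policy["utm"]
    return None, None   # no modelled policy matched; the device default applies

def unfiltered_employees(executives, employees):
    """Exempt objects whose address sits inside the employee range."""
    return sorted(n for n, ip in executives.items() if in_range(ip, employees))

if __name__ == "__main__":
    rules = build_policies(EXECUTIVES, EMPLOYEES)
    for src in ("192.168.10.2", "192.168.20.1"):
        print(src, evaluate(rules, src))
    print("overlap:", unfiltered_employees(EXECUTIVES, EMPLOYEES))
```
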
 
 
What Can Go Wrong? 
 
1. If you are unable to configure any UTM policies, or the policies are not working, there are two possible reasons:
 
a. You have not subscribed for the UTM service.
b. You have subscribed for the UTM service but the license is expired.
 
You can click the link from the CONFIGURATION > Licensing > Registration screen of your ZyXEL device’s Web Configurator or click the myZyXEL.com 2.0 icon from the portal page (https://portal.myzyxel.com/) to register or extend your UTM license.




Question Profile

ARTICLE ID:015523
TYPE:Application / Configuration Example
FIRMWARE:4.13 and above
MODEL:USG110,USG1100,USG1900
