USG FLEX H Series [Firewall] - How to allow HTTPS Web GUI Access from WAN?

This article gives a short introduction to secure HTTPS access to the management Web GUI of your USG FLEX H Series security device over the WAN.

Disclaimer! This article offers a general overview of the series and may not apply uniformly to every model or software/firmware version. Before purchasing or using the device, please consult the model/version-specific documentation or reach out to technical support for accurate information.

Note:
Grant access only to the IP addresses listed at the end of the article if requested by technical support.

Allowing Remote Access over the Default Objects

  • The initial step is to add the HTTPS protocol to permit access from the WAN.

Navigate to the section in the left menu:

Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL > Edit

  • Select the HTTPS protocol from the list and use the appropriate button to move it to Allowed, as shown in the figure below.

  • It is very important not to forget to press the "Apply" button after making changes to the device settings.

You can then access your security device over its WAN interface. However, we strongly recommend that you change the port and restrict access to your device to certain trusted IP addresses only.

Best Practice for a Secure Access

  • Changing the HTTPS Port

Go to > System > Settings > Administration Settings
  • Change the HTTPS port, e.g. to 8443.
  • Afterward, click on "Apply" at the bottom of the page.

  • Creating a separate Object for the Remote Access

It is very important not to forget to press the "Apply" button after making changes to the device settings.

  • Creating a separate Rule for the Remote Access

  • Name: "Your Rule Name" (Advice: Use "Speaking Names")
  • From: "WAN"
  • To: "ZyWall"
  • Service: "Your HTTPS Object"
  • Action: "allow"
  • Click on "Apply"

 

Limiting the Access

To give the local network maximum protection, access to the web interface must be restricted. One way to accomplish this is to allow only certain trusted IP addresses.

Go to > Object > Address > Add
  • First, we need to create an object with a trusted IP.
  • If your trusted peer does not have a static public IP, you can use FQDN objects with a DDNS (same procedure, choose FQDN instead of Host).

Note: We will support the FQDN object in 2024 Q3.

  • Name: "Name of the Object" (Advice: Use "Speaking Names")
  • Address Type: "HOST"
  • IP Address: "Trusted IP"
  • Click on "Apply"

If you have several addresses, and in general to simplify administration, create an "Address Group". It lets you add multiple IPs/FQDNs without creating a new Security Policy for each one.

Go to > Object > Address > Address Group > Add
  • Name: "Your Group Name" (Advice: Use "Speaking Names")
  • Address Type: Choose "Address" (If You use FQDN -> "FQDN")
  • Member List: Choose the Object(s) You created previously
  • Click the "->" Arrow
  • Click "Apply"

  • Now we need to add our Group as a Source for the Security Policy we created earlier
Go to > Security Policy > Policy Control
  • Select the desired policy and click "Edit"

  • Source: Choose the IP Group/FQDN Group
  • Click on "Apply" at the Bottom of the Page
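The restriction configured above can be reviewed with a small audit script. This is an added example, not Zyxel code: the rule and group names, the dictionary fields, the leftover "any" rule and the 256-address threshold are assumptions made for illustration, and the group members are the support addresses listed at the end of this article.

```python
import ipaddress

# Constructed model of the objects the article creates. Field names are
# assumptions for this example, not the firewall's configuration format.
ADDRESS_GROUPS = {"Support_Remote_IPs": [
    "61.222.75.14", "61.220.247.157", "61.220.247.158",
    "61.220.247.160", "93.159.250.200"]}
POLICIES = [
    {"name": "WAN_Mgmt_Trusted", "from": "WAN", "to": "ZyWALL",
     "port": 8443, "source": "Support_Remote_IPs", "action": "allow"},
    {"name": "WAN_Mgmt_Leftover", "from": "WAN", "to": "ZyWALL",
     "port": 443, "source": "any", "action": "allow"},
]
MAX_ADDRESSES = 256  # assumed review threshold for an overly broad source


def is_wan_mgmt_allow(policy):
    return (policy["from"], policy["to"], policy["action"]) == ("WAN", "ZyWALL", "allow")


def source_networks(policy, groups):
    """Resolve a policy's source object to a list of ip_network values."""
    if policy["source"] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(a) for a in groups[policy["source"]]]


def audit(policies, groups):
    """Return (rule name, finding) pairs for WAN management rules to review."""
    findings = []
    for p in filter(is_wan_mgmt_allow, policies):
        for net in source_networks(p, groups):
            if net.num_addresses > MAX_ADDRESSES:
                findings.append((p["name"], f"source {net} is not restricted"))
        if p["port"] == 443:
            findings.append((p["name"], "HTTPS is on the default port 443"))
    return findings


def is_permitted(src_ip, port, policies, groups):
    """True if any WAN-to-ZyWALL allow rule admits src_ip on the given port."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net
               for p in filter(is_wan_mgmt_allow, policies) if p["port"] == port
               for net in source_networks(p, groups))


if __name__ == "__main__":
    print(audit(POLICIES, ADDRESS_GROUPS))
```

In this model the trusted rule passes the audit, while the leftover rule is reported twice: once for its unrestricted source and once for the default port.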


Other Types

You can also block a complete country or region using our GeoIP feature:
How to use the Geo-IP feature

Remote Access for Support Purposes

In case one of our agents asks for remote access, you can limit the access to our official public IPs:

(HQ)
61.222.75.14
61.220.247.157
61.220.247.158
61.220.247.160
(Support Campus DE)
93.159.250.200
