USG FLEX 200: Application Patrol / Content Filtering Policy

thwartedEfforts
thwartedEfforts Posts: 10  Freshman Member
First Comment Third Anniversary
I have a FLEX 200 running V5.30(ABUI.0)

Creating the following Twitter app in Firewall🡒Configure🡒Security service


And the following outbound lan policy in Firewall🡒Configure🡒Security policy



My expectation would be that only traffic matching the Twitter app profile definition above would trigger it.

But this is not the case, with any/all traffic triggering the policy



What am I doing wrong? What have I missed? Thanks in advance!

P.S. Second time of creating this message; had a modal JSON error dialog appear after editing a much longer post, then the discovery the post had been deleted  :|

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,376  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    The steps a packet goes through a USG FLEX is illustrated in the diagram. If the traffic matches a UTM feature, then the gateway follows the action configured in the first matched UTM feature to block the traffic. In your example, the traffic needs to pass security policy rule first. Then the passed traffic will be scanned by App Patrol. 

  • thwartedEfforts
    thwartedEfforts Posts: 10  Freshman Member
    First Comment Third Anniversary
    edited June 2022
    Thanks for your help.

    I've removed the Firewall entry and my single App Patrol test definition remains as below:



    The Firewall🡒Configure🡒Security service page has Content filtering enabled and the App Patrol rule for Twitter visible:



    However, nothing is logged from the above settings, and Twitter is not being blocked despite the App Patrol profile action rejecting it; this behaviour is the reason I'd originally created the Firewall rule.

    I'm a little lost now!
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,376  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    You still need to apply App Patrol and Content Filter policy to security policy to make these UTM features work.

    The traffic that match the action(allow), protocol, source, destination, dst. port, user and schedule in the security policy will be allowed and passed through the device. That's why all traffic that pass the security policy are logged in the event logs. 
    - If the traffic is blocked by security policy rule, then it is blocked at the firewall and will not enter UTM engine for further check.
    - If the traffic is allowed by security policy rule, then the traffic enters the device and then enters UTM engine for App Patrol/Content Filter check if you apply App Patrol/Content Filter policies to this security policy rule. 


Security Highlight