Content Filter & Application Filter Best Practice?

FelixSchneider
Posts: 28
Freshman Member
The only way to do proper Content or Application Filtering without opening up the Network is to Block Private Networks and then do the Filtering.
Like this...

If I disable the SF_Deny_Private_Networks, Devices on the Guest Network are able to access the Home Network.
A way easier way would be possible if instead for "Any" something like "Internet" or "WAN" could be used for the Destination.
For inexperienced Users this could lead to a fatal flaw in their network when following the official Guide.
https://support.zyxel.eu/hc/en-us/articles/5950712044690-DNS-Content-Filter-on-Nebula-Firewalls-ATP-USG-Flex-
Zyxel's own documentation leads to an open Network, or am I missing something?
Edit:
Just got an Answer from @Zyxel_Stanley: the usage of a Deny rule with higher priority is the current way to do Content / Application Filtering.
Kind Regards
Felix Schneider
0
Accepted Solution
Hi @FelixSchneider
In the current design, the "Any" object includes the IP addresses of both the Intranet and the Internet.
In your scenario, if you would like to add Content Filtering and AppPatrol rules to the "Guest zone" rules, then "Any" will be required as the destination for filtering traffic to the Internet.
That means you have to add a block rule with higher priority to block the Guest zone to the Intranet.
e.g.
(1) Action: Deny, Source: guest_subnet, Destination: Intranet_subnets
(2) Action: Allow, Applications: App/CF rules, Source: guest_subnet, Destination: Any
0
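The accepted answer relies on first-match ordering: an Allow rule with Destination "Any" also matches the home LAN, so a Deny rule to the private subnets has to sit above it. The following is an added example, not code from the thread or from Zyxel: a small first-match policy evaluator plus an audit check that flags an allow-to-Any rule that no higher-priority deny shields from the private subnets. The subnets, addresses and rule names are constructed for the example; only the rule ordering is taken from the answer above.

```python
"""Added example (not Zyxel's code): first-match policy evaluation with an
'Any' destination object, and an audit for the exposure the thread describes.
All subnets, addresses and rule names below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: tuple = ()        # ip_network objects; an empty tuple models the "Any" object
    dst: tuple = ()        # ip_network objects; an empty tuple models the "Any" object
    profiles: tuple = ()   # content-filter / App Patrol profiles applied when allowed


def net(s):
    return ipaddress.ip_network(s)


# Constructed sample addressing (assumed for this example).
GUEST_SUBNET = net("192.168.50.0/24")
INTRANET_SUBNETS = (net("192.168.10.0/24"), net("10.0.0.0/8"))


def _in(nets, ip):
    """'Any' (empty tuple) matches every address, intranet and Internet alike."""
    return not nets or any(ip in n for n in nets)


def evaluate(policy, src_ip, dst_ip):
    """Walk the policy top-down; the first matching rule decides.
    Returns (rule name, action, profiles); falls through to an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if _in(rule.src, src) and _in(rule.dst, dst):
            return rule.name, rule.action, rule.profiles
    return "implicit-default", "deny", ()


def _covers(nets, target):
    """True if 'nets' is Any or one of its networks contains 'target'."""
    return not nets or any(target.subnet_of(n) for n in nets)


def _src_shielded(deny, allow):
    """A deny shields an allow only if it catches every source the allow admits."""
    if not allow.src:           # allow from Any: only a deny from Any is wide enough
        return not deny.src
    return all(_covers(deny.src, s) for s in allow.src)


def audit(policy, private_subnets=INTRANET_SUBNETS):
    """Flag allow rules whose Destination is Any and which can reach a private
    subnet that no higher-priority deny rule blocks for the same sources."""
    findings = []
    for i, rule in enumerate(policy):
        if rule.action != "allow" or rule.dst:
            continue
        for subnet in private_subnets:
            shielded = any(
                r.action == "deny" and _src_shielded(r, rule) and _covers(r.dst, subnet)
                for r in policy[:i]
            )
            if not shielded:
                findings.append(
                    f"{rule.name}: Destination Any reaches {subnet} with no higher-priority deny")
    return findings


# Rule (1) and (2) from the accepted answer, expressed with the constructed objects.
DENY_PRIVATE = Rule("SF_Deny_Private_Networks", "deny", (GUEST_SUBNET,), INTRANET_SUBNETS)
ALLOW_FILTERED = Rule("Guest_Internet_Filtered", "allow", (GUEST_SUBNET,), (),
                      ("DNS-Content-Filter", "AppPatrol"))

RECOMMENDED = (DENY_PRIVATE, ALLOW_FILTERED)    # deny above allow, as advised
DENY_DISABLED = (ALLOW_FILTERED,)               # the allow-to-Any rule on its own
WRONG_ORDER = (ALLOW_FILTERED, DENY_PRIVATE)    # deny present but with lower priority


def guest_to_home(policy):
    return evaluate(policy, "192.168.50.20", "192.168.10.5")


def guest_to_internet(policy):
    return evaluate(policy, "192.168.50.20", "203.0.113.10")   # TEST-NET-3 stand-in


if __name__ == "__main__":
    for label, policy in (("recommended", RECOMMENDED), ("deny disabled", DENY_DISABLED),
                          ("wrong order", WRONG_ORDER)):
        print(label, guest_to_home(policy), guest_to_internet(policy), audit(policy))
```

The audit is the check worth keeping: both "deny disabled" and "wrong order" produce findings, because priority (position) matters as much as the rule's existence, which is exactly the point of the answer above.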
All Replies
Thanks, @Zyxel_Stanley!
Could you please update the Documentation regarding this?
I accepted the Answer, but I have got a Question: are there any plans to implement an Internet or WAN identifier making it possible to define Content Filters with one Firewall rule?
0
Zyxel_Stanley said:
Hi @FelixSchneider
In the current design, the "Any" object includes the IP addresses of both the Intranet and the Internet.
In your scenario, if you would like to add Content Filtering and AppPatrol rules to the "Guest zone" rules, then "Any" will be required as the destination for filtering traffic to the Internet.
That means you have to add a block rule with higher priority to block the Guest zone to the Intranet.
e.g.
(1) Action: Deny, Source: guest_subnet, Destination: Intranet_subnets
(2) Action: Allow, Applications: App/CF rules, Source: guest_subnet, Destination: Any
0
Unfortunately there is no Object-based Firewall-Rule creation in Nebula Cloud Mode...
0