Content Filter & Application Filter Best Practice?

FelixSchneider Posts: 49  Freshman Member
edited October 2022 in Nebula
The only way to do proper Content or Application Filtering without opening up the Network is to Block Private Networks and then do the Filtering.

Like this...


If I disable the SF_Deny_Private_Networks, Devices on the Guest Network are able to access the Home Network.

A way easier way would be possible if instead for "Any" something like "Internet" or "WAN" could be used for the Destination.

For inexperienced Users this could lead to a fatal flaw in their network when following the official Guide.

https://support.zyxel.eu/hc/en-us/articles/5950712044690-DNS-Content-Filter-on-Nebula-Firewalls-ATP-USG-Flex-

Zyxel's own documentation leads to an open Network, or am I missing something?

Edit:
Just got an Answer from @Zyxel_Stanley: the usage of a Deny rule with higher priority is the current way to do Content / Application Filtering.

Kind Regards
Felix Schneider

Accepted Solution

  • Zyxel_Stanley Posts: 1,379  Zyxel Employee
    Answer ✓
    Hi @FelixSchneider
    In the current design, the "Any" object includes the IP addresses of both the Intranet and the Internet.
    In your scenario, if you would like to add Content Filtering and AppPatrol rules in the "Guest zone" rules, then "Any" will be required as the destination for filtering traffic to the Internet.
    This means you have to add a block rule with higher priority to block the Guest zone to the Intranet.

    e.g.
    (1) Action: Deny, Source: guest_subnet, Destination: Intranet_subnets
    (2) Action: Allow, Applications: App/CF rules, Source: guest_subnet, Destination: Any
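To make the priority point concrete, here is an added example (my own code, not Zyxel's or Nebula's) that models the two rules above as a first-match policy and evaluates sample guest traffic with and without the Deny rule. The subnets, rule names and test addresses are constructed assumptions; the evaluator is a simplification of how the firewall picks the first matching rule.

```python
"""Added example (not Zyxel's code): a tiny first-match model of the rule set
Zyxel_Stanley describes, showing why the Deny rule must sit above the
Allow/Any rule. Subnets and addresses below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing; replace with your own zones.
GUEST_SUBNET = ip_network("192.168.50.0/24")
INTRANET_SUBNETS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]
ANY = [ip_network("0.0.0.0/0")]   # "Any" covers Intranet and Internet alike


@dataclass
class Rule:
    name: str
    action: str            # "deny" or "allow"
    src: list
    dst: list
    profiles: tuple = ()   # security profiles applied on allow, e.g. CF/AppPatrol


def _in(addr, nets):
    return any(addr in n for n in nets)


def evaluate(rules, src, dst):
    """Return (action, profiles) of the first rule matching src -> dst.
    Mirrors the firewall's priority order: the earlier rule wins."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if _in(s, r.src) and _in(d, r.dst):
            return r.action, r.profiles
    return "deny", ()   # implicit default deny when nothing matches


# (1) Deny guest -> intranet, (2) Allow guest -> Any with CF/AppPatrol profiles
DENY_PRIVATE = Rule("SF_Deny_Private_Networks", "deny", [GUEST_SUBNET], INTRANET_SUBNETS)
ALLOW_FILTERED = Rule("Guest_CF", "allow", [GUEST_SUBNET], ANY, ("AppPatrol", "ContentFilter"))
RECOMMENDED = [DENY_PRIVATE, ALLOW_FILTERED]   # order = priority
DENY_DISABLED = [ALLOW_FILTERED]               # the "SF_Deny_Private_Networks disabled" case

if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED), ("deny disabled", DENY_DISABLED)):
        for dst in ("192.168.1.10", "93.184.216.34"):   # intranet host, Internet host
            print(f"{label}: guest -> {dst}: {evaluate(rules, '192.168.50.20', dst)}")
```

With the Deny rule removed, the intranet host matches the Allow/Any rule and is reachable from the guest network, which is exactly the behaviour the original post observed.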

All Replies

  • FelixSchneider Posts: 49  Freshman Member
    Thanks, @Zyxel_Stanley !
    Could you please update the Documentation regarding this?

    I accepted the Answer, but I have got a Question: are there any plans to implement an Internet or WAN identifier, making it possible to define Content Filters with one Firewall rule?
  • Rix Posts: 21  Freshman Member
    Hi @FelixSchneider
    In current design, "Any" object include IP address of Intranet and Internet.
    As your scenario, if you would like to add Content Filtering and AppPatrol rules in "Guest zone" rules, then "any" will be required in destination for filtering traffic to Internet.
    Then it means you have to add block rule with higher priority to block Guest zone to Intranet.

    e.g.
    (1) Action: Deny, Source: guest_subnet, Destination: Intranet_subnets
    (2) Action: Allow, Applications: App/CF rules, Source: guest_subnet, Destination: Any
    I don't see these in the drop-down.  Just peck them in and click add_new?  It can't be that smart. Can't create an object or object_group because it is so smart...lol.
  • FelixSchneider Posts: 49  Freshman Member
    edited November 2022
    Unfortunately there is no Object based Firewall-Rule creation in Nebula Cloud Mode... :/
