Content Filter & Application Filter Best Practice ?
FelixSchneider
The only way to do proper Content or Application Filtering without opening up the Network is to Block Private Networks and then do the Filtering.
Like this...

If I disable the SF_Deny_Private_Networks, Devices on the Guest Network are able to access the Home Network.
A way easier way would be possible if, instead of "Any", something like "Internet" or "WAN" could be used for the Destination.
For inexperienced Users this could lead to a fatal flaw in their network when following the official Guide.
https://support.zyxel.eu/hc/en-us/articles/5950712044690-DNS-Content-Filter-on-Nebula-Firewalls-ATP-USG-Flex-
Zyxel's own documentation leads to an open Network, or am I missing something?
Edit:
Just got an Answer from @Zyxel_Stanley: the usage of a Deny rule with higher priority is the current way to do Content / Application Filtering.
Kind Regards
Felix Schneider
0
Accepted Solution
-
Hi @FelixSchneider
In the current design, the "Any" object includes the IP addresses of both Intranet and Internet.
In your scenario, if you would like to add Content Filtering and AppPatrol rules in "Guest zone" rules, then "any" will be required in the destination for filtering traffic to the Internet.
That means you have to add a block rule with higher priority to block Guest zone to Intranet.
e.g.
(1) Action: Deny, Source: guest_subnet, Destination: Intranet_subnets
(2) Action: Allow, Applications: App/CF rules, Source: guest_subnet, Destination: Any
0
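The rule ordering from the accepted answer, as an added example that is not part of the original thread and not Zyxel's own code: a small Python model of top-down rule evaluation, plus an audit that flags an allow rule to "Any" with no higher-priority deny covering the private ranges. The guest subnet 192.168.50.0/24, the RFC 1918 list standing in for Intranet_subnets, and first-match semantics are assumptions.

```python
import ipaddress

# Assumption: RFC 1918 ranges stand in for the "Intranet_subnets" destination.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
GUEST = [ipaddress.ip_network("192.168.50.0/24")]  # constructed guest subnet

def rule(action, src, dst):
    # The App/CF profile on the allow rule is left out: it inspects traffic
    # but does not restrict which destinations the rule matches.
    return {"action": action, "src": src, "dst": dst}

def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins (index 0 = highest priority); else deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if any(s in n for n in r["src"]) and any(d in n for n in r["dst"]):
            return r["action"]
    return "deny"

def covered(net, blockers):
    return any(net.subnet_of(b) for b in blockers)

def audit(rules):
    """Indexes of allow rules whose destination swallows a private range
    that no higher-priority deny blocks for the same sources."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        denied = [d for prev in rules[:i] if prev["action"] == "deny"
                  and all(covered(s, prev["src"]) for s in r["src"])
                  for d in prev["dst"]]
        for p in PRIVATE:
            if covered(p, r["dst"]) and not covered(p, denied):
                findings.append(i)
                break
    return findings

# Constructed rule sets: a single allow to "Any", then the accepted answer's pair.
ALLOW_ONLY = [rule("allow", GUEST, ANY)]
WITH_DENY = [rule("deny", GUEST, PRIVATE), rule("allow", GUEST, ANY)]

if __name__ == "__main__":
    for name, rs in (("allow only", ALLOW_ONLY), ("deny first", WITH_DENY)):
        print(name, evaluate(rs, "192.168.50.10", "192.168.1.20"), audit(rs))
```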
-
Thanks, @Zyxel_Stanley !
Could you please update the Documentation regarding this.
I accepted the Answer, but I have got a Question: are there any plans to implement an Internet or WAN identifier, making it possible to define Content Filters with one Firewall rule?
0 -
I don't see these in the drop-down. Just peck them in and click add_new? It can't be that smart. Can't create an object or object_group because it is so smart...lol.
Zyxel_Stanley said:
Hi @FelixSchneider
In the current design, the "Any" object includes the IP addresses of both Intranet and Internet.
In your scenario, if you would like to add Content Filtering and AppPatrol rules in "Guest zone" rules, then "any" will be required in the destination for filtering traffic to the Internet.
That means you have to add a block rule with higher priority to block Guest zone to Intranet.
e.g.
(1) Action: Deny, Source: guest_subnet, Destination: Intranet_subnets
(2) Action: Allow, Applications: App/CF rules, Source: guest_subnet, Destination: Any
0 -
Unfortunately there is no Object based Firewall-Rule creation in Nebula Cloud Mode...