Content Filter & Application Filter Best Practice?

FelixSchneider
edited October 12 in Nebula
The only way to do proper Content or Application Filtering without opening up the Network is to Block Private Networks and then do the Filtering.

Like this...


If I disable the SF_Deny_Private_Networks, Devices on the Guest Network are able to access the Home Network.

A much easier way would be possible if, instead of "Any", something like "Internet" or "WAN" could be used for the Destination.

For inexperienced Users this could lead to a fatal flaw in their network when following the official Guide.

https://support.zyxel.eu/hc/en-us/articles/5950712044690-DNS-Content-Filter-on-Nebula-Firewalls-ATP-USG-Flex-

Zyxel's own documentation leads to an open Network, or am I missing something?

Edit:
Just got an answer from @Zyxel_Stanley: the usage of a Deny rule with higher priority is the current way to do Content / Application Filtering.

Kind Regards
Felix Schneider

Accepted Solution

  • Zyxel_Stanley
    Answer ✓
    Hi @FelixSchneider
    In the current design, the "Any" object includes IP addresses of both the Intranet and the Internet.
    In your scenario, if you would like to add Content Filtering and AppPatrol rules in the "Guest zone" rules, then "any" will be required in the destination for filtering traffic to the Internet.
    That means you have to add a block rule with higher priority to block Guest zone to Intranet.

    e.g.
    (1) Action: Deny, Source: guest_subnet, Destination: Intranet_subnets
    (2) Action: Allow, Applications: App/CF rules, Source: guest_subnet, Destination: Any
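
The ordering point in the accepted answer, as an added example (not Zyxel's code or anything from the Nebula product): a small first-match policy evaluator run over the two rule sets, the official-guide version with only the "Any" content-filter rule, and the version with the higher-priority deny in front. The guest and home subnets, the external test address and the rule names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: str                         # source CIDR
    dst: list = field(default_factory=list)  # destination CIDRs; [] means "Any"
    inspect: bool = False            # True when App/Content Filter profiles are attached

# Constructed addressing (assumption): guest Wi-Fi and the home LAN.
GUEST = "192.168.50.0/24"
HOME = "192.168.1.0/24"
# "Private networks" as in the thread's SF_Deny_Private_Networks rule: RFC1918.
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def matches(rule, src_ip, dst_ip):
    """A rule matches when the source is in its CIDR and the destination is
    in one of its CIDRs, or the rule's destination is "Any" (empty list)."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if not rule.dst:                 # "Any" covers intranet AND internet addresses
        return True
    return any(ipaddress.ip_address(dst_ip) in ipaddress.ip_network(n) for n in rule.dst)

def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation top to bottom (higher priority first); falls
    through to an assumed implicit deny. Returns (action, inspected, rule name)."""
    for r in rules:
        if matches(r, src_ip, dst_ip):
            return r.action, r.inspect, r.name
    return "deny", False, "implicit-default-deny"

# Rule set as in the official guide: one allow-with-filtering rule to "Any".
GUIDE_ONLY = [Rule("CF_Guest_to_Any", "allow", GUEST, inspect=True)]
# Rule set from the accepted answer: deny private networks first, then filter.
WITH_DENY = [Rule("SF_Deny_Private_Networks", "deny", GUEST, PRIVATE), *GUIDE_ONLY]

def guest_can_reach_home(rules, guest_host="192.168.50.20", home_host="192.168.1.10"):
    return evaluate(rules, guest_host, home_host)[0] == "allow"

def guest_internet_is_filtered(rules, guest_host="192.168.50.20", ext="203.0.113.7"):
    action, inspected, _ = evaluate(rules, guest_host, ext)
    return action == "allow" and inspected

if __name__ == "__main__":
    for label, rs in (("guide only", GUIDE_ONLY), ("with deny", WITH_DENY)):
        print(label, "guest->home:", guest_can_reach_home(rs),
              "guest->internet filtered:", guest_internet_is_filtered(rs))
```

With the guide's rule set alone the guest host reaches the home LAN through the content-filter rule; with the deny rule placed first, intranet traffic is dropped while Internet traffic still hits the filtering rule.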

All Replies

  • FelixSchneider
    Thanks, @Zyxel_Stanley !
    Could you please update the Documentation regarding this?

    I accepted the Answer, but I have got a Question: are there any plans to implement an Internet or WAN identifier, making it possible to define Content Filters with one Firewall rule?
  • Rix
    Hi @FelixSchneider
    In the current design, the "Any" object includes IP addresses of both the Intranet and the Internet.
    In your scenario, if you would like to add Content Filtering and AppPatrol rules in the "Guest zone" rules, then "any" will be required in the destination for filtering traffic to the Internet.
    That means you have to add a block rule with higher priority to block Guest zone to Intranet.

    e.g.
    (1) Action: Deny, Source: guest_subnet, Destination: Intranet_subnets
    (2) Action: Allow, Applications: App/CF rules, Source: guest_subnet, Destination: Any
    I don't see these in the drop-down. Just peck them in and click add_new? It can't be that smart. Can't create an object or object_group because it is so smart... lol.
  • FelixSchneider
    edited November 12
    Unfortunately there is no Object based Firewall-Rule creation in Nebula Cloud Mode... :/
