Exceptions to URL Threat Filtering
Options
My business uses a USG Flex firewall. The URL Threat Filtering feature is slowing map loading in AutoCAD to a crawl. As best I can tell, AutoCAD uses http (not https) to communicate with their Bing Maps servers to load online map data. URL Threat Filtering is not blocking any of the data from coming in, but given that we are loading map data in real time, it seems simply the inspection is causing roughly a 10x slowdown in map loading time. If I turn URL Threat Filtering off, the problem goes away. If I add an exception for the IP of the Bing Maps server a user is currently connected to, the problem also goes away. However, AutoCAD is using a rotating pool of Akamai servers to provide map data, so the IPs change from hour to hour and day to day. Therefore, adding exceptions for IPs is not a good solution. If I try to add an exception for the Akamai FQDN, it doesn't help at all. I've added exceptions already for all of the domains Autodesk recommends for communication with their servers. Is there a practical solution that anyone knows of for bypassing the URL Threat Filter for all of these AutoCAD http map connections?
0
Accepted Solution
-
Hello @udpllcnet
Welcome to the Zyxel community. You could add IP Exception profiles to define which host could bypass the URL Threat Filter's inspection. As the below example, I configure a host(with IP address 192.168.66.88) that could bypass Anti-Malware, URL Threat Filter, and IPS inspections.
Add an address object.
Add an IP exception profile to define the host that could bypass Anti-Malware, URL Threat Filter, and IPS inspections.
You could define the whole lan to bypass URL Threat Filter's inspection as well.
Add an address group object.
Choose which address object you would like to add as a group.
Add an IP exception profile to define the address group that could bypass the URL Threat Filter
inspection.
Thanks
. 1
Zyxel Employee
All Replies
-
Hello @udpllcnet
Welcome to the Zyxel community. You could add IP Exception profiles to define which host could bypass the URL Threat Filter's inspection. As the below example, I configure a host(with IP address 192.168.66.88) that could bypass Anti-Malware, URL Threat Filter, and IPS inspections.
Add an address object.
Add an IP exception profile to define the host that could bypass Anti-Malware, URL Threat Filter, and IPS inspections.
You could define the whole lan to bypass URL Threat Filter's inspection as well.
Add an address group object.
Choose which address object you would like to add as a group.
Add an IP exception profile to define the address group that could bypass the URL Threat Filter
inspection.
Thanks . 1 -
This is very helpful! So as far as I can tell, you are bypassing filtering for internal IPs (individual PCs or groups of PCs within the LAN). I can definitely see using this solution if there aren't any better options. Is there any way you know of to bypass URL Filtering only for the map data connections (and not for other http/https connections from the same PC) if the IPs of the servers providing the maps are unpredictable? Just as an idea, is there any way to bypass filtering based on some combination of the requesting service, application, and protocol? I suspect the answer is no since this would involve many layers of the TCP/IP stack, but it can't hurt to ask
0 -
Hello @udpllcnet
Great! Thanks for your feedback.udpllcnet said:This is very helpful! So as far as I can tell, you are bypassing filtering for internal IPs (individual PCs or groups of PCs within the LAN). I can definitely see using this solution if there aren't any better options.
Currently, we don't support this feature. But you could configure IP Exception and security policy to allow the specific host to bypass security services' inspection.Is there any way you know of to bypass URL Filtering only for the map data connections (and not for other http/https connections from the same PC) if the IPs of the servers providing the maps are unpredictable?
The IP Exception profile allows the host won't be inspected by Anti-Malware, URL Threat Filter, and IPS services.
The security policy allows the host won't be inspected by App Patrol, Web Content Filter, DNS Content Filter, and SSL Inspection services.
You could refer to the above answer.Just as an idea, is there any way to bypass filtering based on some combination of the requesting service, application, and protocol? I suspect the answer is no since this would involve many layers of the TCP/IP stack, but it can't hurt to ask
Thanks.
0
Categories
- All Categories
- 398 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 52 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 332 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 880 Nebula FAQ
- 415 Security FAQ
- 221 Switch FAQ
- 195 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 63 Security Highlight
