Exceptions to URL Threat Filtering

My business uses a USG Flex firewall. The URL Threat Filtering feature is slowing map loading in AutoCAD to a crawl. As best I can tell, AutoCAD uses http (not https) to communicate with their Bing Maps servers to load online map data. URL Threat Filtering is not blocking any of the data from coming in, but given that we are loading map data in real time, it seems simply the inspection is causing roughly a 10x slowdown in map loading time. If I turn URL Threat Filtering off, the problem goes away. If I add an exception for the IP of the Bing Maps server a user is currently connected to, the problem also goes away. However, AutoCAD is using a rotating pool of Akamai servers to provide map data, so the IPs change from hour to hour and day to day. Therefore, adding exceptions for IPs is not a good solution. If I try to add an exception for the Akamai FQDN, it doesn't help at all. I've added exceptions already for all of the domains Autodesk recommends for communication with their servers. Is there a practical solution that anyone knows of for bypassing the URL Threat Filter for all of these AutoCAD http map connections?

Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,104  Zyxel Employee
    Answer ✓
    Hello @udpllcnet

    Welcome to the Zyxel community. You could add IP Exception profiles to define which host could bypass the URL Threat Filter's inspection. As in the example below, I configure a host (with IP address 192.168.66.88) that could bypass Anti-Malware, URL Threat Filter, and IPS inspections.

    Add an address object.

    Add an IP exception profile to define the host that could bypass Anti-Malware, URL Threat Filter, and IPS inspections.

    You could define the whole LAN to bypass URL Threat Filter's inspection as well.

    Add an address group object.

    Choose which address object you would like to add as a group.

    Add an IP exception profile to define the address group that could bypass the URL Threat Filter inspection.

    Thanks ;) .

All Replies

  • udpllcnet
    udpllcnet Posts: 2
    edited December 2022
    This is very helpful! So as far as I can tell, you are bypassing filtering for internal IPs (individual PCs or groups of PCs within the LAN). I can definitely see using this solution if there aren't any better options. Is there any way you know of to bypass URL Filtering only for the map data connections (and not for other http/https connections from the same PC) if the IPs of the servers providing the maps are unpredictable? Just as an idea, is there any way to bypass filtering based on some combination of the requesting service, application, and protocol? I suspect the answer is no since this would involve many layers of the TCP/IP stack, but it can't hurt to ask :)
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,104  Zyxel Employee
    Hello @udpllcnet

    udpllcnet said:
    This is very helpful! So as far as I can tell, you are bypassing filtering for internal IPs (individual PCs or groups of PCs within the LAN). I can definitely see using this solution if there aren't any better options.

    Great! Thanks for your feedback.

    udpllcnet said:
    Is there any way you know of to bypass URL Filtering only for the map data connections (and not for other http/https connections from the same PC) if the IPs of the servers providing the maps are unpredictable?

    Currently, we don't support this feature. But you could configure an IP Exception and a security policy to allow the specific host to bypass the security services' inspection.

    The IP Exception profile allows the host to not be inspected by the Anti-Malware, URL Threat Filter, and IPS services.

    The security policy allows the host to not be inspected by the App Patrol, Web Content Filter, DNS Content Filter, and SSL Inspection services.

    udpllcnet said:
    Just as an idea, is there any way to bypass filtering based on some combination of the requesting service, application, and protocol? I suspect the answer is no since this would involve many layers of the TCP/IP stack, but it can't hurt to ask :)

    You could refer to the above answer.

    Thanks.
