Blocking access to web sites
Best Answers
-
Hi @Dovetail_MD
After uploaded firmware to device, all of the sessions will closed and reboot system.
You can try to Ctrl + F5 to flush your browser after system boots up.
5 -
now dealt with0
All Replies
-
HI @Dovetail_MD
I suggest to watch the following video, it will show to you how to do it
https://www.youtube.com/watch?v=JOAY4fzoX_E
Best regards0 -
Hi @Dovetail_MD this is pretty easy to do in all current USG models.
One assumes you would like to do all of the following:
- block specific websites hosts by FQDN
- block a generic (wildcard/mask) of websites | hosts by partial DN's
- log some event that it happens so you can see the triggers
The above if very straighforward in the Web UI with V4.33 firmware and to a lesser extent with previous versions of firmware.
what you need:
- administrator access ot the USG appliance as expected via the WEB UI.
- be at firmware V4.33 to use DN wildcard mask to add to an Address Group
Suggested approach:
- use an Address Group with all your host DN and FQDN in it
- set up a Security Policy that DENY's and logs the event to and from your WAN(s) or LAN(s)
Before you start:
Consider pushing the USG60W logs to an external server (syslog or syslog-ng for example ). That way you can look (grep) these at your leisure.
Procedure:
This works for us: using Configuration / Object / Address GEO IP and Security Policy
We've found the addition of wilcards DN Addresses to Address Group in Firmware V4.33 (??)
- for each restricted domain as a FQDN or wildcard DN make an Address Object entry
- here's an example of one with a FQDN host name using the FQDN listbox item:
- you can TEST the Name server look up using the TEST button .. (cute):
- also do these for IPV6 if you access these .
- Also create a WILDCARD address object using partial name & asterisk for all of a particular D/Name
- Repeat steps 2 to 5 for all the FQDN hosts or DN's that you wish to block
- Now CREATE an Address Group to use for blocking all of these in one go
- configure the address your name and then add the Address Object from above
- After "OK", it will needed to be added to the Configuration / Security Policy.
- Create new Security Policy: In the following example this is at Security Policy:3 (Priority:3). In this example it simply restricted access FROM: LAN1 .. to can do ALL as well. .. experiment
- Optionally: enable "Log denied Traffic" to log or Log alert to test and log to your logger
- Confirm "OK" this and make sure its enabled.
- Yes this with a curl or browser of choice...
- (TIP: installations we use external loggers for each router to keep logs for two weeks then age them out.) Below ... Here's an access to one of these scum bogus fake sites from a web page, logs this stuff out.
- Using a simple grep for something (e.g., anything from priority:3 or some other search ) yields a log...
<div>macmini-07-server:~ warwick$ tail -f /Library/Logs/msf-usg60-01.log | grep -i "priority:3"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55537" dst="198.134.112.242:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55538" dst="198.134.112.243:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55539" dst="198.134.112.244:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55540" dst="198.134.112.241:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div>
Hope that helps
Warwick
Hong Kong.
0 -
Hello there
Thank you for telling me where the log is...........................One assumes you would like to do all of the following:block specific websites hosts by FQDNblock a generic (wildcard/mask) of websites | hosts by partial DN'slog some event that it happens so you can see the triggers..............................
In fact, the problem I am having is the reverse of that - I want to get into a particular website and cannot because the USG 60 W blocking it and I cannot work out whyI have added the particular website to the relevant filter - I am using "office" - and then making sure that the particular LAN connection is using that particular filter.
However that still has not solved the problem
Best
Andy0 -
@Dovetail_MD
When the issue occur, you can go to monitor>Log, and message may appear which feature and profile block you PC to access particular website. Base on this clue, you can modify the rule correctly.
Charlie0 -
Good morning,Thank you!So what does this mean....(xxxx replaces real url)xxxx.com : unrated, Rule_id=1 (HTTPS Domain Filter)
This is an https site and I certainly have the "Enable HTTPS Domain Filter for HTTPS traffic" box ticked
bw
Andy
0 -
@Dovetail_MD
The message display "unrated" which means this URL does not record in database yet due to limited information was collected.
Can you share the screenshot and what URL did you check?
Charlie
0 -
Okay, here is a screenshot - and the URL was https://cp.sobase.uk
0 -
@Dovetail_MD
From your screenshot,
since https://cp.sobase.uk is the unrate URL, and you configured the Action for Unrate Web page: Warn. Therefore, there is warn notice on the log message.
Regarding to the log message, it's warning message and client will not be blocked via this rule.
Could you private message configuration for check further?
Charlie0 -
Good afternoon,Okay will do, but….Could you remind me how to download the configuration file?Thank you0
-
@Dovetail_MD
Here is the steps to download the configuration.
Go to Maintenance>File manager>Configuration file>Startup-config.conf>Download
Charlie0
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.5K Security
- 216 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 243 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight