Blocking access to web sites

Dovetail_MD · March 2019

Our USG 60 W blocks access to certain websites we use when we have set no limitations in the set up of the box.

The log seems to tell me nothing about what is going on.

Can somebody tell me what I should be looking for, how I can make an exception for 1 or 2 particular URLs?

Zyxel_Stanley · June 2019

Hi @Dovetail_MD

After uploaded firmware to device, all of the sessions will closed and reboot system.

You can try to Ctrl + F5 to flush your browser after system boots up.

Dovetail_MD · June 2019

now dealt with

Alfonso · March 2019

HI @Dovetail_MD

I suggest to watch the following video, it will show to you how to do it

https://www.youtube.com/watch?v=JOAY4fzoX_E

Best regards

warwickt · March 2019

Hi @Dovetail_MD this is pretty easy to do in all current USG models.

One assumes you would like to do all of the following:

block specific websites hosts by FQDN
block a generic (wildcard/mask) of websites | hosts by partial DN's
log some event that it happens so you can see the triggers

The above if very straighforward in the Web UI with V4.33 firmware and to a lesser extent with previous versions of firmware.

what you need:

administrator access ot the USG appliance as expected via the WEB UI.
be at firmware V4.33 to use DN wildcard mask to add to an Address Group

Suggested approach:

use an Address Group with all your host DN and FQDN in it
set up a Security Policy that DENY's and logs the event to and from your WAN(s) or LAN(s)

Before you start:

Consider pushing the USG60W logs to an external server (syslog or syslog-ng for example ). That way you can look (grep) these at your leisure.

Procedure:

This works for us: using Configuration / Object / Address GEO IP and Security Policy

We've found the addition of wilcards DN Addresses to Address Group in Firmware V4.33 (??)

for each restricted domain as a FQDN or wildcard DN make an Address Object entry
here's an example of one with a FQDN host name using the FQDN listbox item:
you can TEST the Name server look up using the TEST button .. (cute):
also do these for IPV6 if you access these .
Also create a WILDCARD address object using partial name & asterisk for all of a particular D/Name
Repeat steps 2 to 5 for all the FQDN hosts or DN's that you wish to block
Now CREATE an Address Group to use for blocking all of these in one go
configure the address your name and then add the Address Object from above
After "OK", it will needed to be added to the Configuration / Security Policy.
Create new Security Policy: In the following example this is at Security Policy:3 (Priority:3). In this example it simply restricted access FROM: LAN1 .. to can do ALL as well. .. experiment
Optionally: enable "Log denied Traffic" to log or Log alert to test and log to your logger
Confirm "OK" this and make sure its enabled.
Yes this with a curl or browser of choice...
(TIP: installations we use external loggers for each router to keep logs for two weeks then age them out.) Below ... Here's an access to one of these scum bogus fake sites from a web page, logs this stuff out.
Using a simple grep for something (e.g., anything from priority:3 or some other search ) yields a log...

<div>macmini-07-server:~ warwick$ tail -f &nbsp; /Library/Logs/msf-usg60-01.log | grep -i "priority:3"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55537" dst="198.134.112.242:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55538" dst="198.134.112.243:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55539" dst="198.134.112.244:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55540" dst="198.134.112.241:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div>

Hope that helps

Warwick

Hong Kong.

Dovetail_MD · March 2019

Hello there

Thank you for telling me where the log is

...........................

One assumes you would like to do all of the following:

block specific websites hosts by FQDN

block a generic (wildcard/mask) of websites | hosts by partial DN's

log some event that it happens so you can see the triggers

..............................

In fact, the problem I am having is the reverse of that - I want to get into a particular website and cannot because the USG 60 W blocking it and I cannot work out why

I have added the particular website to the relevant filter - I am using "office" - and then making sure that the particular LAN connection is using that particular filter.

However that still has not solved the problem

Best

Andy

Zyxel_Charlie · March 2019

@Dovetail_MD
When the issue occur, you can go to monitor>Log, and message may appear which feature and profile block you PC to access particular website. Base on this clue, you can modify the rule correctly.
Charlie

Dovetail_MD · March 2019

Good morning,

Thank you!

So what does this mean....(xxxx replaces real url)

xxxx.com : unrated, Rule_id=1 (HTTPS Domain Filter)

This is an https site and I certainly have the "Enable HTTPS Domain Filter for HTTPS traffic" box ticked

bw

Andy

Zyxel_Charlie · March 2019

@Dovetail_MD
The message display "unrated" which means this URL does not record in database yet due to limited information was collected.
Can you share the screenshot and what URL did you check?
Charlie

Dovetail_MD · April 2019

Okay, here is a screenshot - and the URL was https://cp.sobase.uk

Zyxel_Charlie · April 2019

@Dovetail_MD
From your screenshot,
since https://cp.sobase.uk is the unrate URL, and you configured the Action for Unrate Web page: Warn. Therefore, there is warn notice on the log message.

Image: https://us.v-cdn.net/6029482/uploads/editor/oi/u1s32zne0m5a.jpg

Regarding to the log message, it's warning message and client will not be blocked via this rule.
Could you private message configuration for check further?
Charlie

Dovetail_MD · April 2019

Good afternoon,

Okay will do, but….

Could you remind me how to download the configuration file?

Thank you

Zyxel_Charlie · April 2019

@Dovetail_MD
Here is the steps to download the configuration.
Go to Maintenance>File manager>Configuration file>Startup-config.conf>Download

Image: https://us.v-cdn.net/6029482/uploads/editor/cl/escxdme0rv8n.jpg

Charlie

Blocking access to web sites

Best Answers

All Replies

what you need:

Suggested approach:

Before you start:

Procedure:

Categories

Security Highlight

Security Help Center