Improve policy control for UTM Profile application patrol.

PeterUK Posts: 2,651  Guru Member
edited April 2021 in Security

Just activated the IDP/AppPatrol Signature Service on my USG40 and found a problem.

So basically, when you check a UTM Profile like application patrol, the policy control needs to ignore the settings above (source, destination, service and action), and here's why.

Say you have a network set up for DMZ to WAN with the following rules in policy control:

from DMZ to WAN HTTP allow

from DMZ to WAN HTTPS allow

from DMZ to WAN DNS allow

You then want to block Facebook by a UTM Profile application patrol that you make, and you add a top policy control rule for that application patrol.

Well, it blocks Facebook, yes, but it allows anything from DMZ to WAN at the same time!


Comments

  • Zyxel_Stanley Posts: 1,361  Zyxel Employee
    In the current design, the UTM services scan packet content when traffic is “allowed” by a policy control rule.
    If you would like to allow/block a known website, you can use an “FQDN” object in your rule.
    It can prevent unexpected traffic from being allowed by the rule.

  • PeterUK Posts: 2,651  Guru Member

    OK, but what if you want to block something like WhatsApp, where you can't block by FQDN? What then?

    In order to block WhatsApp by UTM services, you have to allow any ports.

    Surely there is a way for the UTM services to allow the traffic for checking for a match, then block and go on to the next policy control rule.

  • Zyxel_Stanley Posts: 1,361  Zyxel Employee
    For your scenario, you should first add a service group which includes the service ports that you allow,
    and attach the AppPatrol rule for the applications you would like to block in the same rule.
    This rule will only allow the specific service ports, and will also block the applications you configured.

  • PeterUK Posts: 2,651  Guru Member

    Yes, that would work, but what if you want to allow WhatsApp by UTM services and then only HTTP, HTTPS or DNS? You would have to allow all if you don't know the ports used by WhatsApp.


  • Zyxel_Stanley Posts: 1,361  Zyxel Employee
    edited June 2020

    Hi @PeterUK

    In the current design, the policy control function can only drop specific applications and allow the others in the rule.

    It is unable to: allow a specific application's service but drop the others.

    I would like to add this topic as an idea.
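To make the evaluation order discussed in this thread concrete, here is an added toy model (example code written for this page, not Zyxel firmware or a USG40 configuration). It assumes, based on Zyxel_Stanley's replies, that policy control rules are evaluated top-down with first match winning, and that the AppPatrol profile attached to a rule can only drop its listed applications from traffic that rule has already allowed. The zone names, rule names, service labels, app labels and the `audit` helper are constructed for the example. It reproduces PeterUK's original layout (AppPatrol rule on top with service = any, which admits every port), the service-group fix, and the allow-only case the model cannot express.

```python
"""Toy model of policy control + AppPatrol evaluation as described in the thread.

Assumptions (not verified against Zyxel documentation):
  * rules are evaluated top-down, first match wins, implicit deny at the end;
  * the AppPatrol profile on a rule inspects only traffic that rule allowed;
  * a profile can only DROP listed applications; there is no allow-only mode.
"""
from dataclasses import dataclass, field

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str   # L4 service the connection uses, e.g. "HTTPS"
    app: str       # what the IDP/AppPatrol signatures would classify it as


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    services: frozenset                      # frozenset({ANY}) or a service group
    action: str                              # "allow" or "deny"
    block_apps: frozenset = field(default_factory=frozenset)  # attached AppPatrol profile


def _matches(rule: Rule, flow: Flow) -> bool:
    """Source, destination and service checks: the part evaluated before any UTM scan."""
    return (rule.src in (ANY, flow.src_zone)
            and rule.dst in (ANY, flow.dst_zone)
            and (ANY in rule.services or flow.service in rule.services))


def evaluate(rules, flow: Flow):
    """Return (verdict, reason) for a flow under top-down, first-match evaluation."""
    for rule in rules:
        if not _matches(rule, flow):
            continue
        if rule.action != "allow":
            return ("deny", rule.name)
        # AppPatrol runs only on traffic this rule allowed, and can only drop listed apps.
        if flow.app in rule.block_apps:
            return ("deny", rule.name + "/AppPatrol")
        return ("allow", rule.name)
    return ("deny", "implicit-default")


def audit(rules):
    """Flag allow rules whose only restriction is an AppPatrol profile.

    Such a rule admits every port for every app not on the block list, which is
    exactly the trap in the original post.
    """
    return [r.name for r in rules
            if r.action == "allow" and ANY in r.services and r.block_apps]


def broken_rules():
    """PeterUK's original layout: AppPatrol rule on top, service = any."""
    return [
        Rule("block-facebook", "DMZ", "WAN", frozenset({ANY}), "allow", frozenset({"Facebook"})),
        Rule("http", "DMZ", "WAN", frozenset({"HTTP"}), "allow"),
        Rule("https", "DMZ", "WAN", frozenset({"HTTPS"}), "allow"),
        Rule("dns", "DMZ", "WAN", frozenset({"DNS"}), "allow"),
    ]


def fixed_rules():
    """Zyxel_Stanley's fix: one rule with a service group plus the AppPatrol profile."""
    return [
        Rule("web-out", "DMZ", "WAN", frozenset({"HTTP", "HTTPS", "DNS"}), "allow",
             frozenset({"Facebook", "WhatsApp"})),
    ]


# Constructed sample flows (not captured traffic).
FACEBOOK = Flow("DMZ", "WAN", "HTTPS", "Facebook")
SSH_OUT = Flow("DMZ", "WAN", "SSH", "SSH")
PLAIN_WEB = Flow("DMZ", "WAN", "HTTPS", "Unknown-web")
WHATSAPP_ODD_PORT = Flow("DMZ", "WAN", "XMPP", "WhatsApp")  # WhatsApp on a non-web port

if __name__ == "__main__":
    for label, rules in (("broken", broken_rules()), ("fixed", fixed_rules())):
        print(label, "audit:", audit(rules))
        for flow in (FACEBOOK, SSH_OUT, PLAIN_WEB, WHATSAPP_ODD_PORT):
            print("  ", flow.service, flow.app, "->", evaluate(rules, flow))
```

With the broken layout, SSH from DMZ to WAN is allowed by the top rule because the only thing that rule checks beyond source and destination is the AppPatrol block list; with the service-group rule, SSH and WhatsApp on a non-web port fall through to the implicit deny, while Facebook over HTTPS is still dropped by the profile. The model has no way to express "allow WhatsApp on whatever port it uses and nothing else", which is the limitation Zyxel_Stanley describes.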

  • PeterUK Posts: 2,651  Guru Member
    edited June 2020
    OK, I guess it's tricky: you would have to start allowing the traffic to match for applications, and if there's no match, check the other policy control rules to then drop it.
