Content Filter & Application Filter Best Practice ?
FelixSchneider
Posts: 49 Freshman Member
The only way to do proper Content or Application Filtering without opening up the Network is to Block Private Networks and then do the Filtering.
Like this...
If I disable the SF_Deny_Private_Networks, Devices on the Guest Network are able to access the Home Network.
A way easier way would be possible if instead for "Any" something like "Internet" or "WAN" could be used for the Destination.
For inexperianced Users this could lead to a fatal flaw in their network when following the official Guide.
https://support.zyxel.eu/hc/en-us/articles/5950712044690-DNS-Content-Filter-on-Nebula-Firewalls-ATP-USG-Flex-
Zyxels own documentation leads to an open Network, or am I missing something ?
Edit:
Just got an Answer from @Zyxel_Stanley the usage of a Deny rule with higher priority is the current way to do Content / Application Filtering.
Kind Regards
Felix Schneider
Like this...
If I disable the SF_Deny_Private_Networks, Devices on the Guest Network are able to access the Home Network.
A way easier way would be possible if instead for "Any" something like "Internet" or "WAN" could be used for the Destination.
For inexperianced Users this could lead to a fatal flaw in their network when following the official Guide.
https://support.zyxel.eu/hc/en-us/articles/5950712044690-DNS-Content-Filter-on-Nebula-Firewalls-ATP-USG-Flex-
Zyxels own documentation leads to an open Network, or am I missing something ?
Edit:
Just got an Answer from @Zyxel_Stanley the usage of a Deny rule with higher priority is the current way to do Content / Application Filtering.
Kind Regards
Felix Schneider
0
Accepted Solution
-
Hi @FelixSchneider
In current design, "Any" object include IP address of Intranet and Internet.
As your scenario, if you would like to add Content Filtering and AppPatrol rules in "Guest zone" rules, then "any" will be required in destination for filtering traffic to Internet.
Then it means you have to add block rule with higher priority to block Guest zone to Intranet.
e.g.
(1) Action: Deny, Source: guest_subnet, Destination: Intranet_subnets
(2) Action: Allow, Applications: App/CF rules, Source: guest_subnet, Destination: Any
0
All Replies
-
Hi @FelixSchneider
In current design, "Any" object include IP address of Intranet and Internet.
As your scenario, if you would like to add Content Filtering and AppPatrol rules in "Guest zone" rules, then "any" will be required in destination for filtering traffic to Internet.
Then it means you have to add block rule with higher priority to block Guest zone to Intranet.
e.g.
(1) Action: Deny, Source: guest_subnet, Destination: Intranet_subnets
(2) Action: Allow, Applications: App/CF rules, Source: guest_subnet, Destination: Any
0 -
Thanks, @Zyxel_Stanley !
Could you please update the Documentation regarding this.
I accepted the Answer, but I have got a Question, are ther any plans to implement a Internet or Wan identifier making it possible to define Content Filters with one Firewall rule ?0 -
Zyxel_Stanley said:Hi @FelixSchneider
In current design, "Any" object include IP address of Intranet and Internet.
As your scenario, if you would like to add Content Filtering and AppPatrol rules in "Guest zone" rules, then "any" will be required in destination for filtering traffic to Internet.
Then it means you have to add block rule with higher priority to block Guest zone to Intranet.
e.g.
(1) Action: Deny, Source: guest_subnet, Destination: Intranet_subnets
(2) Action: Allow, Applications: App/CF rules, Source: guest_subnet, Destination: Any0 -
Unfortunately there is no Object based Firewall-Rule creation in Nebula Cloud Mode...0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 148 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight