Exceptions to URL Threat Filtering
My business uses a USG Flex firewall. The URL Threat Filtering feature is slowing map loading in AutoCAD to a crawl. As best I can tell, AutoCAD uses http (not https) to communicate with their Bing Maps servers to load online map data. URL Threat Filtering is not blocking any of the data from coming in, but given that we are loading map data in real time, it seems simply the inspection is causing roughly a 10x slowdown in map loading time. If I turn URL Threat Filtering off, the problem goes away. If I add an exception for the IP of the Bing Maps server a user is currently connected to, the problem also goes away. However, AutoCAD is using a rotating pool of Akamai servers to provide map data, so the IPs change from hour to hour and day to day. Therefore, adding exceptions for IPs is not a good solution. If I try to add an exception for the Akamai FQDN, it doesn't help at all. I've added exceptions already for all of the domains Autodesk recommends for communication with their servers. Is there a practical solution that anyone knows of for bypassing the URL Threat Filter for all of these AutoCAD http map connections?
0
Accepted Solution
-
Hello @udpllcnet
Welcome to the Zyxel community. You could add IP Exception profiles to define which host could bypass the URL Threat Filter's inspection. As in the example below, I configure a host (with IP address 192.168.66.88) that could bypass Anti-Malware, URL Threat Filter, and IPS inspections.
Add an address object.
Add an IP exception profile to define the host that could bypass Anti-Malware, URL Threat Filter, and IPS inspections.
You could define the whole LAN to bypass URL Threat Filter's inspection as well.
Add an address group object.
Choose which address object you would like to add as a group.
Add an IP exception profile to define the address group that could bypass the URL Threat Filter inspection.
Thanks.
1
All Replies
-
This is very helpful! So as far as I can tell, you are bypassing filtering for internal IPs (individual PCs or groups of PCs within the LAN). I can definitely see using this solution if there aren't any better options. Is there any way you know of to bypass URL Filtering only for the map data connections (and not for other http/https connections from the same PC) if the IPs of the servers providing the maps are unpredictable? Just as an idea, is there any way to bypass filtering based on some combination of the requesting service, application, and protocol? I suspect the answer is no since this would involve many layers of the TCP/IP stack, but it can't hurt to ask
0 -
Hello @udpllcnet
udpllcnet said: This is very helpful! So as far as I can tell, you are bypassing filtering for internal IPs (individual PCs or groups of PCs within the LAN). I can definitely see using this solution if there aren't any better options. Is there any way you know of to bypass URL Filtering only for the map data connections (and not for other http/https connections from the same PC) if the IPs of the servers providing the maps are unpredictable?
The IP Exception profile allows the host not to be inspected by the Anti-Malware, URL Threat Filter, and IPS services.
The security policy allows the host not to be inspected by the App Patrol, Web Content Filter, DNS Content Filter, and SSL Inspection services.
You could refer to the above answer.
udpllcnet said: Just as an idea, is there any way to bypass filtering based on some combination of the requesting service, application, and protocol? I suspect the answer is no since this would involve many layers of the TCP/IP stack, but it can't hurt to ask
Thanks.
0