DNS Filter - does it cascade to the next firewall rule?
We have a client that has a default filter policy in their FLEX 200 for their employees, but wanted a less strict filter for a handful of management employees. So we have a LAN → WAN rule (Position 1 - LAN1_Mgmt_To_WAN) with the Source set to a group of their specific computer IPs (static reservation) and the less strict filter, then the LAN → WAN rule (Position 2 - LAN1_UTM_To_WAN) for everyone else. But we're finding that they are still getting caught in the main DNS filter. Logs confirm they are blocked by the second rule (LAN1_UTM).
And I thought I answered my own question while I wrote this out - they're being blocked by the LAN to Zywall DNS filter NOT the LAN → WAN filter. But the weird thing is - the logs were clear the block was from the company wide LAN to WAN filter (Rule #2 LAN1_UTM_To_WAN). We added a LAN1_Mgmt_to_Zywall rule with their less restrictive DNS filter (ahead of the main LAN1→ZyWall rule with DNS filter). But didn't matter. They are still blocked by Rule #2.
I get with the firewall, if traffic isn't allowed by Rule X, it tries rule X+1 and so on. But with the filters, we thought if a site was blocked, then it didn't cascade down the firewall rules anymore - it just blocked. But in this case, it seems to be cascading. We confirmed that Rule #1 IS passing allowed traffic from the correct IPs - so the Source group is working. What are we missing?
All Replies
Did a test here with grc.com and the DNS Content Filter seems fine here.
PC 192.168.255.193 < any DNS allowed to Zywall
secure-policy 1
name IP192168255193
from LAN1
to ZyWALL
sourceip IP192168255193
action allow
PC 192.168.255.194 < DNS block Business to Zywall
secure-policy 2
name Business_block
from LAN1
to ZyWALL
dns-cf-profile Business log by-profile activate
action allow
0 -
So, you made a full bypass. Try this. Make rule one block, say, porn and residential IPs. Make rule two block porn, residential IPs, and online shopping. Now go to an online shopping site with a machine that should use the first rule/filter.
Here's another weird thing. One site we're messing with is www.jlindeberg.com. In the logs it flagged as Fashion/Beauty. But when we query it in the DNS Content Filter screen, it flags as Online Shopping.
Doesn't matter because NEITHER of those categories is blocked in the Mgmt bypass filter. They ARE blocked in the main site filter. Now I know sites can flag in multiple categories and the Domain test will usually only return one (really wish it returned all). But it's just odd they don't match up.
And again - LAN1_UTM is BELOW the special bypass rule LAN1_Mgmt_to_WAN. So how is it even getting hit? Source IP in the log matches up to the group in the Mgmt bypass rule. If I turn logging on in the bypass rule, I get tons of logs from the PCs in question - so it's being used.
Now the REALLY weird part? I go to amazon.com, rakuten.com, walmart.com - all load fine. So Online Shopping certainly isn't being blocked on these machines.
I even downloaded the config file and opened it up to make sure the filter didn't somehow have a phantom entry not showing up in the GUI. Nope - the rules all look fine.
We're stumped…
0 -
Ok, I now tested with grc.com (Business Content Filter category) and kloth.net (Technical_Business_Forums Content Filter category).
secure-policy 1
name IP192168255193
from LAN1
to ZyWALL
sourceip IP192168255193
action allow
dns-cf-profile Technical_Business_Forums log by-profile activate
!
secure-policy 2
name Business_block
from LAN1
to ZyWALL
dns-cf-profile Business log by-profile activate
action allow
192.168.255.193 can get to grc.com but not kloth.net, and 192.168.255.194 can get to kloth.net but not grc.com.
did you make a new profile for the Content Filter for each rule?
You want to make sure clients are not bypassing DNS to the Zywall (for example LAN to WAN for DNS). The Content Filter cannot passively block DNS when the clients use some other DNS such as 1.1.1.1; DNS must go to the Zywall gateway, and the clients must not use DNS over HTTPS.
0 -
Yes - there are two separate Content Filter profiles - one for each rule. There is no DNS bypass - this is a Microsoft AD environment. They all use the domain servers for DNS (forwarded to the FLEX) We try to include the canaries/GPO for disabling DNS over HTTPS, but if they were using DNS over HTTPS, you would expect them to not be blocked when they should. In our case, they're being blocked when they shouldn't AND they're being blocked by the wrong rule.
0 -
Still works with your test
secure-policy 1
name IP192168255193
from LAN1
to ZyWALL
sourceip IP192168255193
action allow
dns-cf-profile IP192168255193 log by-profile deactivate
!
secure-policy 2
name IP192168255194
from LAN1
to ZyWALL
dns-cf-profile IP192168255194 log by-profile deactivate
action allow
dns-content-filter profile IP192168255194
category business
category pornography
category residential-ip-addresses
!
dns-content-filter profile IP192168255193
category technical-business-forums
category pornography
category residential-ip-addresses
category online-shopping
I can get to www.jlindeberg.com on 192.168.255.194 but not on 192.168.255.193. After swapping online-shopping from IP192168255193 to IP192168255194, I can get to www.jlindeberg.com on 192.168.255.193 but not on 192.168.255.194.
Maybe you double NAT so that the FLEX200 sees one source IP?
0 -
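A small Python model of the first-match evaluation the replies above are testing. This is an added example, not part of the thread and not Zyxel code: it parses the CLI fragment from the reply above (re-embedded here as a constructed sample), assumes the address-object names map to the two host IPs shown, and treats a query that matches no explicit policy as dropped. It shows which policy a DNS query from each host hits and whether that policy's own profile blocks the queried category, including the online-shopping swap described above.

```python
"""Model of first-match secure-policy evaluation with per-rule DNS profiles.
Added example for the thread above; not Zyxel code."""
from dataclasses import dataclass
from typing import Optional

# Assumption for this example: address-object name -> host IP. The posted
# config references the objects but does not show their definitions.
ADDRESS_OBJECTS = {
    "IP192168255193": "192.168.255.193",
    "IP192168255194": "192.168.255.194",
}

# Constructed sample: the two LAN1 -> ZyWALL policies and two profiles
# from the reply above.
CONFIG = """\
secure-policy 1
name IP192168255193
from LAN1
to ZyWALL
sourceip IP192168255193
action allow
dns-cf-profile IP192168255193 log by-profile deactivate
!
secure-policy 2
name IP192168255194
from LAN1
to ZyWALL
dns-cf-profile IP192168255194 log by-profile deactivate
action allow
dns-content-filter profile IP192168255194
category business
category pornography
category residential-ip-addresses
!
dns-content-filter profile IP192168255193
category technical-business-forums
category pornography
category residential-ip-addresses
category online-shopping
"""


@dataclass
class Policy:
    number: int
    name: str = ""
    src_zone: str = "any"
    dst_zone: str = "any"
    source_obj: Optional[str] = None  # None means any source
    action: str = "allow"
    dns_profile: Optional[str] = None


@dataclass
class Verdict:
    policy: Optional[str]  # name of the first matching policy, None if none
    allowed: bool
    reason: str


def parse_config(text: str):
    """Parse the CLI fragment into an ordered policy list and profile -> category sets."""
    policies, profiles = [], {}
    cur_policy, cur_profile = None, None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] == "!":
            cur_policy = cur_profile = None
            continue
        key = parts[0]
        if key == "secure-policy":
            cur_policy = Policy(number=int(parts[1]))
            policies.append(cur_policy)
            cur_profile = None
        elif key == "dns-content-filter" and parts[1] == "profile":
            cur_profile = profiles.setdefault(parts[2], set())
            cur_policy = None
        elif cur_profile is not None and key == "category":
            cur_profile.add(parts[1])
        elif cur_policy is not None:
            if key == "name":
                cur_policy.name = parts[1]
            elif key == "from":
                cur_policy.src_zone = parts[1]
            elif key == "to":
                cur_policy.dst_zone = parts[1]
            elif key == "sourceip":
                cur_policy.source_obj = parts[1]
            elif key == "action":
                cur_policy.action = parts[1]
            elif key == "dns-cf-profile":
                cur_policy.dns_profile = parts[1]
    return policies, profiles


def evaluate(policies, profiles, src_ip, src_zone, dst_zone, categories):
    """First match wins: the first policy whose zones and source match decides,
    and a DNS query can only be blocked by that policy's own profile. Later
    policies are never consulted, so a block logged against a later policy
    means the earlier one did not match that traffic."""
    for p in policies:
        if p.src_zone not in ("any", src_zone) or p.dst_zone not in ("any", dst_zone):
            continue
        if p.source_obj is not None and ADDRESS_OBJECTS.get(p.source_obj) != src_ip:
            continue
        if p.action != "allow":
            return Verdict(p.name, False, f"denied by policy {p.number} ({p.name})")
        blocked = categories & profiles.get(p.dns_profile, set())
        if blocked:
            return Verdict(p.name, False,
                           f"blocked by profile {p.dns_profile} on policy {p.number}: {sorted(blocked)}")
        return Verdict(p.name, True, f"allowed by policy {p.number} ({p.name})")
    # Assumption: traffic matching no explicit policy is dropped.
    return Verdict(None, False, "no matching policy")


def move_category(profiles, category, from_profile, to_profile):
    """The swap from the reply: drop a category from one profile, add it to the other."""
    profiles[from_profile].discard(category)
    profiles[to_profile].add(category)


if __name__ == "__main__":
    pols, profs = parse_config(CONFIG)
    for ip in ADDRESS_OBJECTS.values():
        v = evaluate(pols, profs, ip, "LAN1", "ZyWALL", {"online-shopping"})
        print(ip, "www.jlindeberg.com (online-shopping):", v.reason)
```

Run it as-is and it reproduces the reply's first result (.193 blocked, .194 allowed); calling `move_category` before evaluating reproduces the swapped result. The useful diagnostic property is in `evaluate`: whichever policy is reported as the source of a block must be the first one that matched, so if the log names a later policy for a host that should have matched an earlier one, the earlier policy's match conditions (zone pair, source object, or the request actually being a different flow) are what to re-check.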
Hi @itxnc
Please confirm if the 'LAN to Any' and 'LAN to ZyWALL' policies have already been applied to the DNS Content Filter profile to ensure its proper functionality, as shown below:
Thanks.
0 -
I'll check for double NAT. Site has been in bridge mode forever, but Spectrum likes to randomly reset back to router mode.
I can confirm the DNS profiles were applied to both the WAN and Zywall rules.
The thing that's so weird is the logs show the block is happening from the 2nd rule, not the first, but when I turn logging on for the 1st rule, the client in question is clearly routing traffic through it.
UPDATE: Definitely not double NAT - router has a public IP. I just did a test from another non Win 11 machine to rule out something weird with Windows 11, which the reporting user has. Added the machine to the 'Mgmt' address group so Rule #1 applies. Site is blocked by Rule #2 according to the logs. Turned logging on for Rule #1 and immediately got traffic logs from the machine I just added. So it's the rule in use for this machine. This makes no sense. If Rule #1 is clearly active, why is Rule #2 being logged as the source of the block? It should never get that far. I even removed ALL filters from Rule #1 (LAN to WAN and LAN to Zywall) and it still happens - Rule #2 is logged as the reason for the block.
I meant to restart the router last night but forgot. Will try to do that tonight.
UPDATE2: On a whim, I went to a known porn site because that's blocked in both rules - and again the logging shows it blocked by Rule #2, NOT Rule #1. Not only for LAN to WAN but also the DNS query via LAN to Device. In other words the DNS query is logged as blocked by the SECOND LAN to Zywall rule when it should have been the first LAN to Zywall rule (the Mgmt one). It's so weird. Traffic that goes through will clearly log in Rule #1 but any blocked traffic logs in Rule #2. Also of note - the block page header says "Zyxel Security Cloud DNS FiLter Service Portal" Is this some weird fluke with the realtime cloud protection?
0 -
Reboot of the router didn't help. Still getting blocked by the 2nd rule, even though the first rule is active and logs normal traffic for the machines in question.
0 -
Hi @itxnc
Could you provide a remote Web-GUI to us for further checking? We will send a private message to you later. Thanks.