This article explains how to configure the content filter, and how to block traffic, for only specific users, phones, PCs or servers in your network. It covers three topics: (1) how the content filter works, (2) how to configure a content filter profile and apply it to your LAN, and (3) how to configure the content filter for only specific users.
Table of Contents
1) How Does DNS Content Filter Work?
2) Configure DNS Content Filter
2.1 Configure the Content Filter Profile
2.2 Add Content Filter Profile to the firewall rules
3) Configure Web Content Filter
3.1 Configure the Content Filter Profile
3.2 Add Content Filter Profile to the firewall rules
4) Verification
5) Troubleshooting Content Filter
6) Configure Content Filter for only specific users
Websites using TLS 1.3 are not categorized correctly by URL content filtering without SSL inspection.
A solution is therefore needed that checks the category early, based on the DNS query instead. The DNS Content Filter intercepts DNS requests from clients, checks the category of the requested domain name and takes the corresponding action, which reduces the risk of phishing attacks and of attacks that hide their source IPs behind hijacked domain names.
1) How Does DNS Content Filter Work?
Compared with the shortcomings of the older protocol versions, TLS 1.3 is a big step forward: it avoids the defects of the previous version and also reduces the TLS processing time.
The DNS Content Filter identifies the web content by catching the domain name in the DNS query message.
It can be configured to restrict access to certain categories of Internet content and to block most malicious sites.
Web Content Filter
> Check category by Server Name Indication in HTTPS Client Hello
DNS Content Filter
> Check server name category by DNS query
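The two name fields the filters inspect, extracted from constructed packets. This is an added example, not Zyxel code: dns_qname reads the question name the DNS Content Filter categorizes, client_hello_sni reads the server_name the Web Content Filter categorizes, and build_client_hello only constructs a minimal test record.

```python
import struct

# Constructed DNS A query for store.samsung.com (id 0x1234, RD set):
# 12-byte header, QNAME as length-prefixed labels, then QTYPE=A, QCLASS=IN.
SAMPLE_DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                    b"\x05store\x07samsung\x03com\x00" b"\x00\x01\x00\x01")


def dns_qname(query: bytes) -> str:
    """Name the DNS Content Filter categorizes: the first question name."""
    pos, labels = 12, []                 # skip the fixed header
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        labels.append(query[pos:pos + length].decode("ascii"))
        pos += length


def client_hello_sni(record: bytes):
    """Name the Web Content Filter categorizes: server_name in the ClientHello
    (returns None when the extension is absent)."""
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]               # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]               # compression methods
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0:                # server_name: list len(2), type(1), len(2), name
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def build_client_hello(sni: str, with_sni: bool = True) -> bytes:
    """Constructed minimal TLS ClientHello record; SNI is the only extension."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext if with_sni else b""
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"           # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```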
The guide for setting up Web Content Filter can be found here:
2) Configure DNS Content Filter
Navigate to
Configuration -> Security Service -> Content Filter -> DNS Content Filter
2.1 Configure the Content Filter Profile
In the "Profile Management" section you can define new DNS Content Filter Profiles.
Based on your preferences, you can choose from the pre-defined categories.
2.2 Add Content Filter Profile to the firewall rules
After selecting your categories, you need to assign your profiles to a security policy. Unlike the web content filter, you need to assign the DNS Content Filter Profiles to the inbound and outbound security policies.
3) Configure Web Content Filter
Navigate to:
Configuration -> Security Service -> Content Filter -> Web Content Filter
1) Enable the content filter through the "Enable HTTPS Domain Filter for HTTPS traffic" tick-box below:
2) You can also let the users see a warning page by enabling "Enable Content Filter HTTPS Domain Filter Block/Warn Page" below.
3) If you have old domains that still use an old SSL certificate (SSL version 3 or lower), you may un-tick the "Drop connection when HTTPS connection with SSL V3 or previous version" box below.
3.1 Configure the Content Filter Profile
1) First enable the content filter category service, as below.
2) You can choose to warn on unrated web pages (as seen in the screenshot below), let them pass, or block them.
In the "Profile Management" section you can define new Web Content Filter Profiles.
Based on your preferences, you can choose from the pre-defined categories.
3.2 Add Content Filter Profile to the firewall rules
After selecting your categories, you need to assign your profiles to your LAN-to-Any security policy:
4) Verification
After the filter is set up properly, a website blocked by the Web / DNS content filter displays like below:
Information on the blocked page is also listed in the log of the firewall.
The test can be performed manually with the CLI command:
nslookup
> unblocked result:
> blocked result:
5) Troubleshooting Content Filter
If you encounter issues with the Content Filter not functioning properly, there are a few troubleshooting steps you can follow to resolve the problem. This section guides you through the necessary checks to ensure your Zyxel firewall's Content Filter is working as intended.
Troubleshooting Steps:
- Physically or Wirelessly Reconnect to the Network: Sometimes, network connectivity issues can cause the Content Filter to malfunction. Begin by unplugging yourself from the network and then reconnecting either physically or via Wi-Fi. This step helps to refresh the network connection and can resolve any temporary glitches affecting the Content Filter.
- Verify DNS Settings: Ensure that the Zyxel firewall (Zywall) is set as the first DNS server in the LAN DHCP settings. Double-check your DNS settings to confirm that the Zyxel firewall's IP address is correctly configured as the primary DNS server for the network clients connecting to it. Correcting any misconfigurations can help restore the Content Filter functionality (this refers to the DNS content filter, which is not present in the Zyxel Zywall USG110).
- Deactivate and Reactivate IP Reputation Filter, URL Threat Filter and DNS Threat Filter: If the Content Filter is still not working, it might be necessary to deactivate and reactivate the associated security services. In your Zyxel firewall's configuration interface, locate the IP Reputation Filter, URL Threat Filter, and DNS Threat Filter settings. Disable these filters and then re-enable them. This action can resolve any temporary inconsistencies in their functioning and restore the Content Filter's normal operation.
- Block UDP 443 (QUIC) in your Firewall Rules: In some cases, the Content Filter may encounter difficulties due to the presence of certain network protocols. To troubleshoot this, try blocking UDP 443 (QUIC) traffic in the firewall rules. By preventing this protocol from traversing the firewall, you can potentially address issues related to the Content Filter's operation. Create a new firewall rule to block UDP traffic on port 443, specifying "any" as the source and destination. Apply the rule and test the Content Filter's functionality.
6) Configure Content Filter for only specific users
This section will show you how to block the traffic of certain users in your network.
1) Will the content filter be able to block all websites except chosen ones based on MAC-addresses?
- Answer: no.
However, you can work around the issue with the steps below:
Step A
Content filtering cannot be applied by MAC address because it is IP-based. What you have to do instead is bind fixed IP addresses to the MAC addresses of the Samsung devices: go to Configuration -> Network -> Interface -> choose the interface you want, scroll down to the DHCP server section and bind the IP addresses there:
Do not enable IP/MAC binding, because it would apply to the whole network.
After you have done that, you can create an Address Group of all the chosen IP addresses (under Configuration -> Address/Group -> create new).
Step B
The next step is to create a content filter profile under Configuration -> Security Service -> Content Filter -> Add profile:
Then go to Custom Service and tick "Allow web traffic for trusted web sites ONLY":
This will, as the name says, only allow the websites you put into the Trusted Web Sites section of the content filter:
Putting a star in front of .samsung.com (*.samsung.com) will allow all the different subdomains of samsung.com, for example app.samsung.com, store.samsung.com, etc.
Step C
Create a Security Policy as follows:
LAN1 to WAN
Source: the Address Group you created for the Samsung devices, so this is only affecting them.
Content Filter should be the profile you created.
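A model of Steps A to C, added here as an example and not taken from the article or from Zyxel: it shows why the filter only reaches a device through the IP address its DHCP binding gives it, and how the "*.samsung.com" entry in the trusted list is matched. The MAC addresses, IP addresses, the pool address an unbound device gets, and the assumption that "*.samsung.com" also covers the bare domain are all constructed.

```python
from ipaddress import ip_address

# Step A: constructed DHCP static bindings (MAC -> IP) for the Samsung
# devices, and the Address Group built from those IPs.
DHCP_BINDINGS = {"aa:bb:cc:00:00:01": "192.168.1.50",
                 "aa:bb:cc:00:00:02": "192.168.1.51"}
SAMSUNG_GROUP = {ip_address(ip) for ip in DHCP_BINDINGS.values()}
DHCP_POOL_LEASE = "192.168.1.200"     # constructed: what an unbound device gets

# Step B: profile with "Allow web traffic for trusted web sites ONLY".
TRUSTED_SITES = ["*.samsung.com", "samsungcloud.com"]

# Step C: LAN1 -> WAN policy, source = the group, profile attached.
POLICY = {"from": "LAN1", "to": "WAN", "source": SAMSUNG_GROUP,
          "profile": TRUSTED_SITES}


def host_is_trusted(host: str, trusted: list) -> bool:
    """Match the requested name (DNS QNAME or TLS SNI) against the list.
    '*.x' covers every subdomain of x; this example also lets it cover the
    bare domain x (assumption, the article does not say)."""
    host = host.lower().rstrip(".")
    for entry in trusted:
        entry = entry.lower()
        if entry.startswith("*."):
            base = entry[2:]
            # keep the dot boundary: 'evil-samsung.com' must not match
            if host == base or host.endswith("." + base):
                return True
        elif host == entry:
            return True
    return False


def decide(src_ip: str, host: str, zone_from: str = "LAN1",
           zone_to: str = "WAN") -> str:
    """'allow' / 'block' when the policy (and so the profile) applies,
    'no-filter' when the connection does not match the policy."""
    if (zone_from, zone_to) != (POLICY["from"], POLICY["to"]):
        return "no-filter"
    if ip_address(src_ip) not in POLICY["source"]:
        return "no-filter"            # any other LAN host is left alone
    return "allow" if host_is_trusted(host, POLICY["profile"]) else "block"


def decide_by_mac(mac: str, host: str) -> str:
    """The filter never sees the MAC: it only matters via the IP the
    binding gives the device; an unbound device lands outside the group."""
    return decide(DHCP_BINDINGS.get(mac.lower(), DHCP_POOL_LEASE), host)
```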