
Security Features > Web Filtering - Best practice for BYOD Devices

Hi.

I am looking for some advice around the best practice for Web Filtering for a BYOD network. 

We have a separate network set up on our XG for residents who connect their own devices, which are mainly mobile devices. We have a firewall rule created to allow this dedicated zone out to the internet, and in this rule I want to set up Web Filtering. I have created a Web Policy which includes a large number of categories to block, but I am unsure which of the other settings under this feature to enable or disable. These settings are shown as: 

Web Policy: 
Apply web category-based traffic shaping (currently disabled) 
Block QUIC protocol (currently enabled) 

Malware and content scanning 
Scan HTTP and decrypt HTTPS (currently disabled) 
Use zero-day protection (currently disabled) 
Scan FTP for malware (currently enabled) 

Filtering common web ports 
Use web proxy instead of DPI engine (currently enabled) 

Web Proxy Options 
Decrypt HTTPS during web proxy filtering (currently disabled) 

I have SSL / TLS Inspection enabled but I read somewhere about a certificate being needed to allow this to work correctly. 

On the same XG we do have a corporate network which is set up against a different firewall rule, and I plan to set up SSL and TLS inspection against this. 

With the testing I have done on the residents' network I have found internet browsing to be slow, which may be down to the number of categories I have selected. As this is a residents' network I need to make sure a solid level of protection is in place, and I would like secure sites to be scanned as most sites have a certificate in place. 

Any guidance would be greatly appreciated. 

Many thanks, Dan 



  • Hello!

    I have SSL / TLS Inspection enabled but I read somewhere about a certificate being needed to allow this to work correctly. 

    You cannot do TLS Inspection with a BYOD network, since it's necessary to have the certificate authority installed on each device. (But the DPI engine is still capable of doing web filtering with just the certificate information.)

    Regarding the current settings, I recommend you change:

    Scan HTTP and decrypt HTTPS (currently disabled) 
    Use zero-day protection (currently disabled) 

    Enable both of those options, even if it can't scan HTTPS traffic; plain-text HTTP traffic will still be scanned. (For the Zero-Day protection, be sure you have a valid license before enabling it; a warning should appear if you don't have it.)

    Filtering common web ports 
    Use web proxy instead of DPI engine (currently enabled) 

    Disable this option to use the DPI engine; currently the DPI engine is better (more secure) and faster than the old web proxy. (This could be the reason why internet browsing is slow.)

    Lastly, depending on the scenario, it's recommended to enable QoS for the BYOD network.

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Hi Prism

    Many thanks for your detailed response. I will look to test with the recommendations you outlined above. 

    I assume with the inability to scan and decrypt HTTPS that the SafeSearch functionality will not work without this. Is this correct? 

    Many thanks, Dan 

  • I assume with the inability to scan and decrypt HTTPS that the SafeSearch functionality will not work without this. Is this correct? 

    The SafeSearch function is currently only available through the Web Proxy, but you can create a separate Firewall Rule just for this function.

    (You can do this by creating another Firewall Rule on top of the current one with the "SafeSearch" FQDN Group in the "Destination Networks", then enabling the Web Proxy for the same Rule and using a Web Policy that has the "Enforce SafeSearch" function enabled.)


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

