Blocking Porn Category

H,

do you have CA installed on all devices on your LAN? Do you have "scan and decrypt" enabled in your firewall rule?

Ian 

H,

do you have CA installed on all devices on your LAN? Do you have "scan and decrypt" enabled in your firewall rule?

Ian 

Good question rfcat_vk.  Even without that, though, to ensure the same was captured with SSL/TLS Inspection disabled

I turned my inspection off, and still get a block page for this site:

The inspection certainly adds a higher chance of capturing more obscure websites, but without it, the firewall is just as capable.  In your above configuration, do you require the web proxy to be selected?

Also, just for reference, if you didnt deploy your certificate with TLS inspection enabled, a good method for blocking these items albeit sloppy would be to add an inspection and only target malcious web categories for inspection, it will break the chain and fail inspection, but the site itself will also fail to load at all.

Hi Matthew,

yes I do because SSL/TLS does not always pickup the traffic also you need to enable Application scanning and LAN to WAN type IPS filtering to bring all filtering tools into play. I have experimented with blocking sites and not all work because I haven't enabled sufficient web filters. Micheal Dunn explained what was missing in my setup in a thread a couple months ago about not being able to block embed ads etc. I applied those additional restrictions which worked but needed to many exception for general use.

Some sites have the porn and ads as side sites.

Ian

Another technique worth implementing depending on your view of it is using the firewalls application control policies to restrict "DNS over HTTPS" and of course enabling HTTPS Decryption on your Intercept X Advanced agent as well and setting the category in Web Control for Advertisements to "Block" never hurts.

or joining the DNS Protection EAP as well

I have implemented most of those except the dns EAP.

ian