
Block one web profile accessing another?

Corporate network = 10.1.1.0/24

Guest network = 192.168.1.0/24

Two web profiles created to allow the above.

However, clients accessing guest profile can browse to web servers on corp network. There are quite a few web servers so a block on the whole corp subnet would be nice.

If I put the subnet in tags, I can block it by IP but not by FQDN, and I don't want to put 100 server URLs in there. Anybody know an easier way?



This thread was automatically locked due to age.
  • Hi Louis-M,

    do you use a transparent proxy for the guest network?

    If so you can use the function to skip following networks from transparent proxy.

    If you work with tags, you can work with URLs because there is an option to include subdomains.

     

    Best Regards
    DKKDG

  • I'm leaning towards the tags to be honest. Any idea how to edit or delete created tags?

  • Hi Louis,

    The only way, I assume, is via CC, because I did not find it via web admin.

    Best Regards
    DKKDG

    This behavior is a side effect of UTM's unique architecture. It takes a while to get your head around things. UTM does not have security zones, and it has mutually-exclusive packet processors. So you implement a zone by ensuring that all of the packet paths have been restricted. We have tried to document this with articles in the Wiki section and in my Web Filtering Lessons Learned document at the top of the webfilter section.

    My recommended way to block traffic between zones is in the Filter Action... Websites form.   Enter block rules for your internal DNS domain as well as your internal IP address range.  This approach works for both Transparent and Standard Mode proxies, and it leaves nothing to chance about whether both DNS and IP are restricted.

    With transparent proxy, using the skip list works, because DNS resolution is done at the client.   When the traffic skips the web filter, it drops down to the firewall rules.   So you need a firewall rule to block traffic from the guest network to the internal network, but I assume you have that already because you need it to block other protocols.

    Tags:

    There is no "Tags Master List" form, instead tags are created as they are used.   Any place that accepts a tag will allow you to pick from the list of known tags or create a new tag.   One of the beauties of tags is that a well-chosen tag name helps to document what you are restricting.   In the Websites override list, you can use the search box to find all websites with a particular tag -- just enter all or part of a tag name and search.

     

     

  • Note: I am not a UTM firewall rule guy.  I've no idea if this would work.

     

    Can you create a firewall rule? Source is your Guest Network, Destination is your Corp network, Service Web Surfing, and action Block.

  • The traffic is proxied before the firewall so fw rules won't come into effect here. Having no fw rules for web browsing will result in web traffic getting a default block if traffic ever got to it after the proxy.

  • So it's obviously:

    1. Create a tag for the interesting traffic (URL, domain, CIDR, etc.), e.g. your corp domain.

    2. Apply that tag as a BLOCK on the filter that the above traffic hits, e.g. the Guest filter.

     

    And as an added precaution, don't let guest traffic use the DNS proxy on the UTM, i.e. use an external DNS.
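The two posts above (the Websites-form advice to block both the internal DNS domain and the internal IP range, and the two-step tag procedure) rest on the same point: a block keyed on the corporate domain alone still lets a guest reach `http://10.1.1.50/` by IP literal, so the rule set needs both a domain entry (with subdomains) and a CIDR entry. The following is an added illustration, not Sophos UTM code and not the matching engine UTM actually uses; it models a Websites-style block list as a small URL matcher. The corporate domain `corp.example` and the URLs fed to it are constructed for the example; the 10.1.1.0/24 range is the one from the question.

```python
"""Model of a Websites-form block list: domain (+subdomains) and IP-range rules.

Constructed example, not Sophos UTM code. It shows why a domain-only rule
leaves a gap that an IP-literal URL walks through, and how adding the
internal CIDR range closes it.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumptions for the example: corporate DNS domain and corporate subnet.
CORP_DOMAIN = "corp.example"   # hypothetical; substitute your internal domain
CORP_SUBNET = "10.1.1.0/24"    # corporate network from the question


def host_of(url):
    """Return the host part of a URL, lower-cased, without port, userinfo,
    IPv6 brackets, or a trailing dot. A bare hostname is accepted too."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def literal_ip(host):
    """Return an ip_address if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def domain_rule(domain):
    """Rule matching the domain itself or any subdomain of it (the
    'include subdomains' option). The leading dot in the suffix check
    keeps 'notcorp.example' from matching 'corp.example'."""
    d = domain.lower().rstrip(".")

    def match(host):
        return host == d or host.endswith("." + d)
    return match


def subnet_rule(cidr):
    """Rule matching a host that is an IP literal inside the given network."""
    net = ipaddress.ip_network(cidr, strict=False)

    def match(host):
        ip = literal_ip(host)
        return ip is not None and ip in net
    return match


def is_blocked(url, rules):
    """True if any rule matches the URL's host."""
    host = host_of(url)
    return any(rule(host) for rule in rules)


# Rule set with only the DNS domain (the gap) and with both entries.
DOMAIN_ONLY = [domain_rule(CORP_DOMAIN)]
DOMAIN_AND_RANGE = [domain_rule(CORP_DOMAIN), subnet_rule(CORP_SUBNET)]

# Constructed sample requests a guest client might make.
SAMPLE_URLS = [
    "http://intranet.corp.example/",
    "https://wiki.corp.example:8443/page",
    "http://10.1.1.50/",              # same server reached by IP literal
    "http://notcorp.example/",        # looks similar, is not ours
    "https://www.example.org/",       # ordinary Internet site
]


def audit(urls, rules):
    """Map each URL to whether the rule set blocks it."""
    return {u: is_blocked(u, rules) for u in urls}


if __name__ == "__main__":
    for name, rules in (("domain only", DOMAIN_ONLY),
                        ("domain + range", DOMAIN_AND_RANGE)):
        print(f"--- {name} ---")
        for url, blocked in audit(SAMPLE_URLS, rules).items():
            print(f"{'BLOCK' if blocked else 'allow':6} {url}")
```

With the domain-only rule set, `http://10.1.1.50/` is allowed; with both entries it is blocked, while the look-alike `notcorp.example` and the external site stay reachable. The matcher only models what a web filter sees in the request; traffic that bypasses the filter via a transparent-proxy skip list never reaches it and must be handled by firewall rules, as the earlier reply says. Browsers normalise shorthand IP forms (hex, decimal, octal) to dotted quads before the request leaves the client, so a CIDR rule on the proxy sees the normalised host.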

  • Louis, you might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA