
Block one web profile accessing another?

Corporate network = 10.1.1.0/24

Guest network = 192.168.1.0/24

Two web profiles created to allow the above.

However, clients accessing guest profile can browse to web servers on corp network. There are quite a few web servers so a block on the whole corp subnet would be nice.

If I put the subnet in tags, I can block it by IP but not by FQDN, and I don't want to put 100 server URLs in there. Anybody know an easier way?



  • This behavior is a side effect of UTM's unique architecture. It takes a while to get your head around things. UTM does not have security zones, and it has mutually-exclusive packet processors. So you implement a zone by ensuring that all of the packet paths have been restricted. We have tried to document this with articles in the Wiki section and in my Web Filtering Lessons Learned document at the top of the webfilter section.

    My recommended way to block traffic between zones is in the Filter Action... Websites form. Enter block rules for your internal DNS domain as well as your internal IP address range. This approach works for both Transparent and Standard Mode proxies, and it leaves nothing to chance about whether both DNS and IP are restricted.

    With transparent proxy, using the skip list works, because DNS resolution is done at the client. When the traffic skips the web filter, it drops down to the firewall rules. So you need a firewall rule to block traffic from the guest network to the internal network, but I assume you have that already because you need it to block other protocols.

    Tags:

    There is no "Tags Master List" form; instead, tags are created as they are used. Any place that accepts a tag will allow you to pick from the list of known tags or create a new tag. One of the beauties of tags is that a well-chosen tag name helps to document what you are restricting. In the Websites override list, you can use the search box to find all websites with a particular tag -- just enter all or part of a tag name and search.

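Added example, not from this thread or from UTM itself: a small Python check that applies the two-rule policy recommended above (block the internal DNS domain and block the internal IP range) to constructed guest-side requests, and reports which rule catches each one. The internal domain name, the resolver table and the hostnames are constructed assumptions; the 10.1.1.0/24 range is the corporate subnet from the question.

```python
import ipaddress
from urllib.parse import urlsplit

# Corporate LAN from the thread, plus an assumed internal DNS domain.
CORP_NET = ipaddress.ip_network("10.1.1.0/24")
CORP_DOMAIN = "corp.example"  # assumption: the internal DNS domain

# Constructed stand-in for DNS so the example runs offline. In transparent
# mode the client resolves names; in standard mode the proxy resolves them.
FAKE_DNS = {
    "intranet.corp.example": "10.1.1.20",
    "files.partner.test": "10.1.1.40",   # external name pointing at an internal host
    "www.example.org": "93.184.216.34",
}


def hostname_of(url):
    """Return the lower-cased hostname of a URL; bare host[:port] is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def in_internal_domain(host, domain=CORP_DOMAIN):
    """Rule 1: the internal DNS domain itself or any name beneath it.
    The leading dot keeps look-alikes such as notcorp.example from matching."""
    return host == domain or host.endswith("." + domain)


def in_internal_range(host, net=CORP_NET, resolver=FAKE_DNS):
    """Rule 2: the internal IP range, for IP literals and for names that resolve into it."""
    try:
        return ipaddress.ip_address(host) in net
    except ValueError:
        ip = resolver.get(host)
        return ip is not None and ipaddress.ip_address(ip) in net


def decide(url):
    """Return 'domain' or 'ip' for the rule that blocks the request, else 'allow'."""
    host = hostname_of(url)
    if in_internal_domain(host):
        return "domain"
    if in_internal_range(host):
        return "ip"
    return "allow"


if __name__ == "__main__":
    for u in ["http://intranet.corp.example/", "http://10.1.1.20/", "http://files.partner.test/"]:
        print(u, "->", decide(u))
```

Dropping either rule leaves a gap: without rule 2, an IP literal such as http://10.1.1.20/ or an outside name that resolves into the subnet gets through; without rule 1, any name under the internal domain that the filter cannot resolve is not caught.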