Web Filtering UTM9 home. Need your help in understanding and setup.

Hello community,

I have been using the UTM 9 at home for half a year now. All that time, Web Filtering was running on the default policy in transparent proxy mode, where I was just blocking some categories. Now I would like to use Web Filtering in a more advanced use case, but unfortunately, except for the Rulz by BAlfson, I was not able to find any best practice descriptions explaining the impact of different settings on each other. So, I really hope for your help.

What I am trying to achieve:
- Limit major spying by introducing and maintaining a URL/domain block filter.
- split filtering for certain device groups (Parent Devices, Children Devices, IoT, Guests).
- Introduce time based internet access for children.
- restrict internet access for IoT and allow just certain domains/services to be accessed (e.g. Updates).
- restrict internet access for the guests and allow certain categories/services to be accessed.

What I have so far as preparation:
- I have DHCP running with an IP range of 200-254/24 to get to know all new devices (presumably: Guests)
- All known "home" devices get a static IP via the host configuration in a range of 2-30/24.
- I have defined the following groups: "IoT Devices", "Parent Devices", "Children Devices", "Guests" containing the Hosts or IP Ranges for each of the logical device groups.

What is my plan and questions:
1) Set Default Web Filter to "Transparent Mode" and its Base Policy to "Default content filter block action". 
- Would this really catch all web traffic?

2) Create Web Filter Profiles for each of the Device Groups with the corresponding policies and time events to allow traffic through.
- Which Operation mode shall be used in case the "Allowed Networks" only contains the corresponding devices?
- As far as I understand from the documentation, in order to be able to apply different Web Filter Profiles based on the IP and handle HTTPS (decrypt and scan), I have to switch from the transparent proxy mode to the standard mode. Is my understanding correct, or is there a way to use the transparent proxy with different profiles? For example, specifying the corresponding Device Groups as the "Allowed Networks" within each Web Filter Profile?
- For the transparent mode, the documentation says "The disadvantage however is that only HTTP requests can be processed", but when selecting the transparent mode I am still able to define the "HTTPS Scan Settings", which does not make any sense. So, will HTTPS be handled while in transparent mode or not? If not, what effect do the "HTTPS Scan Settings" have?

2) Block the "spying" sites by creating a corresponding filter action and specifying it as a separate policy. This policy has to be applied for each Web Filter Profile.
- Is that so, or is there a way to define this kind of filter action to be applied globally on any web traffic that passed the filtering policies?


3) Further considerations on time restrictions: Is my understanding correct that, in order to restrict the internet usage of the children, it is not sufficient to create corresponding time-based Web Filtering profiles, as those would just be applied for browsing, but that I also have to create time-based firewall rules in order to cut off the entire internet traffic?

4) Regarding Application Control:
- First, I do not understand where to turn it on/off (handbook: "By default, all network traffic is allowed when application control is enabled."). Do they refer to enabling the "Network visibility"?
- Second, I do not understand the creation of the Application Control Rules, especially the "For:" (Source Networks). Are the rules applied to connections initiated from the devices of this source network? If so, what happens in case the source network is specified as "Any"? Will the internet->intranet traffic be let through by such a rule in case there is no explicit blocking firewall rule for that?

I am sorry if I caused any confusion with the above. I am new to UTM and have much to learn about how it actually operates, the best practices, DOs and DON'Ts.

Your help is highly appreciated and I thank you in advance.

Max



This thread was automatically locked due to age.
  • Hi, Max - your first post here - welcome to the UTM Community!

    A lot of us will answer individual questions here, but this is a dozen or more, so it's not likely you'll get a response.  The general rule here is one issue per aptly titled thread - that makes it easier for others to find answers to their questions.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA