
Wifi, FTP TLS and new Xstream dpi engine

Hello

1. Is it really not possible to bridge WiFi to any zone other than LAN? I only got the option "bridge to AP LAN".

2. I noticed that App Control and the option "scan ftp for malware" in the firewall rule will break TLS in FTP or SFTP.

So I made an extra rule for FTP. Is this a bug?

3. Also I noticed that the new DPI engine will break a whole lot of websites, including Microsoft, Google and Amazon. Is this going to change in the future? Is it possible to make a decrypt exclusion for a certain group of devices, like mobile phones? Currently I am using guest WiFi for mobiles with SSL decryption disabled.

4. I set rules to allow everything outgoing because there are just too many services on the internet, and I thought to rely on L7 filtering and AV. Is this still a safe approach?

5. In any rule other than web traffic, do I also need to enable web filtering and other security features like App Control or IPS?

  • Hi,

    1/. That will depend on which network you connect it to, e.g. DMZ would still be an AP LAN connection.

    2/. You will need to use the web proxy for scanning FTP etc.

    3/. There are a number of exceptions already created in the default SSL/TLS rule; you can add more if you desire.

    4/. You will find that for security you will need to build firewall rules for access to specific ports, web sites and applications; otherwise you will not be able to scan them.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • To extend this:

    1. It means bridge to AP LAN. It refers to the RJ45 interface of the AP itself: simply forwarding the packet to the interface of the access point to provide a wireless switch.

    2. It seems to be related to the DPI engine? DPI will decrypt TLS traffic, if you tell DPI to do so.

  • 1. I got a separate zone on a single port, but was not able to bridge that to, e.g., guest WiFi.

    2. The DPI engine is enabled, but doesn't work. I thought the old web proxy is only able to handle web traffic.

    3. I guess it's not possible to exclude, say, all "Android" or all "Apple" devices?

    4. So in the rule "#Default_Network_Policy" I ticked all scan options and thought this is already enough if there were no other rules specified for outgoing traffic.

    5. I made rules for, e.g., DNS and ping, and only IPS is enabled. Do I need more?