
Why are Web Policy time constraints not dropping pre-existing connections?

Good day.

I am quite new to XG - I am using the free version in a home environment.  I have encountered an issue with Web Policy time Constraints (restrictions) and a search was not able to identify any potential solutions or workarounds.

I am trying to block gaming web site access on my 7 year old's iMac during his on-line school hours.  The firewall rule uses the MAC address of the iMac for source matching and applies a dedicated custom Web Policy that blocks gaming during defined times of day.  It took my son just one day to figure out that if he leaves browser tabs open with the games running, they continue playing and are not blocked even during the school hours.  I can confirm that opening new sessions is correctly blocked by XG, but pre-existing sessions do not get dropped or blocked when the time constraints become active.  Can anyone offer any suggestions, as this behaviour completely defeats the point of having time based restrictions?  Snapshots of the pertinent firewall rule and web policy are attached.

Thank you very much in advance,
Peter.



  • XG is a stateful firewall, and closing an open connection is always an issue for the most part. 
    It's like having an open connection and then deploying a DENY rule: this rule will not be applied to existing connections. 

    The messy part starts in the whole "should XG drop active connections after some time?" question, because closing an existing connection as a firewall can have bad results: application crashes, unsaved data lost, etc. 

    There are two approaches from my point of view: disciplinary or technical. You can tell your child that it is not allowed to overuse the time and that you are actively monitoring whether he is online too long. Or you could write a little script which closes all connections each time, if you have a Linux/Windows client at hand which is online. 

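The "little script" approach above, as an added example that is not from this thread or from Sophos: on a Linux gateway (or a Linux client) with conntrack-tools, flush the tracked flows of one host once the block window starts, so the next packets of those flows are evaluated as new connections against the now-active rule. The host address, window times and cron schedule are assumptions; `conntrack -D` is the real conntrack-tools deletion command.

```shell
#!/bin/sh
# Added example: flush a host's tracked flows at the start of a block window.
# Assumes a Linux host with conntrack-tools; the values below are constructed.
CHILD_IP="${CHILD_IP:-192.168.1.50}"   # constructed placeholder address
WIN_START="${WIN_START:-0800}"         # block window start, HHMM (24h)
WIN_END="${WIN_END:-1500}"             # block window end, HHMM (24h)

# to_min HHMM -> minutes since midnight (POSIX sh, no octal pitfalls).
to_min() {
    h=${1%??}; m=${1#??}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# in_window NOW START END: succeeds when NOW lies in [START, END).
# Also handles windows that cross midnight, e.g. 2200 0600.
in_window() {
    now=$(to_min "$1"); start=$(to_min "$2"); end=$(to_min "$3")
    if [ "$start" -lt "$end" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
    else
        [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
    fi
}

# flush_host IP: delete every tracked flow to or from the host. A stateful
# firewall only consults its rule base for the first packet of a flow, so
# removing the state entry is what forces a re-evaluation; the browser's
# existing TCP sessions then fail and must reconnect through the rule.
flush_host() {
    if ! command -v conntrack >/dev/null 2>&1; then
        echo "conntrack not installed; nothing flushed" >&2
        return 1
    fi
    conntrack -D -s "$1" >/dev/null 2>&1   # flows originated by the host
    conntrack -D -d "$1" >/dev/null 2>&1   # flows towards the host
    return 0
}

# Run from cron at the window's start minute, e.g. "0 8 * * 1-5 /path/to/script run".
# in_window guards a delayed or manual run so nothing is flushed outside the window.
case "${1:-}" in
    run)
        if in_window "$(date +%H%M)" "$WIN_START" "$WIN_END"; then
            flush_host "$CHILD_IP"
        fi
        ;;
esac
```

Because deleting the state entry mid-stream makes the next packet look like an invalid, out-of-order TCP segment to netfilter, the client sees connection resets or timeouts rather than a clean close, which is exactly the disruption the post above warns about.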

  • Thanks very much for a super quick response!

    I assumed that, since there are specific time constraints allowed within XG as part of firewall rules and web policies, it enforces additional restrictions beyond the typical stateful behaviour.  I was obviously incorrect.

    The disciplinary or pedagogical approach is somewhat challenging in these unprecedented times, so I will have to resort to a technical workaround.  I may just force the iMac to log him out just after school time starts to restart all browser sessions...

    It's too bad that this feature is not behaving completely as expected.  It would be nice if for each time constraint applied to firewall rule or web policy there was a dedicated ability (via GUI check box) to enforce pre-established traffic drop.

  • Hi,

    you need to tighten your rules as well, because using "any" does not provide a limited path and some games will use non-proxy ports to bypass limitations.

    The XG will drop existing connections; I recently added some testing results to another thread with similar issues. One result was that the connection was not dropped immediately: one took 40 secs and the other took about 8 minutes.

    Please check the log viewer to review which ports are being used to which URLs, because not all URLs are classified as games etc. Please post an expanded shot of your firewall rule.

    Ian

    More than likely you will also need to add an application policy as well.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks very much for your answer Ian.  I spent quite a while trying to locate the thread you referenced but was unable to find it.

    Which specific part of the rule are you suggesting that I tighten up?

    I started experimenting with the log viewer to see if I can figure out what is going on.  I also ran a Wireshark session but have to learn how to interpret the results.

    Which specific detail of the firewall rule would you like to see?

    Thanks again!

    Peter.

  • Hi ReXT3D,

    Using 'any' is an easy way of setting up firewall rules for general access. If you desire to limit access you need to use specific services, web and application policies and also IPS.

    Not all web sites and applications are classified in what you would consider the correct category, and this results in bypassing firewall blocks.

    You would need firewall rule/s that specifically allow or disallow your son's Mac, but you also need specific rule/s to stop the Mac using other rules.

    Now there's a catch with the new Big Sur: it generates what are called security MAC addresses for the wifi network - something to remember.

    Now, to see what is happening you can also use the connection report on the GUI, which will provide you with the current connections for each device.

    During testing do not delete a connection, because the only way to restore it is to restart the XG; that is why you use clientless users to drop and re-enable access.

    Ian


  • Hi again Ian and thank you again for your input.

    I actually had the firewall originally configured with a sequence of deny and accept rules dedicated to my son's iMac, but it started to become a losing battle as he is becoming quite creative.  So I switched to the current accept rule with app and web policy filters to block the unwanted stuff.  It works great for the most part and is very simple to implement, with the exception of the subject of this thread.

    The iMac runs an older Mac OS, so fortunately I do not have to deal with MAC randomization - the hardware address remains fixed.  I will thoroughly review the logs and also my Wireshark captures when I have some spare time.  I will also replace the current 'Any' allowed services with a short list of only what he needs to access school.  I will also create a clientless user for his iMac and explore the benefits.

    Much appreciate your input once again.  If I manage to figure it out and this thread is still open I will post a response.

    Peter.

  • Hi,

    not a problem, I went through the same thing some 15 or so years ago, that is how I came across the UTM.

    Ian
