topic Re: FILTERING URL with CAPTIVE PORTAL on a GUEST network. in Firewall and Security Management

FILTERING URL with CAPTIVE PORTAL on a GUEST network.

wislley — Wed, 25 Mar 2020 20:32:47 GMT

Hello. I would like help with best practices in using the URL FILTERING blade using CAPTIVE PORTAL on a GUEST network.

My goal is to create a GUEST network for internet access, but using the URL FILTERING blade to block pornographic sites for example.

Visitors' machines will participate in VLAN 13 (172.16.13.0/24).

In the rule called VLAN 13> INTERNET i created an ACCESS ROLE with permission for UNAUTHENTICATED GUEST. Internet access is normal and YOUTUBE blocking is normal.

The problem is occurring only in rule 28.3 called PROXY VLAN 13.

I created the rules according to the image but the rule called PROXY VLAN 13 does not work. For some reason the package does not MATCH the rule. The rule called TEST YOUTUBE that uses the APPLICATION CONTROL blade is working normally.

Re: FILTERING URL with CAPTIVE PORTAL on a GUEST network.

PhoneBoy — Thu, 26 Mar 2020 00:32:16 GMT

Gateway/Management Version?
Is Categorize HTTPS Sites enabled?
Is HTTPS Inspection enabled at all (in general, not for guest VLAN)?

To properly see a lot of HTTPS sites without full HTTPS Inspection, you really need to be on a release with SNI support (in addition to having Categorize HTTPS Websites enabled).
This would include R80.20 with most recent GA JHF, R80.30 with most recent GA JHF, or R80.40.
In addition, HTTPS Inspection must be enabled (can be just an "any any bypass" rule) for Verified SNI to work prior to R80.40.

Re: FILTERING URL with CAPTIVE PORTAL on a GUEST network.

wislley — Sun, 29 Mar 2020 01:34:30 GMT

Thanks.

Gateway/Management Version = R80.10 (take 259)
Is Categorize HTTPS Sites enabled = No
Is HTTPS Inspection enabled at all (in general, not for guest VLAN)? = No

In that case it would be enough to enable CATEGORIZE HTTPS WEBSITES and enable HTTPS INSPECTION by creating a simple BYPASS rule?

Re: FILTERING URL with CAPTIVE PORTAL on a GUEST network.

PhoneBoy — Sun, 29 Mar 2020 01:48:19 GMT

First, you need to enable Categorize HTTPS Sites.
That will definitely help.
For Categorize HTTPS Sites to work better, you will need to upgrade to one of the releases I mentioned previously.
If not R80.40, then you will also need to enable HTTPS Inspection.

Re: FILTERING URL with CAPTIVE PORTAL on a GUEST network.

Dilian_Chernev — Mon, 30 Mar 2020 15:05:44 GMT

@wislley Put Internet object in the Destination column!

Re: FILTERING URL with CAPTIVE PORTAL on a GUEST network.

wislley — Sat, 04 Apr 2020 20:48:22 GMT

@PhoneBoy, thank you very much for your help. When i enabled only CATEGORIZE HTTPS WEBSITES the URL FILTERING rule worked perfectly, however the USER CHECK screen was not being displayed. So i disabled the CATEGORIZE HTTPS WEBSITES and enabled the HTTPS INSPECTION with a general rule making BYPASS on everything. Again the FILTERING URL rule stopped working. So i removed the general BYPASS rule by adding a BYPASS rule for only one public IP of a given website and now the URL FILTERING rule is working fine and the USER CHECK screen is displayed. I will only search for a certificate error when the USER CHECK screen is displayed. Thank you again.

Re: FILTERING URL with CAPTIVE PORTAL on a GUEST network.

PhoneBoy — Sat, 04 Apr 2020 23:14:44 GMT

Block pages cannot display for HTTPS sites unless HTTPS Inspection is enabled.
No version of the R80.10 JHF has improved support for SNI, you need to upgrade to a later release for that.
R80.30 is considered the widely recommended release at this point.