Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
wislley
Participant
Jump to solution

FILTERING URL with CAPTIVE PORTAL on a GUEST network.

Hello. I would like help with best practices in using the URL FILTERING blade using CAPTIVE PORTAL on a GUEST network.

My goal is to create a GUEST network for internet access, but using the URL FILTERING blade to block pornographic sites for example.

Visitors' machines will participate in VLAN 13 (172.16.13.0/24).

In the rule called VLAN 13> INTERNET i created an ACCESS ROLE with permission for UNAUTHENTICATED GUEST. Internet access is normal and YOUTUBE blocking is normal.

The problem is occurring only in rule 28.3 called PROXY VLAN 13.

I created the rules according to the image but the rule called PROXY VLAN 13 does not work. For some reason the package does not MATCH the rule. The rule called TEST YOUTUBE that uses the APPLICATION CONTROL blade is working normally.

1.jpg

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
First, you need to enable Categorize HTTPS Sites.
That will definitely help.
For Categorize HTTPS Sites to work better, you will need to upgrade to one of the releases I mentioned previously.
If not R80.40, then you will also need to enable HTTPS Inspection.

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
Gateway/Management Version?
Is Categorize HTTPS Sites enabled?
Is HTTPS Inspection enabled at all (in general, not for guest VLAN)?

To properly see a lot of HTTPS sites without full HTTPS Inspection, you really need to be on a release with SNI support (in addition to having Categorize HTTPS Websites enabled).
This would include R80.20 with most recent GA JHF, R80.30 with most recent GA JHF, or R80.40.
In addition, HTTPS Inspection must be enabled (can be just an "any any bypass" rule) for Verified SNI to work prior to R80.40.
wislley
Participant

Thanks.

Gateway/Management Version = R80.10 (take 259)
Is Categorize HTTPS Sites enabled = No
Is HTTPS Inspection enabled at all (in general, not for guest VLAN)? = No

In that case it would be enough to enable CATEGORIZE HTTPS WEBSITES and enable HTTPS INSPECTION by creating a simple BYPASS rule?

 

0 Kudos
PhoneBoy
Admin
Admin
First, you need to enable Categorize HTTPS Sites.
That will definitely help.
For Categorize HTTPS Sites to work better, you will need to upgrade to one of the releases I mentioned previously.
If not R80.40, then you will also need to enable HTTPS Inspection.
wislley
Participant

@PhoneBoy, thank you very much for your help. When i enabled only CATEGORIZE HTTPS WEBSITES the URL FILTERING rule worked perfectly, however the USER CHECK screen was not being displayed. So i disabled the CATEGORIZE HTTPS WEBSITES and enabled the HTTPS INSPECTION with a general rule making BYPASS on everything. Again the FILTERING URL rule stopped working. So i removed the general BYPASS rule by adding a BYPASS rule for only one public IP of a given website and now the URL FILTERING rule is working fine and the USER CHECK screen is displayed. I will only search for a certificate error when the USER CHECK screen is displayed. Thank you again.

10.jpg

0 Kudos
PhoneBoy
Admin
Admin
Block pages cannot display for HTTPS sites unless HTTPS Inspection is enabled.
No version of the R80.10 JHF has improved support for SNI, you need to upgrade to a later release for that.
R80.30 is considered the widely recommended release at this point.
Dilian_Chernev
Collaborator

@wislley  Put Internet object in the Destination column!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events