[NEBULA] Mobile APP management

royroy Member Posts: 19  Freshman Member
edited June 2, 2020 4:50PM in Nebula Security Gateway
I evaluated that the NSG50 had the function of mobile APP traffic management, so I made the decision and bought it.

When I installed it, it was completely different from my firewall installation experience. The system was moved to the NCC platform.

I have been studying this for days, but couldn't get it, so confusing!

The firewall gateway was not flexible compared to the normal firewall USG20-VPN, and the most important thing is I couldn't find where I can manage the mobile APP traffic.

I hope I just didn't get how to set this. Are there any experts who can tell me how to do it or where I can find docs telling me how?

Comments

  • IwannaquitthegymIwannaquitthegym Member Posts: 23  Freshman Member
    I'm not sure if by mobile app traffic you meant application traffic like YouTube, Facebook, etc.
    If so, I feel the application traffic is easier to configure compared to the USG series. For some things I could agree there's not much flexibility but it's the price for an easier interface.

    The options for application patrol are in the Firewall settings.
  • royroy Member Posts: 19  Freshman Member
    Thank you very much!

    There are several controls in NSG: firewall rules, application patrol and content filtering. What is the flow of priorities?

    I set an application patrol for instant messengers in the "add application" window with action "drop" for things such as Yahoo message or something else. Does it mean it is already dropping the desired instant messenger traffic, or do I still have to enable it in the firewall rules?


  • IwannaquitthegymIwannaquitthegym Member Posts: 23  Freshman Member
    Once you have created and saved the application patrol profile with the desired action, you need to apply it in the outbound rules. The profile name should appear in the Policy list and then you only need to use a source IP and network to which you want to apply that profile.

    Let me know how it goes :) 
  • royroy Member Posts: 19  Freshman Member
    Should I fill in source and destination port, or just leave them "any"? 

    Could you advise on the security flow priority? If I want to disable everything and only allow some specific web sites, and I set deny everything from every source computer at all times and set a white list in the content filter, is that the right way for my purpose?


  • IwannaquitthegymIwannaquitthegym Member Posts: 23  Freshman Member
    You can leave them as any.

    As far as I know, if you set a deny "any" in the outbound rules it will also block your L3 local traffic. If you want to disable the access to websites only, I suggest you tick all the categories in content filtering and use the whitelist for those specific websites you want to allow.
    I'm not sure if all the websites are included within those categories, though... But you could try it.
  • royroy Member Posts: 19  Freshman Member
    Thank you very much!

    I tried allow all in the firewall rule and put one web address, *.facebook.com, on the black list, but I am still able to access the Facebook page.

    Do I need to tick all the categories before the black list becomes effective?


  • IwannaquitthegymIwannaquitthegym Member Posts: 23  Freshman Member
    I don't think so. I just tried it myself and it worked without any category.
    Looks like your content filtering is not working. Make sure the device is running the latest firmware and the configuration is up to date.

  • royroy Member Posts: 19  Freshman Member
    Hello~
    I set application patrol to drop some applications like Facebook etc., and set source/destination port/address and schedule as any.

    Following the application patrol in the firewall, I set a deny for some IP address from accessing the internet in a certain period of time.

    Then the test started and the result was:
    The IP couldn't access the application, so the application patrol worked. But the IP address was still able to access the internet though it was blocked in that period of time. I tried to set deny all the time, but the IP was still able to access anything except the applications.

    The first application patrol in the firewall judged that the access was not one of the apps I dropped, so shouldn't it pass to the next rule, where I deny in the period of time?

    Could you advise if this is correct?

    I want to block some applications at all times and would like to open access in a certain period of time. What should I do to implement the firewall rules and application patrol?


  • WebberITWebberIT Member Posts: 52  Ally Member
    Did you put the 2 rules as any to any on top of each other?
    Something like:
    rule1 , app_deny; protocol:any ; src:any , dst:any ; 
    rule2,        deny ;  protocol:any ; src:someIP , dst:any ;

    If that's the case, all traffic will hit rule1 first since you have it as any to any; rule2 will never be hit.
    I suggest you give higher priority to rules that apply to specific IPs or ones that have more detailed rules.
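
The rule-order point in the reply above, as an added example that is not part of the thread and not Zyxel's code: a first-match model of the two rules plus a check that flags shadowed rules. It assumes, as that reply describes, that an any-to-any rule is the final match for all traffic; schedules are ignored, and 192.168.1.50 is a constructed stand-in for someIP.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: str = "any"
    dst: str = "any"
    protocol: str = "any"

def _net(value):
    """Turn 'any' or an address/CIDR string into an IPv4 network."""
    return ANY if value == "any" else ipaddress.ip_network(value, strict=False)

def _covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    proto_ok = earlier.protocol in ("any", later.protocol)
    return (proto_ok
            and _net(later.src).subnet_of(_net(earlier.src))
            and _net(later.dst).subnet_of(_net(earlier.dst)))

def find_shadowed(rules):
    """Return (shadowed, shadowing) rule-name pairs under first-match evaluation."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                pairs.append((later.name, earlier.name))
                break
    return pairs

def first_match(rules, src, dst, protocol):
    """Name of the first rule that matches the packet, top to bottom."""
    for r in rules:
        if (r.protocol in ("any", protocol)
                and ipaddress.ip_address(src) in _net(r.src)
                and ipaddress.ip_address(dst) in _net(r.dst)):
            return r.name
    return "implicit-default"

# Constructed sample: the order from the thread, then the specific rule moved up.
THREAD_ORDER = [Rule("rule1", "app_deny"),
                Rule("rule2", "deny", src="192.168.1.50")]
REORDERED = [THREAD_ORDER[1], THREAD_ORDER[0]]

if __name__ == "__main__":
    print(find_shadowed(THREAD_ORDER))   # rule2 is shadowed by rule1
    print(find_shadowed(REORDERED))      # nothing shadowed
```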


  • royroy Member Posts: 19  Freshman Member
    The rules were as below:
    rule1 , app_deny; protocol:any ; src:any , dst:any ; ALWAYS
    rule2,        deny ;  protocol:any ; src:someIP , dst:any ; SPECIFIC_PERIOD

    Rule1 worked and blocked some app traffic as I wanted, but passed all the traffic even though I denied it in a specific period of time in the next rule.

    Does the application patrol only make judgments that carry out the wanted behaviors (forward, drop, reject), but not pass to the next rules if the application traffic was not matched?

    Thank you for all your efforts in helping out!
