[NEBULA] Can the NSG100 block user access to certain websites?

JINHANG
JINHANG Posts: 10  ZCNE Certified
edited April 2021 in Nebula
Can the NSG100 block user access to certain websites, e.g. Facebook?

Comments

  • Nebula_Bayardo
    Nebula_Bayardo Posts: 179  Zyxel Employee
    Hi JINHANG!
    Yes, you can block the access for defined IP addresses. Similar to the other thread, once you have identified the IP address or network that you want to block, you can create an application profile for the Facebook category with action Drop/Reject and create the outbound rule with the specific source IP address. In case you have more outbound rules, be sure to place this outbound rule on top of others that allow traffic from any source.
  • newtype
    newtype Posts: 29  Freshman Member
    Can I block the website by domain name? Because nowadays a website can end up with many IP addresses.
  • Nebula_Bayardo
    Nebula_Bayardo Posts: 179  Zyxel Employee
    @newtype
    For security reasons, blocking using domain name is not available. If someone could change your DNS it would suddenly open gaping holes in your firewall to stuff you didn't want accessible, and since a lot of people don't treat DNS servers as a very 'securable' system, it is a low-hanging fruit.

    To address the many IP addresses issue in a more secure way, the NSG uses application patrol, which also simplifies settings by updating signatures every day.
  • newtype
    newtype Posts: 29  Freshman Member
    @Nebula_Bayardo
    I don't quite get what you're saying about security reasons.
    In your USG today, you have a walled garden, so just turn that around to become a blacklist. Then you can be more friendly in achieving "block user to certain website". Please consider it ~
  • Nebula_Bayardo
    Nebula_Bayardo Posts: 179  Zyxel Employee
    Hi @newtype, the walled garden limits access to the web sites listed, prior to an authentication process (captive portal), but does not block access by user as specified by JINHANG. It would work when you want to limit the access for certain users connected to a specific interface, but once the users have logged in, the walled garden doesn't take effect anymore.

    BTW, here's a sneak peek :smiley: , our NSG100 will be able to configure walled garden in Phase II launching in May this year!
  • Nebula_Bayardo
    Nebula_Bayardo Posts: 179  Zyxel Employee
    Hey @newtype, I've read your comment again and got your point! Yes, it sounds like a good idea to reverse the walled garden function to become a "black list".
    Would you mind re-posting this fantastic suggestion to the "Ideas" category, where other users can support you by giving your post a Like :+1: ? I can do it for you if you agree!
  • newtype
    newtype Posts: 29  Freshman Member
    Sounds cool! Please go ahead ~
  • Nebula_Bayardo
    Nebula_Bayardo Posts: 179  Zyxel Employee
    @newtype I have posted your idea, go and give it a Like! :smiley:
    Thanks for your support to make Nebula even better!
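
The rule-ordering advice in the first reply above, as an added example that is not part of the original thread and not Zyxel's code: a small checker that flags a drop rule placed below a broader allow rule. It assumes first-match evaluation and a default of allow; the `Rule` fields, rule names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    source: str   # source CIDR; "0.0.0.0/0" stands for "any"
    app: str      # application category from the profile, or "any"
    action: str   # "allow" or "drop"

def covers(upper, lower):
    """True if every flow matched by `lower` is already matched by `upper`."""
    src_ok = ip_network(lower.source).subnet_of(ip_network(upper.source))
    return src_ok and upper.app in ("any", lower.app)

def shadowed(rules):
    """(rule, shadowing rule) pairs: an earlier rule with a different
    action fully covers a later one, so the later rule never fires."""
    findings = []
    for i, lower in enumerate(rules):
        for upper in rules[:i]:
            if upper.action != lower.action and covers(upper, lower):
                findings.append((lower.name, upper.name))
                break
    return findings

def decide(rules, source_ip, app, default="allow"):
    """Assumed first-match evaluation; `default` is an assumption too."""
    src = ip_network(source_ip)
    for r in rules:
        if src.subnet_of(ip_network(r.source)) and r.app in ("any", app):
            return r.action
    return default

# Constructed sample rules: one host must not reach the Facebook category.
ALLOW_ANY = Rule("allow-any", "0.0.0.0/0", "any", "allow")
BLOCK_FB = Rule("block-facebook", "192.168.1.50/32", "Facebook", "drop")
WRONG_ORDER = [ALLOW_ANY, BLOCK_FB]   # drop rule sits below allow-any
RIGHT_ORDER = [BLOCK_FB, ALLOW_ANY]   # drop rule on top, as advised

if __name__ == "__main__":
    for label, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        verdict = decide(rules, "192.168.1.50", "Facebook")
        print(label, "->", verdict, "| shadowed:", shadowed(rules))
```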
