Improve policy control for UTM Profile application patrol.

PeterUK (Member, Posts: 590)

Just activated the IDP/AppPatrol Signature Service on my USG40 and found a problem.

So basically, when you check a UTM Profile like application patrol, the policy control needs to ignore the settings above source, destination, service and action, and here's why.

Say you have a network set up for DMZ to WAN with the following rules in policy control:

from DMZ to WAN HTTP allow

from DMZ to WAN HTTPS allow

from DMZ to WAN DNS allow

You then want to block Facebook by a UTM Profile application that you make, and you add a top policy control rule for that application patrol.

Well, it blocks Facebook, yes, but it allows anything from DMZ to WAN at the same time!


  • Zyxel_Stanley (Zyxel Official Agent, Posts: 716, mod)
    In the current design, the UTM services scan packet content when traffic is "allowed" by a policy control rule.
    If you would like to allow/block a known website you can use an "FQDN" object in your rule.
    It prevents unexpected traffic from being allowed by the rule.

  • PeterUK (Member, Posts: 590)

    Ok, but what if you want to block something like WhatsApp, where you can't block by FQDN? What then?

    In order to block WhatsApp by UTM services you have to allow any ports.

    Surely there is a way for UTM services to allow the traffic for checking for a match, then block and go to the next policy control rule.

  • Zyxel_Stanley (Zyxel Official Agent, Posts: 716, mod)
    For your scenario, you should first add a service group which includes the service ports that you allow,
    and attach the AppPatrol rule for those you would like to block to the same rule.
    This rule will only allow the specific service ports, and also block the applications you configured.
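
The two rule layouts discussed in this thread (the original top "any service" rule versus the single rule with a service group plus an attached AppPatrol profile), as an added toy model that is not Zyxel's code or configuration. It assumes first-match evaluation and that the profile inspects only traffic the matching rule has already allowed, as stated in the replies; rules, ports and packets are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dport: int
    app: str  # application as classified by the IDP/AppPatrol signatures

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    ports: Optional[FrozenSet[int]]          # None means service "any"
    action: str                              # "allow" or "deny"
    app_block: FrozenSet[str] = frozenset()  # attached AppPatrol profile: apps to drop

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation; AppPatrol inspects only traffic the matching rule allows."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (pkt.src_zone, pkt.dst_zone):
            continue
        if r.ports is not None and pkt.dport not in r.ports:
            continue
        if r.action == "deny":
            return "deny", r.name
        # Policy control allowed it; only now does the UTM profile look at the content.
        if pkt.app in r.app_block:
            return "drop-by-apppatrol", r.name
        return "allow", r.name
    return "deny", "implicit-default"

# Original poster's layout: a top rule with service "any" carrying the Facebook-blocking profile.
NAIVE = [
    Rule("block-facebook", "DMZ", "WAN", None, "allow", frozenset({"facebook"})),
    Rule("http", "DMZ", "WAN", frozenset({80}), "allow"),
    Rule("https", "DMZ", "WAN", frozenset({443}), "allow"),
    Rule("dns", "DMZ", "WAN", frozenset({53}), "allow"),
]
# Suggested layout: one rule whose service group holds only the wanted ports and whose profile blocks Facebook.
FIXED = [Rule("web-no-facebook", "DMZ", "WAN", frozenset({80, 443, 53}), "allow", frozenset({"facebook"}))]

# Constructed sample packets.
FACEBOOK = Packet("DMZ", "WAN", 443, "facebook")
PLAIN_WEB = Packet("DMZ", "WAN", 443, "web-browsing")
TELNET = Packet("DMZ", "WAN", 23, "telnet")  # nothing in the intended rule set should allow this
```

Running `evaluate(NAIVE, TELNET)` shows the problem the original post describes: the top rule allows the telnet packet, whereas `FIXED` denies it and still drops Facebook.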

  • PeterUK (Member, Posts: 590)

    Yes, that would work, but what if you want to allow WhatsApp by UTM services and then only HTTP, HTTPS or DNS? You would have to allow all if you don't know the ports used by WhatsApp.

  • Zyxel_Stanley (Zyxel Official Agent, Posts: 716, mod)
    edited June 4, 2020 6:19PM

    Hi @PeterUK

    In the current design, the policy control function can only drop specific applications and allow others in the rule.

    It is unable to allow specific application services but drop others.


    I would like to add this topic as an idea.

  • PeterUK (Member, Posts: 590)
    edited June 5, 2020 4:31AM
    Ok, I guess it's tricky: you would have to start allowing the traffic to match for applications, and if there is no match, check the other policy control rules to then drop it.