Blocking access to web sites

Dovetail_MD
Dovetail_MD Posts: 81  Ally Member
First Anniversary First Comment
edited April 2021 in Security
Our USG 60 W blocks access to certain websites we use when we have set no limitations in the set up of the box.

The log seems to tell me nothing about what is going on.

Can somebody tell me what I should be looking for, how I can make an exception for 1 or 2 particular URLs?

Best Answers

  • Dovetail_MD
    Dovetail_MD Posts: 81  Ally Member
    First Anniversary First Comment
    Answer ✓
    now dealt with
«1

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    First Anniversary Friend Collector First Answer First Comment
    HI @Dovetail_MD

    I suggest to watch the following video, it will show to you how to do it

    https://www.youtube.com/watch?v=JOAY4fzoX_E

    Best regards
  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment

    Hi @Dovetail_MD this is pretty easy to do in all current USG models.

    One assumes you would like to do all of the following:

    1. block specific websites hosts by FQDN
    2. block a generic (wildcard/mask) of websites | hosts by partial DN's
    3. log some event that it happens so you can see the triggers

    The above if very straighforward in the Web UI with V4.33 firmware and to a lesser extent with previous versions of firmware.

    what you need:

    • administrator access ot the USG appliance as expected via the WEB UI.
    • be at firmware V4.33 to use DN wildcard mask to add to an Address Group

    Suggested approach:

    1. use an Address Group with all your host DN and FQDN in it
    2. set up a Security Policy that DENY's and logs the event to and from your WAN(s) or LAN(s)

    Before you start:

    Consider pushing the USG60W logs to an external server (syslog or syslog-ng for example ). That way you can look (grep) these at your leisure.

    Procedure: 

    This works for us: using Configuration / Object / Address GEO IP and Security Policy

    We've found the addition of wilcards DN Addresses  to Address Group in Firmware V4.33 (??) 

    1. for each restricted domain  as a FQDN  or wildcard DN make an Address Object entry
    2. here's an example of one with a FQDN host name using the FQDN listbox item:
    3.  
    4. you can TEST the  Name server look up using the TEST button .. (cute):
    5. also do these for IPV6 if you access these .
    6. Also create a WILDCARD address object using partial name & asterisk for all of a particular D/Name 
    7. Repeat  steps 2 to 5 for all the FQDN hosts or DN's that you wish to block 
    8. Now CREATE an Address Group to use for blocking all of these in one go 
    9. configure the address your name and then add the Address Object from above 
    10. After "OK",  it will needed to be added to the Configuration / Security Policy.
    11. Create new Security Policy: In the following example this is at Security Policy:3 (Priority:3). In this example it simply restricted access FROM: LAN1 .. to can do ALL as well. .. experiment  B)
    12. Optionally: enable "Log denied Traffic" to log or Log alert to test and log to your logger 
    13. Confirm "OK" this and make sure its enabled.
    14. Yes this with a curl or browser of choice...
    15. (TIP: installations we use external loggers for each router to keep logs for two weeks then age them out.) Below ... Here's an access to one of these scum bogus fake sites from a web page, logs this stuff out.
    16. Using a simple grep for something (e.g., anything from priority:3 or some other search ) yields a log...
    <div>macmini-07-server:~ warwick$ tail -f &nbsp; /Library/Logs/msf-usg60-01.log | grep -i "priority:3"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55537" dst="198.134.112.242:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55538" dst="198.134.112.243:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55539" dst="198.134.112.244:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div><div>Mar 24 16:12:40 usg60 src="10.201.99.18: 55540" dst="198.134.112.241:443" msg="priority:3, from ANY to WAN, TCP, service others, REJECT" note="ACCESS BLOCK" user="unknown" devID="ffffffffffffffff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:WAN" protoID=6 proto="others"</div>

    Hope that helps


    Warwick

    Hong Kong.

  • Dovetail_MD
    Dovetail_MD Posts: 81  Ally Member
    First Anniversary First Comment
    Hello there

    Thank you for telling me where the log is
    ...........................
    One assumes you would like to do all of the following:

    block specific websites hosts by FQDN
    block a generic (wildcard/mask) of websites | hosts by partial DN's
    log some event that it happens so you can see the triggers
    ..............................

    In fact, the problem I am having is the reverse of that - I want to get into a particular website and cannot because the USG 60 W blocking it and I cannot work out why

    I have added the particular website to the relevant filter - I am using "office" - and then making sure that the particular LAN connection is using that particular filter.

    However that still has not solved the problem

    Best

    Andy
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    edited March 2019
    @Dovetail_MD
    When the issue occur, you can go to monitor>Log, and message may appear which feature and profile block you PC to access particular website. Base on this clue, you can modify the rule correctly.
    Charlie
  • Dovetail_MD
    Dovetail_MD Posts: 81  Ally Member
    First Anniversary First Comment
    Good morning,

    Thank you!

    So what does this mean....(xxxx replaces real url) 

    xxxx.com : unrated, Rule_id=1 (HTTPS Domain Filter)

    This is an https site and I certainly have the "Enable HTTPS Domain Filter for HTTPS traffic" box ticked

    bw

    Andy

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @Dovetail_MD
    The message display "unrated" which means this URL does not record in database yet due to limited information was collected.
    Can you share the screenshot and what URL did you check?

    Charlie

  • Dovetail_MD
    Dovetail_MD Posts: 81  Ally Member
    First Anniversary First Comment
    Okay, here is a screenshot - and the URL was https://cp.sobase.uk
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    edited April 2019
    @Dovetail_MD
    From your screenshot, 
    since https://cp.sobase.uk is the unrate URL, and  you configured the Action for Unrate Web page: Warn. Therefore, there is warn notice on the log message.

    Regarding to the log message, it's warning message and client will not be blocked via this rule.
    Could you private message configuration for check further?
    Charlie
  • Dovetail_MD
    Dovetail_MD Posts: 81  Ally Member
    First Anniversary First Comment
    Good afternoon,  

    Okay will do, but….

    Could you remind me how to download the configuration file?

    Thank you
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @Dovetail_MD
    Here is the steps to download the configuration.
    Go to Maintenance>File manager>Configuration file>Startup-config.conf>Download

    Charlie

Security Highlight