Ask : LAN to Internet restricted to one destination
Hi there,
Need advice.
I want to make sure clients can only access a single website on the internet.
They can't browse to other websites or use the internet for other purposes.
This website is like vforum. Is it correct that I just need to:
- make an IPv4 policy that only allows ports 80 and 443 to that website
- make a new web filter that only points to that website.
Need advice please. Thank you.
I would define an FQDN address for the website host, and allow HTTP and HTTPS to the address in the first policy then deny all other destinations for HTTP and HTTPS in the second policy.
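
The two-policy layout described in the reply above, as an added FortiOS CLI example that is not part of the original thread. The object name, the FQDN `forum.example.com`, the policy names and the interface names `lan` and `wan1` are placeholders to replace with your own values.

```fortios
# Added example: all names, the FQDN and the interfaces are placeholders.
config firewall address
    edit "allowed-site"
        set type fqdn
        set fqdn "forum.example.com"
    next
end

config firewall policy
    # Policy 1: allow HTTP/HTTPS from the LAN to the single FQDN only.
    edit 0
        set name "allow-single-site"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "allowed-site"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
    # Policy 2: deny HTTP/HTTPS to every other destination and log the hits.
    edit 0
        set name "deny-other-web"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end
```

Policies are matched top-down, so the allow policy must stay above the deny policy; `edit 0` appends each new policy at the end of the list in the order shown.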
Hi Toshi,
Thank you for the reply.
Is that working properly?
I mean, is there no chance clients can access other website(s),
using apps or something like a free proxy?
What it would do is all HTTP/HTTPS access from the source interface is allowed only for the host/FQDN. Of course if there are other policies to allow another source interface toward the internet, you have to create another policy to block them too... In other words, you have to check through all paths to the internet and control all policies. Then if you overlooked any of them you'll need to troubleshoot and shut them down.
There are a lot of evasion techniques out there. For example, tunneling any sort of traffic via DNS port 53. What you can do is apply an application control sensor (filter) to the outbound policy which suppresses the most common services like peer-to-peer, DNS tunneling etc.
I bet you'd thought this was easy.
