URL filter didn't work due to misunderstanding the trust and untrust zone

Publication Date: 2013-08-23
Issue Description
A customer wanted to use the URL-filter feature of the Eudemon1000E-X3. The firewall is deployed in the live network in switch mode, because the customer did not want to change the existing network topology. After the Eudemon1000E-X3 was configured, the customer told us that the URL filter did not work. The customer's topology is as follows.


The customer wanted to block cnn.com and bbc.com, but after the configuration he could still access both websites.
In the configuration file, the configuration related to the URL filter is as follows.
#
pattern-group block_url type url
pattern any cnn.com
pattern any bbc.com
#
url-filter policy urlpolicy1
blacklist group block_url
#
#
web-filter policy webpolicy1
policy url-filter urlpolicy1
#

policy interzone trust untrust outbound
policy 35
  action permit
  policy service service-set ip
  policy source 103.245.xx.0 0.0.1.255
  policy web-filter webpolicy1
#
Alarm Information
none
Handling Process
1. From the history command, we saw that the URL filter was enabled.
07/28/2013 20:37:48  vt0   103.245.xxx.232 admin                             
  Cmd:url-filter enable

2. We asked the customer to enter the command "pattern configure commit". After that, the customer's PC on the LAN, 103.245.xx.232, could still access bbc.com.
3. While www.cnn.com was being accessed, we checked whether the packets passed from the trust zone to the untrust zone.
[ABIR_EU1000E-X3-DPI]display policy interzone trust untrust outbound
15:12:18 2013/08/05
policy interzone trust untrust outbound
policy 35(0 times matched)
  action permit
  policy service service-set ip
  policy source 103.245.xx.0 0.0.1.255
  policy web-filter webpolicy1

[ABIR_EU1000E-X3-DPI]display policy interzone trust untrust inbound
15:13:23 2013/08/05
policy interzone trust untrust inbound
policy 50(98574859 times matched)
description permission-trust-untrust-common
  action permit
  policy service service-set ip
  policy source any
  policy destination any
  policy dpi network_control
We found that no packets passed from the trust zone to the untrust zone (policy 35 had 0 matches), while the match counter of the policy from the untrust zone to the trust zone (policy 50) kept increasing.
We checked the IP address of www.cnn.com and found that it is 157.166.249.10.

From the session table, we found that the PC 103.245.178.232 is in the untrust zone, and www.cnn.com (157.166.249.10) is in the trust zone.

The root cause was that the customer had confused the trust zone with the untrust zone: the LAN was actually attached to the untrust zone, so a policy in the trust->untrust outbound direction never matched the customer's traffic.
After applying the policy in the untrust->trust (inbound) direction, the URL filter worked.
policy interzone trust untrust inbound
policy 35
  action permit
  policy service service-set ip
  policy source 103.245.xx.0 0.0.1.255
  policy web-filter webpolicy1
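To make the direction semantics concrete, here is a small Python model of how interzone policies select a flow by zone direction and wildcard source mask. It is added to this case and is not Eudemon code or the customer's configuration; it assumes the page's masked LAN range 103.245.xx.0 0.0.1.255 expands to 103.245.178.0 0.0.1.255, consistent with the PC address seen in the session table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model: "policy interzone trust untrust outbound" matches flows from
# the trust zone to the untrust zone, "... inbound" matches untrust -> trust.

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Huawei-style wildcard mask: set bits are 'don't care'; 'any' matches all."""
    if base == "any":
        return True
    ip_i, base_i = int(ipaddress.IPv4Address(ip)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ip_i & care == base_i & care

@dataclass
class Policy:
    name: str
    direction: str                  # "outbound" (trust->untrust) or "inbound" (untrust->trust)
    source: tuple                   # ("any", "") or (base, wildcard)
    web_filter: Optional[str] = None
    matched: int = 0                # mirrors the "(N times matched)" counter

def flow_direction(src_zone: str, dst_zone: str) -> Optional[str]:
    return {("trust", "untrust"): "outbound", ("untrust", "trust"): "inbound"}.get((src_zone, dst_zone))

def first_match(policies, zone_of, src_ip, dst_ip) -> Optional[Policy]:
    """Return the first policy hit by the flow, bumping its counter like the firewall does."""
    d = flow_direction(zone_of[src_ip], zone_of[dst_ip])
    for p in policies:
        if p.direction == d and wildcard_match(src_ip, *p.source):
            p.matched += 1
            return p
    return None

PC, CNN = "103.245.178.232", "157.166.249.10"
LAN = ("103.245.178.0", "0.0.1.255")  # assumed expansion of the page's masked 103.245.xx.0

def web_filter_for_pc(policies):
    """Which policy the PC -> cnn.com flow hits, and which web-filter (if any) applies."""
    zone_of = {PC: "untrust", CNN: "trust"}  # zones as the session table actually showed them
    p = first_match(policies, zone_of, PC, CNN)
    return (p.name if p else None, p.web_filter if p else None)

def as_configured():
    return web_filter_for_pc([Policy("35", "outbound", LAN, "webpolicy1"),
                              Policy("50", "inbound", ("any", ""))])

def after_fix():
    return web_filter_for_pc([Policy("35", "outbound", LAN, "webpolicy1"),
                              Policy("35", "inbound", LAN, "webpolicy1"),
                              Policy("50", "inbound", ("any", ""))])
```

Running `as_configured()` returns `('50', None)`: the flow hits the common inbound permit and no web filter is applied, while `after_fix()` returns `('35', 'webpolicy1')`.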

Root Cause
1. The URL filter function is not enabled.
2. The configuration is not committed.
3. The web filter policy was not applied in the right interzones or the right direction.
Suggestions
When configuring URL filter, make sure the web filter policy is applied in the right direction between two zones.

END