Reputation Filter
Overview
Use the Reputation Filter screens to configure settings for URL Threat filtering.
What You Need to Know
URL Threat Filter
URL filtering compares access to specific URLs against a database of blocked or allowed sites. Sites on the database are sorted into categories such as:
Anonymizers
Browser Exploits
Malicious Downloads
Malicious Sites
Phishing
Spam URLs
Spyware Adware Keyloggers
 
 
URL Threat Filter Screen
When you enable the URL Threat filtering service, your Zyxel Device will access an external database, Cloud Query, that has millions of web sites categorized based on content. You can have the Zyxel Device allow, block, warn and/or log access to web sites or hosts based on selected categories.
The priority for URL Threat checking is as follows:
1 White List
2 Black List
3 Cloud Query Cache
4 Cloud Query
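The following sketch models the checking order listed above. It is an added example, not Zyxel code: the class and function names, the sample entries, the `*` glob semantics and the caching of cloud results per hostname are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample data; none of these entries come from a real device.
WHITE_LIST = ["*.partner.example"]
BLACK_LIST = ["ads.partner.example", "*.tracker.example"]
CLOUD_DB = {"login-verify.example": "Phishing"}  # stand-in for Cloud Query


def host_of(url):
    """Return the lowercased hostname of a URL (or of a bare hostname)."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").lower()


def matches(host, patterns):
    # Assumption: '*' matches any run of characters, as in shell globbing.
    return any(fnmatchcase(host, p.lower()) for p in patterns)


class UrlThreatCheck:
    """First-match evaluation in the order the page lists (hypothetical model)."""

    def __init__(self, white, black, cloud_db):
        self.white, self.black, self.cloud_db = white, black, cloud_db
        self.cache = {}          # hostname -> category, or None if uncategorized
        self.cloud_queries = 0   # how many lookups actually left the device

    def check(self, url):
        """Return (stage that decided, threat category or None)."""
        host = host_of(url)
        if matches(host, self.white):        # 1 White List
            return ("white list", None)
        if matches(host, self.black):        # 2 Black List
            return ("black list", None)
        if host in self.cache:               # 3 Cloud Query Cache
            return ("cloud query cache", self.cache[host])
        self.cloud_queries += 1              # 4 Cloud Query
        category = self.cloud_db.get(host)
        self.cache[host] = category
        return ("cloud query", category)


if __name__ == "__main__":
    f = UrlThreatCheck(WHITE_LIST, BLACK_LIST, CLOUD_DB)
    for u in ("http://ads.partner.example/banner",
              "https://cdn.tracker.example/x.js",
              "http://login-verify.example/",
              "http://login-verify.example/"):
        print(u, "->", f.check(u))
```

Because the white list is evaluated first, the broad entry `*.partner.example` decides the request for `ads.partner.example` before the more specific black list entry is ever consulted, which is the reason to keep white list wildcards narrow.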
Use this screen to enable URL Threat filtering and specify the action the Zyxel Device takes when it detects a suspicious activity or a connection attempt to or from a site in a selected category.
Click the URL Threat Filter icon for more information on the Zyxel Device’s security features.
The following table describes the labels in this screen.
Configuration > Security Service > Reputation Filter > URL Threat Filter > General 
Label
Description
URL Blocking
Enable
Select this option to turn on URL blocking on the Zyxel Device.
Action
Set what action the Zyxel Device takes when it detects a connection attempt to or from the web pages of the specified categories.
block: Select this action to have the Zyxel Device block access to the web pages that match the categories that you select above.
warn: Select this action to have the Zyxel Device display a warning message to the access requesters for the web pages before allowing users to access web pages that match the categories that you select above.
pass: Select this action to have the Zyxel Device allow access to the web pages that match the categories that you select above.
Log
These are the log options:
no: Do not create a log when it detects a connection attempt to or from the web pages of the specified categories.
log: Create a log on the Zyxel Device when it detects a connection attempt to or from the web pages of the specified categories.
log alert: An alert is an emailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a connection matches web pages of the specified categories.
Message to display when a site is blocked
Denied Access Message
Enter a message to be displayed when the URL Threat filter blocks access to a web page. Use up to 127 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%,”). For example, “Access to this web page is not allowed. Please contact the network administrator”.
It is also possible to leave this field blank if you have a URL specified in the Redirect URL field. In this case if the URL Threat filter blocks access to a web page, the Zyxel Device just opens the web page you specified without showing a denied access message.
Redirect URL
Enter the URL of the web page to which you want to send users when their web access is blocked by the URL Threat filter. The web page you specify here opens in a new frame below the denied access message.
Use “http://” or “https://” followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access.
Security Threat Categories
Select the categories of web pages that may pose a security threat to network devices behind the Zyxel Device.
Anonymizers
Sites and proxies that act as an intermediary for surfing to other Web sites in an anonymous fashion, whether to circumvent Web filtering or for other reasons.
Browser Exploits
Sites that contain browser exploits. A browser exploit is any content that forces a web browser to perform operations that you do not explicitly intend.
Malicious Downloads
Sites that have been identified as containing malicious downloads or malware harmful to a user's computer.
Malicious Sites
Sites that install unwanted software on a user's computer with the intent to enable third-party monitoring or make system changes without the user's consent.
Phishing
Sites that are used for deceptive or fraudulent purposes, such as stealing financial or other user account information. These sites are most often designed to appear as legitimate sites in order to mislead users into entering their credentials.
Spam URLs
Sites that have been promoted through spam techniques.
Spyware Adware Keyloggers
Sites that contain spyware, adware or keyloggers.
Spyware is a program installed on your computer, usually without your explicit knowledge, that captures and transmits personal information or Internet browsing habits and details to companies. Companies use this information to analyze browsing habits, to gather marketing data, and to sell your information to others.
Key logger programs try to capture and steal your passwords and watch and record everything you do on your computer.
Adware programs typically display blinking advertisements or pop-up windows when you perform a certain action. Adware programs are often installed in exchange for another service, such as the right to use a program without paying for it.
Test URL Threat Category
 
URL to test
Enter a URL using http://domain or https://domain and click the Query button to check if the domain belongs to a URL threat category.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
URL Threat Filter White List Screen
Use this screen to create white list entries. The Zyxel Device will allow incoming packets from the listed IPv4 addresses and URLs.
The following table describes the labels in this screen.
Configuration > Security Service > Reputation Filter > URL Threat Filter > White List 
Label
Description
Enable White List
Select this to bypass checking by this feature (if enabled) and automatically allow packets from the listed IPv4 addresses and URLs.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This is the entry’s index number in the list.
White List
This field displays the URL of this entry.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
URL Threat Filter Black List Screen
Use this screen to create black list entries. The Zyxel Device will block incoming packets from the listed IPv4 addresses and URLs.
The following table describes the labels in this screen.
Configuration > Security Service > Reputation Filter > URL Threat Filter > Black List 
Label
Description
Enable Black List
Select this to bypass checking by this feature (if enabled) and automatically block packets from the listed IPv4 addresses and URLs.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This is the entry’s index number in the list.
Black List
This field displays the URL of this entry.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
URL Threat Filter External Black List Screen
Use this screen to use black list entries stored in a file on a web server that supports HTTP or HTTPS. The Zyxel Device will block incoming and outgoing packets from the black list entries in this file.
The external black list file must be in text format (*.txt) with each entry separated by a new line. External black list entries can consist of a complete URL or a hostname and may contain wildcards. The following examples are for reference only:
https://www.zyxel.com/products_services/smb.shtml?t=s (complete URL)
www.zyxel.com (hostname)
*.zyxel.* (hostname with wildcards)
If the external black list file contains any invalid entries, the Zyxel Device will not use the file.
The external black list file can contain up to 50,000 entries. A warning message displays when the maximum is reached.
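Because a single invalid entry causes the whole file to be ignored, it is worth checking the file before publishing it on the web server. The checker below is an added example, not a Zyxel tool: the page does not define what makes an entry invalid, so the rules here (http/https URLs only, dot-separated hostname labels, `*` allowed in labels, no whitespace or blank lines) are conservative assumptions, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

MAX_ENTRIES = 50_000  # limit stated on this page

# Assumption: a hostname is at least two dot-separated labels made of letters,
# digits and hyphens; a wildcard entry may use '*' inside or instead of a label.
LABEL = r"[A-Za-z0-9*](?:[A-Za-z0-9*-]*[A-Za-z0-9*])?"
HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")


def classify(entry):
    """Return 'url', 'hostname' or 'wildcard', or None if the entry is invalid."""
    if not entry or re.search(r"\s", entry):
        return None                      # blank line or embedded whitespace
    if "://" in entry:
        try:
            parts = urlsplit(entry)
            host = parts.hostname
        except ValueError:               # e.g. malformed bracketed host
            return None
        if parts.scheme not in ("http", "https") or not host:
            return None
        return "url" if HOST_RE.match(host) else None
    if not HOST_RE.match(entry):
        return None
    return "wildcard" if "*" in entry else "hostname"


def lint_blacklist(text):
    """Check a whole file. Returns (ok, counts per kind, list of problems)."""
    counts = {"url": 0, "hostname": 0, "wildcard": 0}
    problems = []
    lines = text.splitlines()
    for lineno, line in enumerate(lines, start=1):
        kind = classify(line)
        if kind is None:
            problems.append((lineno, line))
        else:
            counts[kind] += 1
    if len(lines) > MAX_ENTRIES:
        problems.append((MAX_ENTRIES + 1, "more than 50,000 entries"))
    return (not problems, counts, problems)


if __name__ == "__main__":
    # Constructed sample: the three entry forms from this page plus two bad lines.
    sample = ("https://www.zyxel.com/products_services/smb.shtml?t=s\n"
              "www.zyxel.com\n*.zyxel.*\n"
              "ftp://files.example/list\nbad host.example\n")
    ok, counts, problems = lint_blacklist(sample)
    print("usable:", ok, counts)
    for lineno, line in problems:
        print(f"  line {lineno}: {line!r}")
```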
The following table describes the labels in this screen.
Configuration > Security Service > Reputation Filter > URL Threat Filter > External Black List 
Label
Description
URL Blocking For External DB
Enable URL Blocking For External DB
Select this check box to have the Zyxel Device bypass checking by this feature (if enabled) and automatically block packets that come from the listed addresses in the black list file on the server.
*Select Enable under URL Blocking in the Configuration > Security Service > Reputation Filter > URL Threat Filter > General screen for the black list to take effect.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This is the entry’s index number in the list.
Name
Enter an identifying name for the black list file. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Source
Enter the exact file name, path and IP address of the server containing the black list file.
For example, http://172.16.107.20/blacklist-files/myip-ebl.txt
The server must be reachable from the Zyxel Device.
Description
Enter a description of the black list file. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
 
New IP reputation signatures can be downloaded to the Zyxel Device periodically if you have subscribed for the IP reputation signatures service.
You need to create an account at myZyxel, register your Zyxel Device and then subscribe for IP reputation service in order to be able to download new signatures from myZyxel (see the Registration screens).
Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network.
Update Now
Click this to have the Zyxel Device immediately check for new signatures at myZyxel. If new signatures are found, they are then downloaded to the Zyxel Device.
Auto Update
Click this to have the Zyxel Device automatically check for new signatures regularly at the time and day specified. You should select a time when your network is not busy for minimal interruption.
Daily
Select this to have the Zyxel Device check for new signatures every day at the specified time. The time format is the 24 hour clock, so ‘23’ means 11 PM for example.
Weekly
Select this option to have the Zyxel Device check for new signatures once a week on the day and at the time specified.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
URL Threat Filter Profile
To use multiple profiles for this feature, run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style advance
Router(config)# show secure-policy-style status
secure-policy-style: advance
After you run these commands, go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
After you log in again, you will see the new profile screen for this feature.
The following table describes the labels in this screen.
Label
Description
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
Select an entry and click Remove to delete the selected entry.
#
This field is a sequential value showing the number of the profile. The profile order is not important.
Name
This displays the name of the profile created.
Description
This displays the description of the profile.
Add or Edit a URL Threat Filter Profile
Click Add to create a new entry or select an existing entry and click Edit to open the following screen where you can create or modify the entry’s settings.
The following table describes the labels in this screen.
Configuration > Security Service > Reputation Filter > URL Threat Filter > Profile > Add/Edit  
Label
Description
Configuration
 
Profile Name
Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Description
Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.
Action
Set what action the Zyxel Device takes when it detects a connection attempt to or from the web pages of the specified categories.
block: Select this action to have the Zyxel Device block access to the web pages that match the categories that you select above.
warn: Select this action to have the Zyxel Device display a warning message to the access requesters for the web pages before allowing users to access web pages that match the categories that you select above.
pass: Select this action to have the Zyxel Device allow access to the web pages that match the categories that you select above.
Log
These are the log options:
no: Do not create a log when it detects a connection attempt to or from the web pages of the specified categories.
log: Create a log on the Zyxel Device when it detects a connection attempt to or from the web pages of the specified categories.
log alert: An alert is an emailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a connection matches web pages of the specified categories.
Scan Options
 
Check White List
Select this check box to have the Zyxel Device not perform the URL Threat filter check on URLs that match the white list entries.
Check Black List
Select this check box to have the Zyxel Device perform the URL Threat filter check on URLs that match the black list entries.
Check External Black List
Select this check box to have the Zyxel Device perform the URL Threat filter check on URLs that match the external black list entries.
Security Threat Categories
Select the categories of FQDNs that may pose a security threat to network devices behind the Zyxel Device.
Anonymizers
Sites and proxies that act as an intermediary for surfing to other Web sites in an anonymous fashion, whether to circumvent Web filtering or for other reasons.
Browser Exploits
Sites that contain browser exploits. A browser exploit is any content that forces a web browser to perform operations that you do not explicitly intend.
Malicious Downloads
Sites that have been identified as containing malicious downloads or malware harmful to a user's computer.
Malicious Sites
Sites that install unwanted software on a user's computer with the intent to enable third-party monitoring or make system changes without the user's consent.
Phishing
Sites that are used for deceptive or fraudulent purposes, such as stealing financial or other user account information. These sites are most often designed to appear as legitimate sites in order to mislead users into entering their credentials.
Spam URLs
Sites that have been promoted through spam techniques.
Spyware Adware Keyloggers
Sites that contain spyware, adware or keyloggers.
Spyware is a program installed on your computer, usually without your explicit knowledge, that captures and transmits personal information or Internet browsing habits and details to companies. Companies use this information to analyze browsing habits, to gather marketing data, and to sell your information to others.
Key logger programs try to capture and steal your passwords and watch and record everything you do on your computer.
Adware programs typically display blinking advertisements or pop-up windows when you perform a certain action. Adware programs are often installed in exchange for another service, such as the right to use a program without paying for it.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
Link a Profile
To link a profile to a policy, go to the Configuration > Security Policy > Policy Control screen, select a policy, and then click Edit. In the Edit Policy screen under Profile, select which profile you want to use for each security service.
URL Threat Filter Advance Screen
The Configuration > Security Service > Reputation Filter > URL Threat Filter screen also changes when using profiles.
The following table describes the labels in this screen.
Configuration > Security Service > Reputation Filter > URL Threat Filter > General 
Label
Description
URL Blocking
Enable
Select this option to turn on URL blocking on the Zyxel Device.
Inspect all traffic, setting:
Select this to have all traffic inspected by the default_profile. You cannot rename or delete the default_profile profile, but you can edit it by clicking the link here.
Inspect by policy
If you configured a specific profile in the Profile tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to a policy in Security Policy > Policy Control.
Message to display when a site is blocked
Denied Access Message
Enter a message to be displayed when the URL Threat filter blocks access to a web page. Use up to 127 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%,”). For example, “Access to this web page is not allowed. Please contact the network administrator”.
It is also possible to leave this field blank if you have a URL specified in the Redirect URL field. In this case if the URL Threat filter blocks access to a web page, the Zyxel Device just opens the web page you specified without showing a denied access message.
Redirect URL
Enter the URL of the web page to which you want to send users when their web access is blocked by the URL Threat filter. The web page you specify here opens in a new frame below the denied access message.
Use “http://” or “https://” followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access.
Test URL Threat Category
 
URL to test
Enter a URL using http://domain or https://domain and click the Query button to check if the domain belongs to a URL threat category.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
Remove Profiles
To remove profiles and revert to the default general security policy style, you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Threat Filter, URL Threat Filter, IDP, Email Security.
Note: All profiles that you created will be removed from Security Policy > Policy Control.
Run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style general
Router(config)# show secure-policy-style status
secure-policy-style: general
Wait a minute and then go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
After you log in again, you will not see the profile screen for this feature.