  1. #1
    Untangler
    Join Date
    Mar 2020
    Posts
    37

    Policy Manager logic

    Based on the Policy Manager being the centre for defining rules etc., I have created a Policy for my SkyHD box; the main reason was that the web filter was breaking the OnDemand downloads etc.

    So the Web Filter is set up to bypass *.sky.com in the pass sites area, and the Policy Manager has a rule that applies it to the Sky HD box via a tag at present.

    To expand on this I am then looking at adding a firewall rule within the firewall app, with an explicit deny at the bottom.

    Above the deny rule I am going to add a rule allowing TCP/80 and UDP/3700, as these are the ports that are showing within the sessions and report logs.

    Is this logic the way of building the rules based on Policy Manager?

    I'm used to more traditional firewall devices such as pfSense and Sophos XG.

    I can see there being more Policy Manager defined rules based on the device etc. I had originally planned to just have an IoT-based rule and leave it at that, but part of me doesn't want to whitelist web domains for devices that don't need to have them whitelisted, so therefore create separate policies. However, this potentially creates a whole heap of admin.

  2. #2
    Untangler
    Join Date
    Apr 2020
    Location
    United Kingdom
    Posts
    58


    I have a similar thing set up and I'm probably not as locked down as you are in terms of an implicit deny at the bottom of the pile, but how I've done things is tag each device with a unique name and use that to shunt them over into the IoT policy. Within Firewall and Application Control you can then create rules to hit the device with that tag. For example, under the App Control for the IoT Policy, I have a rule that blocks YouTube from just the Set-Top-Box. The reason being that I don't want the kids browsing YouTube from that app and would rather they did that from the Smart TV, which also has YouTube on it - the difference being, the TV lets me put a PIN code on opening the app, so they can't just watch whatever, whenever.

    I guess you can also do the reverse and pass certain apps/sites for devices if you're blocking everything below. What I haven't tried yet and perhaps someone here will answer... A device can have multiple tags; so in my example above that would be a tag of 'STB' and also 'IoT Devices'. If I use 'IoT Devices' in a rule, would that apply to all hosts with that tag?

    Sorry if I've misunderstood your question and not helped at all!
    Last edited by Armshouse; 06-01-2020 at 05:28 AM.

  3. #3
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,660


    You need to separate things in your head. Policies have nothing to do with Firewall rules.

    You have a policy, which contains apps, and those apps have settings to define a security context.
    Policy rules shove traffic into the policies.

    So based on policy rules you could have different firewall settings apply at different times a day for example. To do this you'd have two different policies, each with their own firewall app, each firewall app configured separately.

    The configuration is a little mind numbing at first, but once you get your head around it you'll find you can do just about anything with this system.

    Tags are a great way to identify specific systems so they are subject to specific policy rules configured based on them. You can also save a username to a device, and use those too.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangler
    Join Date
    Mar 2020
    Posts
    37


    Quote Originally Posted by sky-knight View Post
    You need to separate things in your head. Policies have nothing to do with Firewall rules.

    You have a policy, which contains apps, and those apps have settings to define a security context.
    Policy rules shove traffic into the policies.

    So based on policy rules you could have different firewall settings apply at different times a day for example. To do this you'd have two different policies, each with their own firewall app, each firewall app configured separately.

    The configuration is a little mind numbing at first, but once you get your head around it you'll find you can do just about anything with this system.

    Tags are a great way to identify specific systems so they are subject to specific policy rules configured based on them. You can also save a username to a device, and use those too.
    All makes sense and what I was mapping out in my mind, I probably didn't describe it particularly well in my post.

    I have a bunch of IoT kit that I'll start to lock down with the approach above, but firewall port usage is the first port of call.
    IoT devices kicking around are:
    Ring
    Nest
    Amazon Alexa
    Philips Hue
    Ikea
    Car
    Kitchen appliances...

    So I may create an IoT parent policy and then do child policies for the different devices / vendors etc.

  5. #5
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,029


    Another way to think about Policy Manager is to think of it as an exception manager (alluded to in sky-knight's post). But before getting into all that, let me note that anything that can be done in Config->Network is more efficient from a resources point of view.

    For example, I want to bypass all Amazon Kindles on my network. As background, from old thought habits I manually (on paper) segment my network address space. Kindles get a fixed block of addresses, and using Untangle's DHCP server, I assign static addresses to the Kindles from that block.

    Now I can use addresses in rules just because of old habits. And in the case of the Kindles, since I want to bypass all the Kindles equally, without exception, I crafted a source-address-based Bypass Rule in Config->Network.

    Attachment 10253

    Kindles can come and go, but because of my DHCP habit, the bypass rule will just work.

    But there are times when I want or need to create an exception to my default app selection or my default app configuration. That's a place where I'd call on Policy Manager. So, for example, my default policy includes an instance of SSL Inspector. I have two exception cases to that default policy for SSL inspection, but I'll illustrate my point with just one of those exceptions. I don't wish to inspect SSL traffic on my guest network, so I create a policy based on the internal interface in use. I then install SSL Inspector in that policy and power it off. Now any sessions on my interface labelled Guest do not use SSL Inspector, but all other apps and app configurations in my default policy are applied to those sessions.

    Is that logical? To me it is, but that's just me. Others can and do approach the same scenario differently.
    Last edited by Sam Graf; 06-01-2020 at 07:59 AM.

  6. #6
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,660


    Quote Originally Posted by mikeyscott View Post
    All makes sense and what I was mapping out in my mind, I probably didn't describe it particularly well in my post.

    I have a bunch of IoT kit that I'll start to lock down with the approach above, but firewall port usage is the first port of call.
    IoT devices kicking around are:
    Ring
    Nest
    Amazon Alexa
    Philips Hue
    Ikea
    Car
    Kitchen appliances...

    So I may create an IoT parent policy and then do child policies for the different devices / vendors etc.
    You certainly could! How the devices are handled in your policy rules is the only logical hangup. And the more policies you have, the more stuff there is to maintain.

    Just remember that all rules in Untangle work the same way... each flag added to the rule is connected via a logical AND, and the rules themselves operate as first rule matching wins. So you want your policy rules to get more broad as you go down the list, keep the specific stuff at the top.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
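An added example, written for this page and not code from the thread or from Untangle: a small Python model of the rule semantics sky-knight describes above (every flag on a rule is ANDed, the first matching rule wins), with a constructed rule set modelled on the plan in post #1 (allow TCP/80 and UDP/3700 for the tagged Sky box, explicit deny below). It also includes a static check that reports rules an earlier, broader rule makes unreachable, which is the ordering mistake the post warns about. The `Session` and `Rule` names, the default allow when no rule matches, and treating a tag condition as "the source device carries that tag" are assumptions of this toy model, not statements about how Untangle itself evaluates tags.

```python
# Added example, not Untangle code: a toy first-match rule evaluator.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    src_tags: frozenset  # tags on the source device, e.g. {"IoT", "STB"}
    proto: str           # "TCP" or "UDP"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "block"
    tag: Optional[str] = None      # assumption: device must carry this tag
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def conditions(self) -> dict:
        """Only the fields that were set count as conditions."""
        return {k: v for k, v in (("tag", self.tag),
                                  ("proto", self.proto),
                                  ("dst_port", self.dst_port))
                if v is not None}

    def matches(self, s: Session) -> bool:
        """Every set condition must hold: the flags are ANDed together."""
        return ((self.tag is None or self.tag in s.src_tags)
                and (self.proto is None or self.proto == s.proto)
                and (self.dst_port is None or self.dst_port == s.dst_port))


def evaluate(rules, session):
    """First matching rule wins. With no match we assume a default allow."""
    for r in rules:
        if r.matches(session):
            return r.name, r.action
    return "default", "allow"


def shadowed_rules(rules):
    """Static check: a rule can never fire if an earlier rule's conditions
    are a subset of its own, because that broader rule always matches first.
    Returns the names of such unreachable rules, in list order."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.conditions().items() <= later.conditions().items():
                dead.append(later.name)
                break
    return dead


# Constructed rule set modelled on post #1: specific allows, broad deny last.
GOOD_ORDER = [
    Rule("sky-http", "allow", tag="SkyHD", proto="TCP", dst_port=80),
    Rule("sky-udp3700", "allow", tag="SkyHD", proto="UDP", dst_port=3700),
    Rule("sky-deny", "block", tag="SkyHD"),
]

# The same three rules with the broad deny moved to the top of the list.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]


if __name__ == "__main__":
    sky = Session(frozenset({"SkyHD", "IoT"}), "TCP", 80)
    print(evaluate(GOOD_ORDER, sky))   # ('sky-http', 'allow')
    print(evaluate(BAD_ORDER, sky))    # ('sky-deny', 'block')
    print(shadowed_rules(BAD_ORDER))   # ['sky-http', 'sky-udp3700']
```

Run it as a script and the same Sky session is allowed under GOOD_ORDER but blocked under BAD_ORDER, and `shadowed_rules` names the two allows that the misplaced deny makes dead. A session from a device without the SkyHD tag falls through all three rules to the model's default allow, which is the point of tagging: rules scoped by tag only touch the hosts carrying that tag.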

  7. #7
    Untangler
    Join Date
    Apr 2020
    Location
    United Kingdom
    Posts
    58


    There's a Policy Manager YouTube video here: https://www.youtube.com/watch?v=PhLxWSxiFA0
