IMFirewall Blog

How to set a redirect denial page in WFilter?

Administrator — Mon, 23 Apr 2012 05:06:00 GMT

Sometimes you might want to redirect blocked websites to a new URL. To do this, you need to edit WFilter denial page in source mode.

This tutorial will guide you to configure a redirect denial page in WFilter.

First, edit a blocking level

Edit a blocking level and new a denial page. Please don't forget to list your new URL in the exception list.

Second, edit the denial page in source mode.

A javascript code is required:

Third, uncheck "view source" and click "Save" to save the settings.

Please notice, click "save" after unchecking "view source".

Done, now all blocked web request will be redirected to the new url.

More information, please check "WFilter Enterprise".

When shall you use two network cards for monitoring and blocking?

Administrator — Tue, 03 Apr 2012 03:40:46 GMT

In "pass-by" filtering mode(WFilter works on a mirroring port), WFilter sends RST packets to block TCP connections. However, if outgoing traffic is limited on the blocking adapter, blocking feature of WFilter might not be working.

The default settings of WFilter use a same adapter for monitoring and blocking. However, it will not work if a following condition is met.

The monitoring switch does not allow outgoing traffic on the mirroring port. You can check this by "ping" other computers in the monitoring computer. This problem can be solved by changing switch settings(if supported) or adding a separated blocking adapter. Cisco switches have a parameter "ingress" to enable outgoing traffic on the mirroring port.
The monitoring adapter is too busy of receiving mirrored packets. We recommend you to use another NIC for blocking when you have 50+ computers. To check this issue, you can run "System Settings"->"Check Settings" to perform a checking on the blocking adapter.

Steps to add a blocking adapter

1. Add a physical network card and connect this NIC to a normal port in your switch. If you have multiple VLANs, the blocking adapter shall be in a VLAN which can reach other VLANs.

2. Assign an available ip address and gateway settings to the new NIC.

3. If WFilter does not detect the new card in "System Settings"->"Monitoring Settings", please click "Start"->"IMFirewall WFilter"->"Tools"->"Restart WFilter Service" to reload the adapters list.

4. Choose the new network card as the "blocking adapter" in "System Settings"->"Monitoring Settings"->"Monitoring Device Settings".

5. Run "System Settings"->"Check Settings" to check.

6. Sometimes windows can not choose the correct network card for communicate, in that case, please check this topic to set "Metric": Blocking adapter doesn't work when using two network cards

How to block VNC traffic of network computers with WFilter?

Administrator — Mon, 02 Apr 2012 07:01:30 GMT

VNC® provides secure remote access computers from any location for your home and organization. RFB is the protocol used in VNC and its derivatives.

This tutorial will guide you to block VNC with "WFilter Enterprise 4.0". Because blocking of VNC is not supported by default in WFilter, in this example, we uses "Customize Protocols" feature of WFilter to define the VNC protocol.

First, Add "VNC" Protocol in "Customize Protocols".

In "Customize Protocols", new a protocol named "vnc".

VNC has a pattern:
"vnc_tcp":
Type--"TCP ALL"
Format--"0"
Pattern Content--"^\x52\x46\x42\x20\x30\x30"

Second, Enable blocking of VNC in certain blocking levels.

And apply this blocking policy to certain computers.

Now, VNC will be blocked.

WFilter blocking events:

Failure connection of VNC.

WFilter deployment with RouterOS's port streaming feature.

Administrator — Fri, 02 Mar 2012 08:22:40 GMT

Installed on a personal computer or server computer, RouterOS turns the computer into a network router, implementing features such as firewall rules, virtual private network (VPN) server and client, bandwidth shaping and quality of service, wireless access point functions and other commonly used features for routing and interconnecting networks.

To implement internet monitoring and more powerful internet filtering features with your RouterOS, you can enable RouterOS's "port streaming" feature to mirror all internet packets to WFilter for monitoring and filtering.

This tutorial will guide you to configure RouterOS to work together with WFilter.

Enable Packet Streaming

Enable Packet Streaming in "Tools"->"Packet Sniffer", choose the lan interface as the sniffer interface.

Set the WFilter server ip as the streaming server

Set the WFilter server ip address as the streaming server

Done, now you're able to monitor all network computers in WFilter.

More information, please check "WFilter Enterprise".

Modify ESET personal firewall settings to make WFilter work.

Administrator — Thu, 16 Feb 2012 09:02:52 GMT

All internet packets are required for WFilter to parse network activities. However, the ESET personal firewall blocks non-local computer network packets by default. Therefore, when the ESET personal firewall is enabled, WFilter can not monitor itself computer because other computer's network packets are all blocked by ESET.

To make WFilter work with ESET personal firewall, you need to adjust the firewall settings.

The following example demonstrates how to configure ESET Smart Security 5.0:

1. Click "Setup" -> "Network" in ESET.

2. The filtering mode shall be "interactive filtering mode".

3. Click "Configure rules and zones..." to set the rules.

In "Toggle detailed view of all rules" view, click "new" to creat a new rule.

The new rule is set to allow all TCP&UDP traffic. All other rules shall be disabled.

Direction: Both
Action: Allow
Protocol: TCP & UDP
Profile: For every

4. In "Advanced Personal firewall setup..."

Uncheck "Check TCP connection status" in "Packet inspection" section of "IDS and advanced options".

Now your WFilter shall be able to work.

More information of disable ESET firewall, please check: http://kb.eset.com/esetkb/index?page=content&id=SOLN2113

WFilter adds solution for monitoring terminal server users.

Administrator — Wed, 15 Feb 2012 13:51:08 GMT

Terminal Services allows IT departments to install applications on a central server. For example, instead of deploying database or accounting software on all desktops, the applications can simply be installed on a server and remote users can log on and use them via the network. This centralization makes upgrading, troubleshooting, and software management much easier.

However, since all terminal clients share the server's network, it becomes difficult to monitor/filter individual users internet usage because most internet monitoring/filtering products only monitor/filter internet activities based on ip addresses or MAC addresses.

From WFilter en.3.3.148 version, with WFilter proxy's "user authentication" feature, you are able to monitor terminal client users and set differnet internet policy for each user.

Please check details of this solution at: How to monitor terminal server users?

How to block google mail (gmail) access of network computers?

WFilter — Tue, 07 Feb 2012 13:08:28 GMT

Sometimes you might want to block google mail(gmail) access in your network. This tutorial will guide to block gmail with WFilter.

Google mail( gmail ) supports vary kinds of access, including:

Web access via HTTPs protocol.
SMTP over SSL for sending emails.
POP over SSL for receiving emails.
IMAP over SSL for receiving emails.

So for complete blocking of gmail, you need to enable blocking of certain email protocols, and also need to enable "HTTPS black list" to block gmail web access.

1. Block SMTP/POP/IMAP over SSL

Enable blocking of "SMTP over SSL", "POP over SSL" and "IMAP over SSL" in certain blocking policy. These settings will block gmail access from email client programs.

2. Block gmail web access.

Enable "HTTPS black/white list", and choose "New" to new a list.

Add "mail.google.com" into the new HTTPs black list.

New gmail web access is also blocked.

Please notice: if gmail web page is already open before enabing of HTTPs black list, the current https session can not be blocked until restarting of your browser.

More information, please check "WFilter Enterprise".

Does port mirroring influence my network speed?

Administrator — Wed, 02 Nov 2011 14:25:56 GMT

For pass-by monitoring and filtering, you need to setup a mirroring port in your switch. When port mirroring feature is enabled, the switch will replicate data from other ports onto a single port for monitoring purpose. Since the original packets will not be hold or delayed, port mirroring does not affect your network speed theoretically.

However, inproper port mirroring settings will cause heavy load in your switch and even cause packet loss.

So please consider the following points when configuring a mirroring port:

Do not mirror multiple ports to one port until necessary.
If it is required to mirror multiple ports, please make sure the total mirrored ports throughput will not exceeds the mirroring port throughput limit.
For WFilter, mirroring the internet port is enough. Usually, only the router/firewall port needs to be mirrored.
If your switch does not allow outgoing traffic on the mirroring port, or you're using WFilter to filter internet access for more than 50 computers, it is recommended to use two network adapters: one is for monitoring only, another one is for filtering.

How to check whether port mirroring settings are correct?
How to check whether a switch supports port mirroring?
Why a port mirroring switch is required to monitor my network?

How to filter the internet access for business network?

Administrator — Sun, 30 Oct 2011 13:26:58 GMT

The internet has been turned to an invaluable tool in business. However, the availability of internet currently has given an important risk factor to the employer liability and at the same time consumes the employers 90% of hours in productivity.

Therefore internet access shall be filtered and restricted to keep the working productivity of your employees.

There have several ways to filter internet access:

1. Setup an network internet filtering program. With a filtering program, you will be able to filter internet access of all computers in your network from ONE computer only. There have a lot such products in the market. For example, WFilter Enterprise, or Websense Enterprise are very helpful for you to filter internet access of network computers.

Passby internet filtering products usually require you to setup a mirroring port in a manageable switch. Setting up a mirroring port does no change to your network toplogly and it will not influence your network performance.

2. Setup ACL policy in your Router/Firewall/UTM. Firewall devices can enable you to block websites/ports/ip addresses. So you also can setup ACL rules in your firewall to block certain traffic. For more information about UTM solution, please visit http://www.astaro.com

3. Filter websites from the dns server. You may try "opendns" solution. Opendns solution is simple and easy to setup. However, with this solution, there can only have one policy for your entire network.

WFilter 4.0 is coming.

Administrator — Fri, 30 Sep 2011 09:34:17 GMT

WFilter 4.0 version will be released soon after nearly two years development.

The new version made a lot improvement and optimization of current features. Also a series of new features are added, such as "WFilter Dashboard", "Central Management of WFilter servers", "WFilter Local Account", "Multi-adapter Monitoring", and several new alert types. Below is a brief introduction to these new features:

1. WFilter Dashboard

WFilter Dashboard allow you to check the monitoring status, log storage status, system warnings from a central dashboard.

2. WFilter Servers Management

This feature enables you to manage several WFilter servers from a central localtion.

3. Default IP Policy

The "Default IP Policy" feature enables you to set different policies to different ip ranges, when a new computer found it's default ip policy will be applied.

4. Search of Network Computers

You can use the "Search Computers" feature to search computers in your network. It's more convenient than the passive computer finding in the old version.

5. More Alert Types

More alert types are added: disk space alert, new computer alert, ip address changing alert...

6. More Powerful Account Monitoring

WFilter's "account monitoring" feature can integrate WFilter with your active directory. So you can deploy monitoring based on user accounts. The new version added "WFilter local accounts" feature. When you don't have an available active directory, you also can use "WFilter local account" feature to monitor/filter by user accounts.

6.1 Integrate Active Directory

6.2 WFilter local account

7. Multi-adapters Monitoring

WFilter 4.0 can support monitoring on multiple adapters to support complicated networkings.