
EdgeRouter - Create a Firewall Rule using Deep Packet Inspection (DPI)

Overview


This guide shows how to set up a firewall rule that blocks a specific application category (such as Social-Network) or a specific site (such as Facebook) using the EdgeRouter's DPI engine.

Table of Contents


1. Enable DPI

2. Create Ruleset with Rules

3. Configure Custom Category (optional)

4. Apply Ruleset to LAN Interface

Additional Information


Step 1 - Enable DPI


If the DPI engine is not already enabled, enable it by issuing the following commands.

Note: as of version 1.8.5, DPI is supported on the ER-X platform for non-offloaded traffic.

Note: the commands in this article will be issued in the configuration mode. Once you have access to the CLI, type “configure” to enter configuration mode. It is important to “commit” changes to make them active and “save” to save these changes to memory so they will persist after reboot. To exit configuration mode and return to operational mode type “exit”.

configure
set system traffic-analysis dpi enable
set system traffic-analysis export enable
commit

GUI: Traffic Analysis


Step 2 - Create Ruleset with Rules


It is possible to use the DPI engine to classify websites by categories such as Social-Network or Streaming-Media. You can add these classifications to firewall rules using the example below.

configure
set firewall name DROP_SITES default-action accept
set firewall name DROP_SITES rule 10 application category Social-Network
set firewall name DROP_SITES rule 10 action drop

Note: (Optional) If you would like to limit this rule to a specific IP address or address group, add a source address to the firewall rule as in the following examples, replacing the placeholder in angle brackets with your own value:

set firewall name DROP_SITES rule 10 source address <IP of computer>

Or

set firewall name DROP_SITES rule 10 source address-group <AddressGroupName>
commit

GUI: Firewall/NAT > Firewall Policies > Add Ruleset


GUI: Firewall/NAT > Firewall Policies > DropSites > Actions > Edit Ruleset > Add New Rule > Basic


GUI: Firewall/NAT > Firewall Policies > DropSites > Actions > Edit Ruleset > Add New Rule > Advanced


Step 3 - Configure Custom Category (optional)


If you would like to block a specific site such as Facebook, create a custom category for that site and then apply it to the ruleset. For example:

Note: Only one category or custom category can be applied to one rule.

configure
set system traffic-analysis custom-category DROP_FB name Facebook
commit
set firewall name DROP_SITES default-action accept
set firewall name DROP_SITES rule 10 application custom-category DROP_FB
set firewall name DROP_SITES rule 10 action drop
commit

GUI: Traffic Analysis > Add Category


Step 4 - Apply Ruleset to LAN Interface


configure
set interfaces ethernet eth<X> firewall in name DROP_SITES
commit
save
exit

GUI: Firewall/NAT > Firewall Policies > DropSites > Actions > Interfaces

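The four steps above collected into one shell function that prints the EdgeOS commands for a complete DPI drop ruleset. This is an added example, not part of Ubiquiti's article; it assumes the printed commands are pasted into the EdgeOS CLI, and the interface name eth1, address group LAN_KIDS and custom category DROP_FB are constructed values. Because a rule accepts only one category, each category gets its own rule number, and custom categories are committed before the rule that references them, as in Step 3.

```bash
#!/bin/bash
# emit_dpi_ruleset: print the EdgeOS commands that enable DPI, build a drop
# ruleset and attach it inbound on a LAN interface (Steps 1-4 above).
# EdgeOS allows one category per rule, so categories get rules 10, 20, ...
# A category written as custom:<NAME>:<app> is created as a custom category
# and committed before the rule that references it, as in Step 3.
#
# Usage: emit_dpi_ruleset <ruleset> <interface> [-g <address-group>] <category>...
emit_dpi_ruleset() {
  local ruleset="$1" iface="$2"; shift 2
  local group="" entry custom n=10
  if [ "$1" = "-g" ]; then group="$2"; shift 2; fi
  # Refuse anything that could smuggle extra tokens into a set command.
  for entry in "$ruleset" "$iface" "$group" "$@"; do
    case "$entry" in *[!A-Za-z0-9:._-]*)
      echo "invalid token: $entry" >&2; return 1 ;;
    esac
  done
  echo "configure"
  echo "set system traffic-analysis dpi enable"
  echo "set system traffic-analysis export enable"
  for entry in "$@"; do                      # custom categories first
    case "$entry" in custom:*)
      custom=${entry#custom:}
      echo "set system traffic-analysis custom-category ${custom%%:*} name ${custom#*:}" ;;
    esac
  done
  echo "commit"
  echo "set firewall name $ruleset default-action accept"
  for entry in "$@"; do
    case "$entry" in
      custom:*) custom=${entry#custom:}
                echo "set firewall name $ruleset rule $n application custom-category ${custom%%:*}" ;;
      *)        echo "set firewall name $ruleset rule $n application category $entry" ;;
    esac
    echo "set firewall name $ruleset rule $n action drop"
    if [ -n "$group" ]; then
      echo "set firewall name $ruleset rule $n source address-group $group"
    fi
    n=$((n + 10))
  done
  echo "set interfaces ethernet $iface firewall in name $ruleset"
  echo "commit"
  echo "save"
  echo "exit"
}

# Constructed example: drop Social-Network and Facebook for the LAN_KIDS group on eth1.
emit_dpi_ruleset DROP_SITES eth1 -g LAN_KIDS Social-Network custom:DROP_FB:Facebook
```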

Additional Information


List of currently available application categories (type the command below in configuration mode and press Tab repeatedly to see the available options):

ubnt@ubnt# set firewall name DropSites rule 10 application category

Business
Bypass-Proxies-and-Tunnels
File-Transfer
Games
Instant-Messaging
Mail-and-Collaboration
P2P
Remote-Access-Terminals
Security-Update
Social-Network
Stock-Market
Streaming-Media
TopSites-Adult
TopSites-Arts
TopSites-Business
TopSites-Computers
TopSites-Games
TopSites-Health
TopSites-Home
TopSites-KidsnTeens
TopSites-News
TopSites-Recreation
TopSites-Reference
TopSites-Regional
TopSites-Science
TopSites-Shopping
TopSites-Society
TopSites-Sports
Voice-over-IP
Web
Web-IM

To view all sites listed under a category:

ubnt@ubnt $ /usr/sbin/ubnt-dpi-util show-cat-apps Streaming-Media
Applications in category [Streaming-Media]
========================
56.com
6.cn
adnstream
adobe-flash
afreecatv
airplay
amazon-instant-video
amazon-prime-music
apple-music
....

To view which category a specific site is categorized under:

ubnt@ubnt$ /usr/sbin/ubnt-dpi-util search-app amazon
Applications            Category
amazon                  Web
amazon-cloudfront       Web
amazon-instant-video    Streaming-Media
amazon-prime-music      Streaming-Media
amazon.co.jp            TopSites-Regional
amazon.co.uk            TopSites-Regional

To view all application categories from the CLI:

In configuration mode type:

set firewall name DropSites rule 10 application category

Then press Tab to show all possible completions. This functionality works throughout the CLI: press Tab to see completions and press Tab twice to see a more detailed description.
