
EdgeRouter - Create a Firewall Rule using Deep Packet Inspection (DPI)


Overview


This guide shows how to set up a firewall rule that blocks specific application categories (such as Social-Network) or individual sites (such as Facebook) using the Deep Packet Inspection engine in EdgeOS.

NOTES & REQUIREMENTS:
  • This article was written using an EdgeRouter 6P on firmware 1.10.3 and applies to the latest EdgeOS firmware on all EdgeRouter models.
  • As of version 1.8.5, DPI is supported on the ER-X platform for non-offloaded traffic only; traffic handled by hardware offload is not inspected.
  • For more information about how the EdgeOS DPI engine works, see this article: EdgeMAX - Deep Packet Inspection Engine for EdgeRouter

Table of Contents


  1. GUI Steps: How to Create a Firewall Rule using DPI
  2. CLI Steps: How to Create a Firewall Rule using DPI
  3. Commands for Viewing Categories, Sites and Applications
  4. Related Articles

GUI Steps: How to Create a Firewall Rule using DPI



GUI: Access the Graphical User Interface (GUI).

1. Enable DPI. Navigate to Traffic Analysis > Operational Status and enable DPI. Take the following into consideration:

  • Enabled: Deep Packet Inspection Engine is actively analyzing traffic
  • Hosts Only: Traffic bandwidth is obtained without using DPI

2. Create Firewall Ruleset with Rules. It is possible to use the DPI engine to classify websites by categories such as Social-Network or Streaming-Media. You can add these classifications to firewall rules by following these steps:

NOTE: The following configuration is an example. Please use your own data that applies to your deployment.

2.1 Go to Firewall/NAT > Firewall Policies > Add Ruleset. Name the ruleset to your convenience and add a description that will make it easy to identify by any current or future admin. Select the default action you wish this ruleset to perform and click save.


2.2 Go to Firewall/NAT > Firewall Policies > DropSites > Actions > Edit Ruleset > Add New Rule > Basic and make the appropriate selections. For this example, the Action selected will be Drop, and the protocol will be set to All protocols.


2.3 Go to Firewall/NAT > Firewall Policies > DropSites > Actions > Edit Ruleset > Add New Rule > Advanced and select what application this should apply to. In this example Social-Network is selected.


3. Configure Custom Category. A specific site can be blocked by creating a custom category and applying it to the ruleset. For example:

3.1 Go to Traffic Analysis > Add Category to create a new category. Name it and add the Apps that will be part of this custom category. Only one category or custom category can be applied to each rule, so blocking several categories requires one rule per category.


4. Apply Ruleset to LAN Interface.

4.1 Go to Firewall/NAT > Firewall Policies > DropSites > Actions > Interfaces and select the interface and the direction in which it will apply. You may add more interfaces at this time.



CLI Steps: How to Create a Firewall Rule using DPI



CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enable DPI.

set system traffic-analysis dpi enable
set system traffic-analysis export enable

2. Create Firewall Ruleset with Rules.

set firewall name DROP_SITES default-action accept
set firewall name DROP_SITES traffic-analysis dpi enable
set firewall name DROP_SITES rule 10 application category Social-Network
set firewall name DROP_SITES rule 10 action drop

3. Configure Custom Category.

set system traffic-analysis custom-category DROP_FB name Facebook
commit
set firewall name DROP_SITES default-action accept
set firewall name DROP_SITES rule 10 application custom-category DROP_FB
set firewall name DROP_SITES rule 10 action drop
commit

4. Apply Ruleset to Interface

set interfaces ethernet eth1 firewall in name DROP_SITES
commit; save; exit
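The CLI steps above are one procedure; the following POSIX shell function, an added example and not part of the Ubiquiti article, generates that whole command batch for any number of categories. It assumes the ruleset name, interface and category names are supplied by the caller and that the printed commands will be pasted into configure mode on the router; because EdgeOS allows only one category per rule, each category becomes its own numbered rule.

```shell
#!/bin/sh
# Added example (not from the article): print the EdgeOS "set" commands that
# block several DPI categories with one ruleset. Each category gets its own
# rule (10, 20, 30, ...) because a rule takes only one category. The script
# never contacts a router; it only prints commands.
#
# Usage: gen_dpi_block_commands RULESET IFACE CATEGORY...
#   CATEGORY is a built-in name (Social-Network) or custom:NAME=App1,App2,
#   in which case the custom category is defined and committed before the
#   rule references it, as the article does for DROP_FB.
gen_dpi_block_commands() {
    ruleset=$1; iface=$2; shift 2
    [ $# -ge 1 ] || { echo "need at least one category" >&2; return 1; }
    echo "set system traffic-analysis dpi enable"
    echo "set system traffic-analysis export enable"
    # Pass 1: custom categories must exist (and be committed) before use.
    need_commit=0
    for cat in "$@"; do
        case $cat in custom:*=*)
            spec=${cat#custom:}; name=${spec%%=*}
            for app in $(printf '%s' "${spec#*=}" | tr ',' ' '); do
                echo "set system traffic-analysis custom-category $name name $app"
            done
            need_commit=1 ;;
        esac
    done
    if [ "$need_commit" -eq 1 ]; then echo "commit"; fi
    # Pass 2: ruleset with DPI enabled, one drop rule per category.
    echo "set firewall name $ruleset default-action accept"
    echo "set firewall name $ruleset traffic-analysis dpi enable"
    n=10
    for cat in "$@"; do
        case $cat in
            custom:*) spec=${cat#custom:}; key="custom-category ${spec%%=*}" ;;
            *)        key="category $cat" ;;
        esac
        echo "set firewall name $ruleset rule $n description \"DPI block ${key#* }\""
        echo "set firewall name $ruleset rule $n application $key"
        echo "set firewall name $ruleset rule $n action drop"
        n=$((n + 10))
    done
    echo "set interfaces ethernet $iface firewall in name $ruleset"
    echo "commit"
}

# Stand-alone run: two built-in categories plus a custom Facebook category.
gen_dpi_block_commands DROP_SITES eth1 Social-Network Streaming-Media \
    custom:DROP_FB=Facebook
```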

Commands for Viewing Categories, Sites and Applications



To view currently available application categories:

set firewall name DropSites rule 10 application category ?

Type the command above in configuration mode and press Tab (or ?) to list the available options. The output will look something like this:

Business
Bypass-Proxies-and-Tunnels
File-Transfer
Games
Instant-Messaging
Mail-and-Collaboration
P2P
Remote-Access-Terminals
Security-Update
Social-Network
Stock-Market
Streaming-Media
TopSites-Adult
TopSites-Arts
TopSites-Business
TopSites-Computers 
TopSites-Games
TopSites-Health
TopSites-Home
TopSites-KidsnTeens
TopSites-News
TopSites-Recreation
TopSites-Reference
TopSites-Regional
TopSites-Science
TopSites-Shopping
TopSites-Society
TopSites-Sports
Voice-over-IP
Web
Web-IM

To view all sites listed under a category:

$ /usr/sbin/ubnt-dpi-util show-cat-apps Streaming-Media
Applications in category [Streaming-Media]
========================
56.com
6.cn
adnstream
adobe-flash
afreecatv
airplay
amazon-instant-video
amazon-prime-music
apple-music
....

To view which category a specific site is categorized under:

$ /usr/sbin/ubnt-dpi-util search-app amazon

Output will be something similar to this:

Applications            Category
amazon                  Web
amazon-cloudfront       Web
amazon-instant-video    Streaming-Media
amazon-prime-music      Streaming-Media
amazon.co.jp            TopSites-Regional
amazon.co.uk            TopSites-Regional

Related Articles



EdgeRouter - Beginners Guide to EdgeRouter

Intro to Networking - How to Establish a Connection Using SSH

EdgeRouter - Deep Packet Inspection Engine for EdgeRouter