ER7206 URL Filtering configuration

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

ER7206 URL Filtering configuration

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
ER7206 URL Filtering configuration
ER7206 URL Filtering configuration
2023-02-18 16:27:49 - last edited 2023-02-18 16:29:43
Tags: #filtering
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.2.3 Build 20221104 Rel.41500

I'm looking for advice on how to DENY access to specific Web pages and not Web sites.  Right now, I have several bit[dot]ly URLs I want to Deny access to.

 

Here is the configuration page :

 

Behavior Control -> Web Filtering -> URL filtering

 

Settings :

 

IP GROUP : IPGROUP_ANY
POLICY : Deny

 

Here is where I seeking advice/knowledge on what these do and how to use them ( if possible ) to Dent access

 

MODE : URL Path
MODE : Keywords

FILTERING CONTENT :

 

I have not been able to get any specific webpage to be blocked.  I've tried both MODE options.  I have used test cases rather than the actual Malware sites I'm trying to block access to.

 

I don't see anything in the way of documentation on this subject anywhere.

 

I do have a Support case that I opened 2 days ago.

 

**  I am not using the Omanda.  I logon to the ER7206 directly to configure.

**  I am able to deny access to a Website, by using the WEB GROUP and WEB GROUP FILTERING configurations.  Works perfectly for me.

 

 

 


 

  0      
  0      
#1
Options
6 Reply
Re:ER7206 URL Filtering configuration
2023-02-19 15:26:14
To accomplish this you would use URL Path Mode. The PATHs you specify need to match exactly to what is shown in the browser in order to work. More Information: https://www.tp-link.com/us/configuration-guides/configuring_behavior_control/?configurationId=18570#_idTextAnchor000
  0  
  0  
#2
Options
Re:ER7206 URL Filtering configuration
2023-02-19 16:06:00

  @HellBent 

 

Thanks HB for your time.

 

I found one sentence in the document, related to what I think should work for me:

 

   URL Path: If a website address is the same as any of the entire URLs, the policy will be applied to this website.

 

So I tried three different test URLs ( I put the entire URL in the [Filtering Content] box ), and none were blocked :

 

https://www.tp-link.com/us/business-networking/omada-sdn-router/

https://www.tp-link.com/us/support/

https://www[dot]wsj[dot]com/?mod=nav_top_section

 

* note : The "https://" and the last "/" gets stripped from the [Filtering Content] box.

 

I think I need an example of what works from anyone.

 

Thanks in advance.

  0  
  0  
#3
Options
Re:ER7206 URL Filtering configuration
2023-02-19 16:48:46

  @TCrain 

 

In a URL like https://community.tp-link.com/en/

 

https:// = Protocol

community = Sub-Domain

tp-link.com = Domain Name

en = Path

/ = Root Directory of the Path (Web Browsers work with or without the trailing slash and it all depends on how the web developer formatted their hyperlinks)

 

https:// and / get striped because URL filtering matches text and does not need the Protocol or the trailing /

 

Test using a HTTP site if you can find one. If that works then it means the ER7206 cannot analyze encrypted HTTPS traffic

  0  
  0  
#4
Options
Re:ER7206 URL Filtering configuration
2023-02-19 20:33:48 - last edited 2023-02-19 20:35:16

  @TCrain 

 Well HB, you nailed it! 

 

I tried http://www [dot] testingmcafeesites [dot] com/testcat_an.html and it was blocked!  I'd always thought with HTTPS, the "GET <URL>" command was sent and the results where encrypted.  Because that's what's in the WireShark packet trace.

 

Yet for the documentation, it should be updated to include this inability to function as advertised when HTTPS is involved.

 

Yet for me, BTF what's next.   

  0  
  0  
#5
Options
Re:ER7206 URL Filtering configuration
2023-02-19 21:53:42

  @TCrain 

 

In most Content/Web Filters, HTTP sites are blocked by examining the Host field of the GET request. HTTPS sites are blocked by examining the Server Extensions field in the Client Hello message and/or the CN in the Server Hello message. I have also found most Content/Web Filters can block HTTP by default, but HTTPS blocking has to be enabled manually if the feature exists. You are going to have to wait and see if they add support for HTTPS.

 

With that said, I find TP-Link equipment is not released "Full-Featured" to the market. You need to wait for the slow firmware releases. Their business routers are meant for Basic Small business needs. If you have any cybersecurity compliance requirements, I would recommend upgrading to an Enterprise Grade Router/Firewall like a SonicWALL. You can also try other 3rd party content filters. Some managed Anti-Virus applications allow you to block content as well.

  0  
  0  
#6
Options
Re:ER7206 URL Filtering configuration
2023-02-20 01:14:31

  @HellBent 

 

I bought this thing in January just to filter out Websites and URLs.  Mostly because of the purchase price and annual support costs of a real firewall.

 

So I'll start looking elsewhere and at other devices.

 

Thanks HB for sharing your Knowledge!

  0  
  0  
#7
Options