Author Archives: WFilter

WFilter ICF vs. dns internet filtering solutions

DNS internet filtering solution provides you a configurable dns server. Dns query to a blocked domain will be redirected to a denial page. This solution has below advantages and disadvantages.

Advantages:

  1. Easier to be deployed. You only need to change your dns server to get filtered.
  2. Can filter domains via a black list or url category.
  3. Can provide usage history and reports.

Disadvantages:

  1. The filtering dns server may not be as fast as public domain servers.
  2. Clients can break filtering by modifying dns servers.
  3. All clients can only share a same blocking policy.
  4. Can not block applications.
  5. Can only record dns query quest. No bandwidth reports or visited url reports.

Comparison

Compared to this internet filtering solutions, WFilter ICF is more difficult to be deployed. However, WFilter is much more powerful:

  1. When pass-by deployed, WFilter has no influence to your network performance.
  2. Client can not bypass filtering because WFilter inspects all network packets.
  3. You can set individual blocking policy for each client.
  4. More filtering features, including web filtering, web downloading blacklist, url keywords filtering, application control, ip-mac binding…
  5. More monitoring features and reports. WFilter can record visited domains, url, bandwidth… You can get various reports and statistics.

So if you only need to filter some domains or categories for the whole network, dns filtering would be a good choice. If you need more detailed reports or more dedicated blocking policy, WFilter ICF can be more helpful.

 

 

WFilter ICF vs. client & browser plugin internet filtering solutions

Client or browser plugin internet filtering solutions require you to install a client agent or browser plugin in client pc to filter websites. This solution has below advantages and disadvantages.

Advantages:

  1. Easier to be deployed. You can install client agent or plugin instantly.
  2. Can block domains or filter websites via cloud-based url category database.

Disadvantages:

  1. Can not filter smart phones internet access.
  2. Need to be installed in every client pc.
  3. Clients can break filtering by changing browser, or killing the agent process.

Comparison

Compared to this internet filtering solutions, WFilter ICF is more difficult to be deployed. However, WFilter is more powerful and easier for maintaince:

  1. WFilter can filter the whole network by one installation.
  2. All type of clients can be filtered, including smartphone, andriod, mac, windows, linux.
  3. No client installation is required.
  4. More features: internet usage monitoring and reporting, application control, web filter…

So, for personal/family usage, client & browser plugin web filtering solution might be a good choice. But when you need to manage a business network, WFilter ICF provides a better solution.

Comparison of WFilter ICF and other internet filtering solutions

WFilter internet content filter(ICF) is a windows software internet filtering solution for business networks. As an IT administrator, you may face several choices when deploying internet filtering in your network. In this topic, I will try to provide a comparison of WFilter ICF and other solutions.

As we have highlighted in WFilter homepage, WFilter can be deployed in pass-by mode, with minimal change to network topology. It requires no client installation. Please also check:

1. WFilter ICF vs. client & browser plugin internet filtering solutions.

2. WFilter ICF vs. dns internet filtering solutions.

3. WFilter ICF vs. internet filtering appliances.

4. WFilter ICF vs. proxy-based internet filtering solutions.

5. WFilter ICF vs. WFilter NG firewall.

WFilter is also very cost-effective, please check: WFilter price list.

How to block online file storage websites and file transfer applications?

Online storage solutions provide client applications and webpages for uploading and downloading files to and from their service. To stop business sensitive data being uploaded, you may want to block file storage websites and certain kind of applications.

In this post, I will try to explain the detailed steps with WFilter Enterprise.

First you need to install WFilter and make a correct deployment. Then you can add blocking policies.

1. Block online storage websites.

To block websites by categories, you need to enable “Block webpages by categories” and click “New…” in the dropdown list to create a category filtering rule. Then set “online storage” to “Deny”.

This option enables you to block most online storage websites, including both http and https sites.(ie: wetransfer.com)

block_filestorage01 block_filestorage02

2. Block file transfer applications.

To block file transfer applications, please click “edit” in “Applications” of your blocking policy. Then set certain protocols in “File transfers” to “Deny”. This option blocks pc and mobile applications clients. A supported protocol list can be found at WFilter supported protocols list.

block_filestorage03

Please note that the supported protocols and websites of WFilter can not cover all file transfer types.  If you want to block an application not in the supported list, please feel free to contact us. We will add it for you by free.

Also, for complete blocking of file transfers, you’re recommended to enable “website whitelist” of WFilter, so only work related websites can be accessed. And you also need to forbid usb and bluetooth devices.

 

 

 

How to block non-domain devices to access internet in network?

Some users asked about how to prevent non-domain devices to have internet access in business network. So this is the guide, using WFilter Enterprise.

As you know,  WFilter can be integrated with microsoft active directory. So you can monitor and filter internet usage by domain usernames. For details, please check: Active directory Integration of WFilter

To stop non-domain devices, please follow below steps:

1. Set a restricted policy to devices in “Default IP Policy” of “user-device list”.

So devices will only have restricted internet access.

block_non_domain01_en

2. Set real policy to domain users in “Users” of “user-device list”.block_non_domain02_en

3. Modify the “Policy Apply” option.

In “Advanced Settings” of “Account Monitoring Settings”, you need to set “Policy Apply” to “User Policy First”. So user policy will overwrite device policy.

block_non_domain03_en

 

Following upbove steps,  non-domain devices have restricted internet access only. When logged with a domain user, user policy will be applied.

 

WFilter Pass-by deployment for multiple VLANs network.

WFilter Enterprise( WFilter internet content filter) supports monitoring and filtering of multiple VLANs clients from a central WFilter pc.

Below is the deployment diagram:wfilter-vlan

Please note:

  1. The WFilter pc shall have two network cards.
  2. NIC1 shall be connected to the mirroring port.
  3. NIC2 shall be connected to the management VLAN, which can communicate with other VLANs.
  4. The mirroring port shall be configure to monitor the uplink port. (Connected to the up-layer router or firewall)

In WFilter, you also need to setup the “mirroring adapter” and “blocking adapter” in “System Settings”->”Monitoring Settings”. The mirroring adapter shall be the adapter connected to the mirroring port, while the blocking adapter shall be connected to the management VLAN.

 

How to block facebook videos streaming with WFilter NG firewall?

Sometimes, you might want to block facebook video streaming to save your bandwidth. There is predefined protocol named “facebook videos” in WFilter, which can help you to block facebook video by a few clicks. Here is the protocol description: facebook videos protocol and ports.

In another post, I’ve demonstrated how to block facebook videos with WFilter Enterprise. In this post, I will guide you to block facebook videos with “WFilter NG firewall”, which is a linux NG firewall designed for business networks.

1. New a block facebook policy in “App Control”.blockfb_video01

2. Set “facebook videos” to “Deny” in “streaming”.
blockfb_video02

3. That’s all. Now facebook videos will be blocked.
blockfb_video1 blockfb_video2

Please note, because short/small videos come from a same source as images, so blocking of facebook video does not short video cuts. Only medium or large size videos can be blocked.

How to block hotspot shield VPN in network with WFilter NG firewall?

Hotspot shield is a popular VPN service, with free version available.  When launched, it will try to connect a lot TLS sites for traffic relaying. If you do packet sniffer with wireshark, you will see  traffic  from famous sites like “google.com, baidu.com…”. But in fact, it’s hotspot vpn traffic in the camouflage of normal TLS.

Anyway, our team has worked out a protocol pattern to block Hotspot shield traffic completely in your network. WFilter identifies Hotspot via signature matching, so no matter in which transfer type or client version, all Hotspot traffic can be blocked. Here is a protocol description of hotspot shield VPN: protocol and port range of Hotspot shield.

Below are the steps with WFilter NG firewall:

1. New a “block hotspot” app control policy.

block_hotspot_01

2. Set “Hotspot shield” to “Deny”.block_hotspot_02

3. That’s all. Now hotspot shield will never be able to connect.

hotspot_blocked

4. The blocking event in WFilter NG firewall.

block_hotspot_03

Please note: all WFilter products can support blocking of hotspot shield, including WFilter NG firewall and WFilter Enterprise.

Integrate paypal payment with your ISP service.

The ISP module of WFilter NG firewall provides a total solution of bandwidth rate limiting, cap limiting and reporting of ISP users.  In this topic, I would like to introduce a paypal integration solution for your ISP service to run automatically. It works like this:

  1. Users get email/web portal notification of ISP account expire date.
  2. Users can click “renew” to make payment online via paypal.
  3. Upon receiving of a payment, payal will call a callback script to extend users’ expire date.

The whole process can all be done automatically. Below is a demonstration of certain steps:

The first, you need create payment buttons in your paypal business account.

paypal1 paypal2 paypal3

The second, you need to have an order landing page in your website.

When users click “renew” in their userportal or email notification, they will be redirected to the landing page. The landing page shall parse the “token” field to get username, expire date and current bandwidth policy. So you can calculate the costs for renewing. You can find an example of the landing page in WFilter_paypal_sdk.

paypal6.1 paypal6

The third, you need to enable “Instand payment notifications” in your paypal profile for callback.

When enabled, paypal will call the callback url for WFilter NG firewall to extend user date. paypal4 paypal5

 

The full php SDK soure code can be downloaded at here: WFilterNGF_Paypal_SDK_1_0.zip

Please note, we only provide a simple callback example. To make it work, you need to do below modifications at least:

  • Customize the landing page. For example, provide “1 month” and “2 months” choices.
  • Customize the callback php script. The default script extend this user for one month only.

For any question, please feel free to contact IMFirewall Support. We’re always will to help.

How to manage expiring and expired users in WFilter for ISP?

WFilter NG firewall has an ISP module, which is designed as a total solution for ISP management. You can check the details at this post: the ISP module of WFilter NG Firewall, a total solution for ISP management, and a online guide at: ISP management.

I would like to demonstrate how you can manage expiring and expired users in the ISP module.

1. You can add expiring and expired to different groups.

isp_expire_setting

When enabled, certain users will be added to groups automatically. So you add more policies to these groups in “Access Control” and “Bandwidth”. For example, you can:

a). Send expiring notification to expiring users with “Web Push” module. Users can renew online, and renew process can be complete automatically.

b). Restrict internet access of expired users. Please note that login is not allowed for expired PPPoE and WebAuth users.

2. Email notification to expiring users.

You can schedule email notification to expiring users at different time point(for example, 30 days before expiry).  Users also can click the “order now” link in email to renew their account. Please check below screenshots.

isp_expire_setting2 isp_expire_setting3

A sample email received:

isp_expire_setting4

 

More details can be found at here: WFilter NG Firewall ISP Module