Category Archives: Uncategorized

How to customize WFilter reports by directly querying the database?

Though WFilter already provides many reports by default, you may still need other report formats or data. In that case, you can query the database tables directly to get what you need.

Customizing reports is complicated with the file-based version of WFilter, so you need to install the database version of WFilter first. For installation steps, please check: WFilter Database Version Installation Guide

There is a “web surfing time report” in “Detailed Reports”->”Web Report”; in the WFilter user interface you can generate this report either “by name” or “by website”. If you need a report of web surfing time both “by name” and “by website” at the same time, you need to write a custom SQL query. The data is stored in the table “webreport”, which has the following structure:


create table webreport
(
mac char(12) NOT NULL, /* MAC address */
ip varchar(20), /* ip address */
acct varchar(200), /* domain username (urlencoded) */
happendate varchar(10), /* date, YYYYMMDD */
method char(1), /* 0 – get, 1 – post */
categoryid varchar(10), /* website category id */
host varchar(100), /* website domain name */
visitcnt varchar(20), /* number of visits */
duration varchar(20) /* surfing time in seconds */
)


1. Web surfing time report by ip address

To get a report by IP address and website for a certain date, you can execute an SQL query like:

select ip, host, sum(convert(int, duration)) cnt from webreport where happendate>='20120803' and happendate<'20120804' and ip is not null group by ip, host order by ip, cnt desc

You will get data like this:

192.168.1.131 www.google.com 226
192.168.1.131 forum.imfirewall.us 192
192.168.1.131 ct1.addthis.com 180
192.168.1.131 l.yimg.com 180
192.168.1.131 sports.yahoo.com 153
192.168.1.20 m614.mail.qq.com 266
192.168.1.20 share.baidu.com 254
192.168.1.20 forum.imfirewall.us 200
192.168.1.20 hm.l.qq.com 180
192.168.1.20 info.iet.unipi.it 180

2. Web surfing time report by user

If you have “Account Monitoring” enabled, you can also generate reports based on AD usernames. The SQL query will be:

select acct, host, sum(convert(int, duration)) cnt from webreport where happendate>='20120803' and happendate<'20120804' and acct is not null group by acct, host order by acct, cnt desc

You will get data like this:

CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.google.com 226
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng forum.imfirewall.us 192
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng l.yimg.com 180
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng ct1.addthis.com 180
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng sports.yahoo.com 153
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng test.org.uk 96
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.yahoo.com 72
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.bc.yahoo.com 67
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.websense.com 59
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.g.doubleclick.net 34
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.google.com.hk 31


Please note that the “acct” column is URL-encoded. You need to URL-decode it to get a readable username.

Online urldecode.
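As an added example (not code from the original post or from WFilter), the following Python script builds an in-memory copy of the “webreport” table with a few constructed rows, runs the combined “by name” and “by website” report for one day, and URL-decodes the “acct” column. It uses SQLite, so the page's SQL Server expression convert(int, duration) becomes cast(duration as integer); the date window is passed as bound parameters rather than pasted into the query string, which is the habit you want when the date range comes from a web form.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample rows in the shape of the page's "webreport" table.
# Values are made up for the example; they are not captured data.
SAMPLE_ROWS = [
    # mac, ip, acct, happendate, method, categoryid, host, visitcnt, duration
    ("001122334455", "192.168.1.131", "CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng",
     "20120803", "0", "1", "www.google.com", "5", "120"),
    ("001122334455", "192.168.1.131", "CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng",
     "20120803", "1", "1", "www.google.com", "2", "106"),
    ("001122334455", "192.168.1.131", "CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng",
     "20120803", "0", "3", "forum.imfirewall.us", "7", "192"),
    # No account name: excluded by "acct is not null"
    ("66778899aabb", "192.168.1.20", None, "20120803", "0", "2", "share.baidu.com", "3", "254"),
    # Next day: excluded by the date window
    ("66778899aabb", "192.168.1.20", None, "20120804", "0", "2", "share.baidu.com", "1", "999"),
]

CREATE_SQL = """
create table webreport (
  mac char(12) NOT NULL,
  ip varchar(20),
  acct varchar(200),
  happendate varchar(10),
  method char(1),
  categoryid varchar(10),
  host varchar(100),
  visitcnt varchar(20),
  duration varchar(20)
)
"""

# Surfing time grouped by user AND website for one day. SQLite has no
# convert(int, ...), so the duration column is cast with cast(... as integer).
# The two '?' placeholders are bound parameters for the date window.
REPORT_SQL = """
select acct, ip, host, sum(cast(duration as integer)) as cnt
from webreport
where happendate >= ? and happendate < ?
  and acct is not null
group by acct, ip, host
order by acct, cnt desc
"""


def build_demo_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_SQL)
    conn.executemany("insert into webreport values (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def surfing_time_by_user_and_host(conn, day_start, day_end):
    """Return [(decoded_acct, ip, host, seconds)] for happendate in [day_start, day_end).

    The acct column is stored URL-encoded ("%2c" for ",", "%2f" for "/"),
    so it is decoded with urllib.parse.unquote before being returned.
    """
    rows = conn.execute(REPORT_SQL, (day_start, day_end)).fetchall()
    return [(unquote(acct), ip, host, cnt) for acct, ip, host, cnt in rows]


if __name__ == "__main__":
    for row in surfing_time_by_user_and_host(build_demo_db(), "20120803", "20120804"):
        print(*row)
```

Because happendate is stored as a YYYYMMDD string, the range comparison works lexically; a different date format in the column would break the window and is worth checking before trusting the totals.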

When shall you use two network cards for monitoring and blocking?

In “pass-by” filtering mode (WFilter works on a mirroring port), WFilter sends RST packets to block TCP connections. However, if outgoing traffic is limited on the blocking adapter, the blocking feature of WFilter may not work.

By default, WFilter uses the same adapter for monitoring and blocking. However, this will not work if one of the following conditions is met.

  1. The monitoring switch does not allow outgoing traffic on the mirroring port. You can check this by pinging other computers from the monitoring computer. This problem can be solved by changing the switch settings (if supported) or by adding a separate blocking adapter. Cisco switches have a parameter “ingress” to enable outgoing traffic on the mirroring port.
  2. The monitoring adapter is too busy receiving mirrored packets. We recommend using another NIC for blocking when you have 50+ computers. To check for this issue, you can run “System Settings”->”Check Settings” to test the blocking adapter.

Steps to add a blocking adapter

1. Add a physical network card and connect this NIC to a normal port in your switch. If you have multiple VLANs, the blocking adapter shall be in a VLAN which can reach other VLANs.

2. Assign an available ip address and gateway settings to the new NIC.

3. If WFilter does not detect the new card in “System Settings”->”Monitoring Settings”, please click “Start”->”IMFirewall WFilter”->”Tools”->”Restart WFilter Service” to reload the adapters list.

4. Choose the new network card as the “blocking adapter” in “System Settings”->”Monitoring Settings”->”Monitoring Device Settings”.

5. Run “System Settings”->”Check Settings” to verify the new settings.

6. Sometimes Windows does not choose the correct network card for communication. In that case, please check this topic on setting the interface “Metric”: Blocking adapter doesn’t work when using two network cards

Further readings:

How WFilter works to block internet connections in network?

How to block VNC traffic of network computers with WFilter?

VNC® provides secure remote access to computers from any location for your home and organization. RFB is the protocol used by VNC and its derivatives.


This tutorial will guide you through blocking VNC with “WFilter Enterprise 4.0”. Because blocking of VNC is not supported by default in WFilter, in this example we use the “Customize Protocols” feature of WFilter to define the VNC protocol.


First, add a “VNC” protocol in “Customize Protocols”.


In “Customize Protocols”, create a new protocol named “vnc”.



Define one pattern for VNC, named “vnc_tcp”:
Type – “TCP ALL”
Format – “0”
Pattern Content – “^\x52\x46\x42\x20\x30\x30”


Second, enable blocking of VNC in certain blocking levels.


And apply this blocking policy to certain computers.


Now, VNC will be blocked.


WFilter blocking events:


Failed VNC connection.
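The pattern bytes \x52\x46\x42\x20\x30\x30 are the ASCII text “RFB 00”, the start of the RFB ProtocolVersion message that a VNC server sends first on every connection (for example “RFB 003.008\n”). The following Python snippet, added here as an illustration and not taken from WFilter, applies the page's pattern to a few constructed payloads to show what the signature does and does not match, and parses the version number from a matching banner.

```python
import re

# The page's custom-protocol pattern, as a bytes regex. It is anchored with ^,
# so it only fires when the banner sits at the very start of the payload.
VNC_TCP_PATTERN = re.compile(rb"^\x52\x46\x42\x20\x30\x30")

# Full RFB ProtocolVersion banner: "RFB xxx.yyy\n" (three-digit major/minor).
RFB_VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")

# Constructed sample payloads (first bytes of a TCP stream), not captured traffic.
SAMPLES = {
    "rfb_3_8": b"RFB 003.008\n",
    "rfb_3_3": b"RFB 003.003\n",
    "http_get": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # Banner not at offset 0: the anchored pattern does not match.
    "rfb_mid_stream": b"\x00\x00RFB 003.008\n",
}


def is_vnc_handshake(payload: bytes) -> bool:
    """True when the payload starts with the RFB version banner prefix 'RFB 00'."""
    return VNC_TCP_PATTERN.match(payload) is not None


def rfb_version(payload: bytes):
    """Return (major, minor) parsed from an RFB banner, or None if absent."""
    m = RFB_VERSION_RE.match(payload)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(samples):
    """Map each sample name to whether the page's pattern matches it."""
    return {name: is_vnc_handshake(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15s} match={is_vnc_handshake(payload)} version={rfb_version(payload)}")
```

Because the banner is sent by the server, a detection built on this pattern keys on the server-to-client direction of the connection; VNC traffic tunnelled inside TLS or SSH shows no such banner and is not caught by it.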

WFilter adds a solution for monitoring terminal server users.

Terminal Services allows IT departments to install applications on a central server. For example, instead of deploying database or accounting software on all desktops, the applications can simply be installed on a server and remote users can log on and use them via the network. This centralization makes upgrading, troubleshooting, and software management much easier.

However, since all terminal clients share the server’s network, it becomes difficult to monitor/filter individual users’ internet usage, because most internet monitoring/filtering products only monitor/filter internet activities based on IP addresses or MAC addresses.

From WFilter version en.3.3.148, with the WFilter proxy’s “user authentication” feature, you are able to monitor terminal client users and set a different internet policy for each user.

Please check details of this solution at: How to monitor terminal server users?

How to block proxy websites in network?

Even when a content filtering product is deployed in your network, some experienced users can still bypass the content filter via proxies.

There are three kinds of proxies:

1). Proxy server

A proxy server provides a proxy service through which applications access the internet via a proxy protocol, including HTTP, FTP, SSL and SOCKS proxies. SOCKS protocol description

2). Proxy Website

A proxy site is a web page which allows you to browse your favorite web sites – even though your access to those web sites might be blocked by a content filter.

3). VPN tunnel service

Online VPN services, for example Tor. Please check this blog for how to block Tor.

In this tutorial, I will guide you to block proxy servers and proxy websites.

1. How to block proxy servers?

We can block proxy servers simply by blocking the proxy protocols, such as HTTP and SOCKS.

2. Block proxy websites

2.1 Using website black list to block proxy sites

You can add proxy websites to a website black list to be blocked.

However, since a website black list cannot contain all proxy websites, we recommend also enabling “URL keywords filtering” and “Web access rules” to block proxy websites based on our URL database and URL keywords.

2.2 Using URL keywords to block proxy sites

Add the keywords “proxy” and “unblock” to the “Proxies” category, so that URLs containing these keywords will be blocked.

2.3 Using “Web access rules” to block proxy sites

Websites in “Proxies” category will be blocked. WFilter already has a default URL database which contains most common websites.

How to block PPStream online video in network?

Many people are eager to know how to block PPS in their network, because their roommates or family members eat up the bandwidth by using PPS. The reason it is hard to block PPS is that it can use any random port.


What is PPStream?


PPS (PPStream) is a Chinese peer-to-peer streaming video network software. Since its target users are in mainland China, there is no official English version, and the vast majority of channels are from East Asia, mostly mainland China, Korea, Japan, Hong Kong, Taiwan and Singapore. Channels range from Chinese movies to Japanese anime and sports channels, as well as popular American TV and films.


It broadcasts TV programs stably and smoothly to broadband users. Compared to traditional streaming media, PPStream adopts P2P streaming technology and supports high-volume traffic with tens of thousands of users online at once.


Brief introduction of PPStream protocol


How to block PPStream with the help of WFilter?


1. You need to block UDP ports 1024-65534 in your router or firewall.


2. Add a blocking level and enable “Block PPS”.



3. Apply blocking level to the computers you want to block.



4. Blocking events in WFilter.



Check PPStream blocking video at: http://www.youtube.com/watch?v=U2RbOgUEaDQ


You can find how to block P2P traffic and downloading at: How to block P2P traffic and downloading?

How to block BitTorrent traffic in your network?

Some of you might find that your network is very slow. Maybe some users are watching movies; there is also another possibility: they might be using a BitTorrent client to download movies, music and software.


A lot of people have asked how to block BitTorrent traffic. Usually, when we want to block some software, we think about blocking some ports. This does not work for BitTorrent, because BitTorrent can use any random port. For more details about the BitTorrent protocol, please check: BitTorrent protocol.


Now you can block BitTorrent easily with the help of WFilter. I will show you how to block BitTorrent step by step.



How to block BitTorrent with WFilter?



1. First you need to block UDP ports 1024-65534 in your router or firewall.


2. Add a blocking level and enable “Block BitTorrent”.



3. Apply blocking level to the computers you want to block.



4. Blocking events in WFilter.



Before blocking, BitTorrent had a “down speed” of “155kB/s”.



After blocking, the “down speed” and “up speed” are both ZERO.



Check the BitTorrent blocking video at: http://www.youtube.com/watch?v=8FFUQ4br-YA


You can find more about how to block P2P traffic and downloading at: How to block P2P traffic and downloading?


 

How to block windows update in my network?

Sometimes you might want to block automatic windows update on your network without the need to manually configure every workstation.

To block Windows Update, the websites in the list below must be blocked.

  • *.windowsupdate.com
  • *.update.microsoft.com
  • *updates.microsoft.com

You can block these websites in your firewall to achieve that. In this tutorial, I will guide you through blocking Windows Update with “WFilter Enterprise 3.3”.

First, add a website black list and enable it in a certain blocking policy.

In the website black list, you need to add “*.windowsupdate.com” and “*.update.microsoft.com”.

 

Second, apply this blocking policy to certain computers.

 

 

Now, windows update will be completely blocked.
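To show how the two list-based mechanisms from the posts above fit together, here is an added Python example (it is illustrative code, not WFilter's own matching engine, whose exact wildcard semantics are not documented on this page). It checks a URL first against a wildcard host black list in the shape of the Windows Update list above, then against URL keywords in the shape of the “Proxies” keyword category from the proxy-website post, and returns which rule fired. The rule sets and test URLs are constructed for the example.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed rule sets in the shape the posts describe (not WFilter's own format).
# Host black list, as in the Windows Update post.
BLACKLIST = ["*.windowsupdate.com", "*.update.microsoft.com", "*updates.microsoft.com"]
# URL keyword categories, as in the proxy-website post.
URL_KEYWORDS = {"Proxies": ["proxy", "unblock"]}


def host_blocked(host, patterns=BLACKLIST):
    """Return the first black-list pattern matching the host (case-insensitive), else None.

    '*' in fnmatch matches across dots, so '*.windowsupdate.com' matches any
    subdomain depth. Note that it does NOT match the bare 'windowsupdate.com';
    add that as its own entry if the apex host should be blocked too.
    """
    host = host.lower().rstrip(".")
    for pat in patterns:
        if fnmatchcase(host, pat.lower()):
            return pat
    return None


def keyword_category(url, keywords=URL_KEYWORDS):
    """Return the keyword category whose word appears anywhere in the URL, else None."""
    lowered = url.lower()
    for category, words in keywords.items():
        if any(word in lowered for word in words):
            return category
    return None


def check_url(url):
    """Decide for one URL. Returns (blocked, reason); black list wins over keywords."""
    host = urlsplit(url).hostname or ""   # hostname is already lower-cased
    pat = host_blocked(host)
    if pat:
        return True, f"black list: {pat}"
    cat = keyword_category(url)
    if cat:
        return True, f"URL keyword category: {cat}"
    return False, "allowed"


if __name__ == "__main__":
    # Constructed test URLs
    for u in ["http://download.windowsupdate.com/x.cab",
              "http://www.example.com/unblock-youtube",
              "https://www.example.com/news"]:
        print(u, "->", check_url(u))
```

The keyword rule is deliberately coarse: any URL containing “proxy” is blocked, including pages that merely document proxy settings. That over-blocking is why the post pairs keywords with the “Proxies” category of the URL database rather than relying on keywords alone. Blocking the update hosts also stops security patches from reaching those workstations, so it belongs with another patch channel rather than on its own.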

How to monitor a wireless network?

Wireless communication has brought fundamental changes to data networking and telecommunications. Nowadays, more and more organizations and home users set up wireless networks, and in many situations wired and wireless networks exist together. This topic demonstrates two solutions for monitoring the internet activities of wireless networks.

1. Monitoring with a manageable switch.

A typical network contains both wired and wireless networks:

Because port mirroring cannot mirror wireless traffic, we need to set up port mirroring in the wired part of the network. In this example, we add a manageable switch TL-SL2210WEB between the router and the wireless AP to mirror the AP’s traffic.

“Port 1” of the manageable switch is connected to the router, “port 2” is connected to the WFilter computer, and “port 3” is connected to the wireless Access Point.

By setting “Port 1” as the mirrored port and “Port 2” as the mirroring port, we will be able to monitor all internet traffic.

By now, you can monitor all the wired and wireless computers.

2. Deployment with a proxy server.

If you don’t have a manageable switch available, you can also do the monitoring on a local proxy server.

As in the figure below, by setting up a proxy server and installing WFilter on it, all computers that use this proxy server to access the internet will be monitored.

Please refer to “Deploy WFilter with a Proxy Server” for more information.

Why is a port mirroring switch required to monitor my network? How can I monitor internet usage without a manageable switch?

What is port mirroring?


Usually, a computer connected to a switch or a router can only receive its own network packets. A switch with port mirroring function allows you to monitor network packets from a mirroring port.


When port mirroring is enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.


How to monitor network without a port mirroring switch?


There are three methods to monitor your network without a manageable switch.


1. Using a broadcast hub


A broadcast hub is a data packet repeater commonly used in broadcast networks.


Most broadcast hubs provide an uplink port for connecting to an upstream device. You should connect the upstream device to the uplink port of the hub (Note: do not use the port next to the uplink port).


However, most broadcast hubs only work at 10 Mbps, and all the computers connected to the hub share that bandwidth, which is much slower than a switch. So we recommend using a manageable switch instead.


2. Windows Gateway, Proxy Server or Bridge


Windows Gateway


If a port mirroring switch is unavailable, you can set up a Windows gateway at your network edge. With an internet monitoring/filtering product on this Windows gateway, you will be able to monitor all internet traffic of the network computers.


How to configure Windows 2008 Server IP Routing?


Proxy Server


A proxy server is a computer that offers a network service allowing clients to make indirect network connections to the internet.


Like the gateway solution, you can also do monitoring/filtering on the proxy server. To make things simple, some proxy servers have monitoring/filtering modules integrated, while some monitoring/filtering programs have a proxy module integrated.


For example, you can easily enable the proxy server service in WFilter enterprise. For more details about WFilter proxy settings, please check:


http://www.wfiltericf.com/help/doc/deploy_proxy.htm


 


Bridge


Bridges (sometimes called “Transparent bridges”) work at OSI model Layer 2. Bridges just forward data depending on the destination address in the data packet.


By deploying a bridge at your internet entrance, you can set up a monitoring product on this bridge to monitor the internet activities of your whole network.


3. ARP Spoofing


ARP spoofing, also called ARP cache poisoning, is a hacking method that spoofs the contents of the ARP table on a remote computer on the LAN. With ARP spoofing, you act as a relay between the client computers and the real gateway, so you are able to monitor their traffic. However, as a hacking technique, ARP spoofing will make your network unstable.

So I recommend not using it unless necessary.