Rv220w- content filtering ignoring firewall rules

Similar Messages

• RV220W - Content filtering not working (?)

  Hello, I bought a router model RV200W fw 1.0.1.0... nice toy.
  It all works very well with the exception of content filtering. The rule only works if connections are made with the HTTP protocol, but if the user connects with HTTPS, then the rule is not considered... (???)
  f.e.:
  http://facebook.com (content filtered)
  https://facebook.com (content NOT filtered)...
  What the hell ! where I'm wrong ?
  Does anyone is experiencing the same ?

  Yes, the correct title was "URL FILTERING NOT WORKING"...thanks abudef000
  I do not want be polemical, but I do not understand where I went wrong.
  Before I buy I looked @
  http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps11025/data_sheet_c78-630461.html
  Check it out.
  Could you assume that HTTPS URLs are not in the sentence "Static URL blocking, keyword blocking, approved URL" as stated in the product sheet ?

• RV220W - Content Filtering and Tivo

  After using an RV220W in the Office fdr some time I decided to upgrade my old WRVS4400N V1 with one - in line with Cisco recommendations. I am using the latest firmware 1.0.4.17.
  One problem I have is that a Tivo device will not connect to its contect servers in the outside world when any Content Filtering is active. I have tried setting up a firewall rule to give complete outbound access for the device for all services but that did not help. The only thing that allows the Tivo to connect properly is to either turn off Content filtering completely  - in which case some of the router protection is lost, or to select some other port in the HTTP port selection box (I tried port 79) - in which case content protection functionality on port 80 is also lost. I have also tried turning off (deselecting) all the other content filtering options but the device can still cannot connect if Content Filtering is enabled.
  It seems to me that setting a firewall rule to allow ALL outbound from the device should be enough to allow connection. What is Content Filtering doing that prevents this device from connecting? And why can't I override it with the firewall rules? This seems to be the same as an old thread many releases of firmware ago:   RV220W - Connecting to TiVo mothership w/ ProtectLink
  Why is this the only router that seems to have this problem? Will it cause other issues?
  If this is because of some internal behaviour of the ruleset then Content Filtering needs to be able to be excluded for a "trusted" internal IP address.
  thanks,
  David Wyatt

  Hello,
  I've opened case # 621056469. The support engineer told me that he'll try to reproduce the problem on his side, and contact me back for remote testing on my own router. If the issue is already known, does it have some kind of ref number so that I can inform him ? Is a fix already planned for  a future firmware release ?
  Thanks for your help.

• RV042 Can a Access rule be configured to override Content filtering?

  We are using a RV042 and have content filtering turned on.  Can I make a access rule to override content filtering for specific ip's?

  I have tried this in the past and been unsuccessful. 
  It seems the content filter, once enabled it takes precedence over the rules.

• RV220W Firewall Rules reordering

  How do I reorder firewall rules? I have used the reorder button and then ordered the rules. I then SAVE and the report is Operation Succeeded. The screen stays on the Reorder screen.
  If I go into some other screen and come back to Access Rules I find that the rule order is unchanged. So I select Reorder and the reorder screen comes back showing the new rules order. I now have 2 screens I can go to. The main "Access Rules" and the reorder "Access Rules". These 2 panels show the rules in different order.
  If I reboot the router the reordered rules are lost.
  There appears to be no way to reorder the rules.
  Firmware version is 1.0.4.17
  Any ideas?
  David

  After experimenting a bit further it seems as though there are 2 relevant firewall rule tables. The first one is the one that you see in Access Rules. It seems to show the all the rules in the order that you enter them. When you select "Reorder" you get another table with a list of priorities. This is the table that shows the rules in the order that they will be executed. This order is NOT the same as the first table and the first table order WILL NOT CHANGE as the rules are reordered.
  Now that I know this, it is OK - the doc could have been a bit clearer as this is not consistent with other small routers (at least in my experience!). I also found that when I had been altering a few rules I needed to reboot the router before the rules would work properly.
  Other than that - no problems so far (cross fingers!)
  David

• Rv 120W- Firewall and Content Filtering

  Hi All,
  I'm having a problem with a RV 120W wireless router.  I'm trying to block streaming video, keywords and block on URLs, but doesn't seem to block anything.  Also tried to control user bandwidth, but still runs at regular speed.  Not sure if the logging is working either.  No logs come up.
  I upgraded the firmware to the lastest available.  I'm not sure if it's something not checked off or if this router is trashed.
  Looks like it works.  Connects to the internet, but don't know if it's blocking anything.
  Any help on this?
  Attached is a config file.  It opened in Word Pad.
  Thanks,
  Vince

  Ok, I went back and read the RV120W PDF, duh.  The groups I was referring to are LAN Groups.  The steps are below.
  From there, you can create keywords and apply blocking to groups based on those keywords.
  Configuring LAN GroupsYou can create LAN groups, which are groups of endpoints that are identified by
  their IP address. After creating a group, you can then configure actions, such as
  blocked keywords in a firewall rule, that apply to the group. (See
  Adding BlockedKeywords, page 87
  To create a LAN Group:
  STEP 1
  Choose Networking > LAN > LAN Groups.
  STEP 2
  Click Add.
  STEP 3
  Enter the group name; spaces and quotes are not supported. Click Save.
  STEP 4
  In the LAN Groups page, click the box next to the group you just created and clickHost List.
  STEP 5
  To add endpoints to the group, click Add.
  STEP 6
  Enter the IP address of the endpoint and click Save. Repeat steps 4 through 6 foreach endpoint you want to add to the group.

• How to asign some content filtering policies to a wan port ISA550

  Hi, I have a Cisco ISA550, and we are trying to make some url's rules for the network. I have established a policie, with some content and url's, but now I need to asign them to a configurable wan port. What I have do is:
  1. Go to firewall and open content filtering policies
  2. Generate a new filtering policie. (named: diarios)
  3. Load the policie with some URL (all are enabled with the tickets)
  4. go to Policy to Zone Mapping and change the LAN zone. Now using "diarios"
  5. Content filtering turned ON
  6. Go to Advance settings and configure it.
  everything saved and it works. But now I need to asign this rule only to wan port #3.
  Can someone help me please?
  Thanks a lot.

  Open the Trace Log panel in Scout - it shows you all the trace messages for the selected frames (in a console-like view). If you select all frames, you can see all trace messages for the entire session.
  See Figure 27, here:
  http://www.adobe.com/devnet/scout/articles/adobe-scout-getting-started.html

• SA520 Firewall Rule cannot block HTTP

  Hi All,
  We are currently encountering a firewall rule problem. The following are the steps we
  have done so far:
  Default Outbound Policy: Allow Always
  IPV4 Rules - Delete all firewall rules we have created and made a single firewall rule to block
                              outbound HTTP for a single IP Address
                   - Delete all firewall rules we have created and made a single firewall rule to block
                              outbound HTTP for a range of IP Address
                   - Tried making "Block by schedule" Action on port HTTP on a single and a
                               range of IP Addresses
                   - We have tried blocking HTTPS / POP3 / SMTP / IMAP and was successfully
                               blocked but not on HTTP
  Services - Created a Custom Service blocking Port 1-65535 but still workstation can still access the internet.
  MAC Filtering - Checked MAC address filtering and Policy for MAC Addresses listed below is set to
                                Block and Permit the Rest and added the MAC address of  the workstation we want to block
                                still the workstation can access the internet.
  IP/MAC Binding - We have also binded the MAC Address and IP Address
  Content Filtering - Only content filtering works - blocked URL
  We have also tried doing all the IPV4 Rules with the Default Outbound Policy: Block Always and all
  the firewall rules action set to allow only those services that needs to be permitted.
  Still blocked workstations can still access the internet.
  Firmware Version: 1.1.42
  Thanks
  Karl

  Hi Karl,
  This looks like a bug in build 1.1.42. Please upgrade your
  image to the latest build 2.1.18 which fixes the problem.
  Let me know if the upgrade helps.
  Regards,
  Wei

• 0x8007000e (E_OUTOFMEMORY) while adding a firewall rule using the windows firewall COM API

  Hello,
  Configuration: Windows Embedded 8 64-bit.
  I'm using the Windows Firewall with Advanced Security COM API. The program uses the INetFwRules interface. Basically, I'm using the following code (Form the code sample available here : http://msdn.microsoft.com/en-us/library/windows/desktop/dd339604%28v=vs.85%29.aspx.)
   I get the error when performing "hr = pFwRules->Add(pFwRule);".
  We can also encounter the problem when removing a rule (using pFwRules->Remove(ruleName);)
  HRESULT hrComInit = S_OK;
  HRESULT hr = S_OK;
  INetFwPolicy2 *pNetFwPolicy2 = NULL;
  INetFwRules *pFwRules = NULL;
  INetFwRule *pFwRule = NULL;
  long CurrentProfilesBitMask = 0;
  BSTR bstrRuleName = SysAllocString(L"SERVICE_RULE");
  BSTR bstrRuleDescription = SysAllocString(L"Allow incoming network traffic to myservice");
  BSTR bstrRuleGroup = SysAllocString(L"Sample Rule Group");
  BSTR bstrRuleApplication = SysAllocString(L"%systemroot%\\system32\\myservice.exe");
  BSTR bstrRuleService = SysAllocString(L"myservicename");
  BSTR bstrRuleLPorts = SysAllocString(L"135");
  // Initialize COM.
  hrComInit = CoInitializeEx(
  0,
  COINIT_APARTMENTTHREADED
  // Ignore RPC_E_CHANGED_MODE; this just means that COM has already been
  // initialized with a different mode. Since we don't care what the mode is,
  // we'll just use the existing mode.
  if (hrComInit != RPC_E_CHANGED_MODE)
  if (FAILED(hrComInit))
  printf("CoInitializeEx failed: 0x%08lx\n", hrComInit);
  goto Cleanup;
  // Retrieve INetFwPolicy2
  hr = WFCOMInitialize(&pNetFwPolicy2);
  if (FAILED(hr))
  goto Cleanup;
  // Retrieve INetFwRules
  hr = pNetFwPolicy2->get_Rules(&pFwRules);
  if (FAILED(hr))
  printf("get_Rules failed: 0x%08lx\n", hr);
  goto Cleanup;
  // Create a new Firewall Rule object.
  hr = CoCreateInstance(
  __uuidof(NetFwRule),
  NULL,
  CLSCTX_INPROC_SERVER,
  __uuidof(INetFwRule),
  (void**)&pFwRule);
  if (FAILED(hr))
  printf("CoCreateInstance for Firewall Rule failed: 0x%08lx\n", hr);
  goto Cleanup;
  // Populate the Firewall Rule object
  pFwRule->put_Name(bstrRuleName);
  pFwRule->put_Description(bstrRuleDescription);
  pFwRule->put_ApplicationName(bstrRuleApplication);
  pFwRule->put_ServiceName(bstrRuleService);
  pFwRule->put_Protocol(NET_FW_IP_PROTOCOL_TCP);
  pFwRule->put_LocalPorts(bstrRuleLPorts);
  pFwRule->put_Grouping(bstrRuleGroup);
  pFwRule->put_Profiles(CurrentProfilesBitMask);
  pFwRule->put_Action(NET_FW_ACTION_ALLOW);
  pFwRule->put_Enabled(VARIANT_TRUE);
  // Add the Firewall Rule
  hr = pFwRules->Add(pFwRule);
  if (FAILED(hr))
  printf("Firewall Rule Add failed: 0x%08lx\n", hr);
  goto Cleanup;
  This works pretty well but, sometimes, at system startup, adding a rule ends up with the error 0x8007000e (E_OUTOFMEMORY) ! At startup, the system is always loaded cause several applications starts at the same time. But nothing abnormal. This is quite a random
  issue.
  According MSDN documentation, this error indicates that the system "failed to allocate the necessary memory".
  I'm not convinced that we ran out of memory.
  Has someone experienced such an issue? How to avoid this?
  Thank you in advance.
  Regards, -Ruben-

  Does Windows 8 desktop have the same issue? Are you building a custom WE8S image, or are you using a full WE8S image? The reason I ask is to make sure you have the modules in the image to support the operation.
  Is Windows Embedded 8.1 industry an option?
  www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

• Does the ASA5525-K9 support Content filtering?

  Hi,
  I know the 5510 & 5520s support the CSC-SSM module for Content Filtering (Anti-Phishing, Anti Spam, URL filtering,
  Anti-Spyware & Antivirus), but what about content filtering for the ASA5525-K9.
  The problem that I have is that I need a firewall that supports up to 1 Gbps Maximum Firewall Throughput and to support 250 users with Content Filtering described above.
  I'm using the following doc for sizing and came across the ASA5525-K9 for 1 Gbps, but not sure about the Content filtering:
  http://www.cisco.com/en/US/partner/products/ps6120/prod_models_comparison.html#~tab-b
  Thanks,
  CR

  No, the new X series ASA does not support Content Filtering CSC module.
  Here is what is supported on the new ASA5525-X for your reference:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html

• Web Content Filtering / Virus Scanning appliance

  Hello all,
  I'm in the market for a content / url / virus scanning device for our network. We are currently using MXLogic's Web Defense service and while it's very cheap it is not suiting our needs. What I'm looking for is an appliance that will do content filtering but also virus / malware / spyware scanning on web traffic. I'd also need to be able to setup policies / groups for different set's of users. For instance the folks who purchase the products we sell need to be able to see our vendors media (streaming video) content while our sales folks don't. I can't currently do this with MXLogic, it's all or nothing.
  Our firewall is an ASA5510 and I've looked at the Content Security SSM-10 module with the plus license and while the pricing is definitely attractive I have a few questions about it. Does it integrate with MS Active Directory? In other words and it filter based on groups and policies or is it more IP / ACL based? Also does it perform well?
  I've also looked at the IronPort product cisco sell's and have similar questions regarding that mainly what are folks experience with it, is it something you would recommend?

  Hi Allen,
  To answer your questions related to the CSC module:
  1. No, the CSC module does not integrate with Active Directory. This is something that Trend Micro has in the works, but as of now there is no ETA for this functionality.
  2. The CSC module will perform fairly well if used in the environment it was designed for. I would recommend taking a look at the CSC sizing guide to see if the CSC-SSM-10 would be something that is scalable enough for your network:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd805c3cd6.html
  I cannot speak to the performance/functionality of IronPort as I have not used it personally, but I have heard good things. Also, external appliances from Websense seem to be a popular choice when you need a product that is a bit more scalable or granular than what the CSC module can provide.
  Hope that helps.
  -Mike

• IOS web content filtering cannot get trend micro filter

  hi, i just wondering how really i can get my router's content filtering connect to trps.trendmicro.com server again. previously it was success to get connect to the server, after i doing some changes on my zone-pair firewall then it cannot connect to the trend micro server anymore.
  sh ip trm subscription status showing that i successfully connected and registerd
  all the installation guide is doing accordingly,then i turn on my debug crypto pli validation and debug ip trm detail, all showing success connection to trendmicro site.
  parameter-map type trend-global <param> are pointing to the trps.trendmicro.com, my class-map and policy-map didn't have any changes since last success connection.
  zone-pair setting also attach with the right policy-map that serve for service-policy urlfilter <name>
  overall, after my zone-pair firewall is UP again, then my web content filtering is gone, while registeration is made..
  anyone have any idea what really happen?
  thanks
  Noel

  Hi Yongkhang,
  I think in order to figure out what is happening, we need to troubleshoot and see the config, data and other show commands.  I'm not sure if you would feel comfortable posting that here.  Therefore, i think its best to open up a case with tac on it so that it can be troubleshot to see why you cant access the trend micro server.
  can you let me know what you mean by when you turn on your ZBF, your web content filtering is gone.  Are you saying, when you turn on zbf, the web content filtering is no longer blocking or allowing sites?
  have you ran the following debugs?
  debug ip urlfilter detail
  debug ip urlfilter event
  debug ip url filter function-trace
  also, what does this show:
  show policy-map type inspect zone-pair urlfilter
  Are you sure you have the class maps in the proper order since its processed sequentially..
  regards,
  scott

• IOS content filtering on trend micro subscription

  hi
  i just finish setup the IOS content filtering on C1841. basically it's combo of local filtering and Trend micro subscrition based. all the parameter-map, class-map, policy-map and zone firewall setting is up and ready to go.
  Some question to ask
  1. how do i examine trend micro content filtering on it REPUTATION and CATEGORIES is really working?
  as usual, after setup these command :
  paramater-map type trend-global MY-GLOBAL-PARAM
  server trps.trendmicro.com
  pamater-map type urlfpolicy trend MY-PARAM   
  allow-mode on
  block-pass message "bla-bla-bla"
  class-map type urlfilter trend match-any trend-block-categories
  match url catergory Adult-Mature-Content
  class-map type urlfilter trend match-any trend-block-reputation
  match url reputation ADWARE
  policy-map type inspect urlfilter MY-ACTION
    parameter type urlfpolicy trend MY-PARAM
    class type urlfilter trend trend-block-categories
    reset
    class type urlfilter trendtrend-block-reputation
    reset
  so for my zone firewall policy:
  policy-map type inspect out->in
  class type inspect trafic
  inspect
  service-policy urlfilter MY-ACTION
  then i do apply zone-pair to the outside and inside interface,everything set to go.
  so far what i can block is only using URL-blacklist to block the whole domain. anyway how can totally left to trend micro subscription license to do with it all?
  noel

  Hmm... no thoughts over the weekend. Anyone?

• Content Filtering for new tablets

  We did this last year with our tablets. We went with iboss filtering which I highly recommend but it looks like you have web filtering in place so you would need to proxy the internet traffic. Contact the tech support of your web filtering and explain them what you need to do and they will tell you what needs to be done on your end. Then you would have to create configuration profile and push (you need MDM here) the proxy configurations to your tablets. 

  Hello all,
  I work for a local high school and they just bought tablets for all of the kids to use during the school year. They are wanting content filtering while they are at school, which we have, but they are also wanting "off site" filtering as well. What/How is the easiest way to set that up? We currently have a Cisco Meraki firewall setup for the high school.
  This topic first appeared in the Spiceworks Community

• VLAN to VLAN firewall rules support missing on RV180

  How do I submit an RFE (Request For Enhancement) to the Cisco SBR team to encourage them to  implement the missing support for VLAN to VLAN firewall rules that was available in the RVS4000 (See https://supportforums.cisco.com/message/3614106#3614106) and that was supposedly added to a beta release of the RV220W firmware (See  https://supportforums.cisco.com/message/3614106#3614106)?

  Hi Kelly, the RV220W does support LAN to LAN access rules on the 1.0.4.17 and it is released.
  To make a feature request, it is pretty simple. Call the SBSC, have a case created for you. Tell the engineer you'd like to make a feature request. It usually gets escalated in 3 days or less.
  -Tom
  Please mark answered for helpful posts