Web Content Filtering and Transparency (10.x)

Post by Peter » 16 Apr 2008, 14:53

This Knowledge Base article applies to:
  • Clavister CorePlus 8.x, 9.x
  • Clavister cOS Core 10.x
Problem:
I want to use a Clavister Security Gateway in transparent mode in a network and use Web Content Filtering to control which webpage category my users should be allowed access to.
In the configuration we have made a single switch route between the internal and the external interfaces using all-nets as network.
The Web Content Filtering system is unable to contact Clavister's WCF servers (the CSPN network) to look up my users' URLs in the database.
Whitelisted URLs will work even without this route, because a whitelisted URL does not need to be checked against the CSPN servers.

Solution:
This is no problem for users connected on either side, but it will cause problems when the Clavister itself wants to communicate with something beyond its external or internal network.

Since we do not have a gateway or anything configured in the main routing table, the Clavister does not know where to send the requests for addresses "beyond" the wan_net, in this case the web content filtering server(s).

The Clavister needs to have a real IP on the interface that points towards the ISP (the wan_ip assigned to the wan interface).

We have two options to solve this issue:
1. Add a static route for the WCF server(s) and use the ISP's gateway as gateway, e.g.
RouteIPv4 interface=wan, Network=202.152.177.32, Gateway=wan_gw

To find the IP address of the CSPN servers, use the CLI command 'updatecenter -servers'. Access to a DNS server might be necessary, so you might be in a catch-22 position. Please contact Clavister Support in that case.

2. Set up a route with a higher metric than the Switch Route:
RouteIPv4 interface=wan, network=all-nets, gateway=wan_gw, metric=201

This means that for any IP address that is not included in the Switch route, the Clavister will consult the ISP's gateway, and the MAC address of the gateway will be easy to find in the switch route (CAM/L3 Cache).
This method is the preferred choice if the Switch route is not defined as "all-nets", but "wan_net".
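To see why option 1 works with any switch route while option 2 only helps when the switch route is narrower than all-nets, here is a small added model of the route lookup (example code, not Clavister's own). It assumes the usual cOS Core rule that the most specific matching network wins and a lower metric breaks ties between equally wide networks; wan_gw is kept symbolic and the wan_net value 203.0.113.0/24 is constructed.

```python
# Added example: a minimal model of cOS Core-style route selection
# (assumed rule: narrowest matching network wins, lower metric breaks ties),
# used to check which route a packet to the WCF server would take.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    interface: str
    network: str               # "all-nets" or a CIDR string
    gateway: Optional[str]     # next-hop; None for a switch route
    metric: int = 100          # assumed default route metric
    switch: bool = False       # True for a transparent-mode switch route

def _net(network):
    return ipaddress.ip_network("0.0.0.0/0" if network == "all-nets" else network)

def lookup(routes, dst):
    """Return the route chosen for dst, or None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in _net(r.network)]
    if not candidates:
        return None
    # narrowest network first (largest prefix length), then lowest metric
    return min(candidates, key=lambda r: (-_net(r.network).prefixlen, r.metric))

def reachable_via_gateway(routes, dst):
    """True only if the selected route forwards dst through a next-hop gateway."""
    r = lookup(routes, dst)
    return r is not None and r.gateway is not None

WCF_SERVER = "202.152.177.32"   # address used in the article's example route
switch_all = Route("wan", "all-nets", None, switch=True)

# Transparent mode as described in the problem: only the switch route.
only_switch = [switch_all]
# Option 1: host route for the WCF server via the ISP gateway (wan_gw is symbolic).
option1 = [switch_all, Route("wan", WCF_SERVER + "/32", "wan_gw")]
# Option 2 with an all-nets switch route: same width, so metric 100 wins.
option2_allnets = [switch_all, Route("wan", "all-nets", "wan_gw", metric=201)]
# Option 2 as the article recommends: switch route limited to wan_net (constructed value).
option2_wannet = [Route("wan", "203.0.113.0/24", None, switch=True),
                  Route("wan", "all-nets", "wan_gw", metric=201)]

if __name__ == "__main__":
    for name, table in [("only switch", only_switch), ("option 1", option1),
                        ("option 2, all-nets switch", option2_allnets),
                        ("option 2, wan_net switch", option2_wannet)]:
        print(f"{name:26} -> {lookup(table, WCF_SERVER)}")
```

With only the switch route, or with option 2 beside an all-nets switch route, the WCF server's packets still select a route with no gateway, which is the catch the article warns about.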
