Protocol Control

From UntangleWiki

Untangle Server User's Guide


About Protocol Control

Protocol Control uses an open-source tool, L7-filter. Protocol Control blocks and logs well-known protocols from entering or leaving your protected network. Unwanted protocols might include Peer-to-Peer (P2P), such as BitTorrent, and Instant Messaging, such as AOL Instant Messenger. You might also want to block users from playing some video games and from streaming media.

Protocol Control blocks unwanted protocols on any port. However, you must specify which protocols you want Protocol Control to block and log. By default, Protocol Control does not block any protocols; it simply logs Instant Messaging protocols.

Protocol Control uses signatures to identify unwanted protocols on all ports. Many protocols, such as Instant Messaging and Peer-to-Peer, are difficult to block with a traditional firewall because of their "port hopping" behavior. If clients are blocked after trying to connect through their default port, they will connect over port 80 or port 25. Port 80 and port 25 cannot be blocked without blocking Web and e-mail traffic. Protocol Control can identify this hopping behavior, and log and block the connections.

If Protocol Control does not support a protocol that you want to block, you can use the Untangle Server's user interface to create new custom rules to block unsupported protocols. However, not all protocols can be blocked, because some protocol designers hide the protocol's signature (for example, Skype).

Blocking or Logging Network Traffic by Protocols

You can choose to block traffic that uses a specific protocol from either entering or leaving your protected network. Protocol Control lists most well-known protocols. You can also log such traffic in the Protocol Control Event Log and have it reported in Reports (see Accessing Reports) if, for example, you want to determine whether anyone within the network is using a particular protocol, such as file sharing.

[Figure: Monitoring Protocol Usage]

System administrators often know that their network is slow due to user activity, but don't know what type of network activity is slowing it down. If this applies to you, Untangle recommends that you first log all protocols, then review Protocol Control's Untangle Report to determine which protocols cause poor network performance. BitTorrent is frequently the culprit.

Caution: As with most Untangle Server software products, you can create your own Protocol Control entries. However, configuring regular expressions to match Internet protocols is an advanced topic. If you create a new entry and your expression contains errors, legitimate traffic will be blocked.
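
The port-independent signature matching described under About Protocol Control, and the failure mode this caution warns about, as an added example that is not Untangle's or L7-filter's own code. The BitTorrent pattern is a simplified signature built from the protocol's handshake string, Python's re module stands in for the product's regular-expression engine, and the payloads, names and 2048-byte inspection window are constructed assumptions.

```python
import re

INSPECT_BYTES = 2048  # assumed inspection window at the start of a connection

# Constructed first-payload samples: (label, destination port, bytes).
LEGITIMATE = [
    ("web GET", 80, b"GET /help/bittorrent-policy.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("mail EHLO", 25, b"EHLO client.example.com\r\n"),
]
HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + b"H" * 20 + b"P" * 20
UNWANTED = [
    ("bittorrent on 6881", 6881, HANDSHAKE),
    ("bittorrent hopping to 80", 80, HANDSHAKE),
]

def matches(pattern, payload):
    """True if the signature matches the start of the payload; the port is never consulted."""
    window = payload[:INSPECT_BYTES]
    return re.search(pattern, window, re.IGNORECASE | re.DOTALL) is not None

def vet_signature(pattern, unwanted=UNWANTED, legitimate=LEGITIMATE):
    """Report what a candidate signature would miss and what it would wrongly block."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return {"valid": False, "error": str(exc), "missed": [], "false_blocks": []}
    return {
        "valid": True,
        "error": None,
        "missed": [n for n, _port, data in unwanted if not matches(pattern, data)],
        "false_blocks": [n for n, _port, data in legitimate if matches(pattern, data)],
    }

# Hypothetical custom entries an administrator might write for BitTorrent.
SLOPPY = rb"torrent"                      # unanchored keyword, also found in web requests
TIGHT = rb"^\x13bittorrent protocol"      # anchored to the handshake's first 20 bytes
BROKEN = rb"^\x13bittorrent protocol("    # syntax error: unbalanced parenthesis

if __name__ == "__main__":
    for label, pattern in (("sloppy", SLOPPY), ("tight", TIGHT), ("broken", BROKEN)):
        print(label, vet_signature(pattern))
```

Run a candidate expression against captures of your own normal traffic with log enabled before you select block; an empty false_blocks list on a small corpus is evidence, not proof.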

To block or log a protocol:

  1. From Protocol Control, click the Show Settings button.
  2. Click the Protocol List tab.
  3. Select the row that corresponds to the protocol that you want to block, and select either the block checkbox, log checkbox or both.
  4. Click the Save button.

About Protocol Control Event Log

Use the following terms and definitions to understand the Protocol Control Event Log:

timestamp: The time the event took place.
action: The action that was taken on the traffic. Valid values are block and pass.
client: The client IP address of the traffic.
request
reason for action: The rule that was applied to the traffic.
server: The intended server IP address of the traffic.

Protocol Control FAQs

How do I add a protocol to Protocol Control?

Protocol Control provides numerous default protocols that you can block, but if you want to block a protocol that Protocol Control doesn't list, you must add that protocol. To add a protocol you must provide Protocol Control the protocol's signature. To determine the signature, you must analyze the packets, and this process can be tricky. Contact Untangle Technical Support to request the signature.

I've already installed the Firewall. Isn't Protocol Control redundant?

The Firewall application works to block traffic for IP addresses and/or ports. For well-behaved applications (such as legitimate web and email servers) the port can be used to identify the protocol. However, less legitimate applications may use different ports, or malicious users may deliberately use unwanted services on obscure ports.

Protocol Control scans all traffic, looking for a match even if traffic was not transported across the expected port for that protocol.

I want to block a file sharing protocol for some of my users but not all. How can I do this with Protocol Control?

Protocol Control cannot, by itself, filter for some machines and not others. However, you can create new Policies and Virtual Racks (see Policy Management) to partition your users, so that some of them pass through a Protocol Control with [some file sharing protocol] blocked and others do not.