03/26/2020
How would I block one machine from going on to the internet?
Feature/Application:
How would I block one machine from going on to the internet?
Procedure:
Content filtering via user and zone screens is a common method of determining which sites can be accessed, but the default policy must be the most restrictive policy you have. This means that if the Content Filtering Service (CFS) were used to block a single machine from going to the internet, the default policy would have to block everything, and additional permissions would need to be applied to all other devices on the network that have internet access and content filtering applied to them.
A better method is to simply block the HTTP and HTTPS services for that machine when it attempts to access the WAN, using firewall access rules. This can be done under Firewall > Access Rules by creating a rule with the following parameters:
Deny
From: LAN (if the machine is in the LAN)
To: WAN
*Source Port: Any (only available in 5.9 or 6.2 and above)
Service: HTTP, HTTPS (A group object that includes both services)
Source: (The machine being blocked)
Destination: ANY
Users: Any
Schedule: Always On
Note: This does not block the use of a proxy site that allows HTTP connections via an alternate port, such as 8080. If this is necessary, additional ports can be blocked, or the service can be set to "ANY" to block all traffic.
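To confirm the rule from the blocked machine, and to see the alternate-port gap described in the note, the following check attempts TCP connections to ports 80, 443 and 8080 and reports which still succeed. It is an added example, not SonicWall code; the target host name `wan-test.example` is a hypothetical placeholder, and the function names are illustrative.

```python
import socket
import sys

# Ports covered by the rule's service group, plus the alternate port from the note.
PORTS = {80: "HTTP", 443: "HTTPS", 8080: "alternate proxy port"}
COVERED = (80, 443)

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, reset, unreachable or timed out: all count as blocked
        return False

def egress_report(host, ports=PORTS, timeout=3.0, probe=tcp_reachable):
    """Map each port to "OPEN" or "blocked" as seen from this machine."""
    return {p: "OPEN" if probe(host, p, timeout) else "blocked" for p in ports}

def rule_gaps(report, covered=COVERED):
    """Return (covered ports still open, open ports the rule never covered)."""
    failures = sorted(p for p in covered if report.get(p) == "OPEN")
    uncovered = sorted(p for p, s in report.items() if s == "OPEN" and p not in covered)
    return failures, uncovered

if __name__ == "__main__":
    # Hypothetical target: pass a WAN host you control that listens on these ports.
    target = sys.argv[1] if len(sys.argv) > 1 else "wan-test.example"
    report = egress_report(target)
    for port, state in report.items():
        print(f"{target}:{port:<5} {PORTS[port]:<22} {state}")
    failures, uncovered = rule_gaps(report)
    if failures:
        print("Deny rule is NOT effective for:", failures)
    if uncovered:
        print("Still reachable outside the HTTP/HTTPS group:", uncovered)
    sys.exit(1 if failures else 0)
```

A port also reads as blocked when nothing is listening on it at the target or the name does not resolve, so run the check against a host known to accept connections on all three ports.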