LANCOM Systems LCOS 10.92 Security Essentials

Copyright

© 2025 LANCOM Systems GmbH, Würselen (Germany). All rights reserved. While the information in this manual has been compiled with great care, it may not be deemed an assurance of product characteristics. LANCOM Systems shall be liable only to the degree specified in the terms of sale and delivery. The reproduction and distribution of the documentation and software supplied with this product and the use of its contents is subject to written authorisation from LANCOM Systems. We reserve the right to make any alterations that arise as the result of technical development. Windows® and Microsoft® are registered trademarks of Microsoft, Corp. LANCOM, LANCOM Systems, LCOS, LANcommunity, LANCOM Service LANcare, LANCOM Active Radio Control, and AirLancer are registered trademarks. All other names or descriptions used may be trademarks or registered trademarks of their owners. This document contains statements relating to future products and their attributes. LANCOM Systems reserves the right to change these without notice. No liability for technical errors and/or omissions. This product contains separate open-source software components which are subject to their own licenses, in particular the General Public License (GPL). The license information for the device firmware (LCOS) is available on the device’s WEBconfig interface under "Extras > License information". If the respective license demands, the source files for the corresponding software components will be made available on a download server upon request. Products from LANCOM Systems include software developed by the “OpenSSL Project” for use in the “OpenSSL Toolkit” (www.openssl.org).
Products from LANCOM Systems include cryptographic software written by Eric Young (eay@cryptsoft.com).
Products from LANCOM Systems include software developed by the NetBSD Foundation, Inc. and its contributors.
Products from LANCOM Systems contain the LZMA SDK developed by Igor Pavlov.

  • LANCOM Systems GmbH
  • A Rohde & Schwarz Company
  • Adenauerstr. 20/B2
  • 52146 Wuerselen
  • Germany
  • www.lancom-systems.com

Introduction

With LANCOM Security Essentials, you can filter certain content in your network to prevent access to it, for example illegal, dangerous, or offensive websites. Additionally, you can restrict private browsing on certain sites during working hours. This not only boosts employee productivity and network security but also ensures that full bandwidth is available exclusively for business processes. LANCOM Security Essentials is an intelligent, dynamic website filter. It contacts a rating server that reliably and accurately evaluates websites according to the categories you have selected. LANCOM Security Essentials works by checking the IP addresses determined from the URLs entered. For many sites, the subdirectories of a domain are also evaluated separately, so that different sections of a URL can be rated differently.

  • Users cannot bypass the website check performed by LANCOM Security Essentials by entering the site's IP address in the browser. LANCOM Security Essentials checks both unencrypted (HTTP) and encrypted (HTTPS) websites. The BPjM module is part of LANCOM Security Essentials or can be obtained separately with the LANCOM BPjM Filter Option software license. The BPjM module is published by the Federal Agency for the Protection of Children and Young People in the Media (Bundeszentrale für Kinder- und Jugendmedienschutz) and blocks domains that must not be made accessible to children and young people in Germany. The license you purchase for LANCOM Security Essentials is valid for a specific device class and a specific period (either one year or three years). The number of users is not limited. You will be notified in good time before your license expires.
  • You can test the LANCOM Security Essentials on any router that supports this function. To do so, you must activate a time-limited 30-day demo license once per device. Demo licenses are created directly from within LANconfig. Right-click the device, select Activate Software Option from the context menu, and in the following dialog, click the link next to Need a demo license?. You will automatically be connected to the LANCOM registration server website, where you can select and register the demo license you require for the device.
  • Category profiles store all settings related to categories. You select from predefined main and subcategories in your LANCOM Security Essentials: 73 categories are grouped into 12 thematic groups, e.g., “Pornography”, “Shopping”, or “Illegal”. Each group allows you to enable or disable the included categories. Subcategories for “Pornography” include “Pornography”, “Sex toys”, “Sexual content”, “Nudity”, “Lingerie”, and “Sex education”.
    Additionally, administrators can enable an override option for each category during configuration. When override is active, users can temporarily access a blocked site by clicking a corresponding button—but the administrator will receive a notification via e-mail, SYSLOG, and/or SNMP trap.
    Using the category profile you created, together with the whitelist and the blacklist, you can create a content filter profile that can be assigned to users via the firewall. For example, you can create the profile “Employees_Department_A”, which is then assigned to all computers in that department.
    During installation, LANCOM Security Essentials automatically sets up useful default settings that only need to be activated for initial operation. In subsequent steps, you can further adapt the behaviour of LANCOM Security Essentials to your specific use case.
    Useful default settings are also automatically configured for the BPjM module. For example, there is a default firewall rule in the IPv4 or IPv6 firewall with the system object “BPJM” as the target station. Define the source stations as the networks that are to be protected by the BPjM module. Activating the rule starts the BPjM module.

Requirements for using LANCOM Security Essentials

The following requirements must be met in order to use LANCOM Security Essentials:

  1. The LANCOM Security Essentials option is activated.
  2. The firewall must be enabled.
  3. A firewall rule must select a content filter profile.
  4. The selected content filter profile must specify a category profile and optionally a white and/or blacklist for every time period of the day. To cover different time periods, a content filter profile can consist of multiple entries.
    If a specific time period is not covered by an entry, unrestricted access to websites is possible during that period.

If the content filter profile is renamed later, the firewall rule must also be adjusted.

Quick start

After LANCOM Security Essentials has been installed, all settings are preconfigured so that it can be put into operation quickly.

  • The operation of the LANCOM Security Essentials may be subject to data protection regulations in your country or to company policies. Please check applicable rules before commissioning.
  • In LANconfig, the settings of the LANCOM Security Essentials are listed under Content Filter.

Activate the content filter using the following steps:

  1. Launch the setup wizard for the corresponding device.
  2. Select the setup wizard to configure the content filter.
  3. Select one of the predefined security profiles (Basic Profile, Corporate Profile, Parental Control Profile):
    • Basic profile: This profile mainly blocks access to categories such as pornography, illegal, violent or discriminatory content, drugs, spam, and phishing.
    • Work profile: In addition to the Basic Profile settings, this profile also blocks categories such as shopping, job search, games, music, radio, and certain communication services like chat.
    • Parental control profile: In addition to the Basic Profile settings, this profile includes stricter blocking for nudity and weapons.

If the firewall is disabled, the wizard will enable it. The wizard then checks whether the firewall rule for the content filter is set correctly and adjusts it if necessary. With these steps, the content filter is activated, and the default settings will apply to all stations in the network using the selected content filter profile with an empty blacklist and an empty whitelist. Adjust these settings to suit your requirements if necessary. The wizard activates the content filter for the timeframe ALWAYS.

Standard settings in the Content Filter

The following elements have been created in the default configuration of the Content Filter:

Firewall rule

The preset firewall rule is named CONTENT-FILTER and uses the action object CONTENT-FILTER-BASIC.

Firewall action objects

There are three firewall action objects:

  • CONTENT-FILTER-BASIC
  • CONTENT-FILTER-WORK
  • CONTENT-FILTER-PARENTAL-CONTROL

These action objects work with the corresponding content-filter profiles.

Content filter profiles

There are three content filter profiles. All content filter profiles use the timeframe ALWAYS, the blacklist MY-BLACKLIST and the whitelist MY-WHITELIST. Each content filter profile uses one of the predefined category profiles:

  • CF-BASIC-PROFILE: This content filter profile features a low level of restrictions and works with the category profile BASIC-CATEGORIES.
  • CF-PARENTAL-CONTROL-PROFILE: This content filter profile protects minors (e.g. trainees) from unsuitable Internet content, and it works with the category profile PARENTAL-CONTROL.
  • CF-WORK-PROFILE: This content filter profile is intended for companies wishing to place restrictions on categories such as Job Search or Chat. It works with the category profile WORK-CATEGORIES.

Timeframes

There are two predefined timeframes:

  • ALWAYS: 00.00-23.59 hrs
  • NEVER: 00.00-0.00 hrs

Blacklist

  • The preset blacklist is named MY-BLACKLIST and it is empty. Here you can optionally enter URLs that are to be forbidden.

Whitelist

  • The preset whitelist is named MY-WHITELIST and it is empty. Here you can optionally enter URLs that are to be allowed.

Category profiles

  • There are three category profiles: BASIC-CATEGORIES, WORK-CATEGORIES and PARENTAL-CONTROL. A category profile specifies the categories that are to be allowed and forbidden, and those for which an override can be activated.

General settings

You make the global settings for the content filter in LANconfig under Content Filter > General:

Activate Content Filter

This allows you to activate the content filter.

In case of error

This lets you define what happens in the event of an error. For example, if the rating server cannot be reached, this setting determines whether the user can browse freely or whether all web access is blocked.

On license expiration

The license for using LANCOM Security Essentials is valid for a specific period. You will be reminded of the upcoming license expiration 30 days, one week, and one day in advance (to the email address configured in LANconfig under Log & Trace > General > E-mail addresses > E-mail for license expiry reminder). Here, you can specify whether websites should be blocked or passed unchecked after the license expires. Depending on this setting, the user can either browse freely after the license expires or all web access is forbidden.

To ensure the reminder is actually sent to the specified email address, you must configure the appropriate SMTP account.

On Non-HTTPS via TCP port 443

Forbidden

Disallows non-HTTPS traffic on port 443.

Allowed

Allows non-HTTPS traffic on port 443.
TCP port 443 is reserved by default exclusively for HTTPS connections. Some applications that do not use HTTPS still use TCP port 443. In such cases, you can allow TCP port 443 to accept non-HTTPS traffic.

  • If you allow non-HTTPS connections on port 443, the traffic will not be classified but instead generally permitted. By default, non-HTTPS traffic on port 443 is not allowed.

Max. proxy connections

Set the maximum number of simultaneous proxy connections allowed. This helps limit system load. A notification is triggered if this number is exceeded. You can configure the type of notification under Content Filter > Options > Event notification.

Proxy processing timeout

Specify the time in milliseconds the proxy is allowed for processing. If this time is exceeded, a timeout error page is returned.

Save Content Filter information to flash ROM activated

If enabled, this option stores content filter information in the device’s Flash ROM.

Allow wildcard certificates

For websites using wildcard certificates (with CN entries such as *.mydomain.de), enabling this function uses the main domain (mydomain.de) for filtering. The filtering process occurs in the following order:

  • Check the server name in the “Client Hello” (depending on the browser used)
  • Check the CN in the received SSL certificate
  • Wildcard entries are ignored
  • If the CN is not usable, the “Alternative Name” field is evaluated
  • DNS reverse lookup of the corresponding IP address and evaluation of the resulting hostname
  • If wildcards are included in the certificate, the main domain is used instead (as described above)
  • Check the IP address

Settings for blocking

You configure the website blocking settings here:

LANconfig: Content filter > Blocking / Override > Blocking & error
Command line: Setup > UTM > Content-Filter > Global-Settings

Alternative blocking URL:

This is where you can enter the address of an alternative URL. If access is blocked, the URL entered here is displayed instead of the requested web site. You can use this external HTML page to display your company's corporate design, for example, or to perform functions such as JavaScript routines, etc. You can use the same tags here as used in the blocking text. If you do not make any entry here, the default page stored in the device will be displayed.

Possible values:

  • Valid URL address

Default:

  • Blank

Alternative error URL:

This is where you can enter the address of an alternative URL. If an error occurs, the URL entered here is displayed instead of the usual web site. You can use this external HTML page to display your company's corporate design, for example, or to perform functions such as JavaScript routines, etc. You can use the same tags here as used in the error text. If you do not make any entry here, the default page stored in the device will be displayed.

Possible values:

  • Valid URL address

Default:

  • Blank

Source addr. for alt. block URL:

This is where you can configure an optional sender address to be used instead of the one that would normally be automatically selected for this target address. If you have configured loopback addresses, you can specify them here as sender address.

Possible values:

  • Name of the IP networks whose address should be used
  • INT for the address of the first Intranet
  • DMZ for the address of the first DMZ.

If there is an interface called DMZ, its address will be taken in this case.

  • LB0…LBF for the 16 loopback addresses
  • GUEST
  • Any IP address in the form x.x.x.x

Default:

  • Blank
    The sender address specified here is used unmasked for every remote station.

Source addr. for alt. error URL:

This is where you can configure an optional sender address to be used instead of the one that would normally be automatically selected for this target address. If you have configured loopback addresses, you can specify them here as sender address.

Possible values:

  • Name of the IP networks whose address should be used
  • INT for the address of the first Intranet
  • DMZ for the address of the first DMZ.

If there is an interface called DMZ, its address will be taken in this case.

  • LB0…LBF for the 16 loopback addresses
  • GUEST
  • Any IP address in the form x.x.x.x

Default:

  • Blank

The sender address specified here is used unmasked for every remote station.

Block text

This is where you can define the text to be displayed when blocking occurs. Different blocking texts can be defined for different languages. Which blocking text is displayed is controlled by the language setting transmitted by the browser (user agent).

Language

Entering the appropriate country code here ensures that users receive all messages in their browser’s preset language. If the country code set in the browser is found here, the matching text will be displayed. You can add any other language.
Examples of the country code:

  • de-DE: German-Germany
  • de-CH: German-Switzerland
  • de-AT: German-Austria
  • en-GB: English-Great Britain
  • en-US: English-United States

The country code must match the browser language setting exactly, e.g. “de-DE” must be entered for German (“de” on its own is insufficient). If the country code set in the browser is not found in this table, or if the text stored under that country code is deleted, the predefined default text (“default”) will be used. You can modify the default text.

Possible values:

  • 10 alphanumerical characters

Default:

  • Blank

Text

Enter the text that you wish to use as block text for this language.

Possible values:

  • 254 alphanumerical characters

Default:

  • Blank

Special values:

You can also use special tags for the blocking text if you wish to display different pages depending on the reason why the web site was blocked (e.g. forbidden category or entry in the blacklist).

The following tags can be used as tag values:

  • <CF-URL/> for the forbidden URL
  • <CF-CATEGORIES/> for the list of categories why the web site was blocked
  • <CF-PROFILE/> for the profile name
  • <CF-OVERRIDEURL/> for the URL used to activate the override (this can be integrated in a simple tag or in a button)
  • <CF-LINK/> adds a link for activating the override
  • <CF-BUTTON/> for a button to activate the override
  • <CF-IF att1 att2> … </CF-IF> to display or hide parts of the HTML document. The attributes are:
    • BLACKLIST: If the site was blocked because it is in the profile blacklist
    • CATEGORY: If the site was blocked due to one of its categories
    • ERR: If an error has occurred.
    • OVERRIDEOK: If users have been allowed an override (in this case, the page should display an appropriate button)

Since there are separate text tables for the blocking page and the error page, this attribute only makes sense if you have configured an alternative URL to be displayed on blocking. If several attributes are defined in one tag, the section is displayed if at least one of these conditions is met. All tags and attributes can be abbreviated to the first two letters (e.g. CF-CA or CF-IF BL). This is necessary as the blocking text may only contain a maximum of 254 characters.

Example:

<CF-URL/> is blocked because it matches the categories . Your content profile is .

The tags described here can also be used in external HTML pages (alternative URLs to be displayed on blocking).

Error text

This is where you can define the text to be displayed when an error occurs.

Language

Entering the appropriate country code here ensures that users receive all messages in their browser’s preset language. If the country code set in the browser is found here, the matching text will be displayed. You can add any other language.

Examples of the country code:

  • de-DE: German-Germany
  • de-CH: German-Switzerland
  • de-AT: German-Austria
  • en-GB: English-Great Britain
  • en-US: English-United States

The country code must match the browser language setting exactly, e.g. “de-DE” must be entered for German (“de” on its own is insufficient). If the country code set in the browser is not found in this table, or if the text stored under that country code is deleted, the predefined default text (“default”) will be used. You can modify the default text.

Possible values:

  • 10 alphanumerical characters

Default:

  • Blank

Text

Enter the text that you wish to use as error text for this language.

Possible values:

  • 254 alphanumerical characters

Default:

  • Blank

Special values:

You can also use HTML tags for the error text.

The following empty element tags can be used as tag values:

  • <CF-URL/> for the forbidden URL
  • <CF-PROFILE/> for the profile name
  • <CF-ERROR/> for the error message

Example:

<CF-URL/> is blocked because an error occurred:

Override settings

The override function allows a web site to be accessed even though it is classified as forbidden. The user must click the override button to request that the forbidden page be opened. You can configure this feature so that the administrator is notified when the override button is clicked (LANconfig: Content filter > Options > Events).

If the override type “Category” has been activated, clicking on the override button makes all of the categories for that URL accessible to the user. The next blocking page to be displayed shows a single category explaining why access to the URL was blocked. If the override type “Domain” has been activated, then the entire domain can be accessed.

The settings for the override function are to be found here:

LANconfig: Content filter > Blocking / Override > Override
Command line: Setup > UTM > Content-Filter > Global-Settings

Override-Active

This is where you can activate the override function and make further related settings.

Override duration

The duration of the override can be restricted here. When the period expires, any attempt to access the same domain and/or category will be blocked again. Clicking the override button again allows the web site to be accessed again for the duration of the override and, depending on the settings, the administrator will be notified once more.

Possible values:

  • 1-1440 (minutes)

Default:

  • 5 (minutes)

Override type:

This is where you can set the type of override. It can be allowed for the domain, for the category of web site to be blocked, or for both.

Possible values:

Category

For the duration of the override, all URLs are allowed that fall under the affected categories (as well as those that are already allowed even without the override).

Domain

For the duration of the override all URLs in this domain are allowed, irrespective of the categories they belong to.

Category-and-Domain

For the duration of the override, all URLs are allowed that belong to this domain and also to the allowed categories. This is the strictest restriction.

Override text

This is where you can define the text that is displayed to users when they confirm an override.

Language

Entering the appropriate country code here ensures that users receive all messages in their browser’s preset language. If the country code set in the browser is found here, the matching text will be displayed. You can add any other language.

Examples of the country code:

  • de-DE: German-Germany
  • de-CH: German-Switzerland
  • de-AT: German-Austria
  • en-GB: English-Great Britain
  • en-US: English-United States

The country code must match the browser language setting exactly, e.g. “de-DE” must be entered for German (“de” on its own is insufficient). If the country code set in the browser is not found in this table, or if the text stored under that country code is deleted, the predefined default text (“default”) will be used. You can modify the default text.

Possible values:

  • 10 alphanumerical characters

Default:

  • Blank

Text

Enter the text that you wish to use as override text for this language.

Possible values:

  • 254 alphanumerical characters

Default:

  • Blank

Special values:

You can also use HTML tags for the blocking text if you wish to display different pages depending on the reason why the web site was blocked (e.g. forbidden category or entry in the blacklist).

The following tags can be used as tag values:

  • <CF-URL/> for the originally forbidden URL that is now allowed
  • <CF-CATEGORIES/> for the list of categories that have now been allowed as a result of the override (except if domain override is specified).
  • <CF-BUTTON/> displays an override button that forwards the browser to the original URL.
  • <CF-BUTTON/> displays an override link that forwards the browser to the original URL.
  • <CF-HOST/> or <CF-DOMAIN/> displays the host or the domain for the allowed URL. The tags are of equal value and their use is optional.
  • <CF-ERROR/> generates an error message in the event that the override fails.
  • <CF-DURATION/> displays the override duration in minutes.
  • <CF-IF att1 att2> … </CF-IF> to display or hide parts of the HTML document. The attributes are:
    • CATEGORY when the override type is “Category” and the override was successful
    • DOMAIN when the override type is “Domain” and the override was successful
    • BOTH when the override type is “Category-and-Domain” and the override was successful
    • ERROR when the override fails
    • OK if either CATEGORY or DOMAIN or BOTH are applicable

If several attributes are defined in one tag, the section is displayed if at least one of these conditions is met. All tags and attributes can be abbreviated to the first two letters (e.g. CF-CA or CF-IF BL). This is necessary as the blocking text may only contain a maximum of 254 characters.

Example:

The categories are in the domain The domain is released for minutes. Override error:
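A pre-deployment check for the block, error and override texts described above, added here as an example and not LANCOM code. It flags texts over the 254-character limit, tags or CF-IF attributes that the lists on this page do not name for that text type, and unbalanced CF-IF sections, and it shortens tags to the two-letter form. Upper-case tag spelling, the function names and the sample text are assumptions.

```python
import re

MAX_LEN = 254  # character limit this page states for each text entry

# Tag and CF-IF attribute names transcribed from the lists on this page.
TAGS = {
    "block": ["URL", "CATEGORIES", "PROFILE", "OVERRIDEURL", "LINK", "BUTTON", "IF"],
    "error": ["URL", "PROFILE", "ERROR"],
    "override": ["URL", "CATEGORIES", "BUTTON", "HOST", "DOMAIN", "ERROR",
                 "DURATION", "IF"],
}
IF_ATTRS = {
    "block": ["BLACKLIST", "CATEGORY", "ERR", "OVERRIDEOK"],
    "error": [],
    "override": ["CATEGORY", "DOMAIN", "BOTH", "ERROR", "OK"],
}

# <CF-NAME/>, <CF-IF A B>, </CF-IF>  (assumption: names are written upper-case)
CF_TAG = re.compile(r"<(/?)CF-([A-Z]+)((?:\s+[A-Z]+)*)\s*(/?)>")


def _lookup(names):
    """Map each full name and its two-letter abbreviation to the full name."""
    table = {}
    for name in names:
        table[name] = name
        table[name[:2]] = name
    return table


def lint(text, kind):
    """Return a list of problems found in a 'block', 'error' or 'override' text."""
    issues = []
    if len(text) > MAX_LEN:
        issues.append(f"text is {len(text)} characters, limit is {MAX_LEN}")
    tags, attrs = _lookup(TAGS[kind]), _lookup(IF_ATTRS[kind])
    depth = 0
    for match in CF_TAG.finditer(text):
        closing, name, attr_str, _selfclose = match.groups()
        full = tags.get(name)
        if full is None:
            issues.append(f"unknown tag CF-{name} for {kind} text")
            continue
        if full != "IF":
            continue
        if closing:
            depth -= 1
            if depth < 0:
                issues.append("</CF-IF> without opening CF-IF")
                depth = 0
            continue
        depth += 1
        if not attr_str.split():
            issues.append("CF-IF without attribute")
        for attr in attr_str.split():
            if attr not in attrs:
                issues.append(f"unknown CF-IF attribute {attr} for {kind} text")
    if depth:
        issues.append("unclosed CF-IF")
    return issues


def abbreviate(text):
    """Shorten every CF tag and CF-IF attribute to its first two letters."""
    def shorten(match):
        closing, name, attr_str, selfclose = match.groups()
        short_attrs = "".join(" " + attr[:2] for attr in attr_str.split())
        return f"<{closing}CF-{name[:2]}{short_attrs}{selfclose}>"
    return CF_TAG.sub(shorten, text)


# Constructed sample block text (not taken from the device defaults).
SAMPLE = ("<CF-URL/> blocked: <CF-CATEGORIES/>. Profile <CF-PROFILE/>."
          "<CF-IF OVERRIDEOK BLACKLIST><CF-BUTTON/></CF-IF>")

if __name__ == "__main__":
    print(lint(SAMPLE, "block"))
    print(abbreviate(SAMPLE), len(SAMPLE), len(abbreviate(SAMPLE)))
```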

Profiles in the content filter

Under Content Filter > Profiles you can create content filter profiles that are used to check web sites for forbidden content. A content filter profile always has a name and, for different time periods, activates the desired category profile and, optionally, a blacklist and a whitelist. To provide different configurations for different time periods, several content filter profile entries are created with the same name. The content filter profile is thus made up of the sum of all entries with the same name. The firewall refers to this content filter profile.

Please note that you must make corresponding settings in the firewall in order to use the profiles in the LANCOM content filter.

Profiles

The settings for the profiles are located here:

LANconfig: Content filter > Profiles > Profile
Command line: Setup > UTM > Content-Filter > Profiles > Profile

Name

The profile name that the firewall references must be specified here.

Timeframe

Select the timeframe for this category profile and, optionally, the blacklist and the whitelist. The timeframes ALWAYS and NEVER are predefined. You can configure other timeframes under:

  • LANconfig: Date & time > General > Time frame
  • Command line: Setup > Time > Timeframe

One profile may contain several lines with different timeframes.

Possible values:

  • Always
  • Never
  • Name of a timeframe profile

If multiple entries are used for a content filter profile and their timeframes overlap, all pages contained in the active entries are blocked during that period. If multiple entries are used for a content filter profile and a period of time remains unspecified, access to all web sites will be unchecked for this period.
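The unspecified-period case above leaves web access unchecked, so it is worth testing a planned profile for gaps before assigning it in the firewall. The following check is an added example, not LANCOM code: it takes the entries of one content filter profile and reports the periods of a single day with no active entry and the periods where entries overlap. The timeframe names other than ALWAYS and NEVER, the HH:MM notation, the inclusive stop minute, treating equal start and stop as "no time" (as NEVER is defined on this page) and ignoring weekdays are assumptions.

```python
DAY = 24 * 60  # minutes in one day

# Constructed timeframes. ALWAYS and NEVER use the values given on this page;
# WORKHOURS, EVENING and LUNCH are hypothetical names for illustration.
TIMEFRAMES = {
    "ALWAYS": [("00:00", "23:59")],
    "NEVER": [("00:00", "00:00")],
    "WORKHOURS": [("08:00", "16:59")],
    "EVENING": [("17:00", "21:59")],
    "LUNCH": [("12:00", "12:59")],
}


def _to_min(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def _fmt(minute):
    return f"{minute // 60:02d}:{minute % 60:02d}"


def active_entries_per_minute(entries, timeframes=TIMEFRAMES):
    """Count, for every minute of the day, how many profile entries are active."""
    counts = [0] * DAY
    for entry in entries:
        for start, stop in timeframes[entry["timeframe"]]:
            first, last = _to_min(start), _to_min(stop)
            if first == last:
                continue  # assumption: equal start/stop covers nothing (NEVER)
            if last < first:
                raise ValueError(f"{start}-{stop}: split ranges that cross midnight")
            for minute in range(first, last + 1):  # stop minute is inclusive
                counts[minute] += 1
    return counts


def _ranges(counts, wanted):
    """Collapse the minutes for which wanted(count) holds into HH:MM ranges."""
    ranges, start = [], None
    for minute in range(DAY + 1):
        hit = minute < DAY and wanted(counts[minute])
        if hit and start is None:
            start = minute
        elif not hit and start is not None:
            ranges.append((_fmt(start), _fmt(minute - 1)))
            start = None
    return ranges


def unfiltered_periods(entries, timeframes=TIMEFRAMES):
    """Periods with no active entry: web access is unchecked during these."""
    return _ranges(active_entries_per_minute(entries, timeframes), lambda n: n == 0)


def overlapping_periods(entries, timeframes=TIMEFRAMES):
    """Periods with more than one active entry: all of them block at once."""
    return _ranges(active_entries_per_minute(entries, timeframes), lambda n: n > 1)


# Constructed profile: two entries that share one profile name.
PROFILE = [
    {"name": "Employees_Department_A", "timeframe": "WORKHOURS",
     "category_profile": "PARENTAL-CONTROL"},
    {"name": "Employees_Department_A", "timeframe": "EVENING",
     "category_profile": "BASIC-CATEGORIES"},
]

if __name__ == "__main__":
    for start, stop in unfiltered_periods(PROFILE):
        print(f"unchecked web access {start}-{stop}")
    for start, stop in overlapping_periods(PROFILE):
        print(f"overlapping entries {start}-{stop}")
```

A profile that should never leave a gap can close it with an extra entry for the remaining periods, or be built from the ALWAYS timeframe as the default profiles are.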

Blacklist

Name of the blacklist profile that is to apply to this content filter profile during the period in question. A new name can be entered, or an existing name can be selected from the blacklist table.

Possible values:

  • Name of a blacklist profile
  • New name

Whitelist

Name of the whitelist profile that is to apply to this content filter profile during the period in question. A new name can be entered, or an existing name can be selected from the whitelist table.

Possible values:

  • Name of a whitelist profile
  • New name

Category profile

Name of the category profile that is to apply to this content filter profile during the period in question. A new name can be entered, or an existing name can be selected from the category table.

Possible values:

  • Name of a category profile
  • New name

Blacklist addresses (URL)

This is where you can configure the web sites that are to be blocked.

  • LANconfig: Content filter > Profiles > Blacklist addresses (URL)
  • Command line: Setup > UTM > Content-Filter > Profiles > Blacklist

Name

Enter the name of the blacklist for referencing from the content-filter profile.

Possible values:

  • Blacklist name

Address (URL)

Access to the URLs entered here will be forbidden by the blacklist.

Possible values:

  • Valid URL address

The following wildcard characters may be used:

URLs must be entered without the leading http://. Please note that for many URLs, a forward slash is automatically added as a suffix to the URL, e.g. “www.mycompany.de/”. For this reason, it is advisable to enter the URL as: “www.mycompany.de*”.

Individual URLs are separated by a blank.

Whitelist addresses (URL)

This is where you can configure the web sites to which access is to be allowed.

LANconfig: Content filter > Profiles > Whitelist addresses (URL)
Command line: Setup > UTM > Content-Filter > Profiles > Whitelist

Name

Enter the name of the whitelist for referencing from the content filter profile.

Possible values:

  • Name of a whitelist

Address (URL)

This is where you can configure web sites which are to be checked locally and then accepted.

Possible values:

  • Valid URL address

The following wildcard characters may be used:

Individual URLs are separated by a blank.

Category profiles

Here you create a category profile and determine which categories or groups are to be used to rate web sites for each category profile. You can allow or forbid individual categories or activate the override function for each group.

LANconfig: Content filter > Profiles > Categories
Command line: Setup > UTM > Content-Filter > Profiles > Category-Profile

Category profile

The name of the category profile for referencing from the content filter profile is entered here.

Possible values:

  • Name of a category profile

Category settings

For each main category and the associated sub-categories, it is possible to define whether the URLs are to be allowed, forbidden or allowed with override only.

The following main categories can be configured:

  • Illegal
  • Cyberthreats
  • Pornography
  • Advertising
  • Games
  • Web applications
  • Shopping
  • Finance
  • Religions & occult
  • Information
  • Entertainment & Culture
  • Miscellaneous

The category profile must be assigned to a content-filter profile together with a time frame in order to become active.

Possible values:

  • Allowed, forbidden, override

Options for the Content Filter

Under Content Filter > Options you determine whether you wish to be notified of events and where the Content Filter information is to be stored.

Events

This is where you define how you wish to receive notification of specific events. Notification can be made by e-mail, SNMP or SYSLOG. For different event types you can specify whether messages should be output and, if so, how many.

E-mail

Here, you specify if and how e-mail notification takes place:

  • No
    No e-mail notification is issued for this event.
  • Immediately
    Notification occurs when the event occurs.
  • Daily
    The notification occurs once per day.
    The notification occurs once per day.

Notifications can be sent for the following events:

  • Error
    For SYSLOG: Source “System”, priority “Alert”.
    Default: SNMP notification
  • License expiry
    For SYSLOG: Source “Admin”, priority “Alert”.
    Default: SNMP notification
  • License exceeded
    For SYSLOG: Source “Admin”, priority “Alert”.
    Default: SNMP notification
  • Override applied
    For SYSLOG: Source “Router”, priority “Alert”.
    Default: SNMP notification
  • Proxy limit
    For SYSLOG: Source “Router”, priority “Info”.
    Default: SNMP notification

E-mail recipient

An SMTP client must be defined if you wish to use the e-mail notification function. You can use the client in the device, or another client of your choice.

No e-mail will be sent if no e-mail recipient is specified.

Content Filter snapshot

This is where you can activate the content filter snapshot and determine when and how often it should be taken. The snapshot copies the category statistics table to the last snapshot table, overwriting the old contents of the snapshot table. The category statistics values are then reset to 0.

Interval

Here you decide whether the snapshot should be taken monthly, weekly or daily.

Possible values:

  • Monthly
  • Weekly
  • Daily

Day of month

For monthly snapshots, set the day of the month when the snapshot should be taken. Possible values:

  • 1-31

It is advisable to select a number between 1 and 28 in order to ensure that it occurs every month.

Day of week

For weekly snapshots, set the day of the week when the snapshot should be taken. Possible values:

  • Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday

Time of day

If you require a daily snapshot, then enter here the time of day for the snapshot in hours and minutes. Possible values:

  • Format HH:MM (default: 00:00)

Additional settings for the Content Filter

Firewall settings for the content filter

The firewall must be activated in order for the Content Filter to function. You can activate the firewall under:

  • LANconfig: Firewall/QoS > General
  • Command line: Setup > IP-Router > Firewall

In the default configuration, you will find the firewall rule CONTENT-FILTER that refers to the action object CONTENT-FILTER-BASIC.

The firewall rule should be limited to the target services HTTP and HTTPS so that only outgoing HTTP and HTTPS connections are examined. Without this restriction, all packets will be checked by the content filter, which could lead to a loss of system performance. A content-filter related firewall rule must contain a special action object that uses packet actions to check the data according to a content-filter profile. In the default configuration, you will find the action objects CONTENT-FILTER-BASIC, CONTENT-FILTER-WORK and CONTENT-FILTER-PARENTAL-CONTROL, each of which refers to its corresponding content-filter profile.

Example: When a web page is accessed, the data packets pass through the firewall and are processed by the rule CONTENT-FILTER. The action object CONTENT-FILTER-BASIC checks the data packets using the content-filter profile CONTENT-FILTER-BASIC.

Timeframe

Timeframes are used with the content filter to define the times when content-filter profiles are active. One profile may contain several lines with different timeframes. The different lines in a timeframe should complement one another, i.e. if you specify WORKTIME you should also specify a timeframe called FREETIME to cover the time outside of working hours. Timeframes can also be used to prevent a WLAN SSID from being broadcast permanently. This can be added in the logical WLAN settings. The timeframes ALWAYS and NEVER are predefined. You can configure further timeframes under:

Command line: Setup > Time > Timeframe

Name

Enter the name of the timeframe for referencing from the content-filter profile or by a WLAN SSID. Multiple entries with the same name result in a common profile.

Possible values:

  • Name of a timeframe

Start

Here you set the start time (time of day) when the selected profile becomes valid.

Possible values:

  • Format HH:MM (default: 00:00)

Stop

Here you set the stop time (time of day) when the selected profile ceases to be valid.

Possible values:

  • Format HH:MM (default: 23:59)

A stop time of HH:MM usually runs until HH:MM:00. The stop time 00:00 is an exception, since this is interpreted as 23:59:59.

Weekdays

Here you select the weekday on which the timeframe is to be valid.

Possible values:

  • Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday, Holiday

The holidays are set under Date & Time > General > Public holidays.

You can create a time schedule with the same name but different times extending over several lines.
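A coverage check for the requirement that timeframe lines complement one another, as an added example (not LANCOM code): it takes all rows used by one content-filter profile and lists the minutes no row covers, applying the stop-time rule stated above. The row tuples are constructed; rows crossing midnight and the Holiday day are not modelled.

```python
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
WEEK, WEEKEND = set(DAYS[:5]), set(DAYS[5:])

# Constructed rows: (name, start, stop, weekdays). Holiday rows are left out.
ROWS = [
    ("WORKTIME", "08:00", "17:00", WEEK),
    ("FREETIME", "00:00", "08:00", WEEK),
    ("FREETIME", "17:00", "23:59", WEEK),   # 23:59 is the default stop time
    ("FREETIME", "00:00", "00:00", WEEKEND),
]

def to_min(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def fmt(minute):
    return f"{minute // 60:02d}:{minute % 60:02d}"

def covered(rows, day):
    """Minutes of `day` covered by any row, whatever its name."""
    minutes = set()
    for _name, start, stop, days in rows:
        if day not in days:
            continue
        begin = to_min(start)
        # Manual: stop HH:MM runs until HH:MM:00, but stop 00:00 means 23:59:59.
        end = 1440 if stop == "00:00" else to_min(stop)
        if end <= begin:
            raise ValueError(f"{start}-{stop}: rows crossing midnight are not modelled")
        minutes.update(range(begin, end))
    return minutes

def gaps(rows):
    """Per weekday, the uncovered [from, to) ranges; 24:00 marks the end of the day."""
    result = {}
    for day in DAYS:
        free = sorted(set(range(1440)) - covered(rows, day))
        runs = []
        for minute in free:
            if runs and runs[-1][1] == minute:
                runs[-1][1] = minute + 1      # extend the current gap
            else:
                runs.append([minute, minute + 1])
        if runs:
            result[day] = [(fmt(a), fmt(b)) for a, b in runs]
    return result

if __name__ == "__main__":
    for day, holes in gaps(ROWS).items():
        print(day, holes)
```

In this model the default stop time 23:59 leaves the last minute of each weekday uncovered; entering 00:00 as the stop time closes that gap.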

BPjM module

The BPjM module is issued by the German Federal Review Board for Media Harmful to Minors (BPjM) and blocks websites that should not be accessible to children and young people. This feature is particularly relevant for schools and educational institutions with underage students. DNS domains with content officially classified as harmful to minors cannot be accessed by the target group. The list is guaranteed to be updated automatically and extended regularly. The BPjM module blocks DNS domains that are on the official website list of the Federal Review Board for Media Harmful to Minors (BPjM) in Germany. Blocking by category and override (allow) are not available. The BPjM module is available as part of the LANCOM Content Filter option or separately via the LANCOM BPjM Filter software option.

The IPv4 or IPv6 firewalls use this feature by means of a default firewall rule that can be activated and configured for each network. For example, it is possible to equip only the student network with this filter, while excluding other networks. The IPv6 firewall includes a new default rule BPJM, which is disabled by default, with the system object “BPJM” as the destination station. The same rule is available in the IPv4 firewall. The networks to be protected by the BPjM module are specified as source stations.

Further settings can be found in LANconfig under Miscellaneous Services > Services > BPjM filter.

Source address

Source address used by the BPjM module to access the server for BPjM signature updates.

Recommendations for use

If content filters and BPJM filters are to be used together, both rules must be configured with different priorities so that they are run through one after the other. Likewise, for the first rule, care must be taken to ensure that the item “Observe further rules, after this rule matches” is activated.
In rare cases, the BPJM module may block desired domains because only (DNS) domains and not URL directory levels can be checked due to TLS. In this case, these desired domains can be added to the “BPJM Allow list”, e.g. *.example.com. The LANCOM router must serve as DNS server or DNS forwarder in the network, i.e. clients in the local network must use the router as DNS server. In addition, the direct use of DNS-over-TLS and DNS-over-HTTPS (possibly browser-internal) with external DNS servers by clients must be prevented.

This can be achieved as follows:

  • The DHCP server must distribute the router’s IP address as the DNS server (set up by default by the Internet Wizard).
  • Set up firewall rules that prevent direct use of external DNS servers, for example by blocking outgoing port 53 (UDP) for clients from the corresponding source network.
  • Set up firewall rules that prevent direct use of external DNS servers supporting DNS-over-TLS, e.g. by blocking outgoing port 853 (TCP) for clients from the corresponding source network.
  • Disable DNS-over-HTTPS (DoH) in the browser.
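To check that these rules hold in practice, the following added example (not LANCOM code) scans flow records for clients in the protected network that reach a resolver other than the router on port 53 or 853. The record format, addresses and network range are constructed assumptions, and the check also covers DNS over TCP port 53, which goes beyond the UDP rule named above.

```python
import csv
import io
import ipaddress
from collections import defaultdict

ROUTER = ipaddress.ip_address("192.168.10.1")        # assumed router / DNS forwarder
PROTECTED = ipaddress.ip_network("192.168.10.0/24")  # assumed source network
DNS_PORTS = {("udp", 53): "DNS", ("tcp", 53): "DNS/TCP", ("tcp", 853): "DoT"}

# Constructed flow records: src,dst,proto,dport
FLOWS = """\
192.168.10.21,192.168.10.1,udp,53
192.168.10.21,203.0.113.53,udp,53
192.168.10.34,198.51.100.8,tcp,853
192.168.10.34,198.51.100.8,tcp,443
192.168.20.5,203.0.113.53,udp,53
192.168.10.40,203.0.113.53,tcp,53
"""

def dns_bypass(flow_text):
    """Return {client: [(resolver, kind), ...]} for DNS traffic that
    leaves the protected network without going through the router."""
    findings = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 4:
            continue                      # skip blank or malformed records
        src, dst, proto, dport = (field.strip() for field in row)
        kind = DNS_PORTS.get((proto.lower(), int(dport)))
        if kind is None:
            continue                      # not a DNS or DoT port
        if ipaddress.ip_address(src) not in PROTECTED:
            continue                      # client is outside the filtered network
        if ipaddress.ip_address(dst) == ROUTER:
            continue                      # expected path: router as DNS server
        findings[src].add((dst, kind))
    return {client: sorted(hits) for client, hits in findings.items()}

if __name__ == "__main__":
    for client, hits in dns_bypass(FLOWS).items():
        print(client, hits)
```

DNS-over-HTTPS shares port 443 with ordinary HTTPS, so a port-based check like this one does not see it; that case is handled by disabling DoH in the browser.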

Notes on synchronising the firewall’s DNS database: Because the firewall learns its information from client DNS requests, in certain situations, the DNS database may not yet be complete. This can happen in the following situations:

  • A new firewall rule is added, but the client still has a DNS record cached.
  • Shortly after the router reboots and the client still has a DNS record cached.

In these cases, clearing the DNS cache on the client, rebooting the client, or timing out the DNS record on the client will help.

If different DNS names resolve to the same IP address, then they cannot be distinguished. In this case, the first rule that references one of these DNS names always applies. This should not be a problem with large service providers. However, it could occur with small websites hosted by the same provider.

FAQ

  • What should I do if the content-filter profile needs to be changed?
    • If you need to adjust the content-filter profile, make sure to adjust the corresponding firewall rule accordingly to maintain proper functionality.
  • How can I ensure effective use of LANCOM Security Essentials?
    • To ensure effective use, regularly review and update the category profiles and settings based on your organisation’s requirements and policies.
