Skip to main content

Prevent double filtering from both Cloud Filter and On-Premise Appliance

Updated

Cloud Filter and On-Premise Appliance filter devices in different ways, causing ‘Double Filtered’ devices to show certificate errors or blank pages. To prevent these issues, devices must be filtered only by Cloud Filter:

  • Option 1: Use a VLAN to route traffic from devices past the On-Premise Appliance.
    • This is recommended for all devices.
    • This is the only available option for iPads, as Smoothwall Browser does not work with the ‘Secret Knock’.
  • Option 2: Use the ‘Secret Knock’ to bypass the On-Premise Appliance.
    • This option should only be used for devices that aren’t segregated at the network level where VLANs are shared with devices that don’t use Cloud Filter, such as BYOD networks, general Wi-Fi, etc.
    • This option can be used for devices using Android Filter App or Cloud Filter Extension.

Option 1: Use a VLAN

  1. Add a VLAN interface from Network > Configuration > Interfaces.
  2. Add an IP address to the VLAN interface.
  3. Ensure client devices are configured via DHCP to use the new VLAN interface as their gateway. If you’re using On-Premise Appliance to manage DHCP, see Managing DHCP servers.

If you have the On-Premise Appliance as part of the route out of the network, you won’t have VLAN interfaces set up in your On-Premise Appliance.

  1. Go to Guardian > Web Filter > Exceptions.
  2. Enter the VLAN subnet network range that you route from your core switch into the Source exception IP addresses field.
  3. Select Save.

Option 2: Use the ‘Secret Knock’

Before you begin

  • Ensure you can resolve the hostname of your On-Premise Appliance via local DNS. Refer to your service’s documentation for instructions.
  • Check that you have set up an Internal Network interface to use from Network > Configuration > Interfaces.

Step 1: Enable Cloud Filter Bypass

  1. Sign in to On-Premise Appliance.
  2. Add a Smoothwall access rule with these settings:
    • Source IP addresses: Any.
    • Inbound Interfaces: Select all Internal interfaces.
    • Destination IP addresses: Any.
    • Services: Cloud Filter Bypass (6150)
    • Groups: Any.
    • Action: Accept
    • Select the Log checkbox.

Step 2: Enable the ‘Secret Knock’

  1. Go to Guardian > Client interfaces > Cloud Filter.
  2. Go to the Secret Knock section.
  3. Enter the Hostname or IP of the On-Premise Appliance internal interface.
  4. Enter a refresh time in seconds to dictate how often Cloud Filter devices can request a bypass from the On-Premise Appliance. We recommend 600 seconds.
  5. Sign out of the On-Premise Appliance to sync your changes to Cloud.