Yes, the firewall section has 4 settings: off, low, medium and high, and if switching to three of the settings a person can check or uncheck inbound and outbound on many ports and services.

This looks like a GUI for a standard router with an SPI firewall. Website filtering on that is just a place to enter a few URLs to block.
Setting up a secure DNS will do the same though, since all those services share the same database.

Additionally, virtually all UTM devices include ATP detection and will warn/block a system (phone, PC, ...) that attempts to connect to C&C or any other recognized rogue network.
Dormant malware is harmless. It is following a set of instructions: A - B - C. If you block it at B, it cannot do anything; it is just dumb malware. I do not care if I get infected, as long as the malware is unable to steal passwords, encrypt data, etc. Like blocking outbound stopped CCleaner. As you said, it is about the viewpoint.

Are you aware that you are infected when no warning is present?
Err.. A huge percentage use IP-based communication precisely so they can bypass DNS protection and increase their survivability in the wild. This is why most UTMs have settings to block 'IP Only Requests'; it's actually precisely why. Also, DNS filtration relies strictly on KNOWN entities; UTMs do not rely on this for all of their technologies. For example, many UTMs are now blocking 'Newly created domains' and 'Newly seen domains', both of which are designed to protect you from ATP threats, ransomware, and zero-day outbreaks. Add to that the flow inspection, traffic heuristics, sandboxing and other ATP units and it's pretty exciting.

Infections also use DNS for downloads, etc. Very few use IPs, because IPs tend to change once discovered, and that would make the malware short-lived.
In the Untangle case I was referring to, creating the root cert on the appliance was not a walk in the park. After that was done, installing the cert on the computers was easy.

If you want HTTPS scanned you need a local root certificate, no ifs or buts about it. That's the only way to have it scanned. Be aware that since Android 7+ you might have issues including local root certs.
And from my experience, Untangle 10+ (now on 13), Sophos UTM 9.5.x and Sophos XG17 are all able to scan HTTPS if you install their root certs.
For IoT devices I set up a VLAN and send them via a different path away from my network... those don't get HTTPS scanned, but they are separate from the net.
The root CA on Untangle is already created once the SSL Inspector is installed (1 click); after that an installer is generated for the RCA to be downloaded. Execute the installer on Windows machines to install the RCA in a couple of clicks. Very easy.

In the Untangle case I was referring to, creating the root cert on the appliance was not a walk in the park. After that was done, installing the cert on the computers was easy.
As you say, a VLAN will help to separate your IoT devices from your network, but what happens if some of them get infected and start communicating with a command server over HTTPS, or is this scenario unreal?
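The three checks debated above (blocking 'IP Only Requests', flagging 'newly seen domains', and what an infected IoT device on its own VLAN looks like when it calls home over HTTPS) can be shown as egress-policy logic run over resolver and connection logs. The block below is an added example written for this thread, not code from any UTM product mentioned; the log lines, subnet, allowlist and the "first seen" baseline are constructed, and the two-label "registered domain" helper is a simplification of what a real appliance does with the public suffix list. The point it makes for the VLAN question: segmentation alone does not reveal the callback, but an egress allowlist on the IoT VLAN does, even without decrypting the TLS session, because the SNI and destination are still visible.

```python
"""Egress checks a UTM would apply, run over constructed sample logs.

1. "ip-only-request": an outbound connection whose destination IP never
   appeared in a DNS answer seen by the resolver (malware hard-coding IPs
   to sidestep DNS filtering).
2. "newly-seen-domain": the registered domain was first observed less than
   NEW_DOMAIN_WINDOW seconds before the connection.
3. "iot-egress-denied": a device on the IoT VLAN talking to a domain that is
   not on its allowlist, i.e. a C2 callback over HTTPS still gets noticed.
"""
import ipaddress
from collections import namedtuple

T = 1_700_000_000              # arbitrary epoch base for the constructed logs
DAY = 86_400
NEW_DOMAIN_WINDOW = 7 * DAY    # assumption: younger than a week is "newly seen"

# Constructed DNS log: (unix_ts, client, qname, answer_ip). Not real traffic.
DNS_LOG = [
    (T + 0,   "192.168.10.20", "www.example.com",           "93.184.216.34"),
    (T + 5,   "192.168.50.7",  "updates.iotvendor.example", "203.0.113.10"),
    (T + 100, "192.168.10.20", "cdn.zzq3k1.example",        "198.51.100.77"),
    (T + 195, "192.168.50.7",  "api.somewhere.example",     "203.0.113.99"),
]

# Constructed connection log: (unix_ts, src, dst_ip, dst_port, sni).
# sni is "" when the client connected to a raw IP with no hostname.
CONN_LOG = [
    (T + 1,   "192.168.10.20", "93.184.216.34", 443, "www.example.com"),
    (T + 10,  "192.168.50.7",  "203.0.113.10",  443, "updates.iotvendor.example"),
    (T + 20,  "192.168.10.20", "198.51.100.5",  443, ""),                      # hard-coded IP
    (T + 101, "192.168.10.20", "198.51.100.77", 443, "cdn.zzq3k1.example"),    # brand-new domain
    (T + 200, "192.168.50.7",  "203.0.113.99",  443, "api.somewhere.example"), # IoT -> unlisted
]

# Assumed history of when each registered domain was first seen by this site.
FIRST_SEEN_BASELINE = {
    "example.com":       T - 90 * DAY,
    "iotvendor.example": T - 90 * DAY,
    "somewhere.example": T - 90 * DAY,
}

IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")   # assumed IoT VLAN
IOT_ALLOWLIST = {"iotvendor.example"}                   # assumed vendor-only egress

Finding = namedtuple("Finding", "ts src reason detail")


def registered_domain(name):
    """Crude registered domain: last two labels (a real UTM consults the
    public suffix list; two labels are enough for the constructed data)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def resolved_ips(dns_log):
    """Every IP a DNS answer handed out, i.e. destinations reachable via DNS."""
    return {answer for _, _, _, answer in dns_log}


def first_seen(dns_log, baseline):
    """Earliest timestamp per registered domain: baseline merged with the log."""
    seen = dict(baseline)
    for ts, _, qname, _ in dns_log:
        dom = registered_domain(qname)
        seen[dom] = min(ts, seen.get(dom, ts))
    return seen


def evaluate(conn_log, dns_log, baseline=FIRST_SEEN_BASELINE):
    ips = resolved_ips(dns_log)
    born = first_seen(dns_log, baseline)
    findings = []
    for ts, src, dst, port, sni in conn_log:
        dom = registered_domain(sni) if sni else ""
        if dst not in ips:
            # No resolver ever returned this IP: the client dialled it directly.
            findings.append(Finding(ts, src, "ip-only-request", dst))
        elif dom not in born or ts - born[dom] < NEW_DOMAIN_WINDOW:
            findings.append(Finding(ts, src, "newly-seen-domain", dom))
        if ipaddress.ip_address(src) in IOT_SUBNET and dom not in IOT_ALLOWLIST:
            # Segmentation alone hides nothing; the per-VLAN allowlist does the work.
            findings.append(Finding(ts, src, "iot-egress-denied", dom or dst))
    return findings


if __name__ == "__main__":
    for f in evaluate(CONN_LOG, DNS_LOG):
        print(f"{f.ts} {f.src:14} {f.reason:18} {f.detail}")
```

Of the five connections only the three worth blocking are reported: the hard-coded IP from the office subnet, the day-old domain, and the IoT device reaching a host its vendor never needed. The last one is what the VLAN question is about; the allowlist catches it whether or not HTTPS is being decrypted.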