Nexapp - Content Filtering
Content Filtering
Content filtering is a core security capability in NexappOS. It serves two main goals:
- Protect the network from malware and malicious activity
- Control access to unwanted or non-business sites (for example adult content, gambling, or risky categories)
NexappOS provides three complementary filtering engines. Each works at a different layer, giving you flexibility to build a layered policy:
- InstaShield IP – blocks malicious IP addresses
- InstaShield DNS – blocks malicious or unwanted domains at DNS level
- Deep Packet Inspection (DPI) Filter – application/protocol filtering with traffic signatures
InstaShield IP
InstaShield IP is an IP-based blocking engine focused on stopping malware communication at the network level. It blocks traffic to or from known hostile IP addresses.
Scope
- Malware protection first
- Limited privacy enhancement (trackers / ads reduction)
Lists
- Community lists (free): general malware, ads, trackers
- Enterprise lists (licensed): higher-value malware intelligence and broader coverage
Advantages
- Very fast, because decisions are made directly on IPs
- Effective against whole malicious networks and botnets
Limitations
- Cannot block by category or URL type
- May occasionally block legitimate services that share an IP with malicious hosts
To configure this feature, open the InstaShield IP section in the NexappOS UI.
InstaShield DNS
InstaShield DNS uses DNS-level filtering. When a device queries a blocked domain, NexappOS prevents resolution, stopping access before a connection starts.
Scope
- Malware protection
- Basic content categories (for example adult, gambling)
Lists
- Community lists (free): malware + basic category filtering
- Enterprise lists (licensed): advanced malware intelligence
Advantages
- Blocks domains even if their IP changes
- Adds light content categorization without complex rules
Limitations
- Can be bypassed if clients use external DNS servers
  - Mitigation: enforce DNS via firewall rules and combine with DPI filtering
- Less granular than full URL-path filtering
To configure this feature, open the InstaShield DNS section in NexappOS.
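A check for the DNS bypass limitation noted above, as an added example that is not NexappOS code: it scans flow records for LAN clients sending DNS to resolvers other than the gateway. The record format (`src,dst,proto,dport`), the LAN addresses and the short list of public DoH resolvers are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

GATEWAY_RESOLVER = ipaddress.ip_address("192.168.1.1")  # assumed gateway LAN address
LAN = ipaddress.ip_network("192.168.1.0/24")            # assumed LAN subnet
# Illustrative (not exhaustive) public resolvers that also answer DoH on 443.
PUBLIC_DOH = {ipaddress.ip_address(a) for a in ("1.1.1.1", "8.8.8.8", "9.9.9.9")}

# Constructed flow records: src,dst,proto,dport
SAMPLE_FLOWS = """\
192.168.1.10,192.168.1.1,udp,53
192.168.1.11,8.8.8.8,udp,53
192.168.1.12,1.1.1.1,tcp,853
192.168.1.13,9.9.9.9,tcp,443
192.168.1.10,93.184.216.34,tcp,443
192.168.1.11,8.8.8.8,tcp,53
"""

def classify(dst, proto, dport):
    """Return the bypass type a flow represents, or None if it is compliant."""
    if dst == GATEWAY_RESOLVER:
        return None                      # DNS sent to the filtering resolver
    if dport == 53 and proto in ("udp", "tcp"):
        return "plain-dns"               # classic DNS to any other resolver
    if dport == 853 and proto == "tcp":
        return "dot"                     # DNS over TLS
    if dport == 443 and dst in PUBLIC_DOH:
        return "possible-doh"            # HTTPS to a known DoH resolver
    return None

def find_bypass(flow_csv):
    """Map each LAN client to the sorted (type, resolver) pairs it used."""
    findings = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_csv)):
        if not row:
            continue                     # tolerate blank lines
        src, dst, proto, dport = row
        if ipaddress.ip_address(src) not in LAN:
            continue                     # only LAN-originated flows matter here
        kind = classify(ipaddress.ip_address(dst), proto.lower(), int(dport))
        if kind:
            findings[src].add((kind, dst))
    return {src: sorted(hits) for src, hits in findings.items()}

if __name__ == "__main__":
    for client, hits in sorted(find_bypass(SAMPLE_FLOWS).items()):
        print(client, hits)
```

Clients reported as `plain-dns` or `dot` can be forced back to the gateway with port-based firewall rules; `possible-doh` runs over ordinary HTTPS and is the case where DPI filtering is needed.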
Deep Packet Inspection (DPI) Filter
DPI filtering analyzes traffic beyond IPs and domains. NexappOS uses traffic classification signatures to identify applications and protocols, then applies rules per interface.
Scope
- Application and protocol-level filtering
- Useful for blocking risky apps, enforcing policy on SaaS, or shaping traffic behavior
Signatures
- Community signatures (free): limited scope, slower updates
- Enterprise signatures (included with subscription): larger library, higher update frequency
Advantages
- Very granular control (by app/protocol, not just domain)
- Enables real-time policy enforcement
- Supports advanced SD-WAN needs like app-aware routing and control
Considerations
- Higher CPU cost than IP/DNS filtering
- Rules should be designed carefully to avoid over-blocking
- DPI policies must be created per interface
To configure DPI, open DPI Filter in NexappOS.
Choosing the Right Filtering Method
| Feature | InstaShield IP | InstaShield DNS | DPI Filter |
|---|---|---|---|
| Blocking method | IP-based | DNS-based | Packet/application inspection |
| Primary focus | Malware networks | Malware + basic categories | App / protocol control |
| List types | Community / Enterprise | Community / Enterprise | Signatures (real-time) |
| Configuration | Gateway UI | Gateway UI | Gateway UI per interface |
| Reporting | None | None | Limited |
Recommended Layered Strategy
For best protection, use a defense-in-depth approach:
1. Enable InstaShield IP
   - First barrier against known malicious IP infrastructure.
2. Enable InstaShield DNS
   - Blocks malware domains and enforces basic category filtering.
3. Apply DPI Filter rules
   - For app/protocol enforcement
   - For blocking bypass attempts
   - For SD-WAN app-aware security and routing policies
This layered model blocks threats at multiple levels and prevents easy circumvention.