topic Issue with allowing AnyDesk on a no-internet policy in Next-Generation Firewall Discussions

Issue with allowing AnyDesk on a no-internet policy

gtaboy34 — Thu, 20 Nov 2025 20:00:44 GMT

Hey,

I have a need to block all internet traffic at a specific site.

I have created specific policies to allow needed services,

and at the bottom of the policy, I have added a drop all.

I have created a URL category for *.net.anydesk.com

and allowed the ports according to this URL

https://support.anydesk.com/docs/firewall

but traffic from clients using Anydesk gets the drop policy.

I understand that it is something related to the fact that the header do not have the SNI. as the traffic is incripted by anydesk client.

But if I want to allow the trafic using application ID, it allows 443 and that will allow user to go on the WEB with 443 and I cannot allow it.

Will appriciate any help or ways to aproach this.

Thanks.

Re: Issue with allowing AnyDesk on a no-internet policy

BPry — Tue, 25 Nov 2025 14:31:25 GMT

@gtaboy34,

If you look at the traffic from a test client with a URL profile that is set to 'alert' on every category, what does the traffic actually look like? Do you anything from a URL standpoint which is possibly just not matching your custom category, or does it simply not log anything at all?
You used to be able to decrypt this traffic as long as you trusted the Anydesk self-signed certificate that it uses, but that has maybe changed. You also previously needed to have anydesk.com/, *.anydesk.com/, *.net.anydesk.com/, and net.anydesk.com/ for this to filter properly. Again, that could have changed as it's a couple years out of date at this point.