Note: Only domains can be targeted with HTTPS
Due to the encrypted nature of HTTPS, it is only possible to whitelist or blacklist at the
domain level. For example, only the form *.example.com/* can be used for blacklisting
or whitelisting with HTTPS. Using the form*.example.com is insufficient.
If *.example.com/server is specified for HTTPS traffic, this will not work and the
matching URLs will not be caught.
URL Filtering using an IP Policy
When enabling URL filtering using an IP Policy object, a different set of steps is used:
• Create a Web Profile object.
• Add one or more URL Filter objects as children of the Web Profile to define URLs that are
whitelisted or blacklisted. Wildcarding can be used when specifying the URLs.
• Create a new Service object for HTTP and/or HTTPS. A predefined object could be used for
this purpose. This Service object must have its Protocol property set to be HTTP. For HTTPS,
the Service must include the port number 443 for HTTPS.
• Use the Service object with an IP policy that filters the relevant traffic.
• Set the Web Profile property of the IP Policy to the profile created earlier.
Example 6.20. URL Filtering Using IP Rules
This example shows the use of static content filtering where certain URLs are to be blacklisted or
white listed.
In this small scenario, a general surfing policy prevents users from downloading .exe files from
any website. However, .exe files downloaded from the www.example.com website are to be an
exception to this rule.
Command-Line Interface
Start by adding an HTTP ALG in order to filter HTTP traffic:
gw-world:/> add ALG ALG_HTTP my_content_filter
Change the CLI context to be the ALG:
gw-world:/> cc ALG ALG_HTTP my_content_filter
Then add an HTTP ALG URL as a child to blacklist a URL:
gw-world:/my_content_filter> add ALG_HTTP_URL
URL=*/*.exe
Action=Blacklist
Make an exception from the blacklist by adding a whitelisted URL:
gw-world:/my_content_filter> add ALG_HTTP_URL
Chapter 6: Security Mechanisms
506
To Next Page
Loading...
