Purpose of this article:
This document shows how to configure URL-filtering on director GUI.
What is URL Filtering?
Filtering packet based on the URL/website present in the application layer data.
Filtering criteria are:
- Blacklist
- Whitelist
- Category Based Action
- Reputation Based Action
Creating URL Filtering has two major steps:
- Configuring URL Filtering profile.
- Configuring URL Filtering Policy.
1. Configuring URL Filtering profile:
Specify matching pattern or Strings for the URL.
In the snapshot below, we are intending to block bbc and youtube and they are added in Pattern with regex.
- Default Action: the action that applies to all Filter criteria. Generally, it is untouched.
- Under each Filter criterion, there is an action item that needs to be checked. Action can be block, allow, etc.
- In Blacklist and Whitelist, URL can be matched based on Pattern or Strings. Pattern allows you to use regular expression whereas Strings needs you to put the exact URL.
- Relevant cli after pushing config to the CPE:
admin@branch1-cli> show configuration | display set | match url-filtering
set orgs org-services org1-sub security profiles url-filtering block-url-profiles cloud-lookup-mode never
set orgs org-services org1-sub security profiles url-filtering block-url-profiles lef-profile-default false
set orgs org-services org1-sub security profiles url-filtering block-url-profiles decrypt-bypass false
set orgs org-services org1-sub security profiles url-filtering block-url-profiles blacklist patterns [ ".*bbc.* .*youtube.*" ]
set orgs org-services org1-sub security profiles url-filtering block-url-profiles blacklist action predefined block
- Configuring URL Filtering Policy:
This is where you need to configure the rules. You can also include more matching options.
Now enable the profile by creating Rules. Rules will have “match” and “set” items. “set” is an action if a match is made otherwise the control moves to the next entry. In policy window, there are several tabs.
General tab allows you to name the policy.
Source/Destination tab allows you to specify the source of traffic so that URL filtering can be applied to those packets coming from there. In this example, Intf-lan-Zone is selected because we wanted to apply URL filtering for packets coming in from LAN interfaces.
Enforce tab allows you to define an action on the profile.
In Action, select “Apply Security Profile” that allows you to define the URL-filtering profile you have created earlier.
Block-url-policies is the newly created Rule. It is placed at the end of the list by default, which means it will be checked/matched after all the above rules are checked. So, ensure it is placed at the top of the list. This control-flow is similar to how control-flow works in Access-list such that checking/matching is done from top to bottom. If a match is made, the control-flow is stopped and if match is not made, then the control-flow keeps moving towards the bottom until a match is made or exhaustion of the entry.
Block-url-polices is moved to the top of the list so that it is checked first.
admin@branch1-cli> show configuration | display set | match block-url-policies
set orgs org-services org1-sub security access-policies Default-Policy rules block-url-policies description "this policy blocks bbc and youtube"
set orgs org-services org1-sub security access-policies Default-Policy rules block-url-policies match source zone zone-list [ Intf-lan-Zone ]
set orgs org-services org1-sub security access-policies Default-Policy rules block-url-policies match source user local-database status disabled
set orgs org-services org1-sub security access-policies Default-Policy rules block-url-policies match source user user-type any
set orgs org-services org1-sub security access-policies Default-Policy rules block-url-policies set security-profile url-filtering user-defined block-url-profiles
set orgs org-services org1-sub security access-policies Default-Policy rules block-url-policies set action allow
set orgs org-services org1-sub security access-policies Default-Policy rules block-url-policies set lef profile-default false
set orgs org-services org1-sub security access-policies Default-Policy rules block-url-policies set lef options send-pcap-data enable false