Questo sito utilizza cookie di profilazione (propri e di terze parti) per ottimizzare la tua esperienza online e per inviarti pubblicità in linea con le tue preferenze. Continuando a utilizzare questo sito senza modificare le tue preferenze acconsenti all’uso dei cookie. Se vuoi saperne di più o negare il consenso a tutti o ad alcuni cookie clicca qui>
The website that you are visiting also provides Arabian language. Do you wish to switch language version?
يوفر موقع الويب الذي تزوره المحتوى باللغة العربية أيضًا. هل ترغب في تبديل إصدار اللغة؟
The website that you are visiting also provides Russia language Do you wish to switch language version?
Данный сайт есть в английской версии. Желаете ли Вы перейти на английскую версию?
Customer reported that url filtering function is working for http but not working for https on NGFW.
1.Checked the configuration of url filtering configuration and what is correct.
2. Checked the proxy and found that there are no SSL decrypt proxy created.
Because the firewall only check URL from “GET” packet, and normally it will be encrypted by SSL for https. So firewall can only read the URL name with SSL decrypt proxy policy. I have a HTTP “GET” packet example as following, for https we can’t see the host since it will be encrypted.
Huawei Firewall doesn’t take the URL from “client hello” packet but from “GET” packets when use URL-filtering function, I don’t know if websense read the host name via “client hello” but not via “GET” packets. And Huawei firewall have another function called “application control”(need license support) can read the host name via “client hello” and can block the https site which don’t need SSL decrypt proxy policy. But the way to block website via the host name in “client hello” has a limitation that it will block the whole website but don’t have grained control like only block part of the website (video..).
The root cause is that huawei firewall take the host name from get packet for URL filtering, but usually get packets has been decrypted. So we need to configure SSL decrypt proxy to take the host name of https.
So we have two solutions to solve the issue.
Option A is to configure SSL decrypt proxy for HTTPS URL filtering.
Option B is to use application control to make actions for https filtering , but as I told above it has some limitations.However, I list the way how to use this method as below.