No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

URL filtering function doesn't work without SSL decrypt proxy for https

Publication Date:  2016-05-31 Views:  206 Downloads:  0
Issue Description

Customer reported that url filtering function is working for http but not working for https on NGFW.

Handling Process

1.Checked the configuration of url filtering configuration and what is correct.

2. Checked the proxy and found that there are no SSL decrypt proxy created.

Because the firewall only check URL from “GET” packet, and normally it will be encrypted by SSL for https. So firewall can only read the URL name with SSL decrypt proxy policy.   I have a HTTP “GET” packet example as following, for https we can’t see the host since it will be encrypted.


Huawei Firewall doesn’t take the URL from “client hello” packet but from “GET” packets when use URL-filtering function, I don’t know if websense read the host name via “client hello” but not via “GET” packets. And Huawei firewall have another function called “application control”(need license support) can read the host name via “client hello” and can block the https site which don’t need SSL decrypt proxy policy. But the way to block website via the host name in “client hello” has a limitation that it will block the whole website but don’t have grained control like only block part of the website (video..).

 


Root Cause

The root cause is that huawei firewall take the host name from get packet for URL filtering, but usually get packets has been decrypted. So we need to configure SSL decrypt proxy to take the host name of https.

Solution

So we have two solutions to solve the issue.

 Option A is to configure SSL decrypt proxy for HTTPS URL filtering.

Option B is to use application control to make actions for https filtering , but as I told above it has some limitations.However, I list the way how to use this method as below.




END