Output of HTTPS URL filter without using traffic detection Justification

Publication Date:  2017-07-15 Views:  110 Downloads:  0
Issue Description

The customer has a firewall running version V500R001C50 in a straightforward topology: clients connect to the trust zone and the internet is on the untrust zone. HTTPS filtering is enabled by turning on the Filter Encrypted Traffic function in the URL profile, as shown below:

However, the result of the HTTPS filter is confusing and does not tell the client that the website is blocked or filtered. Below is what the user sees once this function is triggered by an HTTPS website in the Firefox and Chrome browsers.



The customer wants to know whether we can generate the same output as the HTTP filter. The output of the HTTP URL filter is very clear: it shows that the website is filtered by the firewall URL filter and under which category, as shown below.


Alarm Information



No alarm reported for this case.



Handling Process

First of all, there is no issue with the configuration, and the URL filter function works correctly for both HTTP and HTTPS. We checked the filtered websites and found no issue with them: they load normally when the filter is disabled. The client PC and Internet Explorer are also working correctly.

So the output of this filter is the normal behaviour of Huawei and other vendors' firewalls for HTTPS filtering, because this function does not perform any traffic detection (decryption) to obtain the HTTPS server name. Instead, the firewall examines the extensions field in the Client Hello message and/or the CN in the Server Hello message to block HTTPS sites. In other words, web filtering analyzes the first packet of the HTTPS session, the "Client Hello" message, extracts the server name from the SNI (Server Name Indication) extension, and uses that server name to run the URL category query.

If the URL filter matches and the decision is to block, the firewall URL filtering solution does not generate a block page, because no clear-text HTTP is available in an HTTPS session to carry one. Instead, the solution terminates the session and sends TCP resets to both the client and the server for the blocked HTTPS session.
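The following is an added illustration of the mechanism described above; it is not Huawei's code and does not reflect the firewall's implementation. It builds a constructed TLS 1.2 ClientHello carrying an SNI extension, extracts the server name from it exactly as a non-decrypting URL filter would, looks the name up in a constructed category table (the hostnames and categories are invented placeholders, not real classifications), and returns the only action available without decryption: allow, or reset the session. There is no "block page" outcome, which is why the browser shows a generic secure-connection error.

```python
import struct

# Constructed category table standing in for the vendor's URL category database.
# Hostnames and categories are placeholders used only for this example.
CATEGORY_OF = {"example.com": "business", "casino.example": "gambling"}
BLOCKED_CATEGORIES = {"gambling"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension.

    This is constructed sample input for extract_sni(), not a captured packet.
    """
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                # client_version: TLS 1.2
        + bytes(32)                # random (zeros in this constructed sample)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x13\x01"      # cipher_suites: one suite
        + b"\x01\x00"              # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello, or None.

    Only the first packet is inspected and nothing is decrypted; a session
    without SNI (or a non-TLS record) yields None.
    """
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        return None
    pos = 2 + 32                                      # skip version + random
    pos += 1 + body[pos]                              # skip session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                              # skip compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions present
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext_data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000 or len(ext_data) < 5:
            continue
        list_end = 2 + struct.unpack("!H", ext_data[:2])[0]
        q = 2
        while q + 3 <= min(list_end, len(ext_data)):
            name_type = ext_data[q]
            name_len = struct.unpack("!H", ext_data[q + 1:q + 3])[0]
            name = ext_data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                        # host_name
                return name.decode("ascii", errors="replace")
    return None


def filter_decision(record: bytes):
    """Classify the session by SNI and decide: ("allow", category) or ("reset", category).

    Without decryption there is no clear-text HTTP to carry a block page, so a
    blocked HTTPS session can only be torn down with TCP resets to both ends.
    """
    host = extract_sni(record)
    if host is None:
        return ("allow", None)        # nothing to classify from the first packet
    category = CATEGORY_OF.get(host, "unknown")
    if category in BLOCKED_CATEGORIES:
        return ("reset", category)    # browser will show a secure-connection error
    return ("allow", category)


if __name__ == "__main__":
    for name in ("example.com", "casino.example"):
        print(name, "->", filter_decision(build_client_hello(name)))
```

Running the block prints the decision for each constructed hostname; the blocked one is reported as a reset, never as a block page, matching the browser behaviour the customer observed.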

Root Cause

As stated in the handling process, there is no root cause for this issue. It is normal for the Huawei firewall to terminate the session between the client and the web server, and the output on the client PC will be "Secure Connection Failed" or "This site can't provide a secure connection", depending on how the browser interprets the error.



Solution

If the customer does not want their clients to receive this termination error and still wants a clear URL filtering notification, the solution is to use a traffic detection policy (so the session is decrypted and a block page can be returned).



Suggestions

A clear explanation with a good example will help the customer understand how the firewall handles HTTPS URL filtering; there is also proof of concept from other vendors, which use the same method as Huawei.



END