The difference between "user-defined classification" and "blacklist and whitelist" in the URL filtering function.

Publication Date: 2012-09-26
Issue Description
Networking:
Intranet ----- USG2210 (V1R5) ----- public network
User description:
Several departments on the intranet want to limit their employees' network permissions. For example, the finance department can access only baidu and no other website. The production department cannot access baidu but can access other websites. Internet behavior is restricted for all employees, but not for the leadership, and so on.
Alarm Information
none
Handling Process
One. Create the URL filtering user-defined classification, name: UC.
[USG5360]url-filter category UC:baidu
[USG5360-urlfilter-category-UC:baidu]url keyword baidu

Two. Using "baidu" as the example, configure one URL filtering policy that allows access to baidu and one that does not. (These are the URL filtering policies that will be applied between zones.)
[USG5360]url-filter policy abc ---can access other websites, but cannot access baidu
[USG5360-urlfilter-policy-abc]category user-defined name UC:baidu action Deny
[USG5360-urlfilter-policy-xyz]category user-defined name uc:baidu action permit
[USG5360-urlfilter-policy-xyz]category pre-defined action deny
[USG5360-urlfilter-policy-xyz]dis url-filter policy xyz ---cannot access other websites, but can access baidu
==================================================================
Category ID  category name  action
------------------------------------------------------------------
1 P2P Deny
2 Downloading Deny
60001 UC:baidu Permit ----permit
-----------------------------------------------------
[USG5360-urlfilter-policy-xyz] dis url-filter policy abc
==================================================================
Category ID  category name  action
------------------------------------------------------------------
1 P2P Permit
2 Downloading Permit
60001 UC:baidu Deny ---deny
-----------------------------------------------------
Matching method: keyword matching
Three. Application: apply the URL filtering policies between the Trust and Untrust zones to manage users' Internet behavior precisely.
[USG5360-policy-interzone-trust-untrust-outbound]policy 10
[USG5360-policy-interzone-trust-untrust-outbound-10]policy source 192.168.45.0 0.0.0.255
[USG5360-policy-interzone-trust-untrust-outbound-10]policy url-filter xyz ---finance segment: baidu only
[USG5360-policy-interzone-trust-untrust-outbound-10]action permit
[USG5360-policy-interzone-trust-untrust-outbound]policy 20
[USG5360-policy-interzone-trust-untrust-outbound-20]policy source 192.168.46.0 0.0.0.255
[USG5360-policy-interzone-trust-untrust-outbound-20]policy url-filter abc ---production segment: everything except baidu
[USG5360-policy-interzone-trust-untrust-outbound-20]action permit
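The decision logic of the three steps above, as an added Python model (not part of the original case and not Huawei's implementation). It assumes keyword matching is a case-insensitive substring test, treats every URL outside the user-defined category under one default action per policy, and binds each segment to the policy that meets its department's stated requirement; the sample requests are constructed.

```python
# Added illustration: simplified model of the URL filtering decision.
from ipaddress import ip_address, ip_network

# User-defined category -> keywords (from "url keyword baidu").
CATEGORIES = {"UC:baidu": ["baidu"]}

# Per-policy actions: user-defined category action plus a default for all
# other URLs (stands in for the pre-defined category actions).
URL_POLICIES = {
    "abc": {"user_defined": {"UC:baidu": "deny"}, "default": "permit"},
    "xyz": {"user_defined": {"UC:baidu": "permit"}, "default": "deny"},
}

# Source segment -> URL filtering policy, per the department requirements.
BINDINGS = [
    (ip_network("192.168.45.0/24"), "xyz"),  # finance: baidu only
    (ip_network("192.168.46.0/24"), "abc"),  # production: all except baidu
]

def classify(url):
    """Return the first user-defined category whose keyword occurs in url.
    Assumption: keyword matching is a case-insensitive substring test."""
    lowered = url.lower()
    for name, keywords in CATEGORIES.items():
        if any(k in lowered for k in keywords):
            return name
    return None

def decide(src_ip, url):
    """Return (policy, category, action) for one outbound request."""
    src = ip_address(src_ip)
    for net, policy_name in BINDINGS:
        if src in net:
            policy = URL_POLICIES[policy_name]
            category = classify(url)
            action = policy["user_defined"].get(category, policy["default"])
            return policy_name, category, action
    return None, None, "no-url-filter"  # source not bound to a URL policy

# Constructed sample requests (source IP, URL).
SAMPLES = [
    ("192.168.45.10", "www.baidu.com/"),
    ("192.168.45.10", "www.example.com/"),
    ("192.168.46.20", "www.baidu.com/"),
    ("192.168.46.20", "www.example.com/"),
    ("192.168.45.10", "www.example.com/search?q=baidu"),  # keyword not in host
]

if __name__ == "__main__":
    for ip, url in SAMPLES:
        print(ip, url, decide(ip, url))
```

Under the substring assumption the last sample is permitted for the finance segment even though the host is not baidu, so confirm how the device matches keywords before relying on a keyword category as an allow list.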
Root Cause
How can this be done?
With a traditional ACL? That cannot meet these requirements.
The firewall's URL filtering function can. For example:
1. The URL function "configure open special user all Internet permission and exemption IP" lets the leadership use the Internet without restriction.
2. The URL function "blacklist and whitelist" can restrict the Internet behavior of all employees.
3. The "blacklist and whitelist" cannot meet the demand "the finance department can only access baidu, and unable to access other website. The production department could not access baidu", but the URL function "user-defined classification" can.
The network segment of the finance department is 192.168.45.0/24 and the network segment of the production department is 192.168.46.0/24.
Suggestions
• The "blacklist and whitelist" cannot meet the demand "the finance department can only access baidu, and unable to access other website. The production department could not access baidu", but the URL function "user-defined classification" can.
