URL filtering for some websites does not take effect on the USG6650 running V500R001C30SPC100

Publication Date:  2016-12-21 Views:  913 Downloads:  0
Issue Description
In the network, the customer uses a USG6650 as the egress firewall. Some policies restrict user access to the Internet, so the customer uses the URL filtering function of the firewall by creating policies.
First, all users must be denied access to the Facebook website. The customer therefore created a URL blacklist containing "www.facebook.com" and applied it in a policy from the inside zone to the outside zone.
Second, the customer tested access to the Facebook website: it could still be accessed without being denied.
Handling Process

(1) Check whether the URL filter works at all.
Add a new website, "www.baidu.com", to the URL blacklist and apply it, then test access to the Baidu website. The result is that the Baidu website cannot be accessed, and the user gets a page saying that this website has been blocked by URL filtering.



(2) Compare the difference between Facebook and Baidu.
    In the URL blacklist, the two websites are entered in the same form:
     www.baidu.com
     www.facebook.com
    Checking the two websites in the browser shows that Facebook is reached over HTTPS while Baidu is reached over HTTP.
(3) URL filtering can filter HTTP and HTTPS URL requests, but for HTTPS traffic a proxy policy with the action of SSL decryption is required: URL filtering is performed on the decrypted HTTPS traffic.
(4) Configure an untrusted SSL decryption certificate.
(5) Download the SSL decryption certificate to the user's terminal and install it, so that the terminal trusts the certificates the firewall presents for decrypted sites.
(6) Import the CA certificates of the certificate authorities that the enterprise trusts.
(7) Specify the CA certificate used by the FW to verify the server certificate.
(8) Configure a proxy policy to decrypt HTTPS traffic.
(9) Test again from the user's terminal: the terminal is no longer allowed to access Facebook.

Root Cause
For HTTPS traffic, a proxy policy with the action of SSL decryption must be configured. URL filtering is performed only on the decrypted HTTPS traffic, so without that policy the blacklist entry for "www.facebook.com" is never matched.
Solution

(1) Configure a proxy policy with the action of SSL decryption, so that URL filtering can inspect the HTTPS requests.

(2) Alternatively, use the "Application" feature to control the user's behavior.


Suggestions
(1) When using the URL filtering function, check which protocol the target website uses. If it is HTTPS, the URL is not visible to the firewall, and a proxy policy with the action of SSL decryption must be configured; remember that this also requires the decryption certificate to be trusted on the user terminals.
(2) For HTTPS websites, the "Application" feature is an alternative. The firewall has an application database containing thousands of common applications; selecting the relevant application and applying it in a security policy can still control user access without decrypting the traffic.
