url-filter https-filter consistency-check enable
Function
The url-filter https-filter consistency-check enable command enables the encrypted traffic consistency check function.
The undo url-filter https-filter consistency-check enable command disables the encrypted traffic consistency check function.
Format
url-filter https-filter consistency-check enable
undo url-filter https-filter consistency-check enable
Usage Guidelines
By default, this function is disabled.
Usually, URL requests are transmitted through HTTP or HTTPS. The AC can filter HTTP traffic without any additional configuration. To filter HTTPS traffic, the AC must have the encrypted traffic filtering function enabled.
The encrypted traffic filtering function of URL filtering does not decrypt HTTPS traffic. Instead, it obtains the domain name (HOST) of the website that a user wants to access by parsing packets.
After the url-filter https-filter consistency-check enable command is used to enable the encrypted traffic consistency check, the AC extracts the target website domain name (HOST) from three fields during TLS negotiation: the Server Name Indication field in the client's Client Hello packet, and the Common Name and Subject Alternative Name fields in the server's Certificate packet. The AC then verifies the values of the three fields. If the verification succeeds, the AC performs URL filtering. If the verification fails, the AC treats the traffic as abnormal packets and blocks it directly.
The website information contained in the three fields may be tampered with by malicious users. Therefore, some traffic evades URL filtering due to a field verification failure, which affects the detection accuracy of the device.