Referencing URL Categories in Security Policies
URL categories are assigned based on web page content. Huawei uses machine learning and artificial intelligence technologies to scan large volumes of web page content and classify URLs into categories. URL categories can then be used to manage users' online behavior. There are two ways to apply them.
- Method 1: Add URL filtering profiles to security policies. A URL filtering profile can combine URL categories, URL blacklists, URL whitelists, and other conditions to control website access precisely. For details about URL filtering, see the product documentation.
- Method 2: Reference URL categories directly as matching conditions in security policies to implement simple, category-based access control. Once a URL category is a matching condition of a policy, you can also attach content security profiles per category. For example, apply antivirus checks and file filtering only to traffic destined for high-risk URL categories.
The following provides two configuration examples of applying URL categories to security policies.
Scenario 1: Restricting Access to Specific Types of Websites
Assume that a security policy named inside-out has been configured on the firewall to allow all users to access the Internet without restriction.
Employees are now banned from accessing social networking and job-seeking websites. Copy the inside-out security policy, rename the copy inside-out-exclude, set the social networking and job-seeking URL categories as its matching conditions, and set Action to Deny.
After the previous step is complete, move inside-out-exclude above inside-out. Security policies are matched from top to bottom, so if the deny policy stayed below the permit-all policy it would never be hit.
Scenario 2: Only Specific Employees Can Access Specific Types of Websites
According to the company's information security policy, ordinary employees may access common websites, with a URL filtering profile controlling access at the URL level. In addition, IT personnel may access IT-related websites for work purposes. This requires two security policies.
- Policy 1: Permit IT employees who belong to the user group IT to access websites whose URL category is IT-related.
- Policy 2: Permit ordinary employees, who are not assigned to any user group, to access common websites. The common websites are specified in the URL filtering profile referenced under content security, and that profile excludes the IT-related URL category.
Policy 1 must be placed above policy 2, because security policies are matched from top to bottom. When an IT employee accesses an IT-related website, policy 1 matches and the access is permitted. When any other employee accesses an IT-related website, policy 2 matches and the traffic is then checked against its URL filtering profile. Because the profile's permitted set of common websites does not include the IT-related category, the ordinary employee's request is blocked.
The firewall first needs to identify the HTTP application and then the URL category before it can send the identification result to the security policy module for matching. Until the URL category is identified, the security policy is in the pending state: the firewall establishes a session based on the matching conditions other than URL category, permits the traffic, and continues detection. Once the URL category is identified, the traffic is matched against the security policies again. In practice this means that the initial packets of a flow are forwarded before any category-based deny can take effect. For websites that use HTTPS, the URL category cannot be identified from the encrypted payload, so SSL decryption must be enabled together with this feature; otherwise the category-based conditions are never evaluated for that traffic.
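The following Python model shows how the top-down matching, the pending state and both scenarios above fit together. It is an added illustration written for this page, not Huawei firewall code or its configuration syntax. The policy names (inside-out, inside-out-exclude, it-access, ordinary-access), the category labels and the user group IT are assumptions drawn from the scenarios; the matching behaviour (first match wins, a policy with a URL-category condition is pending until the category is identified, then the flow is re-matched) follows the text. It also goes slightly beyond the text by showing what happens when the policy order is reversed and when the category is never identified (HTTPS without SSL decryption).

```python
"""Model of security-policy matching with URL-category conditions.

Added example for this page; not Huawei code. Names of policies, user groups and
URL categories are assumptions based on the two scenarios in the text.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PERMIT, DENY, PENDING = "permit", "deny", "pending"


@dataclass(frozen=True)
class UrlFilterProfile:
    # Categories the profile allows; any other category is blocked by the profile.
    allowed_categories: frozenset


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                                   # PERMIT or DENY
    user_groups: Optional[frozenset] = None       # None = any user
    url_categories: Optional[frozenset] = None    # None = no URL-category condition
    url_filter: Optional[UrlFilterProfile] = None  # content security profile (Method 1)


@dataclass(frozen=True)
class Flow:
    user_group: Optional[str]    # None = user not in any group
    url_category: Optional[str]  # None = not yet identified


def evaluate(policies: List[Policy], flow: Flow) -> Tuple[str, str]:
    """Top-down, first-match evaluation. Returns (action, policy name).

    A policy that needs the URL category cannot be decided before the category
    is identified; the firewall then forwards the traffic on the other
    conditions and re-matches later. That state is returned as PENDING.
    """
    for p in policies:
        if p.user_groups is not None and flow.user_group not in p.user_groups:
            continue
        if p.url_categories is not None:
            if flow.url_category is None:
                return PENDING, p.name
            if flow.url_category not in p.url_categories:
                continue
        if p.action == DENY:
            return DENY, p.name
        # PERMIT: an attached URL filtering profile can still block the request.
        if p.url_filter is not None:
            if flow.url_category is None:
                return PENDING, p.name
            if flow.url_category not in p.url_filter.allowed_categories:
                return DENY, p.name
        return PERMIT, p.name
    return DENY, "default"  # implicit deny when nothing matches


def session_lifecycle(policies: List[Policy], user_group: Optional[str],
                      identified_category: Optional[str]) -> List[Tuple[str, str]]:
    """Two-pass matching: before and after URL-category identification.

    identified_category=None models HTTPS without SSL decryption: the category is
    never learned, so the flow stays at the first-pass result (pending, forwarded).
    """
    first = evaluate(policies, Flow(user_group, None))
    if first[0] != PENDING or identified_category is None:
        return [first]
    return [first, evaluate(policies, Flow(user_group, identified_category))]


# Scenario 1: permit-all policy plus a category-based deny placed above it.
INSIDE_OUT = Policy("inside-out", PERMIT)
INSIDE_OUT_EXCLUDE = Policy("inside-out-exclude", DENY,
                            url_categories=frozenset({"social-networking", "job-seeking"}))
SCENARIO1 = [INSIDE_OUT_EXCLUDE, INSIDE_OUT]
SCENARIO1_WRONG_ORDER = [INSIDE_OUT, INSIDE_OUT_EXCLUDE]

# Scenario 2: IT group gets the IT-related category; everyone else gets a URL
# filtering profile whose allowed set excludes that category.
COMMON_SITES = UrlFilterProfile(frozenset({"news", "search-engines"}))
IT_ACCESS = Policy("it-access", PERMIT, user_groups=frozenset({"IT"}),
                   url_categories=frozenset({"it-related"}))
ORDINARY_ACCESS = Policy("ordinary-access", PERMIT, url_filter=COMMON_SITES)
SCENARIO2 = [IT_ACCESS, ORDINARY_ACCESS]
SCENARIO2_WRONG_ORDER = [ORDINARY_ACCESS, IT_ACCESS]


if __name__ == "__main__":
    print(evaluate(SCENARIO1, Flow(None, "social-networking")))
    print(evaluate(SCENARIO1_WRONG_ORDER, Flow(None, "social-networking")))
    print(evaluate(SCENARIO2, Flow("IT", "it-related")))
    print(evaluate(SCENARIO2, Flow(None, "it-related")))
    print(evaluate(SCENARIO2_WRONG_ORDER, Flow("IT", "it-related")))
    print(session_lifecycle(SCENARIO1, None, "social-networking"))
    print(session_lifecycle(SCENARIO1, None, None))
```

Two results are worth noting. With the order reversed in either scenario the intended restriction silently disappears: in scenario 1 the permit-all policy matches first, and in scenario 2 the IT employee hits the ordinary policy whose profile excludes IT-related sites. And when the category is never identified, the flow stays in the pending result, which is exactly why the text requires SSL decryption for HTTPS sites.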