URL categories and the blacklist/whitelist can be used together: categories control access to whole types of websites, and the blacklist and whitelist apply finer-grained control to specific websites.
As shown in Figure 1, the FW is deployed at the network border as the enterprise's gateway to implement URL filtering on HTTP requests.
Employees can access only Education/Science, Search Engines/Portals and Social Network websites. In addition, the enterprise wants to further control the access to the following websites:
[FW] profile type url-filter name url_profile_01
[FW-profile-url-filter-url_profile_01] add blacklist url www.example1.com
[FW-profile-url-filter-url_profile_01] add blacklist url www.example2.com
[FW-profile-url-filter-url_profile_01] add whitelist url www.example3.com
[FW-profile-url-filter-url_profile_01] add whitelist url www.example4.com
[FW-profile-url-filter-url_profile_01] category pre-defined action block
[FW-profile-url-filter-url_profile_01] category pre-defined category-id 15 action allow
[FW-profile-url-filter-url_profile_01] category pre-defined category-id 17 action allow
[FW-profile-url-filter-url_profile_01] category pre-defined category-id 7 action allow
[FW-profile-url-filter-url_profile_01] quit
To deny URLs outside the whitelist, set the default action to deny. The FW applies the default action when the remote query service is unavailable, so URLs outside the whitelist are denied.
To permit URLs outside the blacklist, set the default action to permit. The FW applies the default action when the remote query service is unavailable, so URLs outside the blacklist are permitted.
[FW] security-policy
[FW-policy-security] rule name policy_sec_01
[FW-policy-security-rule-policy_sec_01] source-zone trust
[FW-policy-security-rule-policy_sec_01] destination-zone untrust
[FW-policy-security-rule-policy_sec_01] source-address 10.3.0.0 mask 255.255.255.0
[FW-policy-security-rule-policy_sec_01] action permit
[FW-policy-security-rule-policy_sec_01] profile url-filter url_profile_01
[FW-policy-security-rule-policy_sec_01] quit
[FW-policy-security] quit
[FW] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: URL submitted configurations successfully.
Info: Finish committing engine compiling.
Employees can access only Education/Science, Search Engines/Portals, and Social Network websites.
By viewing the URL log (URL/4/FILTER), you can see that access requests from employees to other websites matched the URL filtering policy whose filtering type is Pre-defined and whose action is Block.
Enterprise employees can access www.example3.com and www.example4.com, but cannot access www.example1.com or www.example2.com.
By viewing the URL log (URL/4/FILTER), you can see that the filtering type of the log generated when the FW permitted or blocked employees' access requests is Whitelist or Blacklist, respectively.
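The verification results above can be reproduced with a small model of url_profile_01. This is an added example, not Huawei code or part of the original configuration; it assumes exact host matching and that the whitelist is checked before the blacklist, and the "Default" label and category-id 20 used with it are constructed for illustration.

```python
# Added illustration: a simplified model of url_profile_01, not device code.
PROFILE = """\
add blacklist url www.example1.com
add blacklist url www.example2.com
add whitelist url www.example3.com
add whitelist url www.example4.com
category pre-defined action block
category pre-defined category-id 15 action allow
category pre-defined category-id 17 action allow
category pre-defined category-id 7 action allow
"""

def parse_profile(text):
    """Collect the lists and per-category actions from the profile commands."""
    prof = {"whitelist": set(), "blacklist": set(),
            "categories": {}, "category_base": None}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 4 and tok[0] == "add" and tok[2] == "url":
            prof[tok[1]].add(tok[3].lower())
        elif tok[:3] == ["category", "pre-defined", "category-id"]:
            prof["categories"][int(tok[3])] = tok[5]
        elif tok[:3] == ["category", "pre-defined", "action"]:
            # Applies to every pre-defined category not overridden later.
            prof["category_base"] = tok[3]
    return prof

def decide(prof, host, category_id=None, default_action="block"):
    """Return (action, filtering type) for one request.

    category_id=None models the remote query service being unavailable,
    in which case default_action decides. "Default" is a label made up
    for this model; the other two labels are the log types named above.
    Assumptions: exact host match, whitelist checked before blacklist.
    """
    host = host.lower()
    if host in prof["whitelist"]:
        return ("allow", "Whitelist")
    if host in prof["blacklist"]:
        return ("block", "Blacklist")
    if category_id is None:
        return (default_action, "Default")
    action = prof["categories"].get(category_id, prof["category_base"])
    return (action or default_action, "Pre-defined")
```

Calling `decide(parse_profile(PROFILE), host, category_id)` with a category outside 7, 15 and 17 returns a Pre-defined block, and omitting `category_id` shows how the choice of default action decides every URL that is on neither list.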
#
sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
profile type url-filter name url_profile_01
 add blacklist url www.example1.com
 add blacklist url www.example2.com
 add whitelist url www.example3.com
 add whitelist url www.example4.com
 category pre-defined subcategory-id 101 action block
 category pre-defined subcategory-id 102 action block
 category pre-defined subcategory-id 162 action block
 category pre-defined subcategory-id 163 action block
 category pre-defined subcategory-id 164 action block
 category pre-defined subcategory-id 165 action block
 category pre-defined subcategory-id 103 action block
 category pre-defined subcategory-id 166 action block
 category pre-defined subcategory-id 167 action block
 category pre-defined subcategory-id 168 action block
 category pre-defined subcategory-id 104 action block
 category pre-defined subcategory-id 169 action block
 category pre-defined subcategory-id 170 action block
 category pre-defined subcategory-id 105 action block
 category pre-defined subcategory-id 171 action block
 category pre-defined subcategory-id 172 action block
 category pre-defined subcategory-id 173 action block
 category pre-defined subcategory-id 174 action block
 category pre-defined subcategory-id 106 action block
 category pre-defined subcategory-id 109 action block
 category pre-defined subcategory-id 110 action block
 category pre-defined subcategory-id 111 action block
 category pre-defined subcategory-id 112 action block
 category pre-defined subcategory-id 114 action block
 category pre-defined subcategory-id 115 action block
 category pre-defined subcategory-id 117 action block
 category pre-defined subcategory-id 178 action block
 category pre-defined subcategory-id 179 action block
 category pre-defined subcategory-id 180 action block
 category pre-defined subcategory-id 181 action block
 category pre-defined subcategory-id 248 action block
 category pre-defined subcategory-id 118 action block
 category pre-defined subcategory-id 119 action block
 category pre-defined subcategory-id 122 action block
 category pre-defined subcategory-id 182 action block
 category pre-defined subcategory-id 183 action block
 category pre-defined subcategory-id 184 action block
 category pre-defined subcategory-id 123 action block
 category pre-defined subcategory-id 124 action block
 category pre-defined subcategory-id 186 action block
 category pre-defined subcategory-id 187 action block
 category pre-defined subcategory-id 188 action block
 category pre-defined subcategory-id 189 action block
 category pre-defined subcategory-id 125 action block
 category pre-defined subcategory-id 127 action block
 category pre-defined subcategory-id 128 action block
 category pre-defined subcategory-id 130 action block
 category pre-defined subcategory-id 131 action block
 category pre-defined subcategory-id 132 action block
 category pre-defined subcategory-id 197 action block
 category pre-defined subcategory-id 198 action block
 category pre-defined subcategory-id 199 action block
 category pre-defined subcategory-id 200 action block
 category pre-defined subcategory-id 227 action block
 category pre-defined subcategory-id 228 action block
 category pre-defined subcategory-id 133 action block
 category pre-defined subcategory-id 201 action block
 category pre-defined subcategory-id 202 action block
 category pre-defined subcategory-id 204 action block
 category pre-defined subcategory-id 205 action block
 category pre-defined subcategory-id 134 action block
 category pre-defined subcategory-id 135 action block
 category pre-defined subcategory-id 136 action block
 category pre-defined subcategory-id 137 action block
 category pre-defined subcategory-id 138 action block
 category pre-defined subcategory-id 139 action block
 category pre-defined subcategory-id 140 action block
 category pre-defined subcategory-id 141 action block
 category pre-defined subcategory-id 206 action block
 category pre-defined subcategory-id 207 action block
 category pre-defined subcategory-id 208 action block
 category pre-defined subcategory-id 209 action block
 category pre-defined subcategory-id 210 action block
 category pre-defined subcategory-id 229 action block
 category pre-defined subcategory-id 142 action block
 category pre-defined subcategory-id 143 action block
 category pre-defined subcategory-id 144 action block
 category pre-defined subcategory-id 145 action block
 category pre-defined subcategory-id 146 action block
 category pre-defined subcategory-id 147 action block
 category pre-defined subcategory-id 211 action block
 category pre-defined subcategory-id 212 action block
 category pre-defined subcategory-id 213 action block
 category pre-defined subcategory-id 240 action block
 category pre-defined subcategory-id 253 action block
 category pre-defined subcategory-id 149 action block
 category pre-defined subcategory-id 150 action block
 category pre-defined subcategory-id 214 action block
 category pre-defined subcategory-id 215 action block
 category pre-defined subcategory-id 216 action block
 category pre-defined subcategory-id 217 action block
 category pre-defined subcategory-id 151 action block
 category pre-defined subcategory-id 218 action block
 category pre-defined subcategory-id 219 action block
 category pre-defined subcategory-id 220 action block
 category pre-defined subcategory-id 221 action block
 category pre-defined subcategory-id 222 action block
 category pre-defined subcategory-id 223 action block
 category pre-defined subcategory-id 230 action block
 category pre-defined subcategory-id 252 action block
 category pre-defined subcategory-id 152 action block
 category pre-defined subcategory-id 153 action block
 category pre-defined subcategory-id 238 action block
 category pre-defined subcategory-id 154 action block
 category pre-defined subcategory-id 155 action block
 category pre-defined subcategory-id 224 action block
 category pre-defined subcategory-id 225 action block
 category pre-defined subcategory-id 156 action block
 category pre-defined subcategory-id 157 action block
 category pre-defined subcategory-id 158 action block
 category pre-defined subcategory-id 231 action block
 category pre-defined subcategory-id 232 action block
 category pre-defined subcategory-id 159 action block
 category pre-defined subcategory-id 254 action block
 category pre-defined subcategory-id 160 action block
 category pre-defined subcategory-id 161 action block
 category pre-defined subcategory-id 176 action block
 category pre-defined subcategory-id 226 action block
 category pre-defined subcategory-id 234 action block
 category pre-defined subcategory-id 235 action block
 category pre-defined subcategory-id 236 action block
 category pre-defined subcategory-id 237 action block
 category pre-defined subcategory-id 239 action block
 category pre-defined subcategory-id 241 action block
 category pre-defined subcategory-id 233 action block
#
security-policy
 rule name policy_sec_01
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  profile url-filter url_profile_01
  action permit