
CLI: Example for Implementing URL Filtering on Encrypted HTTPS Traffic

You can configure the function of filtering encrypted traffic to implement URL filtering for encrypted HTTPS traffic.

Networking Requirements

As shown in Figure 1, the FW is deployed at the network border as the enterprise's gateway to implement URL filtering on HTTPS requests sent by users to access the Internet.

An enterprise allows employees to access most websites except pornographic and illegal websites. In addition, the enterprise wants to:

  • Permit employees to access intranet websites: www.example1.com and www.example2.com.

  • Prevent employees from accessing external forum websites: www.example3.com and www.example4.com.

Figure 1 Implementing URL filtering on encrypted HTTPS traffic

Configuration Roadmap

  1. Set the IP address and security zone of the interface.
  2. Create the URL filtering profile url_profile_01.

    • Add www.example1.com and www.example2.com to the whitelist. Employees can access the whitelisted websites.
    • Add www.example3.com and www.example4.com to the blacklist. Employees are not allowed to access the blacklisted websites.
    • Set the URL filtering level to Medium to block access requests for pornographic and illegal websites.
    • Enable the function of filtering encrypted traffic to perform URL filtering on encrypted HTTPS traffic.
  3. Configure a security policy and reference the URL filtering profile url_profile_01 to control the URL access requests of the enterprise employees.

Procedure

  1. Set the IP address and security zone of the interface.
    1. Set an IP address for interface GigabitEthernet 0/0/1 and assign the interface to the untrust zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW-zone-untrust] quit
      

    2. Set an IP address for interface GigabitEthernet 0/0/3 and add the interface to the trust zone.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/3
      [FW-zone-trust] quit
      

  2. Configure URL filtering profiles.

    [FW] profile type url-filter name url_profile_01
    [FW-profile-url-filter-url_profile_01] add whitelist url www.example1.com
    [FW-profile-url-filter-url_profile_01] add whitelist url www.example2.com
    [FW-profile-url-filter-url_profile_01] add blacklist url www.example3.com
    [FW-profile-url-filter-url_profile_01] add blacklist url www.example4.com
    [FW-profile-url-filter-url_profile_01] category pre-defined control-level medium
    [FW-profile-url-filter-url_profile_01] https-filter enable
    [FW-profile-url-filter-url_profile_01] quit
    

    To deny URLs that are not on the whitelist, set the default action to deny. The FW applies the default action when the remote query service is unavailable, so URLs outside the whitelist are then denied.

    To permit URLs that are not on the blacklist, set the default action to permit. The FW applies the default action when the remote query service is unavailable, so URLs outside the blacklist are then permitted.

  3. Reference URL filtering profiles in security policies.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_01
    [FW-policy-security-rule-policy_sec_01] source-zone trust
    [FW-policy-security-rule-policy_sec_01] destination-zone untrust
    [FW-policy-security-rule-policy_sec_01] source-address 10.3.0.0 mask 255.255.255.0
    [FW-policy-security-rule-policy_sec_01] action permit
    [FW-policy-security-rule-policy_sec_01] profile url-filter url_profile_01
    [FW-policy-security-rule-policy_sec_01] quit
    [FW-policy-security] quit
    

  4. Commit the content security profiles.

    [FW] engine configuration commit
    Info: The operation may last for several minutes, please wait.
    Info: URL submitted configurations successfully.
    Info: Finish committing engine compiling.
    

Verification

  1. Employees can access most websites, but not pornographic and illegal websites.

    In the URL log URL/4/FILTER, the filtering type recorded when the FW blocks employees' access to such websites is Pre-defined.

  2. Employees can access www.example1.com and www.example2.com but cannot access www.example3.com or www.example4.com.

    In the URL log URL/4/FILTER, the filtering type recorded when the FW blocks access to www.example3.com or www.example4.com is Blacklist, and the filtering type recorded when it permits access to www.example1.com or www.example2.com is Whitelist.
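As an added illustration (not code from this page or from the FW's own software), the following Python models the decision order that url_profile_01 applies to a hostname taken from an HTTPS connection, including the default action used when the remote category query is unavailable. Extracting the hostname from the TLS ClientHello SNI, the whitelist-before-blacklist order, the category names and the "Default" filter type are assumptions; the sample ClientHello is constructed.

```python
import struct

# Constructed profile mirroring url_profile_01; default_action models the page's fail-closed choice.
PROFILE = {
    "whitelist": {"www.example1.com", "www.example2.com"},
    "blacklist": {"www.example3.com", "www.example4.com"},
    "blocked_categories": {"pornography", "illegal"},  # assumed meaning of control-level medium
    "default_action": "deny",
}

def sni_host(record):
    """Hostname from a TLS ClientHello's server_name extension (assumed extraction method, not the FW's)."""
    p = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                  # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher_suites
    p += 1 + record[p]                                  # compression_methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                  # server_name: list len(2), type(1), len(2), name
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None

def decide(host, lookup, profile=PROFILE):
    """(action, filter type as logged in URL/4/FILTER); whitelist > blacklist > category order is assumed."""
    if host in profile["whitelist"]:
        return "permit", "Whitelist"
    if host in profile["blacklist"]:
        return "deny", "Blacklist"
    category = lookup(host)                             # None models an unavailable remote query service
    if category is None:
        return profile["default_action"], "Default"
    if category in profile["blocked_categories"]:
        return "deny", "Pre-defined"
    return "permit", "Pre-defined"

def client_hello(host):
    """Constructed minimal ClientHello carrying only an SNI extension, used as sample input."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Running `decide` with a lookup that returns `None` shows why the default action matters: with `"deny"` an outage of the query service fails closed, with `"permit"` it fails open.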

Configuration Scripts

#
sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
profile type url-filter name url_profile_01
 add blacklist url www.example3.com
 add blacklist url www.example4.com
 add whitelist url www.example1.com
 add whitelist url www.example2.com
 category pre-defined control-level medium
 https-filter enable
#
security-policy
 rule name policy_sec_01
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  profile url-filter url_profile_01
  action permit
#
return
Copyright © Huawei Technologies Co., Ltd.