
Web: Example for Implementing URL Filtering on Decrypted HTTPS Traffic

This section provides an example for configuring SSL-encrypted traffic detection to decrypt HTTPS traffic into HTTP traffic and then implement URL filtering on the HTTP traffic.

Networking Requirements

As shown in Figure 1, the FW is deployed at the network border as the enterprise's gateway to implement URL filtering on HTTPS requests sent by users to access the Internet.

An enterprise allows employees to access most websites except pornographic and illegal websites. In addition, the enterprise wants to:

  • Permit employees to access intranet websites: www.example1.com and www.example2.com.

  • Prevent employees from accessing external forum websites: www.example3.com and www.example4.com.

Figure 1 Implementing URL filtering on decrypted HTTPS traffic

Configuration Roadmap

  1. Set the IP address and security zone of the interface.
  2. Create the URL filtering profile url_profile_01.

    • Add www.example1.com and www.example2.com to the whitelist. Employees can access the whitelisted websites.
    • Add www.example3.com and www.example4.com to the blacklist. Employees are not allowed to access the blacklisted websites.
    • Set the URL filtering level to Medium to block access requests for pornographic and illegal websites.
  3. Configure a security policy and reference the URL filtering profile url_profile_01 to control the URL access requests of the enterprise employees.
  4. Configure SSL-encrypted traffic detection to decrypt HTTPS traffic.
    • Configure the SSL decryption certificate and import and install the SSL decryption certificate to the intranet PC.
    • Optional: Import the CA certificate of the certificate authority trusted by the enterprise and specify the imported CA certificate as the server CA certificate. The FW checks whether the server certificate is trusted based on the server CA certificate.

      Note that over 100 common server CA certificates have been preset on the FW by default, which can be used to verify most server certificates. Generally, these default CA certificates are enough and you do not need to import other CA certificates. In some cases, however, if the preset CA certificates cannot verify the peer server certificates, you need to import other CA certificates. This section describes how to import a CA certificate as a configuration step.

    • Configure the detection profile and SSL-encrypted traffic detection policy.

Procedure

  1. Set the IP address and security zone of the interface.

    1. Choose Network > Interface.
    2. Click the edit icon of GE0/0/3 and set the parameters as follows:

      Zone: trust
      IPv4 IP Address: 10.3.0.1/24

    3. Click OK.
    4. Repeat the previous steps for GE0/0/1 with the following parameters:

      Zone: untrust
      IPv4 IP Address: 1.1.1.1/24

  2. Configure URL filtering profiles.

    1. Choose Object > Security Profiles > URL Filtering.

    2. In URL Filtering Profile, click Add and set the parameters as follows:

      Name: url_profile_01
      Default Action: Allow

      NOTE:
      The default action is what the FW applies to a URL when the remote query service is unavailable. Set it to Deny if URLs outside the whitelist should be denied in that situation, or to Permit if URLs outside the blacklist should be permitted.

      Whitelist URL:
        www.example1.com
        www.example2.com
      Blacklist URL:
        www.example3.com
        www.example4.com
      URL Filtering Level: Medium, which blocks access to all pornographic and illegal websites.

    3. Click OK.

  3. Reference URL filtering profiles in security policies.

    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy and set the parameters as follows:

      Name: policy_sec_01
      Source Zone: trust
      Destination Zone: untrust
      Source Address/Region: 10.3.0.1/24
      Action: permit
      Content Security > URL Filtering: url_profile_01

    3. Click OK.

  4. Configure SSL-encrypted traffic detection.
    1. Configure an SSL decryption certificate, export it, and install it on the intranet PCs.

      1. Choose Object > Certificates > SSL Decryption Certificate.

      2. Click the SSL Decryption Certificate tab. Click Add and configure an SSL decryption certificate as follows:

        Certificate Name: ssl-server-ca
        FQDN: www.example.com
        Country/Area: China(CN)
        Locality: Trust-Network

      3. Click OK.
      4. Click the download icon of the SSL decryption certificate and download the certificate to the administrator PC.

        File Format: Export files in PKCS12 format
        Password/Confirm Password: Hello@123

        The password specified here protects the key file in the certificate. You must enter it when you install the certificate later.

      5. Click OK.
      6. Send the exported certificate file to the intranet users and require them to install the certificate on their PCs and trust it. For how to install the trusted certificate, see Installing an SSL Decryption Certificate on a Client. If the certificate is not installed, browsers will not trust the certificates the FW issues for decrypted sites, and normal access may be blocked.

    2. Optional: Import the CA certificates of the certificate authorities that the enterprise trusts. Specify the CA certificate used by the FW to verify the server certificate.

      1. Choose Object > Certificates > CA Certificates.

      2. Click Upload to import a CA certificate.

        Upload Type: Local Upload
        Certificate File: server_ca.cer

      3. Click OK.
      4. Choose Object > Certificates > SSL decryption certificate and click the Server CA Certificate tab.
      5. Click Add and select the CA certificate that has been imported into the FW.
      6. Click OK.

    3. Configure the detection profile and SSL-encrypted traffic detection policy.

      1. Choose Policy > Encrypted Traffic Detection > Detection Profile.

      2. Click Add and set the following parameters:

        Name: ssl_profile
        Type: Outbound

      3. Click OK.
      4. Choose Policy > Encrypted Traffic Detection > Detection Policy.

      5. Click Add and set the following parameters:

        Name: ssl_policy
        Source Zone: trust
        Destination Zone: untrust
        Source Address: 10.3.0.1/24
        Service: https
        Action: Decrypt
        Detection Profile: ssl_profile

      6. Click OK.

  5. Click Save on the upper right of the web page, and click OK in the dialog box that is displayed.
  6. Click Commit on the upper right of the web page, and click OK in the dialog box that is displayed.

Verification

  1. Employees can access most websites, but not pornographic and illegal websites. When access is blocked, a block notification is pushed to the employee.

    Choose Monitor > Log > URL Log. You can view the URL logs generated when the FW blocks employees' access to a website; for these entries, Filtering Type is Predefined.

  2. Employees can access www.example1.com and www.example2.com but cannot access www.example3.com or www.example4.com. When access is blocked, a block notification is pushed to the employee.

    Choose Monitor > Log > URL Log. You can view the URL logs generated when the FW blocks employees' access to a website; for these entries, Filtering Type is Blacklist or Whitelist.
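The decision order that url_profile_01 applies, modelled as an added Python example (not Huawei's implementation): whitelist, then blacklist, then the predefined category at the configured level, with the default action used only when the category query is unavailable, returning the Filtering Type value the URL log shows. It assumes whitelist entries take precedence over blacklist entries, that a list entry also covers subdomains, and uses the constructed category table and the label "Default" as stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple
from urllib.parse import urlparse

@dataclass(frozen=True)
class UrlFilterProfile:
    name: str
    whitelist: FrozenSet[str]
    blacklist: FrozenSet[str]
    control_level: str    # "medium" on this page
    default_action: str   # "allow" or "deny"; applied when the remote query fails

# Constructed table: which predefined categories each control level blocks.
# The page only states that Medium blocks pornographic and illegal websites.
BLOCKED_BY_LEVEL = {"medium": frozenset({"pornography", "illegal"})}

# Constructed stand-in for the remote category query service.
SAMPLE_CATEGORIES = {"adult.example": "pornography", "news.example": "news"}

def sample_lookup(host: str) -> Optional[str]:
    return SAMPLE_CATEGORIES.get(host)

def host_matches(host: str, entry: str) -> bool:
    # Assumption: a list entry covers the host itself and its subdomains.
    return host == entry or host.endswith("." + entry)

def evaluate(profile: UrlFilterProfile, url: str,
             lookup: Callable[[str], Optional[str]]) -> Tuple[str, str]:
    """Return (action, filtering_type), the two fields shown in the URL log."""
    host = (urlparse(url).hostname or "").lower()
    # Assumption: whitelist is checked first, then blacklist, then categories.
    if any(host_matches(host, e) for e in profile.whitelist):
        return "allow", "Whitelist"
    if any(host_matches(host, e) for e in profile.blacklist):
        return "deny", "Blacklist"
    category = lookup(host)
    if category is None:
        # Remote query unavailable: the profile's default action decides.
        # "Default" is our own label for this case, not a documented log value.
        return profile.default_action, "Default"
    if category in BLOCKED_BY_LEVEL.get(profile.control_level, frozenset()):
        return "deny", "Predefined"
    return "allow", "Predefined"

# The profile configured on this page.
URL_PROFILE_01 = UrlFilterProfile(
    "url_profile_01", frozenset({"www.example1.com", "www.example2.com"}),
    frozenset({"www.example3.com", "www.example4.com"}), "medium", "allow")
```

Passing a lookup that always returns None reproduces the "remote query service unavailable" case from the NOTE, so you can see which default action a profile falls back to.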

Configuration Scripts

#
 app-proxy built-in-ca trust filename ssl-server-ca
 app-proxy ca trust filename server_ca.cer
#
pki entity ssl-server-ca
 common-name ssl-server-ca
 fqdn www.example.com
 locality Trust Network
 country CN
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
profile type url-filter name url_profile_01
 add blacklist url www.example3.com
 add blacklist url www.example4.com
 add whitelist url www.example1.com
 add whitelist url www.example2.com
 category pre-defined control-level medium
#
security-policy
 rule name policy_sec_01
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  profile url-filter url_profile_01
  action permit
#
profile type decryption name ssl_profile
 detect type outbound
#
decryption-policy
 rule name ssl_policy
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 mask 255.255.255.0
  service https
  action decrypt profile ssl_profile
#
return
Copyright © Huawei Technologies Co., Ltd.