The url-filter https-filter consistency-check enable command enables the encrypted traffic consistency check function.
The undo url-filter https-filter consistency-check enable command disables the encrypted traffic consistency check function.
url-filter https-filter consistency-check enable
undo url-filter https-filter consistency-check enable
By default, this function is disabled.
Usually, URL requests are transmitted through HTTP or HTTPS. The FW can filter HTTP traffic without any additional configuration. To filter HTTPS traffic, the FW must have the encrypted traffic filtering function or the SSL-encrypted traffic detection function enabled.
Encrypted traffic filtering of URL filtering does not decrypt HTTPS. Instead, it obtains the domain name (HOST) of the website that a user wants to access by parsing packets.
After the url-filter https-filter consistency-check enable command is used to enable the encrypted traffic consistency check, the FW extracts the domain name (HOST) of the target website from the ServerName field in the client's ClientHello packet and from the Common Name and Subject Alternative Name fields in the server's Certificate packet, and verifies during TLS negotiation that the three values are consistent. If the verification succeeds, the FW performs URL filtering. If the verification fails, the FW directly blocks the traffic as abnormal packets.
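The following is an added example, not Huawei FW code, showing the shape of the check described above: it parses the ServerName (SNI) out of a raw TLS ClientHello record, then tests that name against the Common Name and Subject Alternative Names of the server certificate. Nothing is decrypted; only plaintext handshake fields are used. The matching rule (exact match, or a single left-most wildcard label) and the decision to accept a match against either the CN or any SAN are assumptions of this example, not a statement of the device's exact rules. The certificate names are passed in as already-parsed strings, and the ClientHello is constructed inline as sample input.

```python
"""Consistency check between the TLS ClientHello ServerName and the server
certificate's CN / SAN fields. Example code, not part of the FW product."""
import struct
from typing import List, Optional, Tuple


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input). If
    server_name is None, the extensions block is omitted entirely."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList entry: name_type(1)=host_name, name_len(2), name
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_ext = (struct.pack("!HH", 0x0000, len(entry) + 2)
                   + struct.pack("!H", len(entry)) + entry)
        exts = struct.pack("!H", len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + b"\x00" * 32   # client_version + random (constructed)
             + b"\x00"                    # session_id length 0
             + b"\x00\x02\x13\x01"        # one cipher suite
             + b"\x01\x00"                # compression_methods: null only
             + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension (RFC 6066), or None."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:              # not a ClientHello
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                      # skip version + random
    pos += 1 + hs[pos]                                # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                # compression_methods
    if pos + 2 > len(hs):
        return None                                   # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                        # server_name extension
            name_type = hs[pos + 2]
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            if name_type == 0:                        # host_name
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None


def hostname_matches(pattern: str, host: str) -> bool:
    """Assumed matching rule: case-insensitive exact match, or a '*.' wildcard
    that covers exactly one left-most DNS label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return False


def consistency_check(record: bytes, common_name: str,
                      sans: List[str]) -> Tuple[bool, str]:
    """Assumption: the ServerName must match the CN or any SAN, otherwise the
    flow is treated as abnormal (as the page says the FW then blocks it)."""
    sni = parse_sni(record)
    if sni is None:
        return False, "no ServerName in ClientHello"
    names = [common_name] + list(sans)
    if any(hostname_matches(n, sni) for n in names):
        return True, sni
    return False, "ServerName %s does not match certificate names %s" % (sni, names)


if __name__ == "__main__":
    cert_cn, cert_sans = "www.example.com", ["www.example.com", "*.example.org"]
    for sni in ["www.example.com", "foo.example.org", "evil.example.net", None]:
        print(sni, "->", consistency_check(build_client_hello(sni), cert_cn, cert_sans))
```

A flow whose ServerName is absent, or names a host the presented certificate does not cover, is reported as inconsistent; a real X.509 parser would supply the CN and SAN strings that this example takes as parameters.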
The website information carried in these three fields may be tampered with by a malicious user. Without the consistency check, traffic whose fields have been tampered with so that they fail verification can evade URL filtering, which reduces the detection accuracy of the device.
In whitelist mode (whitelist-only enable), the encrypted traffic consistency check function does not take effect. URL requests can be allowed only if the ServerName field is in the configured whitelist.