
URL Reputation and Malicious URL

This section describes the concepts and sources of URL reputation and malicious URLs.

In addition to filtering by URL category, blacklist, and whitelist, the FW can block URLs that may cause threats, including low-reputation and malicious URLs.

URL Reputation

URL reputation reflects whether the URLs that users access are reliable. After URL reputation detection is enabled, URLs with low reputation can be blocked. The FW can query URL reputation in either of the following modes: URL reputation hotspot database and remote query server.
  • URL reputation hotspot database

    The URL reputation hotspot database is released by sec.huawei.com. It is used to quickly obtain the latest URL reputation data from the cloud and block access to untrusted URLs. The configuration of the URL reputation hotspot database takes effect only after the license and the component package for URL remote query are loaded. After the URL reputation hotspot database update function is enabled, the device periodically obtains the latest hotspot database through the fast update channel and loads it into the predefined URL category cache. The device then checks the URL reputation in the predefined URL category cache. If the URL is found, the device performs the next action based on the URL reputation value.

  • Remote query server

    If the FW does not enable the URL reputation hotspot database update function and the URL reputation value cannot be found in the predefined URL category cache, the FW can obtain the latest URL reputation value through the URL remote query process. It then saves the queried reputation to the predefined URL category cache so that the next query for the same URL is answered quickly from the cache.

Malicious URL

A malicious URL is a URL that contains malicious information. After the malicious URL detection function is enabled, the URL filtering function blocks subsequent traffic based on the malicious URL information. Malicious URLs are identified by:
  • Antivirus function

  • Sandbox interworking with the FW

  • Obtaining the local reputation, which contains malicious URLs, from HiSec Insight. The local reputation supports scheduled updates, which periodically refresh malicious URL information.

The IAE saves the malicious URLs to the malicious URL cache on the device. When a user requests to access a URL, if the parsed URL matches a malicious URL, the FW will block the URL request. Malicious URLs have a validity period. Expired malicious URLs will be automatically deleted.

In terms of their effect, malicious URLs are similar to the blacklist. They differ as follows:

  • The blacklist must be manually configured on the FW, whereas malicious URLs do not need to be.

  • The blacklist never expires. Malicious URLs have a validity period. Expired malicious URLs will be automatically deleted.

  • The blacklist configuration is stored in the configuration file, while malicious URL information is stored in the cache. When the FW restarts, the malicious URL cache is cleared.
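
The three differences listed above can be seen in a small model, added here as an illustration and not taken from the FW's implementation. The class and method names, the one-hour validity period, exact-string URL matching, and checking the blacklist before the malicious URL cache are all assumptions made for the example.

```python
# Illustrative model only: names, the validity period, exact-string matching
# and the lookup order are assumptions, not the FW's actual implementation.
import time


class UrlFilterModel:
    def __init__(self, blacklist=(), clock=time.monotonic):
        self.blacklist = set(blacklist)   # manually configured, kept in the configuration file
        self.malicious = {}               # url -> expiry time, held only in the cache
        self._clock = clock

    def report_malicious(self, url, validity_seconds):
        """Entry learned automatically (antivirus, sandbox, local reputation)."""
        self.malicious[url] = self._clock() + validity_seconds

    def _purge_expired(self):
        now = self._clock()
        for url in [u for u, exp in self.malicious.items() if exp <= now]:
            del self.malicious[url]       # expired entries are deleted automatically

    def verdict(self, url):
        """Return (action, reason) for a requested URL."""
        if url in self.blacklist:
            return ("block", "blacklist")
        self._purge_expired()
        if url in self.malicious:
            return ("block", "malicious-url-cache")
        return ("allow", "no-match")

    def restart(self):
        """The configuration survives a restart; the malicious URL cache does not."""
        self.malicious.clear()


def demo():
    now = [0.0]                                        # constructed fake clock
    fw = UrlFilterModel(blacklist={"bad.example/login"}, clock=lambda: now[0])
    fw.report_malicious("evil.example/payload", validity_seconds=3600)
    results = [fw.verdict("evil.example/payload")]     # within the validity period
    now[0] = 3601
    results.append(fw.verdict("evil.example/payload"))  # validity period elapsed
    fw.report_malicious("evil.example/payload", validity_seconds=3600)
    fw.restart()
    results.append(fw.verdict("evil.example/payload"))  # cache cleared by restart
    results.append(fw.verdict("bad.example/login"))     # blacklist entry persists
    return results
```

In this model, a URL that must stay blocked across restarts and beyond the validity period has to be on the blacklist, because a cached malicious URL is only blocked again once it has been re-learned.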

Copyright © Huawei Technologies Co., Ltd.