Understanding HTTPS URL Filtering
This section describes the HTTPS URL filtering function.
URL filtering applies only to HTTP or HTTPS URL requests. To filter HTTPS URL requests, you also need to configure either SSL-encrypted traffic detection or the encrypted traffic filtering function of URL filtering. The two functions differ as follows:
SSL-encrypted traffic detection
SSL-encrypted traffic detection can decrypt HTTPS traffic. The FW then implements URL filtering on the decrypted HTTP traffic. This function has the following characteristics:
Complicated configuration.
The function needs to decrypt a large volume of traffic, which compromises the forwarding performance of the device.
More precise URL filtering.
In addition, this function requires clients to install an SSL decryption certificate. However, this might be impractical at public places, such as railway stations and large supermarkets. In this case, you can configure the encrypted traffic filtering of URL filtering function to filter encrypted traffic (HTTPS traffic), or configure DNS filtering to filter URLs requested by users.
Encrypted traffic filtering
Encrypted traffic filtering of URL filtering does not decrypt HTTPS. Instead, it obtains the domain name (HOST) of the website that a user wants to access from the Server Name Indication field in the Client Hello packet sent by the client and from the Common Name and Subject Alternative Name fields in the Certificate packet sent by the server. This function has the following characteristics:
Simple configuration.
As the encrypted traffic filtering function does not decrypt traffic, its performance is high.
Only domain name-based filtering is supported, so URL filtering is less accurate than with decryption.
During the TLS negotiation, the FW verifies the SNI value in the client's Client Hello packet against the CN and SAN values in the server's Certificate packet. If the verification succeeds, the FW performs URL filtering on the traffic. If the verification fails, the FW directly blocks the traffic as abnormal packets.
Because the website information in these three fields can be tampered with by malicious users, some traffic evades URL filtering when field verification fails, which reduces the detection accuracy of the device.
Read Limitations and Precautions for URL Filtering before configuring the encrypted traffic filtering function.