
CLI: Example for Using URL Filtering and Application Control Together

Networking Requirements

As shown in Figure 1, the FW is deployed at the network border as the enterprise gateway and applies URL filtering to employees' HTTPS requests. The detailed requirements are as follows:
  • Enterprise employees can access only Facebook in the social networking category and cannot access other websites.
  • Employees of the marketing department can access the Facebook website and all Facebook applications. Employees of the R&D department can access only the Facebook website but cannot use other Facebook applications, such as email and chat.

To meet these requirements, URL filtering and application control must be used together. URL filtering restricts employees to Facebook and blocks all other websites; application control then applies fine-grained control to the individual Facebook applications.

Figure 1 Using URL filtering and application control together

Configuration Roadmap

  1. Set interface IP addresses and assign the interfaces to security zones.
  2. Create the URL filtering profile url_profile_all to allow enterprise employees to access Facebook in the social networking category and block access to other websites.
  3. Configure the security policy policy_sec_all and reference the URL filtering profile url_profile_all to control the URL access of all employees in the enterprise.
  4. Configure the security policy policy_sec_marketing to allow employees in the marketing department to access Facebook and all Facebook applications.

    To control the individual Facebook applications, which run inside HTTPS, you also need to configure SSL-encrypted traffic detection.

  5. Configure the security policy policy_sec_research to restrict employees in the R&D department to the Facebook website and deny the other Facebook applications, such as email and chat.

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.

    1. Set the IP address of interface GE0/0/1 and add it to the Untrust zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW-zone-untrust] quit
    2. Set the IP address of interface GE0/0/3 and add it to the Trust zone.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/3
      [FW-zone-trust] quit

  2. Create the URL filtering profile url_profile_all to allow enterprise employees to access Facebook in the social networking category and block access to other websites.

    [FW] profile type url-filter name url_profile_all
    [FW-profile-url-filter-url_profile_all] https-filter enable
    [FW-profile-url-filter-url_profile_all] default action block
    [FW-profile-url-filter-url_profile_all] category pre-defined action block
    [FW-profile-url-filter-url_profile_all] add whitelist host facebook.com
    [FW-profile-url-filter-url_profile_all] add whitelist host *.facebook.com
    [FW-profile-url-filter-url_profile_all] quit

  3. Configure the security policy policy_sec_all and reference the URL filtering profile url_profile_all to control the URL access of all employees in the enterprise.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_all
    [FW-policy-security-rule-policy_sec_all] source-zone trust
    [FW-policy-security-rule-policy_sec_all] destination-zone untrust
    [FW-policy-security-rule-policy_sec_all] source-address 10.3.0.1 mask 255.255.255.255
    [FW-policy-security-rule-policy_sec_all] profile url-filter url_profile_all
    [FW-policy-security-rule-policy_sec_all] action permit
    [FW-policy-security-rule-policy_sec_all] quit
    [FW-policy-security] quit

  4. Configure the security policy policy_sec_marketing to allow employees in the marketing department to access Facebook and all Facebook applications.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_marketing
    [FW-policy-security-rule-policy_sec_marketing] source-zone trust
    [FW-policy-security-rule-policy_sec_marketing] destination-zone untrust
    [FW-policy-security-rule-policy_sec_marketing] source-address 10.3.0.1 mask 255.255.255.255
    [FW-policy-security-rule-policy_sec_marketing] user user-group /default/marketing
    [FW-policy-security-rule-policy_sec_marketing] application app Facebook
    [FW-policy-security-rule-policy_sec_marketing] application app Facebook_Browsing
    [FW-policy-security-rule-policy_sec_marketing] application app Facebook_Games
    [FW-policy-security-rule-policy_sec_marketing] application app Facebook_Login
    [FW-policy-security-rule-policy_sec_marketing] application app Facebook_Messages
    [FW-policy-security-rule-policy_sec_marketing] application app Facebook_Messenger
    [FW-policy-security-rule-policy_sec_marketing] application app Facebook_Photos
    [FW-policy-security-rule-policy_sec_marketing] application app Facebook_VideoChat
    [FW-policy-security-rule-policy_sec_marketing] application app Facebook_Videos
    [FW-policy-security-rule-policy_sec_marketing] application app HTTP
    [FW-policy-security-rule-policy_sec_marketing] application app HTTPS
    [FW-policy-security-rule-policy_sec_marketing] application app RTP
    [FW-policy-security-rule-policy_sec_marketing] application app RTSP
    [FW-policy-security-rule-policy_sec_marketing] application app SSL
    [FW-policy-security-rule-policy_sec_marketing] application app STUN
    [FW-policy-security-rule-policy_sec_marketing] application software Facebook
    [FW-policy-security-rule-policy_sec_marketing] action permit
    [FW-policy-security-rule-policy_sec_marketing] quit
    [FW-policy-security] quit

  5. Configure the security policy policy_sec_research to restrict employees in the R&D department to the Facebook website and deny the other Facebook applications, such as email and chat.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_research
    [FW-policy-security-rule-policy_sec_research] source-zone trust
    [FW-policy-security-rule-policy_sec_research] destination-zone untrust
    [FW-policy-security-rule-policy_sec_research] source-address 10.3.0.1 mask 255.255.255.255
    [FW-policy-security-rule-policy_sec_research] user user-group /default/research
    [FW-policy-security-rule-policy_sec_research] application app Facebook_Games
    [FW-policy-security-rule-policy_sec_research] application app Facebook_Messages
    [FW-policy-security-rule-policy_sec_research] application app Facebook_Messenger
    [FW-policy-security-rule-policy_sec_research] application app Facebook_Photos
    [FW-policy-security-rule-policy_sec_research] application app Facebook_VideoChat
    [FW-policy-security-rule-policy_sec_research] application app Facebook_Videos
    [FW-policy-security-rule-policy_sec_research] action deny
    [FW-policy-security-rule-policy_sec_research] quit
    [FW-policy-security] quit

  6. Commit the configuration.

    [FW] engine configuration commit
    Info: The operation may last for several minutes, please wait.
    Info: URL submitted configurations successfully.
    Info: Finish committing engine compiling.

Verification

  1. All employees can access Facebook but cannot access other websites.

    In the URL log (URL/4/FILTER), the employees' requests to other websites are shown as matching the URL filtering profile whose filtering type is Pre-defined and whose action is Block.

  2. Employees of the marketing department can access the Facebook website and all Facebook applications.

  3. Employees of the R&D department can access only the Facebook website but cannot access other Facebook applications.
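The following model is an added example and is not Huawei's code or part of this page's configuration. It replays the three security-policy rules in the order the configuration script lists them (policy_sec_research, policy_sec_marketing, policy_sec_all), evaluates them first-match top-down as security policies are, and applies the url_profile_all whitelist and default-block logic on the rule that references it, so that the three verification outcomes above can be checked against the rules as written. The zone and source-address conditions are identical for all three rules and are omitted; the Request fields (user group, identified application, host name seen after SSL decryption) and the sample requests are constructed for the example.

```python
"""Model of the page's combined URL-filtering and application-control policy.

Added example, not Huawei code. Rules are evaluated first-match, top-down, in
the order the configuration script lists them. Zone and source-address
conditions are the same on every rule and are left out. Sample requests below
are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, Optional, Tuple

# url_profile_all: the two whitelist hosts from the page; anything else falls
# through to "category pre-defined action block" / "default action block".
URL_WHITELIST = ("facebook.com", "*.facebook.com")


def url_filter(host: str) -> str:
    """Return 'permit' for a whitelisted host, 'block' otherwise."""
    h = host.strip().lower().rstrip(".")
    return "permit" if any(fnmatchcase(h, pat) for pat in URL_WHITELIST) else "block"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "permit" or "deny"
    user_group: Optional[str] = None     # None: any user
    apps: FrozenSet[str] = frozenset()   # empty: any application
    url_profile: bool = False            # rule references url_profile_all


# Application lists copied from the page's two user-group rules.
FACEBOOK_RESTRICTED = frozenset({
    "Facebook_Games", "Facebook_Messages", "Facebook_Messenger",
    "Facebook_Photos", "Facebook_VideoChat", "Facebook_Videos",
})
FACEBOOK_ALL = FACEBOOK_RESTRICTED | frozenset({
    "Facebook", "Facebook_Browsing", "Facebook_Login",
    "HTTP", "HTTPS", "RTP", "RTSP", "SSL", "STUN",
})

# Same order as the page's configuration script: research, marketing, all.
RULES = (
    Rule("policy_sec_research", "deny", "/default/research", FACEBOOK_RESTRICTED),
    Rule("policy_sec_marketing", "permit", "/default/marketing", FACEBOOK_ALL),
    Rule("policy_sec_all", "permit", url_profile=True),
)


@dataclass(frozen=True)
class Request:
    user_group: str   # user group the session was authenticated to (assumed field)
    app: str          # application identified by the engine (assumed field)
    host: str         # HTTP Host / TLS SNI visible after decryption (assumed field)


def evaluate(req: Request, rules: Tuple[Rule, ...] = RULES) -> Tuple[str, str]:
    """First matching rule wins; returns (decision, rule name).

    decision is 'permit' or 'deny' (the rule's action) or 'block' (the URL
    filtering profile on a permit rule rejected the host). No match at all
    falls to the implicit default deny.
    """
    for rule in rules:
        if rule.user_group is not None and rule.user_group != req.user_group:
            continue
        if rule.apps and req.app not in rule.apps:
            continue
        if rule.action == "deny":
            return "deny", rule.name
        if rule.url_profile and url_filter(req.host) == "block":
            return "block", rule.name
        return "permit", rule.name
    return "deny", "default-policy"


if __name__ == "__main__":
    samples = [  # constructed requests mirroring the Verification section
        Request("/default/research", "Facebook_Browsing", "www.facebook.com"),
        Request("/default/research", "Facebook_Messenger", "www.facebook.com"),
        Request("/default/marketing", "Facebook_Messenger", "www.facebook.com"),
        Request("/default/research", "HTTPS", "www.example.net"),
    ]
    for s in samples:
        print(f"{s.user_group:<19} {s.app:<19} {s.host:<17} -> {evaluate(s)}")
```

Two checks are worth running against the model. Reordering the rules to the order the procedure creates them (policy_sec_all first) lets an R&D user's Facebook_Messenger session match the permit rule before the deny rule ever applies, which is why the rule order shown in the configuration script matters. And a marketing user's HTTPS session to a non-Facebook host matches policy_sec_marketing, which carries no URL filtering profile, so in this model it is permitted rather than blocked by url_profile_all; whether that is acceptable against the first requirement should be confirmed on the device.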

Configuration Scripts

#
sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
profile type url-filter name url_profile_all
 add whitelist host facebook.com
 add whitelist host *.facebook.com
 category pre-defined subcategory-id 101 action block                           
 category pre-defined subcategory-id 102 action block                           
 category pre-defined subcategory-id 162 action block                           
 category pre-defined subcategory-id 163 action block                           
 category pre-defined subcategory-id 164 action block                           
 category pre-defined subcategory-id 165 action block                           
 category pre-defined subcategory-id 103 action block                           
 category pre-defined subcategory-id 166 action block                           
 category pre-defined subcategory-id 167 action block                           
 category pre-defined subcategory-id 168 action block                           
 category pre-defined subcategory-id 104 action block                           
 category pre-defined subcategory-id 169 action block                           
 category pre-defined subcategory-id 170 action block                           
 category pre-defined subcategory-id 105 action block                           
 category pre-defined subcategory-id 171 action block                           
 category pre-defined subcategory-id 172 action block                           
 category pre-defined subcategory-id 173 action block                           
 category pre-defined subcategory-id 174 action block                           
 category pre-defined subcategory-id 106 action block                           
 category pre-defined subcategory-id 108 action block                           
 category pre-defined subcategory-id 177 action block                           
 category pre-defined subcategory-id 251 action block                           
 category pre-defined subcategory-id 109 action block                           
 category pre-defined subcategory-id 110 action block                           
 category pre-defined subcategory-id 111 action block                           
 category pre-defined subcategory-id 112 action block                           
 category pre-defined subcategory-id 114 action block                           
 category pre-defined subcategory-id 115 action block                           
 category pre-defined subcategory-id 117 action block                           
 category pre-defined subcategory-id 178 action block                           
 category pre-defined subcategory-id 179 action block                           
 category pre-defined subcategory-id 180 action block                           
 category pre-defined subcategory-id 181 action block                           
 category pre-defined subcategory-id 118 action block                           
 category pre-defined subcategory-id 119 action block                           
 category pre-defined subcategory-id 122 action block                           
 category pre-defined subcategory-id 182 action block                           
 category pre-defined subcategory-id 183 action block                           
 category pre-defined subcategory-id 184 action block                           
 category pre-defined subcategory-id 247 action block                           
 category pre-defined subcategory-id 248 action block                           
 category pre-defined subcategory-id 249 action block                           
 category pre-defined subcategory-id 250 action block                           
 category pre-defined subcategory-id 123 action block                           
 category pre-defined subcategory-id 124 action block                           
 category pre-defined subcategory-id 186 action block                           
 category pre-defined subcategory-id 187 action block                           
 category pre-defined subcategory-id 188 action block                           
 category pre-defined subcategory-id 189 action block                           
 category pre-defined subcategory-id 125 action block                           
 category pre-defined subcategory-id 126 action block                           
 category pre-defined subcategory-id 190 action block                           
 category pre-defined subcategory-id 127 action block                           
 category pre-defined subcategory-id 128 action block                           
 category pre-defined subcategory-id 129 action block                           
 category pre-defined subcategory-id 191 action block                           
 category pre-defined subcategory-id 192 action block                           
 category pre-defined subcategory-id 193 action block                           
 category pre-defined subcategory-id 194 action block                           
 category pre-defined subcategory-id 195 action block                           
 category pre-defined subcategory-id 196 action block                           
 category pre-defined subcategory-id 130 action block                           
 category pre-defined subcategory-id 131 action block                           
 category pre-defined subcategory-id 132 action block                           
 category pre-defined subcategory-id 197 action block                           
 category pre-defined subcategory-id 198 action block                           
 category pre-defined subcategory-id 199 action block                           
 category pre-defined subcategory-id 200 action block                           
 category pre-defined subcategory-id 227 action block                           
 category pre-defined subcategory-id 228 action block                           
 category pre-defined subcategory-id 133 action block                           
 category pre-defined subcategory-id 201 action block                           
 category pre-defined subcategory-id 202 action block                           
 category pre-defined subcategory-id 204 action block                           
 category pre-defined subcategory-id 205 action block                           
 category pre-defined subcategory-id 134 action block                           
 category pre-defined subcategory-id 135 action block                           
 category pre-defined subcategory-id 136 action block                           
 category pre-defined subcategory-id 137 action block                           
 category pre-defined subcategory-id 138 action block                           
 category pre-defined subcategory-id 139 action block                           
 category pre-defined subcategory-id 140 action block                           
 category pre-defined subcategory-id 141 action block                           
 category pre-defined subcategory-id 206 action block                           
 category pre-defined subcategory-id 207 action block                           
 category pre-defined subcategory-id 208 action block                           
 category pre-defined subcategory-id 209 action block                           
 category pre-defined subcategory-id 210 action block                           
 category pre-defined subcategory-id 229 action block                           
 category pre-defined subcategory-id 142 action block                           
 category pre-defined subcategory-id 143 action block                           
 category pre-defined subcategory-id 144 action block                           
 category pre-defined subcategory-id 145 action block                           
 category pre-defined subcategory-id 146 action block                           
 category pre-defined subcategory-id 147 action block                           
 category pre-defined subcategory-id 211 action block                           
 category pre-defined subcategory-id 212 action block                           
 category pre-defined subcategory-id 213 action block                           
 category pre-defined subcategory-id 240 action block                           
 category pre-defined subcategory-id 253 action block                           
 category pre-defined subcategory-id 149 action block                           
 category pre-defined subcategory-id 150 action block                           
 category pre-defined subcategory-id 214 action block                           
 category pre-defined subcategory-id 215 action block                           
 category pre-defined subcategory-id 216 action block                           
 category pre-defined subcategory-id 217 action block                           
 category pre-defined subcategory-id 151 action block                           
 category pre-defined subcategory-id 218 action block                           
 category pre-defined subcategory-id 219 action block                           
 category pre-defined subcategory-id 220 action block                           
 category pre-defined subcategory-id 221 action block                           
 category pre-defined subcategory-id 222 action block                           
 category pre-defined subcategory-id 223 action block                           
 category pre-defined subcategory-id 230 action block                           
 category pre-defined subcategory-id 252 action block                           
 category pre-defined subcategory-id 152 action block                           
 category pre-defined subcategory-id 153 action block                           
 category pre-defined subcategory-id 238 action block                           
 category pre-defined subcategory-id 154 action block                           
 category pre-defined subcategory-id 155 action block                           
 category pre-defined subcategory-id 224 action block                           
 category pre-defined subcategory-id 225 action block                           
 category pre-defined subcategory-id 156 action block                           
 category pre-defined subcategory-id 157 action block                           
 category pre-defined subcategory-id 158 action block                           
 category pre-defined subcategory-id 231 action block                           
 category pre-defined subcategory-id 232 action block                           
 category pre-defined subcategory-id 159 action block                           
 category pre-defined subcategory-id 254 action block                           
 category pre-defined subcategory-id 160 action block                           
 category pre-defined subcategory-id 161 action block                           
 category pre-defined subcategory-id 176 action block                           
 category pre-defined subcategory-id 226 action block                           
 category pre-defined subcategory-id 234 action block                           
 category pre-defined subcategory-id 235 action block                           
 category pre-defined subcategory-id 236 action block                           
 category pre-defined subcategory-id 237 action block                           
 category pre-defined subcategory-id 239 action block                           
 category pre-defined subcategory-id 241 action block                           
 category pre-defined subcategory-id 233 action block                           
 default action block
 https-filter enable
#
security-policy
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 mask 255.255.255.255
  user user-group /default/research
  application app Facebook_Games
  application app Facebook_Messages
  application app Facebook_Messenger
  application app Facebook_Photos
  application app Facebook_VideoChat
  application app Facebook_Videos
  action deny
 rule name policy_sec_marketing
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 mask 255.255.255.255
  user user-group /default/marketing
  application app Facebook
  application app Facebook_Browsing
  application app Facebook_Games
  application app Facebook_Login
  application app Facebook_Messages
  application app Facebook_Messenger
  application app Facebook_Photos
  application app Facebook_VideoChat
  application app Facebook_Videos
  application app HTTP
  application app HTTPS
  application app RTP
  application app RTSP
  application app SSL
  application app STUN
  application software Facebook
  action permit
 rule name policy_sec_all
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 mask 255.255.255.255
  profile url-filter url_profile_all
  action permit
Copyright © Huawei Technologies Co., Ltd.