Monitoring URL Filtering
This section describes the verification and check operations after URL filtering is configured.
Common Maintenance Commands
Action |
Command |
|---|---|
Display the information about URL filtering profiles. |
display profile type url-filter display profile type url-filter name name [ blacklist [ url url-text | host host-text ] | whitelist [ url url-text | host host-text ] | refererlist [ host host-text ] | pre-defined [ category-id category-id | subcategory-id subcategory-id ] | user-defined [ name category-name ] ] |
Display the URL category list. |
display url-filter category [ pre-defined [ category-id category-id | subcategory-id subcategory-id | url url-text | host host-text ] | user-defined [ name category-name | url url-text | host host-text ] ] |
Display the information about all the predefined categories of a specific control level. |
display url-filter category pre-defined control-level [ high | low | medium ] |
Display the global URL filtering configurations. |
|
Display the safe search tags of search engines. |
|
Display information about Google account control lists. |
display web-apps-control type restrict-google-account [ name restrict-google-account-name ] |
Display the statistics on URL filtering. |
|
Clear the statistics on URL filtering. |
reset url-filter statistics { blacklist | whitelist | category [ user-defined | pre-defined ] | malicious | all } |
Check the URL category statistics. |
display url-filter category { pre-defined [ subcategory-id subcategory-id ] | user-defined [ name category-name ] } statistics [ slot slot-id cpu cpu-id ] |
Clear the URL category statistics. |
reset url-filter category { pre-defined [ subcategory-id subcategory-id ] | user-defined [ name category-name ] } statistics |
Viewing Logs
After referencing the URL filtering profile in the security policy, the FW checks the data of traffic matching the security policy. If a URL that a user wants to access matches the whitelist, blacklist, or a URL category with the alert or block action defined in the URL filtering profile, a content log is generated.
Web
Choose to view URL logs. The following table lists the fields in a content log.
Field |
Description |
|---|---|
View |
Click In View URL Log Details, click the Source Region/Destination Region/Source Address/Destination Address/Source User/Application/URL Category/Security Policy/Profile field value. You can view and operate existing field settings. Based on the Referer field in the URL column of View URL Log Details, you can view the domain name from which the URL is redirected. For example, if Referer is www.example.com, the URL is redirected from www.example.com; if Referer is the domain name in the referer field of a URL request and referer field of the URL request is empty, Referer is displayed none. |
Time |
Time when a URL log is generated |
URL Categories |
Matched URL category |
URL |
Requested URL |
Filtering Type |
URL filtering type:
|
Source Zone |
Source security zone of traffic |
Destination Zone |
Destination security zone of traffic |
Source Region |
Source region of the traffic |
Destination Region |
Destination region of the traffic |
Source Address |
Source IP address of traffic |
Destination Address |
Destination IP address of traffic |
Source User |
User who generates traffic |
Source Port |
Source port of traffic |
Destination Port |
Destination port of traffic |
Application |
Application type of traffic |
Action |
Action defined in the URL filtering profile that traffic matches |
Security Policy |
Security policy that traffic matches |
Profile |
Security profile that traffic matches |
Virtual System |
Virtual system that generates the traffic |
CLI
The following is an example of a content log (URL filtering).
URL/4/FILTER(l): The URL filtering policy was matched.(SyslogId=100, VSys="vsys_1", Policy="rule_1", SrcIp=192.168.0.100, DstIp=172.16.10.100, SrcPort=6096, DstPort=80, SrcZone=trust, DstZone=untrust, User="user_1", Protocol=TCP, Application="HTTP", Profile="profile_l", Type=Blacklist, EventNum=1, Category="none", SubCategory="none", Page="/", Host="www.sina.com", Referer="www.baidu.com", Item="www.sina.com", Action=Block)
The following table lists the fields in a content log.
Field |
Description |
|---|---|
syslog-id |
Log ID |
vsys-name |
Name of the virtual system |
policy-name |
Name of a security policy |
source-ip-address |
Source IP address of packets |
destination-ip-address |
Destination IP address of packets |
source-port |
Source port of packets |
destination-port |
Destination port of packets |
source-zone |
Source security zone of packets |
destination-zone |
Destination security zone of packets |
user-name |
User name |
protocol |
Protocol name |
application-name |
Application name |
profile-name |
Profile name |
type |
Matched rule types as defined in a URL filtering profile. The types are as follows:
|
event-number |
Number of merged events |
category |
Matched the URL predefined category |
sub-category |
Matched the URL predefined sub-category |
page |
Page field in the URL, that is, the path and parameter information other than the domain name. For example: "/news/edu.aspx?name=tom&age=20" in http://www.example.com:8088/news/edu.aspx?name=tom&age=20. For security reasons, the value of the page field is replaced by *. For security reasons, the value of the page field is replaced by *. |
host |
Name of the target host |
referer |
Domain name in the referer field of an HTTP request |
item |
A matched user-defined rule, such as a whitelist rule, blacklist rule, referer-host rule, user-defined category rule, or a rule manually added to a predefined category. This parameter is blank when a predefined rule, the timeout action, Google account control, or the default action is matched. |
action |
Action defined in the URL filtering profile. Possible actions are as follows:
|