
Adjusting URL Filtering Parameters

This section describes how to adjust URL filtering parameters.

Operation

Command

Description

Enable encrypted traffic consistency check.

url-filter https-filter consistency-check enable

By default, the encrypted traffic consistency check function is disabled.

After the encrypted traffic consistency check is enabled, the FW extracts the target website domain name (HOST) during TLS negotiation from the ServerName field in the ClientHello packet of the client and from the Common Name and Subject Alternative Name fields in the Certificate packet of the server, and verifies the values of the three fields. If the verification succeeds, the FW performs URL filtering. If the verification fails, the FW directly blocks the traffic as abnormal packets.

Enable abnormal HTTP packet detection.

url-filter anti-bypass enable

By default, the abnormal HTTP packet detection function is disabled.

After you enable the abnormal HTTP packet detection function, the FW can detect abnormal HTTP packets, preventing attackers from evading URL filtering.

Adjust the timeout period of malicious URLs.

url-filter malicious cache aging-period aging-period-time

The default value is 10080 minutes.

If malicious URL detection is enabled in the URL filtering profile, you can set a timeout period for malicious URLs. The URLs will be automatically deleted after the timeout period expires.

Adjust the timeout period for remote URL category query and the action to be taken when the remote URL category query times out.

url-filter query timeout { time time | action { alert | allow | block } } *

By default, a remote URL query times out in 3 seconds, and the action is permit.

Adjust the aging time of the predefined URL category cache.

url-filter cache aging-period aging-period

By default, predefined URL categories in the cache are aged in 24 hours.

To ensure the effectiveness of predefined URL categories, the system periodically queries URL categories on a remote query server. The query interval can be adjusted using this command. If the category of a URL changes, the system updates the corresponding information in the cache.

Adjust the interval and time for backing up the predefined URL category cache to the predefined URL category database.

url-filter cache backup-period backup-period backup-time backup-time

By default, the backup interval is 7 days, and the backup time is 00:00.

Cached predefined URL categories can be periodically backed up to the predefined URL category database. When the device restarts, it automatically loads the latest predefined URL category database file, reducing self-learning workloads and improving detection efficiency.

Enable the URL filtering feedback function.

url-filter feedback enable

By default, URL filtering feedback is disabled.

After URL filtering feedback is enabled, the statistics on access to the predefined URL category database are fed back to a remote query server. The remote query server periodically sorts the data to optimize the URL category database.

Enable the high-performance URL filtering function.

url-filter high-performance mode enable

By default, the high-performance URL filtering function is disabled.

If only the URL filtering profile is configured in the security policy and the URL filtering function filters a large volume of HTTP/HTTPS traffic, you can run this command to enable the high-performance URL filtering function to improve the performance of URL filtering. After this function is enabled:
  • Non-HTTP/HTTPS traffic is directly permitted.
  • For HTTP/HTTPS traffic, the URL filtering function filters only the first URL extracted from each session and uses the filtering action for this URL as the action for the entire session.

Clone an existing URL filtering profile to create a new URL filtering profile.

profile type url-filter copy old-name [ new-name ]

You can create another profile by cloning an existing URL filtering profile and modifying it as required.

Rename an existing URL filtering profile.

rename old-name new-name

This command renames an existing URL filtering profile and displays the view of the new URL filtering profile.

Clone a predefined category.

url-filter category pre-defined copy subcategory-id new-name

You can create a user-defined URL category by cloning an existing predefined URL category and modifying it as required.

Clone a user-defined category.

url-filter category user-defined copy old-name [ new-name ]

You can create a user-defined URL category by cloning an existing user-defined URL category and modifying it as required.

Rename an existing user-defined URL category.

rename old-name new-name

This command renames an existing user-defined URL category and displays the view of the new user-defined URL category.

Create a new Google account control policy by cloning an existing Google account control policy.

web-apps-control type restrict-google-account copy old-name [ new-name ]

If a Google account control policy to be created has content similar to an existing one, you can create the Google account control policy by cloning the existing one.

Rename an existing Google account control policy.

rename old-name new-name

The command can be used to rename an existing Google account control policy and access the Google account control policy view.
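
The encrypted traffic consistency check described earlier on this page compares the ServerName from the ClientHello with the Common Name and Subject Alternative Name fields of the server certificate. The Python model below is an added example, not Huawei code and not the FW's documented algorithm. The function names name_matches and consistency_check, the matching rules (case-insensitive comparison, single-label wildcard, a missing ServerName fails) and the sample handshakes are assumptions made for illustration.

```python
# Added illustration: a model of an SNI/certificate consistency check.
# The matching rules below are assumptions, not the FW's documented logic.

def _norm(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.strip().lower().rstrip(".")

def name_matches(pattern, host):
    """Match host against an exact name or a single left-most '*' label."""
    pattern, host = _norm(pattern), _norm(host)
    if not pattern or not host:
        return False
    if pattern.startswith("*."):
        # A wildcard covers exactly one label: *.example.com matches
        # www.example.com, not example.com or a.b.example.com.
        suffix = pattern[1:]                      # ".example.com"
        head = host[: -len(suffix)]
        return host.endswith(suffix) and head != "" and "." not in head
    return pattern == host

def consistency_check(sni, common_name, subject_alt_names):
    """Return (verdict, host): 'filter' with the host to look up, or 'block'."""
    if not sni:
        return ("block", None)                    # assumed: no ServerName fails
    cert_names = list(subject_alt_names)
    if common_name:
        cert_names.append(common_name)
    if any(name_matches(n, sni) for n in cert_names):
        return ("filter", _norm(sni))             # hand HOST to URL filtering
    return ("block", None)                        # treated as abnormal packets

# Constructed sample handshakes: (ServerName, Common Name, SAN list).
SAMPLES = [
    ("www.example.com", "example.com", ["example.com", "*.example.com"]),
    ("allowed.example.org", "blocked.example.net", ["blocked.example.net"]),
    ("a.b.example.com", "*.example.com", ["*.example.com"]),
]

if __name__ == "__main__":
    for sni, cn, sans in SAMPLES:
        print(sni, "->", consistency_check(sni, cn, sans))
```

The second and third samples are blocked because the certificate does not cover the ServerName the client sent, which is the condition under which the description says traffic is dropped as abnormal packets instead of being passed to URL filtering.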

Copyright © Huawei Technologies Co., Ltd.