A URL filtering profile defines actions for URLs that match the blacklist, whitelist, user-defined categories, and predefined categories to allow or block access to these URLs. A remote query server is required to use the remote query function.
URL filtering includes global configuration and URL filtering profile configuration.
By default, the country where the FW resides is not set.
This item must be set when Query Mode of the URL remote query service is set to Remote. If the country information is not configured or the configuration information is inconsistent with the actual location of the FW, the URL remote query service is unavailable.
| Parameter | Description |
|---|---|
| Query Mode | Query mode, which is determined by the deployment location of dispatch servers: |
| Scheduling Center | Domain name of the scheduling center, namely, sec.huawei.com. When Query Mode is Remote, the parameter is displayed and does not need to be set. |
| Local Server Address | IP address of the dispatch server. When Query Mode is Local, the parameter is mandatory. Otherwise, the remote query service is unavailable. |
| Port | Port of the dispatch server. When Query Mode is Local, the parameter is displayed. The default value is 12612. |
| Parameter | Description |
|---|---|
| Timeout | Remote query timeout period. Note the following points when setting the remote query timeout period: The default timeout period is 3 seconds. |
| Action upon Timeout | Actions for a query timeout are as follows: The default action for the predefined category query timeout is Allow. |
| Timeout period for malicious URLs | If malicious URL detection is enabled in the URL filtering profile, you can set a timeout period for malicious URLs. The URLs are automatically deleted after the timeout period expires. The default value is 10080 minutes. |
| URL reputation hotspot upgrade function | Enables the URL reputation hotspot upgrade function. By default, this function is disabled. If the function is enabled in the URL filtering profile, the device can rapidly obtain the latest URL reputation data from the cloud and block access to untrusted URLs in a timely manner. You can also configure how often the URL reputation hotspot database is updated. By default, it is updated every 5 minutes. |
| Encrypted traffic consistency check | Enables the encrypted traffic consistency check. By default, this function is disabled. When it is enabled, the FW extracts the target website domain name (HOST) during TLS negotiation from three places: the ServerName field in the ClientHello packet of the client, and the Common Name and Subject Alternative Name fields in the Certificate packet of the server. The FW then verifies the three values. If the verification succeeds, the FW performs URL filtering. If the verification fails, the FW blocks the traffic directly as abnormal packets. |
| Google account control | Some enterprises want employees to log in to Google services only with specified enterprise accounts, not with personal accounts. To achieve this, configure the Google account control function on the FW. For example, an enterprise requires that employees log in to Google services only with an enterprise account ending with example.com. After the Google account control function is enabled, the login succeeds if the employee uses an account ending with example.com and fails if the employee uses a personal account. |
| Google account control: Name | Enter the name of a Google account control policy. |
| Google account control: Description | Enter the description of a Google account control policy. A proper description helps the administrator understand the policy and makes Google account control policies easier to select, search for, and maintain. |
| Google account control: HTTP header | The parameter cannot be changed. Currently, the value of the parameter is X-GoogApps-Allowed-Domains. |
| Google account control: Domain name list | Add domain names to a Google account control policy. |
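The encrypted traffic consistency check described above compares the client's ServerName with the names in the server certificate. The following Python sketch is an added example, not Huawei code: the page does not state the FW's matching rule, so the rule used here (the ServerName must be covered by the Common Name or a Subject Alternative Name entry, with a wildcard allowed only as the left-most label) is an assumption, and the handshake values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _labels(name: str) -> List[str]:
    return name.strip().rstrip(".").lower().split(".")


def name_matches(pattern: str, host: str) -> bool:
    """Certificate-name match; '*' may only be the whole left-most label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


@dataclass
class Handshake:
    sni: Optional[str]                 # ServerName field of the ClientHello
    common_name: Optional[str]         # Common Name of the server certificate
    san_dns: List[str] = field(default_factory=list)  # Subject Alternative Name


def consistency_check(hs: Handshake) -> Tuple[bool, str]:
    """Assumed rule: the ServerName must be covered by the CN or a SAN entry."""
    if not hs.sni:
        return False, "no ServerName in ClientHello"
    cert_names = list(hs.san_dns) + ([hs.common_name] if hs.common_name else [])
    for name in cert_names:
        if name_matches(name, hs.sni):
            return True, "ServerName covered by " + name
    return False, "ServerName not covered by CN or SAN"


def host_for_url_filtering(hs: Handshake) -> Optional[str]:
    """Host to filter on if the check passes; None means block as abnormal."""
    ok, _ = consistency_check(hs)
    return hs.sni.lower() if ok else None


# Constructed handshakes, not captured traffic.
CONSISTENT = Handshake("www.example.com", "example.com",
                       ["example.com", "www.example.com"])
WILDCARD = Handshake("mail.example.com", "*.example.com")
MISMATCH = Handshake("www.example.com", "other.example.net", ["other.example.net"])
```
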
| Parameter | Description |
|---|---|
| Name | Name of the URL filtering profile. |
| Description | Description of the URL filtering profile. The description helps you understand the functions of the URL filtering profile and maintain this profile. |
| Filter Encrypted Traffic | Enables encrypted traffic filtering. By default, the function is disabled. For HTTPS traffic, the FW can implement URL filtering only after encrypted traffic filtering or SSL-encrypted traffic detection is configured. |
| Default Action | If the URL does not match any blacklist, whitelist, or URL category in the local cache and the remote query function for predefined categories is unavailable, the FW takes the default action, which is Allow, Alert, or Block. |
| Malicious URL Detection | Enables malicious URL detection and URL reputation detection. By default, malicious URL detection and URL reputation detection are disabled. Configuring the remote query service for the FW enhances its capability in malicious URL detection. When the FW blocks access to a malicious URL, a web push page is displayed in the user's browser. Push Information can be edited on the FW. |
| Whitelist | The FW looks up the URLs or domain names in the whitelist for the resolved URL. If a match is found, the FW permits the URL request. |
| Blacklist | The FW looks up the URLs or domain names in the blacklist for the resolved URL. If the URL matches the blacklist, the FW blocks the request and pushes a specific web page to the user's browser. |
| URL | Whitelisted or blacklisted URL. |
| Host | Whitelisted or blacklisted domain name. |
| URL Filtering Level | The URL filtering level is High, Medium, Low, or User-defined. After you select High, Medium, or Low, the system sets an initial action for each predefined category. For the Allow action, you can determine whether to set Re-marked DSCP. High is the strictest level and Low is the loosest. NOTE: The URL filtering level takes effect only on predefined categories. That is, selecting the URL filtering level does not change the actions for user-defined categories, and setting the actions for user-defined categories does not change the URL filtering level. The actions for user-defined categories must be manually configured by the administrator. The default action is Allow. If the action of the URL category that a URL request matches is Block, the visitor's browser displays a web push page. Push Information can be edited on the FW. NOTE: You can also create a user-defined URL category by clicking Add URL Category next to User-defined Category. |
| Re-marked DSCP | If the action of a specific URL category is Allow, you can set Re-marked DSCP for the URL category so that other devices can process the traffic of different URL categories differently based on their DSCP values. |
| Advanced Settings: Safe Search | Enables safe search. The function is disabled by default. Safe search on a search engine is turned on by adding the safe search tag to the URL in the search request, which enables filtering of search results. The administrator can use the safe search function of the FW to enable safe search for all Internet access users and so regulate Internet access behavior. After safe search is enabled on the FW, it is enforced for Bing, Google, Yahoo, Yandex, and YouTube. The FW filters search results whenever users search with these engines. |
| Advanced Settings: Action Mode | If a URL belongs to multiple categories, the FW takes an action based on the action mode. |
| Advanced Settings: Whitelist mode | Enables URL filtering that supports only the whitelist mode. By default, this function is disabled. After it is enabled, a data flow that matches a whitelist rule is permitted, and a data flow that does not match any whitelist rule is blocked. |
| Advanced Settings: Google Account Control | Reference a Google account control policy that has been created, or create one. Some enterprises want employees to log in to Google services only with specified enterprise accounts, not with personal accounts. To achieve this, configure the Google account control function on the FW. For example, an enterprise requires that employees log in to Google services only with an enterprise account ending with example.com. After the Google account control function is enabled, the login succeeds if the employee uses an account ending with example.com and fails if the employee uses a personal account. |
| Advanced Settings: Whitelist for Nested Links | Generally, a main web page contains links to other web pages. If only the main web page is added to the whitelist, the web pages embedded in it cannot be accessed. For example, if only www.example.com is configured as a whitelist rule, web pages that are embedded in www.example.com but do not use www.example.com as the domain name are inaccessible. You can add such embedded web pages to the whitelist one by one, but this method is complex. Instead, you can enable the whitelist function for embedded web pages. This function matches the referer field in a user's HTTP request against the whitelist for embedded web pages. If the referer field matches, the user can access the web page. Therefore, if a whitelist for embedded web pages is configured for a web page, users can access the web pages embedded in it, which simplifies the configuration. |
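How the whitelist, the whitelist for nested links, whitelist mode, the blacklist and the default action can combine for one request is shown in the following Python model. It is an added example, not Huawei code: the exact-host matching, the evaluation order and all names are assumptions, category lookup is left out (the case where no category matches and remote query is unavailable), and the profile and URLs are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def host_of(value: Optional[str]) -> str:
    """Lower-cased host of a URL or bare host name; '' when absent."""
    if not value:
        return ""
    parts = urlsplit(value if "//" in value else "//" + value)
    return (parts.hostname or "").lower()


@dataclass
class Profile:
    whitelist: List[str] = field(default_factory=list)
    blacklist: List[str] = field(default_factory=list)
    nested_whitelist: List[str] = field(default_factory=list)
    whitelist_mode: bool = False
    default_action: str = "allow"      # Allow, Alert, or Block


def decide(profile: Profile, url: str,
           referer: Optional[str] = None) -> Tuple[str, str]:
    """Return (action, reason). Exact host matching and this evaluation
    order are assumptions; category lookup is left out."""
    host, ref = host_of(url), host_of(referer)
    if host and host in profile.whitelist:
        return "allow", "whitelist"
    # The referer field is a header sent by the client with the request.
    if ref and ref in profile.nested_whitelist:
        return "allow", "whitelist for nested links"
    if profile.whitelist_mode:
        return "block", "whitelist mode"
    if host in profile.blacklist:
        return "block", "blacklist"
    return profile.default_action, "default action"


# Constructed profile and requests.
PROFILE = Profile(whitelist=["www.example.com"],
                  blacklist=["bad.example.net"],
                  nested_whitelist=["www.example.com"])
PAGE = "http://www.example.com/index.html"
EMBEDDED = "http://static.example.org/app.js"
```
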
The configuration does not take effect immediately after you create or modify the profile. You must click Commit on the upper right of the interface to apply the configuration. To save time, you can commit the configuration after all operations on the profile are complete.