Application and URL Filtering - Advanced Settings

What can I do here?

Use this window to configure general settings for the Application and URL Filtering Software Blade. These are global settings that apply to all Security Gateways with Application and URL Filtering enabled.

Advanced Settings on a SmartConsole connected to a Multi-Domain Server

Note - When you open Manage & Settings > Blades > Application and URL Filtering > Advanced Settings from a SmartConsole connected to a Multi-Domain Server, only this section shows.

Services

Web Browsing

Fail Mode

You can select the enforcement option to use if the Application and URL Filtering engine fails during inspection.

To select the enforcement option

1. Go to Manage & Settings > blades > Application and URL Filtering > Advanced Settings.
2. In the Application Settings window, select one option:
   • Allow all requests (fail-open) - All traffic is allowed.
   • Block all requests (fail-close) - All traffic is blocked (default).

URL Filtering

In this section of the Application Settings window, you can enable these URL Filtering features:

• Categorize HTTPS sites (without activating HTTP inspection).
• Enforce safe search in search engines.
• Categorize cached pages and translated pages in search engines.

Categorize HTTP sites

This option lets Application and URL Filtering assign categories to HTTPS sites without activating HTTPS inspection. It assigns a site category based on its domain name and whether the site has a valid certificate. If the server certificate is:

• Trusted - Application and URL Filtering gets the domain name from the certificate and uses it to categorize the site.
• Not Trusted - Application and URL Filtering assigns a category based on the IP address.

Application and URL Filtering uses these pages (in the SmartConsole Manage & Settings tab > Blades > HTTPS Inspection > Configure in SmartDashboard) to make sure that a certificate is valid:

• Trusted CAs page - Makes sure the certificate is not stolen or revoked.

  Note: If your company issues certificates, you must add your company CA to the list of Trusted CAs.

• HTTPS Validation page - If the certificate is blacklisted, for example, it is not trusted and the site categorized according to its IP address.

  Important The Categorize HTTPS sites option does not run if HTTPS Inspection is enabled. Application and URL Filtering gets the site URL from the SSL CONNECT request sent to the proxy if: There is a proxy between the Firewall and the destination site or The Firewall is configured to work as a proxy

Manual category assignment settings

You can manually configure category assignment for HTTPS sites based on the domain name. Change these properties in GuiDBedit Tool (see sk13009) or dbedit (see skI3301):

• urlf_ssl_cn_enc_http_services_only

• urlf_ssl_cn_max_server_hello_size

  The maximum certificate size in bytes.

• urlf_ssl_cn_wstlsd_ttl

The maximum period of time allowed to get a domain name from a certificate. After this time period, Application and URL Filtering uses the IP address to assign a category. The default value is 10 seconds. We do not recommend that you change this internal value.

Enforce safe search in search engines

Select this option to require use of the safe search feature in search engines. When activated, the URL Filtering Policy uses the strictest available safe search option for the specified search engine. This option overrides user specified search engine options to block offensive material in search results.

Categorize cached pages and translated pages in search engines

Select this option to assign categories to cached search engine results and translated pages. When this option is selected, Application and URL Filtering assigns categories based on the original Web site instead of the 'search engine pages' category.

Connection Unification

Application and Web site traffic generate a large quantity of logs. To make logs manageable, Application and URL Filtering consolidates logs by session. A session is a period that starts when the user first connects to an application or site. The Security Gateway generates one log entry for each application or site accessed during the session. All actions that occur during are included in the log.

To change the length of a session:

1. Go to Manage & Settings > blades > Application and URL Filtering > Advanced Settings.
2. In the Application Settings window:
   • For applications and sites that are allowed in a Rule Base, the default session is three hours (180 minutes). To change this, click Session Unification Timeout and enter a different value, in minutes.
   • For applications and sites that are blocked in the Rule Base, the default session is 30 seconds. You cannot change this setting.

Application Control Web Browsing Services

Application Control Web browsing services are the services that match a Web-based custom Application/Site.

These are the default Application Control Web browsing services:

• http on port 80
• https on port 443
• HTTPS_proxy on port 8080
• HTTP_proxy on port 8080

Other services, such as SSH are not matched.

To add to the list of services that match Web applications:

1. Go to Manage & Settings > blades > Application and URL Filtering > Advanced Settings.
2. In the Application and URL Filtering Settings window:
   1. Click the add icon to open the list of services.
   2. Select a service.

Application Port Match

Match Web application on ‘Any’ port when used in Block rule - By default, this is selected, and applications are matched on all services when used in a Block rule.

Web Browsing

If you do not enable URL Filtering on the Security Gateway, you can use a generic Web browser application called Web Browsing in the rule.

This application includes all HTTP traffic that is not a defined application. Because Web Browsing traffic can generate many logs, the Web browsing application has its own activation setting.

Application and URL Filtering assigns Web Browsing as the default application for all HTTP traffic that does not match an application in the Application and URL Filtering Database. The Web Browsing application is activated by default.

If you deactivate the Web browsing application:

• Web Browsing in Access Control Policy rules is not enforced. For example, if you have a rule that blocks Web Browsing, traffic is allowed.
• No Web Browsing logs are generated.

To deactivate the Web Browsing application:

1. Go to Manage & Settings > blades > Application and URL Filtering > Advanced Settings.
2. Deselect Enable web browsing logging and policy enforcement.

HTTP Inspection

Enable HTTP inspection on non standard ports for application and URL filtering - Applications that use HTTP normally send the HTTP traffic on TCP port 80. Some applications send HTTP traffic on other ports also.

By default, the Application and URL Filtering Software Blades inspect HTTP traffic on non-standard ports.

You can configure the Application and URL Filtering Software Blades to only inspect HTTP traffic on port 80.

Compatibility with R75 and R75.10 Gateway Settings

These settings are for compatibility with Security Gateway versions earlier than R75.20:

• Unify connections from the same user/IP to a specific application into a single session/log
  • Select this to unify logs for all application traffic during a session into one log. This is the default.
  • Clear this to generate one log for each connection or activity during a session
• Issue a separate log per each domain accessed

  Optional: When you select the Unify connections option, this additional option is available:

  • When cleared, connections of the Web Browsing application from a user or IP address during a session are consolidated into one log record. This is the default.
  • When selected, connections of the Web Browsing application generate one log for each domain that a user or IP address browses to, for each session.