Application and URL Filtering - Advanced Settings

What can I do here?

Use this window to configure general settings for the Application and URL Filtering Software Blade. These are global settings that apply to all Security Gateways with Application and URL Filtering enabled.

Getting Here

Manage & Settings > Blades > Application and URL Filtering > Advanced Settings > General

Advanced Settings on a SmartConsole connected to a Multi-Domain Server

Note - When you open Manage & Settings > Blades > Application and URL Filtering > Advanced Settings from a SmartConsole connected to a Multi-Domain Server, only this section shows.

Services

Web Browsing

Fail Mode

You can select the enforcement option to use if the Application and URL Filtering engine fails during inspection.

To select the enforcement option

  1. Go to Manage & Settings > Blades > Application and URL Filtering > Advanced Settings.
  2. In the Application Settings window, select one option:
    • Allow all requests (fail-open) - All traffic is allowed.
    • Block all requests (fail-close) - All traffic is blocked (default).

URL Filtering

In this section of the Application Settings window, you can enable these URL Filtering features:

Categorize HTTPS sites

This option lets Application and URL Filtering assign categories to HTTPS sites without activating HTTPS inspection. It assigns a site category based on its domain name and whether the site has a valid certificate. If the server certificate is:

Application and URL Filtering uses these pages (in the SmartConsole Manage & Settings tab > Blades > HTTPS Inspection > Configure in SmartDashboard) to make sure that a certificate is valid:

Manual category assignment settings

You can manually configure category assignment for HTTPS sites based on the domain name. Change these properties in GuiDBedit Tool (see sk13009) or dbedit (see sk13301):

Value - Description

  • False - The Security Gateway listens for SSL signatures on all ports.
  • True:
    • The Security Gateway listens for SSL signatures only on those ports specified by the enc_http services property.
    • By default, enc_http services specifies only port 443.
    • To add new enc_http services to a port, create a new service in SmartConsole.

The maximum period of time allowed to get a domain name from a certificate. After this time period, Application and URL Filtering uses the IP address to assign a category. The default value is 10 seconds. We do not recommend that you change this internal value.

Enforce safe search in search engines

Select this option to require use of the safe search feature in search engines. When activated, the URL Filtering Policy uses the strictest available safe search option for the specified search engine. This option overrides user specified search engine options to block offensive material in search results.

Categorize cached pages and translated pages in search engines

Select this option to assign categories to cached search engine results and translated pages. When this option is selected, Application and URL Filtering assigns categories based on the original Web site instead of the 'search engine pages' category.

Connection Unification

Application and Web site traffic generates a large quantity of logs. To make logs manageable, Application and URL Filtering consolidates logs by session. A session is a period that starts when the user first connects to an application or site. The Security Gateway generates one log entry for each application or site accessed during the session. All actions that occur during the session are included in the log.

To change the length of a session:

  1. Go to Manage & Settings > Blades > Application and URL Filtering > Advanced Settings.
  2. In the Application Settings window:
    • For applications and sites that are allowed in a Rule Base, the default session is three hours (180 minutes). To change this, click Session Unification Timeout and enter a different value, in minutes.
    • For applications and sites that are blocked in the Rule Base, the default session is 30 seconds. You cannot change this setting.
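How the two session lengths above turn many connections into few log entries, as an added illustration that is not Check Point code. The function `unify`, the sample data, and the fixed-window session model (a window opens at the first connection and closes when the timeout elapses) are assumptions.

```python
from datetime import datetime, timedelta

# Defaults stated on this page: 180 minutes for allowed traffic, 30 seconds for blocked.
ALLOWED_TIMEOUT = timedelta(minutes=180)
BLOCKED_TIMEOUT = timedelta(seconds=30)


def unify(connections, allowed_timeout=ALLOWED_TIMEOUT):
    """Collapse (time, user, app, action) connections into one log entry per session.

    Assumption: a session is a fixed window that opens at the first connection
    from a user to an application and closes when the timeout elapses.
    """
    open_sessions = {}  # (user, app, action) -> the entry currently being filled
    entries = []
    for ts, user, app, action in sorted(connections):
        # Only the allowed-traffic timeout is configurable; blocked stays at 30 s.
        timeout = allowed_timeout if action == "allow" else BLOCKED_TIMEOUT
        key = (user, app, action)
        entry = open_sessions.get(key)
        if entry is None or ts - entry["start"] >= timeout:
            entry = {"start": ts, "user": user, "app": app,
                     "action": action, "connections": 0}
            open_sessions[key] = entry
            entries.append(entry)
        entry["connections"] += 1
    return entries


def sample_connections():
    """Constructed sample data, not real gateway output."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    m, s = timedelta(minutes=1), timedelta(seconds=1)
    return [
        (t0,           "alice", "Webmail",     "allow"),
        (t0 + 20 * m,  "alice", "Webmail",     "allow"),
        (t0 + 170 * m, "alice", "Webmail",     "allow"),
        (t0 + 200 * m, "alice", "Webmail",     "allow"),  # past 180 min: new entry
        (t0,           "bob",   "FileSharing", "block"),
        (t0 + 10 * s,  "bob",   "FileSharing", "block"),
        (t0 + 45 * s,  "bob",   "FileSharing", "block"),  # past 30 s: new entry
    ]


if __name__ == "__main__":
    for e in unify(sample_connections()):
        print(e["start"], e["user"], e["app"], e["action"], e["connections"])
```

Lowering the allowed-traffic timeout raises log volume: in this model the same seven connections produce four entries at the default and six at a 15-minute timeout.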

Application Control Web Browsing Services

Application Control Web browsing services are the services that match a Web-based custom Application/Site.

These are the default Application Control Web browsing services:

Other services, such as SSH, are not matched.

To add to the list of services that match Web applications:

  1. Go to Manage & Settings > Blades > Application and URL Filtering > Advanced Settings.
  2. In the Application and URL Filtering Settings window:
    1. Click the add icon to open the list of services.
    2. Select a service.

Application Port Match

Match Web application on ‘Any’ port when used in Block rule - By default, this is selected, and applications are matched on all services when used in a Block rule.

Web Browsing

If you do not enable URL Filtering on the Security Gateway, you can use a generic Web browser application called Web Browsing in the rule.

This application includes all HTTP traffic that is not a defined application. Because Web Browsing traffic can generate many logs, the Web browsing application has its own activation setting.

Application and URL Filtering assigns Web Browsing as the default application for all HTTP traffic that does not match an application in the Application and URL Filtering Database. The Web Browsing application is activated by default.

If you deactivate the Web browsing application:

To deactivate the Web Browsing application:

  1. Go to Manage & Settings > Blades > Application and URL Filtering > Advanced Settings.
  2. Deselect Enable web browsing logging and policy enforcement.

HTTP Inspection

Enable HTTP inspection on non-standard ports for application and URL filtering - Applications that use HTTP normally send the HTTP traffic on TCP port 80. Some applications also send HTTP traffic on other ports.

By default, the Application and URL Filtering Software Blades inspect HTTP traffic on non-standard ports.

You can configure the Application and URL Filtering Software Blades to only inspect HTTP traffic on port 80.

Compatibility with R75 and R75.10 Gateway Settings

These settings are for compatibility with Security Gateway versions earlier than R75.20: