What can I do here?
Use this window to configure general settings for the Application and URL Filtering Software Blade. These are global settings that apply to all Security Gateways with Application and URL Filtering enabled.
Getting Here - Manage & Settings > Blades > Application and URL Filtering > Advanced Settings > General
Note - When you open Manage & Settings > Blades > Application and URL Filtering > Advanced Settings from a SmartConsole connected to a Multi-Domain Server, only this section shows.
You can select the enforcement option to use if the Application and URL Filtering engine fails during inspection.
To select the enforcement option
In this section of the Application Settings window, you can enable these URL Filtering features:
Categorize HTTPS sites
This option lets Application and URL Filtering assign categories to HTTPS sites without activating HTTPS inspection. It assigns a site category based on its domain name and whether the site has a valid certificate. If the server certificate is:
Application and URL Filtering uses these pages (in the SmartConsole Manage & Settings tab > Blades > HTTPS Inspection > Configure in SmartDashboard) to make sure that a certificate is valid:
Note: If your company issues certificates, you must add your company CA to the list of Trusted CAs.
Important
Manual category assignment settings
You can manually configure category assignment for HTTPS sites based on the domain name. Change these properties in GuiDBedit Tool (see sk13009) or dbedit (see sk13301):
urlf_ssl_cn_enc_http_services_only
| Value | Description |
|---|---|
| False | The Security Gateway listens for SSL signatures on all ports. |
| True | |
urlf_ssl_cn_max_server_hello_size
The maximum certificate size in bytes.
urlf_ssl_cn_wstlsd_ttl
The maximum period of time allowed to get a domain name from a certificate. After this time period, Application and URL Filtering uses the IP address to assign a category. The default value is 10 seconds. We do not recommend that you change this internal value.
Enforce safe search in search engines
Select this option to require use of the safe search feature in search engines. When activated, the URL Filtering Policy uses the strictest available safe search option for the specified search engine. This option overrides user specified search engine options to block offensive material in search results.
Categorize cached pages and translated pages in search engines
Select this option to assign categories to cached search engine results and translated pages. When this option is selected, Application and URL Filtering assigns categories based on the original Web site instead of the 'search engine pages' category.
Application and Web site traffic generates a large quantity of logs. To make logs manageable, Application and URL Filtering consolidates logs by session. A session is a period that starts when the user first connects to an application or site. The Security Gateway generates one log entry for each application or site accessed during the session. All actions that occur during the session are included in the log.
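The following sketch models session-based consolidation as described above, to show how many raw actions can sit behind a single log entry. It is an added example, not Check Point code: the 3-hour session length, the event fields, the sample events and the choice to track one session per user are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed session length; the page does not state a value.
SESSION_LENGTH = timedelta(hours=3)

# Constructed sample events: (timestamp, user, application or site, action)
EVENTS = [
    ("2024-01-10 09:00:00", "alice", "Facebook", "login"),
    ("2024-01-10 09:05:00", "alice", "Facebook", "post"),
    ("2024-01-10 09:30:00", "alice", "YouTube", "watch"),
    ("2024-01-10 11:59:00", "alice", "Facebook", "chat"),
    ("2024-01-10 12:10:00", "alice", "Facebook", "upload"),
    ("2024-01-10 09:10:00", "bob", "Facebook", "login"),
]

def consolidate(events, session_length=SESSION_LENGTH):
    """Return one log entry per (user, session, application)."""
    session_start = {}  # user -> start time of that user's current session
    entries = {}        # (user, session start, app) -> consolidated entry
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, app, action)
              for ts, user, app, action in events]
    for ts, user, app, action in sorted(parsed):
        start = session_start.get(user)
        # Fixed window: a new session opens at the first connection
        # seen after the previous session has expired.
        if start is None or ts - start >= session_length:
            start = session_start[user] = ts
        entry = entries.setdefault((user, start, app), {
            "user": user, "app": app, "session_start": start,
            "first_seen": ts, "last_seen": ts, "actions": []})
        entry["last_seen"] = ts
        entry["actions"].append(action)
    return list(entries.values())

if __name__ == "__main__":
    for e in consolidate(EVENTS):
        print(e["user"], e["app"], e["session_start"], e["actions"])
```

When reviewing consolidated logs, the gap between `first_seen` and `last_seen` in this model shows why one entry can cover activity spread across the whole session rather than a single connection.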
To change the length of a session:
Application Control Web browsing services are the services that match a Web-based custom Application/Site.
These are the default Application Control Web browsing services:
http on port 80
https on port 443
HTTPS_proxy on port 8080
HTTP_proxy on port 8080
Other services, such as SSH, are not matched.
To add to the list of services that match Web applications:
Application Port Match
Match Web application on ‘Any’ port when used in Block rule - By default, this is selected, and applications are matched on all services when used in a Block rule.
If you do not enable URL Filtering on the Security Gateway, you can use a generic Web browser application called Web Browsing in the rule.
This application includes all HTTP traffic that is not a defined application. Because Web Browsing traffic can generate many logs, the Web Browsing application has its own activation setting.
Application and URL Filtering assigns Web Browsing as the default application for all HTTP traffic that does not match an application in the Application and URL Filtering Database. The Web Browsing application is activated by default.
If you deactivate the Web Browsing application:
To deactivate the Web Browsing application:
Enable HTTP inspection on non standard ports for application and URL filtering - Applications that use HTTP normally send the HTTP traffic on TCP port 80. Some applications send HTTP traffic on other ports also.
By default, the Application and URL Filtering Software Blades inspect HTTP traffic on non-standard ports.
You can configure the Application and URL Filtering Software Blades to only inspect HTTP traffic on port 80.
These settings are for compatibility with Security Gateway versions earlier than R75.20:
Optional: When you select the Unify connections option, this additional option is available: