topic URLF / APCL Whitelisting in Firewall and Security Management

URLF / APCL Whitelisting

G_W_Albrecht — Thu, 08 Feb 2018 15:57:09 GMT

A customer wanted to allow his clients access to all sites needed by whitelisting (R77.30). He uses URLF / APCL blade, but no https inspection, so all he can do is let the blade categorize https sites. But he does not want to Allow any URLF Categories!

Using Custom Categories for overriding URLF category to create exception does not work, because Custom Categories only can be used in URLF / APCL rulebase and is not available for "Overriding URLF category" that only shows the pre-defined categories. Otherwise, it would be possible to first create a new category and then overide the URLF categorization with this category for the sites to be whitelisted. Then he could allow the sites by allowing the new category (=RFE).

So he had to follow this procedure for site exceptions suggested by CP:

1. Create one custom application with all the URLs that you need allow or different custom applications for each needed URL

2. Add the created application to "allow" rule on top of rule base

3. Add "DNS protocol" and "SSL protocol" services to the same rule (we have to allow them in case a custom application is used).

4. Install policy.

This solution will work even if HTTPS inspection is disabled.

Re: URLF / APCL Whitelisting

Vladimir — Thu, 08 Feb 2018 16:10:13 GMT

Guenther,

Can you expand on the "3 different custom applications for each URL"?

Thank you,

Vladimir

Re: URLF / APCL Whitelisting

Marco_Valenti — Fri, 09 Feb 2018 08:04:50 GMT

why not using a regex for those site and assign to a custom categorie and put the categorie in an allow rule at the top? probably I am missing something

Re: URLF / APCL Whitelisting

G_W_Albrecht — Fri, 09 Feb 2018 08:11:30 GMT

Hi,

call it a typo 😉 Here, customer has two URLs that could have been whitelisted by IP address and one that had to use DNS resolving (collaboration site). That gave three...

Re: URLF / APCL Whitelisting

G_W_Albrecht — Fri, 09 Feb 2018 08:18:46 GMT

regex is good if you are 😉 I have seen strange side effects with regex created by people without very much experience and in analysis learned that pattern matching is not really that easy. So this seems much more appropriate as the customer can add more URLs if needed without risk of bad regex .

Re: URLF / APCL Whitelisting

Hiep_Bui — Fri, 18 Jan 2019 07:46:47 GMT

Hello Günther,
I am searching for a solution of allowing specific youtube videos but blocking youtube and found this post.
Can you please explain in more details step 3 - "Add "DNS protocol" and "SSL protocol" apps to the same rule"?
My current situation: Mgmt & gateway in R80.20, I have a rule with:
- source: some IP addresses
- destination: any
- app & services: a list of youtube videos that I want to allow.

When I tried to go to a youtube video in the allowed list, it doesnot match with my rule but blocked by the next rule that blocks Youtube.
thanks,
Hiep.

Re: URLF / APCL Whitelisting

G_W_Albrecht — Fri, 18 Jan 2019 08:30:32 GMT

Thank you, i have corrected that to services !

Re: URLF / APCL Whitelisting

Hiep_Bui — Mon, 21 Jan 2019 07:54:59 GMT

Hi Gunther,

I understood that you meant "services". I was actually asking you how the rules looked like.

(my current issue is I am not able to allow some specific youtube videos but block all others; or similarly, block a category of a site but allow other categories of the same site, for example: block https://www.bbc.com/sport but allow https://www.bbc.com as well as other categories of bbc.com)

Thanks,

Hiep.

Re: URLF / APCL Whitelisting

G_W_Albrecht — Mon, 21 Jan 2019 10:10:01 GMT

I would suggest to create custom apps for the URLs and add them to the rulebase, but this will need to have https inspection enabled - else it will be impossible to block https://www.bbc.com/sportbut not https://www.bbc.com.

Re: URLF / APCL Whitelisting

RKinsp — Mon, 05 Jun 2023 20:03:09 GMT

Hello! Sorry to bring up such an old topic, but I am curious as to how this is working. In theory, without HTTPS inspection, the only time the URL is "seen" is during DNS resolution. Is this getting blocked at the DNS resolutions stage, much like a DNS query filter would work?

I ask because I have a similar demand to block specific URLs without HTTPS inspection, however with the additional challenge that some domains user the same wildcard certificate and have the same destination IP.

Thanks in advance,

Re: URLF / APCL Whitelisting

Timothy_Hall — Mon, 05 Jun 2023 20:57:00 GMT

No the site name (SNI) is included in the Client Hello sent by the browser and that happens in the clear. There is also a site name (subject) as part of the web server's certificate which is also sent before encryption starts. However if these values are not truly indicative of where the user will end up, once encryption starts there is no way to see what happens after that without HTTPS Inspection.

Re: URLF / APCL Whitelisting

RKinsp — Mon, 05 Jun 2023 21:02:41 GMT

Thanks Timothy! BTW, big fan of your book.

In this case, if the SNI will does not help, is there any way to block the DNS query?

I realize it does not provide security, since a user could simply type the direct IP, but this is more of a control issue than security.

I figured the Custom Application Tool would be a way however I can no longer find the download for it (link in the SK is dead). I'm guessing it has been discontinued.

Re: URLF / APCL Whitelisting

Timothy_Hall — Mon, 05 Jun 2023 21:36:44 GMT

You could just define a domain object matching the undesirable site then use it in a Drop rule, however this wouldn't affect the DNS lookup traffic: sk120633: Domain Objects in R8x. Although I still am hesitant about recommending the use of domain objects due to some bad prior experiences, even though domain objects were revamped in R80.

From the DNS end you could define a custom Threat Prevention Indicator for the Anti-virus or Anti-bot blades to match that site name, and block it that way. If you do the Indicator for Anti-bot, I'm not completely sure if the offender would get caught by the Malware DNS trap in that instance or not.