
URL Filtering for HTTPS Traffic without the CA Certificate

This example shows how to apply URL filtering to HTTPS traffic without installing the CA certificate.

In this topology, the Hillstone device works as the gateway of an enterprise. ethernet0/0 connects to the Internet and belongs to the untrust zone. ethernet0/1 connects to the Intranet and belongs to the trust zone.

With the configured URL filtering rule, staff of the enterprise (network segment: 10.100.0.0/16) are prohibited from accessing shopping websites and the entertainment website https://www.bcd.com during working hours (09:00 to 18:00, Monday to Friday). The access and search attempts will be logged.

Preparation

Before configuring the URL filtering function, prepare the following first:

  1. Install the URL service license and reboot the device.
  2. Update the predefined URL database.

Configuration Steps

Step 1: Configure a schedule

Select Object > Schedule, and click New.

In the Schedule Configuration dialog:

  • Name: workday
  • Days: Click Add to add a periodic schedule.
  • Type: Days.
  • Days: Monday, Tuesday, Wednesday, Thursday, Friday
  • Start Time: 09:00
  • End Time: 18:00

Step 2: Configure the user-defined URL category named bcd that contains https://www.bcd.com

Select Object > URL Filtering, and select Configuration > User-defined URL DB at the top-right corner.

In the User-defined URL DB dialog, click New.

In the URL Category dialog:

  • Category: bcd
  • URL http(s)://: www.bcd.com
  • Click Add to add "https://www.bcd.com" and its category to the table.

Step 3: Configure the URL filtering rule named URLcontrol, and enable SSL Inspection

Select Object > URL Filtering, and click New.

In the URL Filtering Rule Configuration dialog:

  • Name: URLcontrol
  • Control Type: URL Category
  • SSL Inspection: Select the Enable check box to enable inspection of SSL negotiation packets.
  • Select the predefined URL category Shopping, and then select the Block check box and Log check box.
  • Select the user-defined URL category bcd, and then select the Block check box and Log check box.

Step 4: Bind the URL filtering rule to a policy rule

Select Policy > Security Policy, and click New.

In the Basic Configuration tab of the Policy Configuration dialog:

  • Name: policy1
  • Source Address: Select the address type IP/Netmask, type 10.100.0.0 and 16 into the IP and Netmask text boxes respectively, and click -> to add the address to the right pane.

In the Protection tab of the Policy Configuration dialog:

  • URL Filtering: Select the Enable check box.
  • Profile: Select the created URL filtering rule "URLcontrol" from the drop-down list.

In the Options tab of the Policy Configuration dialog:

  • Schedule: Select the schedule "workday" from the Schedule drop-down list.

Step 5: Result

After the configuration, move the configured rule to the highest priority so that traffic is matched against it first.

When the rule takes effect, during working hours, company staff cannot access shopping websites or the entertainment website "https://www.bcd.com". The system will log the access and search attempts.
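
Because no CA certificate is installed, the device never decrypts the session, so the hostname has to come from the cleartext SSL negotiation packets. The Python example below is added here for illustration and is not Hillstone's code: it assumes the name is read from the ClientHello server_name (SNI) extension, then applies this page's source segment, schedule and user-defined category bcd. The function names and the sample ClientHello are constructed for the example, and the predefined Shopping category is not modelled.

```python
import ipaddress, struct
from datetime import datetime

BLOCKED = {"www.bcd.com": "bcd"}                 # user-defined category (Step 2)
STAFF = ipaddress.ip_network("10.100.0.0/16")    # source address (Step 4)

def client_hello_sni(record: bytes):
    """Return the server_name in a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16:                    # not a handshake record
            return None
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if body[0] != 0x01:                      # not a ClientHello
            return None
        p = 4 + 2 + 32                           # handshake header, version, random
        p += 1 + body[p]                         # session id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher suites
        p += 1 + body[p]                         # compression methods
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
            if ext_type == 0:                    # server_name: list len, type, name len, name
                n = struct.unpack("!H", body[p + 7:p + 9])[0]
                return body[p + 9:p + 9 + n].decode("ascii").lower()
            p += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                     # truncated or malformed hello
    return None

def verdict(src_ip: str, record: bytes, ts: datetime):
    """Apply the page's rule: staff subnet + workday schedule + blocked category."""
    host = client_hello_sni(record)
    workday = ts.weekday() < 5 and 9 <= ts.hour < 18    # Mon-Fri, 09:00 to 18:00
    staff = ipaddress.ip_address(src_ip) in STAFF
    if staff and workday and host in BLOCKED:
        return ("block", host, BLOCKED[host])    # the device would also log this
    return ("permit", host, None)

def build_client_hello(host: str) -> bytes:
    """Constructed sample input: a minimal ClientHello with only an SNI extension."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(verdict("10.100.3.7", build_client_hello("www.bcd.com"), datetime(2024, 1, 8, 10, 30)))
```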