<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Hybrid whitelist/blacklist Policy in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/63592#M38243</link>
    <description>&lt;P&gt;You could just create a DNS black list on your DNS server that points somewhere else for all of those sites. Since it's an internal address, it won't hit your firewall.&lt;/P&gt;</description>
    <pubDate>Tue, 25 Aug 2015 12:52:45 GMT</pubDate>
    <dc:creator>murphyj</dc:creator>
    <dc:date>2015-08-25T12:52:45Z</dc:date>
    <item>
      <title>Hybrid whitelist/blacklist Policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/39410#M28919</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I played around on our lab FW a bit but couldn't get this working. Here are my objectives:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Create a "White List" custom URL category that allows only a handful of web sites. (Working with URL Filtering profile.)&lt;/P&gt;&lt;P&gt;- Log all permits. (Working. I got this by setting Action to alert.)&lt;/P&gt;&lt;P&gt;- Create a "Black List" custom URL category that denies a bunch of "noisy" URLs without logging.&lt;/P&gt;&lt;P&gt;- Log all other denies. (Working. I got this at the very end of my rules.)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The goal is to create a log-noise-reducing rule so I can see the denies that matter to me. I have tried several variations of rules and defining a separate URL policy. So far not much luck. Any tips for accomplishing this?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Oct 2013 22:23:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/39410#M28919</guid>
      <dc:creator>russ.starr</dc:creator>
      <dc:date>2013-10-09T22:23:29Z</dc:date>
    </item>
    <item>
      <title>Re: Hybrid whitelist/blacklist Policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/39411#M28920</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;When you look at your traffic log, there is a column that shows the rule that is being hit. Do you see your Black List rule listed or is that rule being missed and it's instead hitting the bottom rule?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Generally, this should work the way you mention. The one caveat I can think of is the URL filtering logs. Those logs will show up no matter what, as a deny is a log action. There is no concept of denying a URL category and not logging it to the URL filtering rules. You may be able to get this to work by not using the URL filtering profile and instead selecting the categories in the rule itself with a deny action and unchecking the logging options on that rule, but I have not tried doing so yet.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps,&lt;/P&gt;&lt;P&gt;Greg&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Oct 2013 23:27:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/39411#M28920</guid>
      <dc:creator>gwesson</dc:creator>
      <dc:date>2013-10-09T23:27:52Z</dc:date>
    </item>
    <item>
      <title>Re: Hybrid whitelist/blacklist Policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/39412#M28921</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello, if you put a security rule with the black list on top, without the log option, it should avoid too many logs.&lt;/P&gt;&lt;P&gt;E.g. create a custom category with the black list as custom-deny-no log.&lt;/P&gt;&lt;P&gt;Add a security rule to block traffic with the custom category and put it on top.&lt;/P&gt;&lt;P&gt;&lt;IMG __jive_id="9017" alt="1-.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9017_1-.PNG.png" style="width: 620px; height: 344px;" /&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Oct 2013 23:30:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/39412#M28921</guid>
      <dc:creator>ukhapre</dc:creator>
      <dc:date>2013-10-09T23:30:16Z</dc:date>
    </item>
    <item>
      <title>Re: Hybrid whitelist/blacklist Policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/39413#M28922</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you both for your responses.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I added a line that precedes my URL Whitelist Policy line; it is a blacklist line like you indicated. It has a custom URL category defined, denies traffic, and is set to not log.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am passing traffic through and it is getting denied; however, it gets logged and never gets matched by the rule I created. I'm still troubleshooting, but source/dest zone and IP (any), category, application/service, and everything _should_ be matching it.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 10 Oct 2013 20:08:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/39413#M28922</guid>
      <dc:creator>russ.starr</dc:creator>
      <dc:date>2013-10-10T20:08:46Z</dc:date>
    </item>
    <item>
      <title>Re: Hybrid whitelist/blacklist Policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/39414#M28923</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Probably the quickest workaround for my situation is to add the following expression to my log viewing:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;CODE&gt;( category neq 'URL Blacklist' )&lt;/CODE&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I think I can deal with that for now. Deny with no log would be icing on the cake, but unless someone has a quick fix I'll leave it at that.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 10 Oct 2013 20:23:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/39414#M28923</guid>
      <dc:creator>russ.starr</dc:creator>
      <dc:date>2013-10-10T20:23:38Z</dc:date>
    </item>
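The two checks discussed in the posts above, applied in bulk to an exported traffic log, as an added example that is not part of the original thread or of any Palo Alto Networks tooling: the log-viewer filter ( category neq 'URL Blacklist' ) restricted to denies, the "which rule did this deny hit" check from gwesson's reply, and a third query that isolates exactly the symptom russ.starr reports (blacklist-category traffic denied and logged by the catch-all rule instead of the no-log blacklist rule). The CSV column layout, the rule names Deny-Blacklist-NoLog, Allow-Whitelist and Deny-All-Log, and every log line are constructed for this example; a real export has many more columns, so map the field names to your own header.

```python
"""Triage PAN-OS traffic-log denies the way the thread suggests: drop the
noisy 'URL Blacklist' category from view, and check which rule each deny
actually hit. The log lines below are constructed for this example (a
minimal CSV export with only the columns we need), not real firewall output."""

import csv
from collections import Counter
from io import StringIO

# Constructed sample export: receive_time,rule,action,category,src,dst,app
SAMPLE_LOG = """\
receive_time,rule,action,category,src,dst,app
2013/10/10 13:01:02,Deny-Blacklist-NoLog,deny,URL Blacklist,10.1.1.5,203.0.113.10,web-browsing
2013/10/10 13:01:05,Deny-All-Log,deny,URL Blacklist,10.1.1.7,203.0.113.11,web-browsing
2013/10/10 13:01:09,Deny-All-Log,deny,unknown,10.1.1.9,198.51.100.4,ssl
2013/10/10 13:02:14,Allow-Whitelist,allow,URL Whitelist,10.1.1.5,198.51.100.20,web-browsing
2013/10/10 13:02:20,Deny-All-Log,deny,malware,10.1.1.12,198.51.100.30,web-browsing
2013/10/10 13:03:01,Deny-All-Log,deny,URL Blacklist,10.1.1.7,203.0.113.11,web-browsing
"""

NOISE_CATEGORY = "URL Blacklist"              # the custom category named in the thread
EXPECTED_NOISE_RULE = "Deny-Blacklist-NoLog"  # assumed name of the top no-log deny rule


def parse_log(text):
    """Parse a CSV traffic-log export into a list of dict rows keyed by header."""
    return list(csv.DictReader(StringIO(text)))


def denies_that_matter(rows, noise_category=NOISE_CATEGORY):
    """Equivalent of the log filter ( category neq 'URL Blacklist' ), restricted
    to denies: the entries the poster actually wants to review."""
    return [r for r in rows
            if r["action"] == "deny" and r["category"] != noise_category]


def deny_counts_by_rule(rows):
    """Which rule is each deny hitting? This is the 'look at the rule column'
    check from the second post, done over the whole export at once."""
    return Counter(r["rule"] for r in rows if r["action"] == "deny")


def misrouted_noise(rows, noise_category=NOISE_CATEGORY,
                    expected_rule=EXPECTED_NOISE_RULE):
    """Blacklist-category denies that were NOT matched by the no-log blacklist
    rule. Any hit here reproduces the symptom in the thread: the traffic is
    denied, but by the logging catch-all rule further down, so it still lands
    in the traffic log."""
    return [r for r in rows
            if r["action"] == "deny"
            and r["category"] == noise_category
            and r["rule"] != expected_rule]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("denies by rule:", dict(deny_counts_by_rule(rows)))
    for r in denies_that_matter(rows):
        print("deny worth reviewing:", r["rule"], r["category"], r["src"], "->", r["dst"])
    for r in misrouted_noise(rows):
        print("blacklist traffic logged by the wrong rule:", r["rule"], r["src"], "->", r["dst"])
```

On the constructed data, misrouted_noise returns the two Deny-All-Log hits for 203.0.113.11, which is the signal to compare the top rule's match criteria (zones, application, service, category) against what the catch-all rule saw; on a real export, an empty result from that function is what confirms the no-log rule is doing its job.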
    <item>
      <title>Re: Hybrid whitelist/blacklist Policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/63592#M38243</link>
      <description>&lt;P&gt;You could just create a DNS black list on your DNS server that points somewhere else for all of those sites. Since it's an internal address, it won't hit your firewall.&lt;/P&gt;</description>
      <pubDate>Tue, 25 Aug 2015 12:52:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/hybrid-whitelist-blacklist-policy/m-p/63592#M38243</guid>
      <dc:creator>murphyj</dc:creator>
      <dc:date>2015-08-25T12:52:45Z</dc:date>
    </item>
  </channel>
</rss>

