URL filtering https pages

L3 Networker

URL filtering https pages

I can’t seem to get this working. I’m trying to block BBC iPlayer but neither URL filtering nor App-ID does the job.

Do I need to enable SSL inspection to block https pages?

I have tried with httpvshttps.com for example and I can block the http version but not the https version.

L7 Applicator

Re: URL filtering https pages

URL filtering works even without TLS decryption. But without additional steps you will not be able to inject a response page.

Did you check the URL log when you open this BBC player website? There you should (depending on how the website is built) be able to identify the website that you need to block (with a custom URL category).

L3 Networker

Re: URL filtering https pages

The URL is:

bbc.co.uk/iplayer

If I go via http then it is blocked, the https version works. There are a number of URLs displayed in the URL Filtering log, none of which are bbc/iplayer.

The block page displays when browsing via non-https. How can I get this blocked when going via https and still display the block page?

L7 Applicator

Re: URL filtering https pages

@welly_59

This one is not possible without TLS decryption because the firewall sees only the FQDN (at best, but normally with a current browser). So for example if the URL would be iplayer.bbc.co.uk then blocking without decryption would work...

L3 Networker

Re: URL filtering https pages

I've imported a subordinate CA from our Windows Server and am now decrypting SSL. This is allowing me to block https sites as required.

Are there any drawbacks to me doing this?

L7 Applicator

Re: URL filtering https pages

It depends ...

  • If the load on your firewall is already pretty high, then depending on what you are going to decrypt (everything?), the load will definitely increase even higher.
  • If you decrypt everything there could be problems with specific websites that cannot be decrypted (pinned certs, client cert auth), but most of these problems you could solve with a decryption profile that does not block these connections.

If you are only decrypting this one connection to the bbc website, then there shouldn't be big drawbacks.

L3 Networker

Re: URL filtering https pages

Load is quite low. These are 850’s and at max I will be decrypting traffic from 100 users.

I’ve already had to add in a bunch of exceptions due to tls decryption breaking the site/application.

Currently decrypting all apart from finance, shopping, health, and computer URL groups.