Security Policy - with Service\URL category configuration


L0 Member

I have a Security policy rule configured as below:

1. Source and destination - any

2. User - any

3. Application - any

4. Service - ports open for http

5. URL category - allowing access to a custom-created URL category in which only the search engines Google's and Bing's URLs are defined

6. Action - Allow

7. Profile - Nil


Note that the URL category is configured in Service/URL category.

I understand this policy will allow access to Google and Bing on HTTP.

My query is:

1. Will this policy allow traffic on port 80 on other applications other than the browser?

2. Will this policy only allow traffic to Google and Bing on port 80 on a web browser?

3. If traffic is generated on port 80 using another application, will this policy allow that traffic to destinations other than Google and Bing?


Accepted Solutions

L7 Applicator

1. Will this policy allow traffic on port 80 on other applications other than the browser?

- Yes. You're not specifying an application, so any connection on port 80 (you said "http" but that's not a port, so I'm assuming just port 80) to the sites in the URL Category you've defined will match.

2. Will this policy only allow traffic to Google and Bing on port 80 on a web browser?

- See above. It will technically do what you want, but it's not a very robust rule.

3. If traffic is generated on port 80 using another application, will this policy allow that traffic to destinations other than Google and Bing?

- Sort of. If the initial packet is a TCP SYN on port 80, it doesn't know if it's going to match your category yet, since there is no domain name associated with the request. The 4th packet would be an HTTP GET request, so it should be OK.

All this said, I doubt your rule will do anything useful. Both Google and Bing have HSTS configured, meaning you're immediately redirected to their respective HTTPS pages, so your port-80 rule won't get much use. 

I'd recommend starting with allowing everything, then going to Google and Bing to see what your traffic looks like. You'll likely have better luck creating a rule based on applications rather than ports anyway. Categories are good, but the rules can get complex to handle if you're defining everything in the service/category section. A more robust way would be to create a URL filtering policy with "Alert" as the action for your custom category you want to allow and "deny" as the others. Using profiles allows you to change any rule using that profile instead of having to update many rules when your needs change.
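To make the two designs discussed in this thread concrete, here are both written out as PAN-OS "set" CLI configuration: the rule exactly as the question describes it (no application, port 80, category in the Service/URL Category tab), followed by the profile-based alternative the reply recommends. This is an added illustration, not configuration from the original poster or from Palo Alto Networks. Object names (search-engines, allow-search-http, allow-web-browsing, search-only) are made up, the list of categories to block is a placeholder, and the exact set syntax, in particular the custom-url-category type keyword, is assumed from the CLI conventions and should be checked against your PAN-OS version.

```text
# Custom URL category holding only the two search engines (constructed entries).
# The "type" line is assumed; older PAN-OS releases may not use it.
set profiles custom-url-category search-engines type "URL List"
set profiles custom-url-category search-engines list [ www.google.com/ www.bing.com/ ]

# (1) Rule as described in the question: application any, port 80 via the
# predefined service-http object, category matched in the rule itself.
# Any port-80 session is a candidate; the category can only be evaluated
# once a request carrying a hostname has been seen.
set rulebase security rules allow-search-http from any to any
set rulebase security rules allow-search-http source any destination any source-user any
set rulebase security rules allow-search-http application any service service-http
set rulebase security rules allow-search-http category search-engines
set rulebase security rules allow-search-http action allow

# (2) Recommended shape: match on the identified application with its default
# ports, and move the URL decision into a URL Filtering profile that alerts on
# the allowed category and blocks the rest. Attach the profile to the rule.
set profiles url-filtering search-only alert [ search-engines ]
set profiles url-filtering search-only block [ <EVERY-OTHER-CATEGORY-PLACEHOLDER> ]
set rulebase security rules allow-web-browsing from any to any
set rulebase security rules allow-web-browsing source any destination any source-user any
set rulebase security rules allow-web-browsing application [ web-browsing ssl ]
set rulebase security rules allow-web-browsing service application-default
set rulebase security rules allow-web-browsing action allow
set rulebase security rules allow-web-browsing profile-setting profiles url-filtering search-only
```

The second form addresses the points raised above: application-default ports stop unrelated protocols from riding on port 80, the ssl application covers the HTTPS redirect that HSTS forces, and because the allow/deny decision lives in the profile, changing which sites are permitted means editing one profile rather than every rule that references the category.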


