This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

URL filtering https pages

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

URL filtering https pages

welly_59
L3 Networker

‎08-22-2018 10:11 AM

I can’t seem to get this working. I’m trying to block bbc I player but neither url filtering or APP-ID does the job.

Do I need to enable ssl inspection to block https pages?

I have tried with httpvshttps.com for example and I can block the http version but not the https version
0 Likes Likes
6 REPLIES 6

Remo
L7 Applicator

‎08-22-2018 11:33 AM

URL filtering works even without TLS decryption. But without additional steps you will not be able to inject a response page.

Did you check the URL log when you open this BBC player website? There you should (depending on how the website is built) be able to identify the website that you need to block (with a custom URL category).

0 Likes Likes

welly_59
L3 Networker
In response to Remo

‎08-23-2018 12:29 AM

the url is:

bbc.co.uk/iplayer

 

if i go via http then it is blocked, the https version works. There are a number of URL's displayed in ther URL Filtering log, none of which are bbc/iplayer.

 

The block page dispplays when browsing via non-https. How can i get this blocked when going via https and still display the block page?

0 Likes Likes

Remo
L7 Applicator
In response to welly_59

‎08-23-2018 01:17 AM

@welly_59

This one is not possible without TLS decryption because the firewall sees only the fqdn (at best, but normally with a current browser). So for example if the URL would be iplayer.bbc.co.uk then blocking without decryption would work...

0 Likes Likes

welly_59
L3 Networker
In response to Remo

‎08-23-2018 02:13 AM

ive imported a subordinate CA from our Windows Server and am now decrypting SSL, this is allowing me to block https sites as required.

 

Are there any drawbacks to me doing this?

0 Likes Likes

Remo
L7 Applicator
In response to welly_59

‎08-23-2018 10:24 AM

It depends ...

  • If the load on your firewall is already pretty high, then depending on what you are going to decrypt (everything?), the load will definately increase even higher
  • If you decrypt everything there could be problems with specific websites that cannot be decrypted (pinned certs, client cert auth), but most of these problems you could solve with a decryption profile that does not block these connections

If you are only decrypting this one connection to the bbc website, then there shouldn't be big drawbacks.

0 Likes Likes

welly_59
L3 Networker
In response to Remo

‎08-23-2018 10:39 AM

Load is quite low. These are 850’s and at max I will be decrypting traffic from 100 users.

I’ve already had to add in a bunch of exceptions due to tls decryption breaking the site/application.

Currently decrypting all apart from finance, shopping, health, and computer url groups
0 Likes Likes
  • 2676 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks