[T&C] HTTP/HTTPS URL Filtering with Thunder ADC/CFW
In this article, we will look at how you can do HTTP/HTTPS URL filtering using Thunder CFW.
Download and install web category license and database
First, make sure you have the web category license on the Thunder device:
vThunder#sh license-info
------------------------------------------------------------------------------------
Enabled Licenses              Expiry Date (UTC)      Notes
------------------------------------------------------------------------------------
WEBROOT                       16-February-2022       License Type: webroot_trial
Configure the Thunder device to download the web category database:
glm use-mgmt-port
glm enable-requests
!
web-category
  use-mgmt-port
  enable
Verify that the web category database has been downloaded:
vThunder#sh web-category database
Database Name              : full_bcdb_rep_7.954.bin
Database Status            : Active
Database Size              : 420 MB
Database Version           : 954
Last Update Time           : Thu Dec 9 00:00:55 2021
Next Update Time           : Wed Dec 15 00:00:20 2021
Connection Status          : GOOD
Last Successful Connection : Tue Dec 14 16:37:39 2021
vThunder#
Define SLB wildcard VIP
Define a wildcard VIP 0.0.0.0 with the gateway router as an SLB server:
access-list 112 permit tcp any any eq 80
!
access-list 112 permit tcp any any eq 443
!
slb server GATEWAY 203.0.113.254
  health-check-disable
  port 0 tcp
    health-check-disable
  port 0 udp
    health-check-disable
  port 80 tcp
    health-check-disable
  port 443 tcp
    health-check-disable
!
slb service-group SG_HTTP tcp
  member GATEWAY 80
!
slb service-group SG_HTTPS tcp
  member GATEWAY 443
!
slb virtual-server URL 0.0.0.0 acl 112
  port 80 http
    service-group SG_HTTP
    no-dest-nat
  port 443 https
    service-group SG_HTTPS
    no-dest-nat
Enable promiscuous VIP on the incoming client-facing interface:
interface ethernet 1
  enable
  ip address 100.64.10.1 255.255.255.0
  ip allow-promiscuous-vip
Specify the web traffic to be matched
Define a web category list naming the categories whose URLs are to be dropped. The following categories are available:
vThunder(config)#web-category
vThunder(config-web-category)#category-list blocked-categories
vThunder(config-web-category-category-list)#?
  abortion                          Category Abortion
  adult-and-pornography             Category Adult and Pornography
  alcohol-and-tobacco               Category Alcohol and Tobacco
  auctions                          Category Auctions
  bot-nets                          Category Bot Nets
  business-and-economy              Category Business and Economy
  cdns                              Category CDNs
  cheating                          Category Cheating
  clear                             Clear or Reset Functions
  computer-and-internet-info        Category Computer and Internet Info
  computer-and-internet-security    Category Computer and Internet Security
  confirmed-spam-sources            Category Confirmed SPAM Sources
  cult-and-occult                   Category Cult and Occult
  dating                            Category Dating
  dead-sites                        Category Dead Sites (db Ops only)
  do                                To run exec commands in config mode
  drugs                             Category Abused Drugs
  dynamic-comment                   Category Dynamic Comment
  educational-institutions          Category Educational Institutions
  end                               Exit from configure mode
  entertainment-and-arts            Category Entertainment and Arts
  exit                              Exit from configure mode or sub mode
  fashion-and-beauty                Category Fashion and Beauty
  financial-services                Category Financial Services
  food-and-dining                   Category Food and Dining
  gambling                          Category Gambling
  games                             Category Games
  government                        Category Government
  gross                             Category Gross
  hacking                           Category Hacking
  hate-and-racism                   Category Hate and Racism
  health-and-medicine               Category Health and Medicine
  home-and-garden                   Category Home and Garden
  hunting-and-fishing               Category Hunting and Fishing
  illegal                           Category Illegal
  illegal-pornography               Category Illegal join Adult and Pornography
  image-and-video-search            Category Image and Video Search
  internet-communications           Category Internet Communications
  internet-portals                  Category Internet Portals
  job-search                        Category Job Search
  keyloggers-and-monitoring         Category Keyloggers and Monitoring
  kids                              Category Kids
  legal                             Category Legal
  local-information                 Category Local Information
  malware-sites                     Category Malware Sites
  marijuana                         Category Marijuana
  military                          Category Military
  motor-vehicles                    Category Motor Vehicles
  music                             Category Music
  news-and-media                    Category News and Media
  no                                Negate a command or set its defaults
  nudity                            Category Nudity
  nudity-artistic                   Category Nudity join Entertainment and Arts
  online-greeting-cards             Category Online Greeting cards
  open-http-proxies                 Category Open HTTP Proxies
  parked-domains                    Category Parked Domains
  pay-to-surf                       Category Pay to Surf
  peer-to-peer                      Category Peer to Peer
  personal-sites-and-blogs          Category Personal sites and Blogs
  personal-storage                  Category Personal Storage
  philosophy-and-politics           Category Philosophy and Political Advocacy
  phishing-and-other-fraud          Category Phishing and Other Frauds
  private-ip-addresses              Category Private IP Addresses
  proxy-avoid-and-anonymizers       Category Proxy Avoid and Anonymizers
  questionable                      Category Questionable
  real-estate                       Category Real Estate
  recreation-and-hobbies            Category Recreation and Hobbies
  reference-and-research            Category Reference and Research
  religion                          Category Religion
  sampling-enable                   Enable baselining
  search-engines                    Category Search Engines
  sex-education                     Category Sex Education
  shareware-and-freeware            Category Shareware and Freeware
  shopping                          Category Shopping
  show                              Show Running System Information
  social-network                    Category Social Network
  society                           Category Society
  spam-urls                         Category SPAM URLs
  sports                            Category Sports
  spyware-and-adware                Category Spyware and Adware
  stock-advice-and-tools            Category Stock Advice and Tools
  streaming-media                   Category Streaming Media
  swimsuits-and-intimate-apparel    Category Swimsuits and Intimate Apparel
  training-and-tools                Category Training and Tools
  translation                       Category Translation
  travel                            Category Travel
  uncategorized                     Uncategorized URLs
  unconfirmed-spam-sources          Category Unconfirmed SPAM Sources
  user-tag                          Customized tag
  violence                          Category Violence
  weapons                           Category Weapons
  web-advertisements                Category Web Advertisements
  web-based-email                   Category Web based email
  web-hosting-sites                 Category Web Hosting Sites
  write                             Write Configuration
Here we define the following web category list:
web-category
  use-mgmt-port
  enable
  category-list blocked-categories
    social-network
Policy to filter HTTP traffic
Define an SLB policy template matching destination based on the web category list defined earlier and bind it to the wildcard VIP under port 80:
slb template policy HTTP-FILTERING
  forward-policy
    action DROP
      drop
      log
      drop-message "Prohibited site"
    action PERMIT
      forward-to-internet SG_HTTP
      log
    source ANY
      match-any
      destination web-category-list blocked-categories action DROP host priority 10
      destination any action PERMIT
!
slb virtual-server URL 0.0.0.0 acl 112
  port 80 http
    template policy HTTP-FILTERING
    service-group SG_HTTP
    no-dest-nat
Policy to filter HTTPS traffic
The Thunder device supports SNI-based filtering: the server name carried in the TLS ClientHello is matched against the category list when a policy template is bound to a wildcard VIP configured with an HTTPS vPort.
Define an SLB policy template for HTTPS traffic matching the web category list defined earlier:
slb template policy HTTPS-FILTERING
  forward-policy
    action DROP
      drop
      log
    action PERMIT
      forward-to-internet SG_HTTPS
      log
    source ANY
      match-any
      destination web-category-list blocked-categories action DROP url priority 10
      destination any action PERMIT
Apply this policy template and client SSL template to the wildcard VIP under port 443:
slb virtual-server URL 0.0.0.0 acl 112
  port 80 http
    template policy HTTP-FILTERING
    service-group SG_HTTP
    no-dest-nat
  port 443 https
    template policy HTTPS-FILTERING
    service-group SG_HTTPS
    no-dest-nat
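To make the forward-policy decision concrete, here is an added Python model of what the two templates above do (it is example code, not A10's implementation). It assumes a tiny constructed category table standing in for the Webroot database, builds a minimal TLS ClientHello carrying an SNI so the HTTPS path can be exercised offline, and evaluates the destination rules in priority order: the blocked-categories match at priority 10 drops, and the catch-all "destination any" permits. How a ClientHello without any SNI is handled is this example's own choice, not something the page states.

```python
"""Added example: model of the HTTP/HTTPS-FILTERING forward-policy decision."""
import struct

# Constructed stand-in for the web category database lookup (not real Webroot data).
CATEGORY_DB = {
    "www.facebook.com": "social-network",
    "www.a10networks.com": "computer-and-internet-info",
}

# Mirrors "category-list blocked-categories / social-network" from the page.
BLOCKED_CATEGORIES = {"social-network"}


def categorize(hostname):
    """Look a host up in the (constructed) category table; unknown hosts are 'uncategorized'."""
    return CATEGORY_DB.get(hostname.lower().rstrip("."), "uncategorized")


def forward_policy(hostname, blocked=BLOCKED_CATEGORIES):
    """Rules in priority order, as in the templates:
    priority 10: destination web-category-list blocked-categories -> DROP
    fallback:    destination any                                   -> PERMIT
    Returns (action, category)."""
    category = categorize(hostname)
    if category in blocked:
        return "DROP", category
    return "PERMIT", category


def build_client_hello(server_name=None):
    """Construct a minimal ClientHello record; SNI (RFC 6066) is its only extension when given."""
    ext = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                     # client_version, random (zeroed)
            + b"\x00"                                      # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
            + b"\x01\x00"                                  # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                         # record hdr (5) + handshake hdr (4) + version + random
        pos += 1 + record[pos]                   # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                   # compression_methods
        ext_len = struct.unpack_from("!H", record, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == 0x0000:
                lpos = pos + 2                   # skip server_name_list length
                while lpos + 3 <= pos + elen:
                    ntype = record[lpos]
                    nlen = struct.unpack_from("!H", record, lpos + 1)[0]
                    if ntype == 0:
                        return record[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def filter_https(client_hello):
    """Apply the HTTPS template to a ClientHello using its SNI as the destination.
    Design choice of this example: a hello with no SNI cannot be categorised and is
    treated as 'uncategorized', which the catch-all rule permits."""
    sni = extract_sni(client_hello)
    if sni is None:
        return "PERMIT", "uncategorized", None
    action, category = forward_policy(sni)
    return action, category, sni


if __name__ == "__main__":
    for host in ("www.facebook.com", "www.a10networks.com", "nosuchhost.example"):
        print(host, forward_policy(host), filter_https(build_client_hello(host)))
```

The no-SNI branch is worth a deliberate decision in any real deployment: a client that omits SNI (or uses an IP literal) gives the category engine nothing to match, so a policy written as "drop the blocked categories, permit everything else" lets such sessions through by construction.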
Verification
From a client machine, try accessing a website on the blocked list (e.g. https://www.facebook.com). The traffic will be blocked:
You can also confirm this from the log message on the Thunder device:
Dec 16 2021 18:15:30 Info [ACOS]:Proxy CLIENT HELLO[drop- (ANY priority#10 category social-network reputation trustworthy(81))]: url www.facebook.com client 100.64.10.31:41370, server 31.13.65.36:443 out-bytes:0
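Drop messages of this shape are the evidence a SOC would collect from the device, so here is an added Python parser for them (example code, not part of the A10 product or this article). It assumes the field order shown in the log line above; the regex is this example's own and covers only that format. The first sample line is the one from the page; the remaining lines are constructed in the same format to exercise per-client and per-URL summaries, plus one unrelated line to show that non-matching messages are skipped.

```python
"""Added example: parse ACOS proxy forward-policy drop logs and summarise them."""
import re
from collections import Counter

# First line copied from the page; the others are constructed for this example.
SAMPLE_LOGS = [
    "Dec 16 2021 18:15:30 Info [ACOS]:Proxy CLIENT HELLO[drop- (ANY priority#10 category "
    "social-network reputation trustworthy(81))]: url www.facebook.com client "
    "100.64.10.31:41370, server 31.13.65.36:443 out-bytes:0",
    # constructed: second client hitting the same site
    "Dec 16 2021 18:16:02 Info [ACOS]:Proxy CLIENT HELLO[drop- (ANY priority#10 category "
    "social-network reputation trustworthy(81))]: url www.facebook.com client "
    "100.64.10.42:50112, server 31.13.65.36:443 out-bytes:0",
    # constructed: first client hitting a different (made-up) site in the same category
    "Dec 16 2021 18:16:40 Info [ACOS]:Proxy CLIENT HELLO[drop- (ANY priority#10 category "
    "social-network reputation trustworthy(77))]: url www.example-social.test client "
    "100.64.10.31:41402, server 192.0.2.10:443 out-bytes:0",
    # constructed: unrelated message that must not parse
    "Dec 16 2021 18:17:00 Info [ACOS]:some unrelated message",
]

# Field layout taken from the log line on the page (assumption: other messages may differ).
PROXY_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<level>\w+) \[ACOS\]:Proxy "
    r"(?P<stage>.+?)\[(?P<action>\w+)- \((?P<source>\S+) priority#(?P<priority>\d+) "
    r"category (?P<category>\S+) reputation (?P<reputation>\w+)\((?P<score>\d+)\)\)\]: "
    r"url (?P<url>\S+) client (?P<client_ip>[\d.]+):(?P<client_port>\d+), "
    r"server (?P<server_ip>[\d.]+):(?P<server_port>\d+) out-bytes:(?P<out_bytes>\d+)$"
)


def parse_proxy_log(line):
    """Return a dict of the message's fields, or None if the line is not a proxy policy log."""
    m = PROXY_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("priority", "score", "client_port", "server_port", "out_bytes"):
        rec[key] = int(rec[key])
    return rec


def drops_by_client(lines, category=None):
    """Count dropped connections per client IP, optionally restricted to one category."""
    counts = Counter()
    for line in lines:
        rec = parse_proxy_log(line)
        if rec is None or rec["action"] != "drop":
            continue
        if category is not None and rec["category"] != category:
            continue
        counts[rec["client_ip"]] += 1
    return dict(counts)


def top_blocked_urls(lines, n=5):
    """Most frequently blocked destinations (url field), highest count first."""
    recs = (parse_proxy_log(line) for line in lines)
    counts = Counter(r["url"] for r in recs if r is not None and r["action"] == "drop")
    return counts.most_common(n)


if __name__ == "__main__":
    print(drops_by_client(SAMPLE_LOGS))
    print(top_blocked_urls(SAMPLE_LOGS))
```

Repeated drops from one client against the same category are usually a user or a device policy issue; a burst of drops against the malware-sites or phishing-and-other-fraud categories from a single host is the pattern worth routing to incident response, which is why the summaries key on client IP and destination rather than on the raw line.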
Other websites (e.g. https://www.a10networks.com) that are not on the blocked list will still be accessible: