In this article, we will look at how you can do HTTP/HTTPS URL filtering using Thunder CFW.
Download and install web category license and database
First, make sure you have the web category license on the Thunder device:
vThunder#sh license-info
------------------------------------------------------------------------------------
Enabled Licenses Expiry Date (UTC) Notes
WEBROOT 16-February-2022 License Type: webroot_trial
Configure the Thunder device to download the web category database:
glm use-mgmt-port
glm enable-requests
!
web-category
use-mgmt-port
enable
Verify that the web category database has been downloaded:
vThunder#sh web-category database
Database Name : full_bcdb_rep_7.954.bin
Database Status : Active
Database Size : 420 MB
Database Version : 954
Last Update Time : Thu Dec 9 00:00:55 2021
Next Update Time : Wed Dec 15 00:00:20 2021
Connection Status : GOOD
Last Successful Connection : Tue Dec 14 16:37:39 2021
vThunder#
Define SLB wildcard VIP
Define a wildcard VIP 0.0.0.0 with the gateway router as an SLB server:
access-list 112 permit tcp any any eq 80
!
access-list 112 permit tcp any any eq 443
slb server GATEWAY 203.0.113.254
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 80 tcp
health-check-disable
port 443 tcp
health-check-disable
!
slb service-group SG_HTTP tcp
member GATEWAY 80
!
slb service-group SG_HTTPS tcp
member GATEWAY 443
!
slb virtual-server URL 0.0.0.0 acl 112
port 80 http
service-group SG_HTTP
no-dest-nat
port 443 https
service-group SG_HTTPS
no-dest-nat
Enable promiscuous VIP on the incoming client-facing interface:
interface ethernet 1
enable
ip address 100.64.10.1 255.255.255.0
ip allow-promiscuous-vip
Specify the web traffic to be matched
Define a web category list naming the categories whose URLs are to be dropped. You can choose from the following categories:
vThunder(config)#web-category
vThunder(config-web-category)#category-list blocked-categories
vThunder(config-web-category-category-list)#?
abortion Category Abortion
adult-and-pornography Category Adult and Pornography
alcohol-and-tobacco Category Alcohol and Tobacco
auctions Category Auctions
bot-nets Category Bot Nets
business-and-economy Category Business and Economy
cdns Category CDNs
cheating Category Cheating
clear Clear or Reset Functions
computer-and-internet-info Category Computer and Internet Info
computer-and-internet-security Category Computer and Internet Security
confirmed-spam-sources Category Confirmed SPAM Sources
cult-and-occult Category Cult and Occult
dating Category Dating
dead-sites Category Dead Sites (db Ops only)
do To run exec commands in config mode
drugs Category Abused Drugs
dynamic-comment Category Dynamic Comment
educational-institutions Category Educational Institutions
end Exit from configure mode
entertainment-and-arts Category Entertainment and Arts
exit Exit from configure mode or sub mode
fashion-and-beauty Category Fashion and Beauty
financial-services Category Financial Services
food-and-dining Category Food and Dining
gambling Category Gambling
games Category Games
government Category Government
gross Category Gross
hacking Category Hacking
hate-and-racism Category Hate and Racism
health-and-medicine Category Health and Medicine
home-and-garden Category Home and Garden
hunting-and-fishing Category Hunting and Fishing
illegal Category Illegal
illegal-pornography Category Illegal join Adult and Pornography
image-and-video-search Category Image and Video Search
internet-communications Category Internet Communications
internet-portals Category Internet Portals
job-search Category Job Search
keyloggers-and-monitoring Category Keyloggers and Monitoring
kids Category Kids
legal Category Legal
local-information Category Local Information
malware-sites Category Malware Sites
marijuana Category Marijuana
military Category Military
motor-vehicles Category Motor Vehicles
music Category Music
news-and-media Category News and Media
no Negate a command or set its defaults
nudity Category Nudity
nudity-artistic Category Nudity join Entertainment and Arts
online-greeting-cards Category Online Greeting cards
open-http-proxies Category Open HTTP Proxies
parked-domains Category Parked Domains
pay-to-surf Category Pay to Surf
peer-to-peer Category Peer to Peer
personal-sites-and-blogs Category Personal sites and Blogs
personal-storage Category Personal Storage
philosophy-and-politics Category Philosophy and Political Advocacy
phishing-and-other-fraud Category Phishing and Other Frauds
private-ip-addresses Category Private IP Addresses
proxy-avoid-and-anonymizers Category Proxy Avoid and Anonymizers
questionable Category Questionable
real-estate Category Real Estate
recreation-and-hobbies Category Recreation and Hobbies
reference-and-research Category Reference and Research
religion Category Religion
sampling-enable Enable baselining
search-engines Category Search Engines
sex-education Category Sex Education
shareware-and-freeware Category Shareware and Freeware
shopping Category Shopping
show Show Running System Information
social-network Category Social Network
society Category Society
spam-urls Category SPAM URLs
sports Category Sports
spyware-and-adware Category Spyware and Adware
stock-advice-and-tools Category Stock Advice and Tools
streaming-media Category Streaming Media
swimsuits-and-intimate-apparel Category Swimsuits and Intimate Apparel
training-and-tools Category Training and Tools
translation Category Translation
travel Category Travel
uncategorized Uncategorized URLs
unconfirmed-spam-sources Category Unconfirmed SPAM Sources
user-tag Customized tag
violence Category Violence
weapons Category Weapons
web-advertisements Category Web Advertisements
web-based-email Category Web based email
web-hosting-sites Category Web Hosting Sites
write Write Configuration
Here we define the following web category list:
web-category
use-mgmt-port
enable
category-list blocked-categories
social-network
Policy to filter HTTP traffic
Define an SLB policy template whose destination match uses the web category list defined earlier, and bind it to the wildcard VIP under port 80:
slb template policy HTTP-FILTERING
forward-policy
action DROP
drop
log
drop-message "Prohibited site"
action PERMIT
forward-to-internet SG_HTTP
log
source ANY
match-any
destination web-category-list blocked-categories action DROP host priority 10
destination any action PERMIT
!
slb virtual-server URL 0.0.0.0 acl 112
port 80 http
template policy HTTP-FILTERING
service-group SG_HTTP
no-dest-nat
Policy to filter HTTPS traffic
The Thunder device supports SNI-based filtering (matching on the server name sent in the TLS Client Hello) by binding a policy template to a wildcard VIP configured for an HTTPS vPort.
Define an SLB policy template for HTTPS traffic matching the web category list defined earlier:
slb template policy HTTPS-FILTERING
forward-policy
action DROP
drop
log
action PERMIT
forward-to-internet SG_HTTPS
log
source ANY
match-any
destination web-category-list blocked-categories action DROP url priority 10
destination any action PERMIT
Apply this policy template and client SSL template to the wildcard VIP under port 443:
slb virtual-server URL 0.0.0.0 acl 112
port 80 http
template policy HTTP-FILTERING
service-group SG_HTTP
no-dest-nat
port 443 https
template policy HTTPS-FILTERING
service-group SG_HTTPS
no-dest-nat
Verification
From a client machine, try accessing a website on the blocked list (e.g. https://www.facebook.com). The traffic will be blocked.
You can also confirm this from the log message on the Thunder device:
Dec 16 2021 18:15:30 Info [ACOS]:Proxy CLIENT HELLO[drop- (ANY priority#10 category social-network reputation trustworthy(81))]: url www.facebook.com client 100.64.10.31:41370, server 31.13.65.36:443 out-bytes:0
Other websites (e.g. https://www.a10networks.com) that are not on the blocked list will still be accessible.
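To turn the Thunder log line above into something a SOC can count and alert on, here is an added example (not part of the article or of ACOS) that parses forward-policy drop messages and tallies drops per web category. The regex is modelled only on the single log line quoted above; the extra sample lines are constructed to follow that same format, and the hostname gambling.example and the client/server addresses in them are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Pattern modelled on the ACOS forward-policy log line quoted in the article:
# ... Info [ACOS]:Proxy CLIENT HELLO[drop- (ANY priority#10 category <cat> reputation <label>(<score>))]: url <host> client <ip:port>, server <ip:port> out-bytes:<n>
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) Info \[ACOS\]:Proxy (?P<stage>[A-Z ]+?)"
    r"\[(?P<action>[a-z]+)- \((?P<source>\S+) priority#(?P<priority>\d+) "
    r"category (?P<category>\S+) reputation (?P<rep_label>[a-z-]+)\((?P<rep_score>\d+)\)\)\]: "
    r"url (?P<url>\S+) client (?P<client>\S+), server (?P<server>\S+) out-bytes:(?P<out_bytes>\d+)$"
)

@dataclass(frozen=True)
class FilterEvent:
    timestamp: str
    stage: str        # e.g. "CLIENT HELLO": the SNI check on the HTTPS vPort
    action: str       # e.g. "drop"
    priority: int     # priority of the matching forward-policy rule
    category: str     # web category that matched the category-list
    rep_label: str    # reputation label reported by the database
    rep_score: int
    url: str          # host taken from the HTTP Host header or the TLS SNI
    client: str
    server: str

def parse_event(line: str) -> Optional[FilterEvent]:
    """Return a FilterEvent for a forward-policy log line, or None for an unrelated line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return FilterEvent(
        timestamp=m["ts"], stage=m["stage"], action=m["action"], priority=int(m["priority"]),
        category=m["category"], rep_label=m["rep_label"], rep_score=int(m["rep_score"]),
        url=m["url"], client=m["client"], server=m["server"],
    )

def drops_by_category(lines: Iterable[str]) -> Counter:
    """Count dropped connections per web category; lines that do not parse are skipped."""
    return Counter(ev.category for ev in map(parse_event, lines) if ev and ev.action == "drop")

# Constructed sample: line 0 is the one quoted in the article, lines 1-2 follow its format with
# made-up hosts/addresses, line 3 is an unrelated message the parser must ignore.
SAMPLE_LOG = [
    "Dec 16 2021 18:15:30 Info [ACOS]:Proxy CLIENT HELLO[drop- (ANY priority#10 category social-network reputation trustworthy(81))]: url www.facebook.com client 100.64.10.31:41370, server 31.13.65.36:443 out-bytes:0",
    "Dec 16 2021 18:16:02 Info [ACOS]:Proxy CLIENT HELLO[drop- (ANY priority#10 category social-network reputation trustworthy(81))]: url www.facebook.com client 100.64.10.44:51022, server 31.13.65.36:443 out-bytes:0",
    "Dec 16 2021 18:17:11 Info [ACOS]:Proxy CLIENT HELLO[drop- (ANY priority#10 category gambling reputation trustworthy(60))]: url gambling.example client 100.64.10.31:41402, server 192.0.2.10:443 out-bytes:0",
    "Dec 16 2021 18:17:40 Info [ACOS]:Unrelated message that the parser must ignore",
]

if __name__ == "__main__":
    for cat, n in drops_by_category(SAMPLE_LOG).most_common():
        print(f"{cat}: {n} dropped")
```

Note that the quoted line drops www.facebook.com even though its reputation is "trustworthy(81)": the policy matches on category alone, so reputation fields are useful for triage but do not influence the verdict here.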