Using URL filtering with CenturyLink SD-WAN

This use case shows the steps you need to take to complete a rule for URL filtering on an SD-WAN branch template.

Note: Subscription to the CenturyLink® SD-WAN Advanced Security package is required to access the firewall features.

Overview

Configuring your firewall with the URL filtering feature lets you manage your users’ internet access. URL filtering prevents users from accessing sites your organization deems unproductive; enables secure web access; and protects from sophisticated threats, including malware and phishing sites. URL filtering uses local databases to associate the URL with the category and reputation for a comprehensive screening process.

What you need to know about URL filtering
 

  • URL filtering provides rich and flexible filtering solutions for web traffic.

  • More than 450 million URLs are categorized and are continually updated.

  • Each URL is looked up in the local database, so the URL is associated with a URL category and URL reputation.

  • You can restrict access to websites you choose based on the URL category and/or URL reputation.

  • You can enforce policy actions for websites based on blacklists and whitelists of URLs.

Pre-defined URL reputations

SD-WAN supports the following types of pre-defined URL reputations. You can also create your own user-defined reputations. A value is assigned to each URL; the lower the value, the higher the reputation.
 

  • Trustworthy

  • Low risk

  • Moderate risk

  • Suspicious

  • High risk

  • Undefined

URL filtering actions
 

  • Allow—the URL can be viewed without generating a log entry.

  • Drop-packet—the browser waits for a response from the server and drops the packets. There is no way to differentiate if this is due to the delayed response from the server or if the firewall blocks access to the website.

  • Drop-session—the browser waits for a response from the server and drops the session. There is no way to differentiate if this is due to the delayed response from the server or if the firewall blocks access to the website.

  • Alert—allows the URL and generates a log entry in the URL filtering log.

  • Reject—the browser displays an alert and resets the connection to the server. There is no way to differentiate if this is due to the delayed response from the server or if the firewall resets access to the website.

  • Block—the URL is blocked. Users will not see a response page and cannot continue with the website. This also generates a log in the URL filtering log.

  • Ask—the browser presents an information page that allows users to either cancel the operation by clicking Cancel or continue with the operation after clicking OK for http/https.

  • Inform—the browser presents an information page that allows users to continue after clicking OK for http/https.

  • Justify—the browser presents an information page that allows users to either cancel the operation by clicking Cancel or continue with the operation after entering a justification message and clicking OK for http/https.

  • Override—specifies that a password is required to allow access to the website in the category. This generates an entry in the URL filtering log.

In the example use case below, we will:
 

  • Review and set up a URL filtering profile (Task 1).

  • Show where to find the whitelist, blacklist, category, and reputation settings.

  • Review and set up a rule to enforce the URL filtering built in the profile (Task 2).

Note: CenturyLink may have already defined some standard security settings as originally requested in the initial deployment. Before making additional changes, be sure to review your existing settings.

Task 1—configuring a URL filtering profile

  1. Log in to the SD-WAN portal.

  2. In the Director Context, click the Config Templates tab.

  3. In the Services tab (shown with the gear icon), select Next Gen Firewall > Security > Profiles > URL Filtering.

  4. From the Organization list, select an entity.

  5. Verify the correct template is selected in the template list in the upper left of the window.

  6. Click the + sign to add a new URL filter.

  7. In this use case, we describe how to fill out the fields and show options for completing the profile. These selections are used as an example and may not apply to your setup.

    • In the Name field, type a name for the URL filter. We named ours Guest_URL_Filtering.

    • In the Description field, type a description that explains the purpose of the URL filter.

    • In the Tags field, type keywords or phrases that allow you to filter the URL. This is useful when you have many policies.

    • From the Default Action list, select a default action you want to impose on the URL filter. In most cases, you’ll use allow or block; in this case, we selected block.

    • From the Cloud Lookup Mode list, select the cloud lookup mode for searching the URL filter classification over the cloud. We selected never. You can select from these options:

      • No predefined matches—cloud lookup is performed only when the URL does not match any predefined URL category.

      • No user defined matches—cloud lookup is performed only when the URL does not match any user-defined URL category.

      • No pre user defined matches—cloud lookup is done only when the URL does not match any predefined URL category.

      • Always—perform a cloud lookup for this profile.

      • Never—do not perform a cloud lookup for this profile.

  8. From the LEF Profile list, select an LEF profile to register logs for this filter.

  9. Click the Blacklist tab:

    1. From the Action list, select a URL action when you encounter a blacklisted URL.

    2. In the Pattern section, click the + sign to block specific URLs. You can specify a fixed string or a regex pattern to match the blacklisted URL.

    3. In the Strings section, click the + sign to specify the complete URL string you want to block. We blocked www.youtube.com.

  10. Click OK.

  11. Click the Whitelist tab:

    1. Select the Enable Logging checkbox to enable logging the whitelist configuration.

    2. In the Pattern section, click the + sign to allow specific URLs. You can specify a fixed string or a regex pattern to match the whitelisted URL.

    3. In the Strings section, click the + sign to specify the complete URL string that you want to allow. We allowed www.google.com.

  12. Click OK.

  13. Click the + sign to add a category-based action.

  14. Fill in the information for category-based actions:

    1. In the Name field, type a name for the category-based action. We named ours BlockedCategories.

    2. From the Action list, select a URL action. We selected block.

    3. In the Predefined Categories section, click the + sign to select from a list of predefined categories. We selected gambling.

    4. In the User-defined Categories section, click the + sign to select from the list of user-defined categories.

  15. Click OK.

  16. In the Reputation Based Action tab:

    1. Click the + sign to add reputation-based actions.

  17. Fill in the information for reputation-based actions:

    1. In the Name field, type a name for the reputation-based action. We named ours Sample.

    2. From the Action list, select a URL action when you encounter a URL in this reputation. We selected reject.

    3. In the Predefined Reputations section, click the + sign to select from a list of predefined reputations. We selected high-risk.

  18. Click OK, then click OK again.
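
The Pattern sections on the Blacklist and Whitelist tabs accept regex patterns, and a loosely written whitelist pattern allows more hosts than intended. The following is an added example (not from the original page or from CenturyLink) that tests a candidate pattern against constructed hostnames before you enter it. It assumes the firewall applies patterns as an unanchored search and uses Python's re module as a stand-in for the firewall's regex engine; check_pattern and literal_host_pattern are hypothetical helper names.

```python
import re

# Constructed test hosts (not from the original page). The first is the host
# whitelisted in Task 1; the others must NOT be allowed by a pattern meant for it.
MUST_MATCH = ["www.google.com"]
MUST_NOT_MATCH = [
    "wwwXgoogle.com",               # differs only where the pattern has a "."
    "www.google.com.other.example", # intended host used as a prefix
    "notwww.google.com",            # intended host used as a suffix
]


def check_pattern(pattern, must_match=MUST_MATCH, must_not_match=MUST_NOT_MATCH):
    """Return a list of problems found with a candidate host regex.

    Assumption: the firewall applies the pattern as an unanchored search,
    modelled here with re.search. Confirm the behaviour on your platform.
    """
    problems = []
    rx = re.compile(pattern)
    for host in must_match:
        if not rx.search(host):
            problems.append(f"misses intended host {host}")
    for host in must_not_match:
        if rx.search(host):
            problems.append(f"also matches {host}")
    return problems


def literal_host_pattern(host):
    """Build an anchored, fully escaped regex that matches exactly one host."""
    return "^" + re.escape(host) + "$"


if __name__ == "__main__":
    candidates = [
        "www.google.com",                        # unescaped dots, no anchors
        r"www\.google\.com",                     # escaped dots, no anchors
        literal_host_pattern("www.google.com"),  # escaped and anchored
    ]
    for candidate in candidates:
        result = check_pattern(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

When the goal is to match one exact host, the Strings section described in the steps above avoids these regex pitfalls entirely.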

Task 2—configuring security policies

  1. In the Director Context, click the Config Templates tab.

  2. In the Services tab (shown with a gear icon), select Next Gen Firewall > Security > Policies > Rules.

  3. From the Organization list, select an entity. Be sure you select the correct template list in the upper left of the window.

  4. Click the + sign to add a new security policy, known as a rule.

Note: CenturyLink created a default policy for you during the initial setup.

In this use case, we describe how to fill out the fields and show options for completing the profile.

  5. Fill in the information to add a rule:

    1. In the Name field, type a name for the policy rule. We named ours Guest_URL_Rule.

    2. In the Description field, type a description that explains the purpose of the URL filter.

    3. In the Tags field, type keywords or phrases that allow you to filter the rule. This is useful when you have many policies.

  6. Click the Enforce tab.

    1. In the Actions section, select a button for the action that applies to the rule. We selected Apply Security Profile.

    2. In the Profiles section, select the checkbox next to URL-Filtering and select the URL filter from the list that you created in Task 1. We selected Guest_URL_Filtering.

    3. In the Log section, select a button for events to log and the associated logging profile. We selected Never.

  7. Click OK.
