WGCS Path Based Whitelisting for HTTPS Sites When Managing with ePO Cloud
Using MWG to manage your WGCS policy opens up almost all of the granular filtering options that are available on premise. However, many customers, especially smaller companies with limited security staff, prefer the simplicity of managing WGCS policy through ePO Cloud. The simplified interface there currently provides only a subset of the features available when MWG manages WGCS policy. One limitation is the way category filtering and URL whitelists are handled for HTTPS sites.
First, as with any filtering of HTTPS that depends on the URL path, SSL scanning must be enabled for the site in question, because SSL scanning can only be enabled or disabled on the initial CONNECT, where only the hostname is visible. WGCS allows SSL inspection to be enabled or disabled by category (matched on hostname) or by URL list (which in practice matches only host and domain names).
Second, once the CONNECT is allowed and the HTTPS session is decrypted, blacklisting a particular URL path within an allowed category works as expected. Whitelisting a path within a blocked category, however, does not work without the approach described here, because the category blacklist blocks the initial CONNECT before any path-based rule can be evaluated.
So how do we handle the situation where we want to whitelist a specific path on a site that is in a blocked category? For example, suppose www.example.com is in the Social Networking category and I want to allow only https://www.example.com/example while blocking all other paths on example.com and all other social networking sites.
To do this:
1. Enable SSL inspection for example.com with all subdomains enabled, or simply enable inspection for the category it is in (in this example, Social Networking).
2. Add a Web Category URL Whitelist Rule for example.com/example with all subdomains enabled (this will not apply until after the connection is established with SSL decryption enabled).
3. Below that (2), add a Web Category URL Blacklist Rule for example.com/ with all subdomains enabled (this will not apply until after the connection is established with SSL decryption enabled).
4. Below that (3), add a Web Category URL Whitelist Rule for example.com with all subdomains enabled (this host-level rule applies when the connection is initially established, so it is what lets the CONNECT through the category block).
5. Block Social Networking in the web category filter.
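The ordering above only makes sense once you see the two evaluation points the proxy has: the CONNECT (hostname only, no path) and the decrypted request (full URL). The following is an added example, not WGCS or MWG code and not from the article's author: a small Python model of that two-phase, first-match-wins evaluation with the exact rule list from steps 2 to 4. The category table, the blocked and SSL-inspected category sets, and the prefix-match semantics for path rules are constructed assumptions for the model. It also shows what happens when the host-level whitelist from step 4 is left out, which is the failure the article describes.

```python
from urllib.parse import urlsplit

# Constructed model of the article's two-phase policy evaluation (not
# WGCS/MWG code). Phase 1 is the CONNECT, where only the hostname is known;
# phase 2 is the decrypted request, where the full URL is visible.

# Assumed category database for the example hosts (constructed).
CATEGORIES = {
    "example.com": "Social Networking",
    "social.example.net": "Social Networking",
    "news.example.org": "News",
}
BLOCKED_CATEGORIES = {"Social Networking"}        # step 5
SSL_INSPECTED_CATEGORIES = {"Social Networking"}  # step 1 (category variant)

# Ordered URL-list rules from steps 2-4, evaluated top-down, first match wins.
# Each tuple is (action, pattern, include_subdomains). A pattern containing
# "/" after the host is a path rule; a bare host is a host rule.
RULES = [
    ("allow", "example.com/example", True),  # step 2: path whitelist
    ("block", "example.com/", True),         # step 3: path blacklist
    ("allow", "example.com", True),          # step 4: host whitelist
]


def category_of(host):
    """Look the host up, then each parent domain, in the constructed table."""
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "Uncategorized"


def host_matches(host, pattern_host, subdomains):
    return host == pattern_host or (subdomains and host.endswith("." + pattern_host))


def rule_matches(rule, host, path):
    """path is None during CONNECT, so path rules cannot match in phase 1."""
    _action, pattern, subdomains = rule
    pattern_host, sep, pattern_path = pattern.partition("/")
    if not host_matches(host, pattern_host, subdomains):
        return False
    if not sep:            # host-only rule: matches in both phases
        return True
    if path is None:       # CONNECT phase: the path is not visible yet
        return False
    return path.startswith("/" + pattern_path)   # assumed prefix semantics


def first_match(rules, host, path):
    for rule in rules:
        if rule_matches(rule, host, path):
            return rule[0]
    return None


def evaluate(url, rules=RULES):
    """Return (verdict, phase): which phase produced the final allow/block."""
    parts = urlsplit(url)
    host = parts.hostname
    category = category_of(host)
    category_verdict = "block" if category in BLOCKED_CATEGORIES else "allow"

    if parts.scheme == "https":
        # Phase 1: CONNECT. URL-list rules see only the host; the category
        # filter decides anything the URL lists do not.
        verdict = first_match(rules, host, None) or category_verdict
        if verdict == "block":
            return ("block", "CONNECT")
        if category not in SSL_INSPECTED_CATEGORIES:
            # Tunnel stays encrypted: path rules can never fire afterwards.
            return ("allow", "CONNECT")

    # Phase 2: plaintext or decrypted request, full path visible.
    verdict = first_match(rules, host, parts.path or "/") or category_verdict
    return (verdict, "request")


if __name__ == "__main__":
    for url in ("https://www.example.com/example", "https://www.example.com/other",
                "https://social.example.net/feed", "https://news.example.org/story"):
        print(url, "->", evaluate(url))
    # Without step 4 the category block wins at CONNECT, before any path rule.
    print("no step 4:", evaluate("https://www.example.com/example", RULES[:2]))
```

Running the model, only https://www.example.com/example is allowed, every other path on example.com is blocked by the step 3 rule at the request phase, and other social networking hosts are blocked at the CONNECT by the category filter. Dropping the step 4 host whitelist makes the whitelisted path fail at the CONNECT as well, which is exactly why that rule must exist even though it sits below the blacklist.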