4 Replies Latest reply on Oct 27, 2015 7:34 AM by aish29

    How to Monitor URL site and how to block custom URL

    aish29

      Hi guys,

       

      Good day. Could you please help me configure the NGFW 325 (Layer 2, inline, passive mode) for monitoring and custom blocking of URL sites? I tried to read the Product Guide, but I cannot see there how to do this. Thank you in advance to those who will give answers and ideas.

       

      Additional information: my current license is an evaluation license, the version of my SMC is 5.9, the appliance is 5.7, and my existing rules are any.

        • 1. Re: How to Monitor URL site and how to block custom URL
          vnippula

          Hello,

           

          From the description I'm not completely sure whether you have the device configured in the Layer 2 Firewall or the IPS role. What is relevant for this task is whether the device is inline or only monitoring traffic, i.e. has a capture interface to which network traffic is forwarded. The device has to be inline to be able to actively block traffic. Passive mode, on the other hand, refers to a generic option that, when turned on, only logs even if the configuration is set to Discard/Terminate.

           

          To block a specific web site you should create an HTTP URL Filtering Situation and use that in the Inspection policy. Direct link to Online Help: http://help.stonesoft.com/onlinehelp/StoneGate/SMC/5.9.2/GUID-6A4811A6-C8D6-4922-B7BD-5F4F3A93FF9C.html

          The NGFW can also do category-based web filtering.

           

          Best regards,

          Virpi

          • 2. Re: How to Monitor URL site and how to block custom URL
            aish29

            Hi Sir Vnippula,

             

            Good day. First of all, thank you for the response to my question, and sorry if my English is bad and the description of my issue is vague. I'm new to this product and I only know how to install the SMC and connect the appliance to the SMC.

             

            My current setup is a Layer 2 firewall:

            Interface 0 - firewall appliance in Layer 2 Firewall Role

            Interface 1 (inline to Interface 2) - My laptop

            Interface 2 - Internal network (test laboratory)

             

            My goal is to monitor all the websites visited from my laptop and also from the workstation in the test laboratory. Then I will look in the report logs for websites that are not related to work and block them.

             

            For the HTTP URL filtering situation in the Inspection policy, I already did the configuration but it's not working, and I am still trying to troubleshoot my config but I cannot fix it. I also tried to run a report on Top URL Categories but there is no output.

             

             

            Again, many thanks for the response.

            • 3. Re: How to Monitor URL site and how to block custom URL
              lnurmi

              Hi,

               

              For the firewall to log the visited websites, you need to use the "HTTP (with URL logging)" service in your access rule. This creates an additional HTTP_URL-Logged log entry when a URL is detected, and this data can be used in reports. For example, "Top HTTP requests" shows the ranking based on the full URL (hostname + URI). You can add "HTTP entries by request host" (Add new section > Create from item) to a report, and that shows the ranking per domain (hostname).

               

              To get any data on URL Categories you need to have web filtering enabled. This requires that traffic is inspected and some URL filtering situations in inspection policy are set to permit/terminate or log. This is a separately licensed feature but should be included in trial license. It also requires that DNS server is specified in firewall properties and that the fw has access to internet on TCP ports 443 and 2316.

               

              BR,

              Lauri

              • 4. Re: How to Monitor URL site and how to block custom URL
                aish29

                Hi Sir lnurmi,

                 

                Thank you for the reply and for giving solutions.

                 

                I will try the solution that you gave tomorrow and post here whether it works or not ("my configuration is wrong").

                 

                By the way, this is my last configuration in

                IPv4 Access rule:

                Rule 1: Interface - any, source - any, destination - any, service - any, Action - Continue, Logging - Stored Accounted, User enforced, Application Enforced, No executable with Payload

                Rule 2: Interface - any, source - any, destination - any, service - HTTP with URL logging, Logging, Action - Continue, Logging - Stored Accounted, User enforced, Application Enforced, No executable with Payload

                 

                Inspection rule:

                Traffic Identification - Action - Permit, Logging - Alert

                URL Filtering - Action - Permit, Logging - Alert



                I have a question regarding this ("It also requires that DNS server is specified in firewall properties and that the fw has access to internet on TCP ports 443 and 2316."):

                Based on my understanding, do I need to create an IPv4 Access Rule allowing TCP ports 443 and 2316?

                And lastly, based on what I remember, before I connected the NGFW 325 appliance to the SMC, I put the DNS server of our test laboratory into the SMC and into the Firewall appliance.




                Again, thank you very much for giving ideas to solve my issues.



                Regards,