HTTPS URL Filtering problem

Created: Dec 5, 2019 07:05:19
Latest reply: Feb 12, 2020 03:13:56
  Rewarded HiCoins: 0 (problem resolved)

Hi Everyone,


I need to filter traffic/websites, but I have not been able to block HTTPS traffic.

Tried to follow steps on this link: https://forum.huawei.com/enterprise/en/dr-wow-q-a-how-can-i-configure-https-url-filtering/thread/462893-867 but no success as I can't find the SSL decryption certificate link on my USG6330. What am I missing on my device?


Please see the image and version for reference..

USG_image01

USG_image02



Featured Answers

Recommended answer

chenhui
Admin Created Dec 5, 2019 08:16:43 Helpful(1)

By the way, the function (SSL-encrypted traffic detection) takes effect only after the content security group license is valid and the content security component package is loaded dynamically. If the license and component package are not loaded, this function is unavailable on the web UI and cannot be configured on the CLI.

Please check this: http://support.huawei.com/hedex/hdx.do?docid=EDOC1100013380&id=sec_admin_ssldecrypt_0004&lang=en

All Answers
chenhui Admin Created Dec 5, 2019 08:06:02 Helpful(1)

@siopawman Hi,
How about trying URL Filtering on Encrypted HTTPS Traffic: http://support.huawei.com/hedex/hdx.do?docid=EDOC1100013380&id=vsp_url_filter_cfg_0028_new&lang=en
URL Filtering on Encrypted HTTPS Traffic doesn't request the SSL decryption certificate.

yogijain MVE Created Dec 5, 2019 08:14:40 Helpful(3)

URL Filtering Does Not Work on HTTPS Websites

URL filtering supports HTTP and HTTPS URL requests. To filter HTTPS URL requests, configure either encrypted traffic filtering or SSL-encrypted traffic detection. If URL filtering does not work on HTTPS websites, the possible causes are as follows:

Possible Causes

  1. Encrypted traffic filtering is disabled in the URL filtering profile.

  2. SSL-encrypted traffic detection is not configured.

  3. The required certificate is not installed.

  4. One of the domain names that share one certificate is blocked.

  5. The websites that should be permitted are not added to the SSL whitelist.

Procedure

  1. Check whether encrypted traffic filtering is disabled in the URL filtering profile.


    Run the display profile type url-filter name command to check the configuration of the URL filtering profile. The Https-Filter field indicates the status of encrypted traffic filtering.

    [sysname] display profile type url-filter name a
    --------------------------------------------------------------------------------
     Name        : a
     Description : -
     Referenced  : 1
    --------------------------------------------------------------------------------
     Default Action : Allow
    --------------------------------------------------------------------------------
     Action Mode : Strict
    --------------------------------------------------------------------------------
     Malicious URL  : Disable
    --------------------------------------------------------------------------------
     Https-Filter : Disable

    If the value is Enable, encrypted traffic filtering is enabled. In this case, you do not need to perform other steps.

    If the value is Disable, encrypted traffic filtering is disabled. To enable this function, run the https-filter enable command in the URL filtering profile view. If you do not use this function, go to step 2.


  2. Check whether SSL-encrypted traffic detection is configured.


    Run the display decryption-policy rule all command to view the configuration of SSL-encrypted traffic detection policy rules.

    [sysname] display decryption-policy rule all
     Total:2
     RULE ID  RULE NAME                         STATE      ACTION       HITS
     -------------------------------------------------------------------------------
     1        ssl_policy                        enable     -            0
     0        default                           enable     no-decrypt   0
     -------------------------------------------------------------------------------

    If SSL-encrypted traffic detection is not configured, configure it by referring to the product manual.

    If SSL-encrypted traffic detection has been configured, go to step 3.


  3. Check whether the required certificate has been installed.


    If SSL decryption is configured, the certificate needs to be imported into the user's browser. If the SSL decryption certificate downloaded from the FW is not installed on the user device, the user device cannot verify the server certificate returned by the FW.

    For all HTTPS websites, the security certificate error or HSTS error message is displayed on the browser, or a few websites cannot be accessed. In this case, check whether the certificate exported from the FW has been installed.

    If the certificate is not installed, install it by referring to the manual. For details, see "Appendix: Installing the SSL Decryption Certificate".

    If the certificate has been installed, go to step 4.


  4. Check whether one of the domain names that share one certificate is blocked.


    If a certificate contains multiple URLs (that is, multiple websites share one certificate), all the URLs are decoded and sent to the URL module for processing. If one URL is blocked, this flow is blocked and other URLs cannot be accessed. Choose Monitor > Log > URL Log on the web UI to check URL logs. If the device does not have hard disks or SD cards, choose Monitor > Log > System Log List to view the latest URL logs.

    If such a URL log exists, use another certificate.

    If the URL log does not exist, go to step 5.


  5. Check whether the websites that should be permitted are added to the SSL whitelist.


    You need to add a website to the SSL whitelist in either of the following scenarios:

      • The client application program (for example, Windows Update) performs in-depth verification on the server certificate. In this case, the server certificate generated by the FW cannot be verified by the client. Therefore, you need to add the website to the SSL whitelist.

      • The customer plans some websites that do not require SSL decryption, such as the search website www.google.com.

    If a website should be added to the SSL whitelist but has not been, the website may not be accessible.

    Run the display ssl whitelist all command to view the SSL whitelist on the FW and check whether the website has been added to the SSL whitelist.

    <sysname> display ssl whitelist all
     Total SSL whitelist(s): 1
     -----------------------------------------
     IP              PORT        SNI
     10.1.1.1        443         www.test.com

    If the website is not in the SSL whitelist, add it to the SSL whitelist by referring to the product manual.




https://support.huawei.com/enterprise/en/doc/EDOC1000179232/5adf748/url-filtering-does-not-work-on-https-websites
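
The shared-certificate cause in step 4 above can be checked offline before changing the URL filter. The following is an added example, not part of the original post or of Huawei's documentation: it takes the subject alternative names (SANs) of each certificate and reports permitted sites that share a certificate with a blocked name. The certificate labels, hostnames, and the suffix-match blocklist semantics are assumptions made for illustration.

```python
"""Find permitted sites that share a certificate with a blocked domain name."""

# Constructed sample data: certificate labels and hostnames are placeholders.
CERT_SANS = {
    "shared-cert": ["search.example.com", "*.video.example.com", "mail.example.com"],
    "standalone-cert": ["intranet.example.net"],
}
BLOCKLIST = ["video.example.com"]  # assumed semantics: the domain and its subdomains
NEEDED = ["search.example.com", "intranet.example.net", "clips.video.example.com"]


def blocked_by(name, blocklist):
    """Return the blocklist entry covering a DNS name or wildcard SAN, else None."""
    bare = name.lower()
    if bare.startswith("*."):
        bare = bare[2:]
    for entry in blocklist:
        e = entry.lower()
        if bare == e or bare.endswith("." + e):
            return entry
    return None


def san_covers(san, host):
    """Exact match, or a '*.' wildcard that covers exactly one left-most label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host


def collateral_blocks(cert_sans, blocklist, needed_hosts):
    """Map each needed, unblocked host to blocked SANs on a certificate covering it."""
    result = {}
    for host in needed_hosts:
        if blocked_by(host, blocklist):
            continue  # blocked on purpose, so not collateral
        for sans in cert_sans.values():
            if any(san_covers(s, host) for s in sans):
                hits = sorted(s for s in sans if blocked_by(s, blocklist))
                if hits:
                    result.setdefault(host, []).extend(hits)
    return result


if __name__ == "__main__":
    for host, sans in collateral_blocks(CERT_SANS, BLOCKLIST, NEEDED).items():
        print(f"{host}: shares a certificate with blocked name(s) {', '.join(sans)}")
```
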


siopawman Created Dec 11, 2019 02:35:33 Helpful(1)

Thanks for your help, I'll be trying to set this up later today and hopefully this works.

siopawman Created Feb 12, 2020 03:13:56 Helpful(0)

Hi everyone, instead of creating another forum thread I want to add another problem regarding URL filtering, as it is also related to what we are using, which is the Huawei Firewall.

We have tried to use URL filtering on another model, the USG6515E. The URL blocking works, but it also blocks other URLs like "google search", which is used by our major users. Even if we put the URL of Google in the whitelist, the blocking is still in effect on Google. Can you provide me some input on this issue?