The administrator can use content filtering rules to allow or block certain content transmitted using the HTTP or HTTPS protocols (HTTPS inspection needs to be configured in the latter case). In addition, the NGFW can block HTTPS traffic without decrypting the content, but only when the blocking rule is based on NGFW URL filtering content categories or on URL lists that contain host names only. In these cases the NGFW determines the domain from the SNI (Server Name Indication) in the user's request and, if no SNI is present, from the host value in the SSL certificate.
You can use the following as conditions for a rule:
- Users and groups
- Specific words and phrases (morphology) present on the webpage
- Website category
- URL
- Source zone and IP address
- Destination zone and IP address
- Content type
- Referrer information
- Time
- Useragent of the user's browser
- HTTP method
To create a content filtering rule, click Add in the Security Policies ➜ Content Filtering section and specify the required parameters.
| Name | Description |
|---|---|
| Enabled | Enables or disables the rule. |
| Name | The name of the rule. |
| Description | A description of the rule. |
| Action | Deny: blocks the web page. Warn: warns the user that the page is undesirable to visit. It is up to the user to decide whether to visit the page or not. If they do proceed to the page, the visit is logged. Allow: allows the visit. |
| Enable logging | If this is enabled, instances of the rule being triggered will be recorded in the corresponding statistics log. |
| UserGate stream virus check | Available only for rules with the Deny action, i.e. if a virus is found on the page, the resource is blocked. If the rule has other conditions (categories, time, etc.), the virus check will be done only when all conditions are matched. |
| Scenario | The scenario that must be active for the rule to be triggered. For more details on how scenarios work, see the Scenarios section. Important! A scenario is an additional condition. If the scenario was not triggered (one or more scenario triggers did not occur), the rule will not be triggered. |
| Blocking page | Specifies the block page that will be shown to the user when their access to the resource is blocked. You can use an external page by selecting Use external URL, or specify the NGFW block page. In the latter case, you can select the desired block page template, which can be created in the Response Pages section. |
| Source | The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source. The URL list must include only domain names. Every 5 minutes UserGate resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically updates the IP address value. Important! The maximum number of GeoIPs that can be specified is limited to 15. Important! The traffic processing logic is as follows: |
| Destination | The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic destination. The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value. Important! There is a limit on the number of GeoIPs that can be specified: no more than 15. Important! The traffic processing logic is as follows: |
| Users | The list of users and user groups to which this rule is applied. The Any, Unknown, and Known user types can be used. To apply rules to specific users or Known users, user identification needs to be configured. For more details on user identification, see the Users and Devices chapter. |
| Categories | UserGate URL Filtering 4.0 category lists. To use URL categories, an appropriate license is required. UserGate URL Filtering 4.0 is a massive database of web resources classified for convenience into 72 categories. The administrator can control access to categories such as pornography, malicious websites, online casinos, gaming and entertainment websites, social networks, and many others. Important! Starting with UserGate version 5.0.6R6, the administrator can override the category of any website that, in their opinion, has been assigned an incorrect category or no category at all. For more details on overriding a website's category, see the Requests for White List section. Important! Blocking by website category can be applied to HTTPS traffic without decrypting it, but then no block page is shown. |
| URL | URL lists. If you have the corresponding license, various URL lists maintained by the UserGate developer team are available to you, such as UserGate's "Black list" and "White list", "Black list of Phishing sites", and "List of search engines without safesearch capability". Administrators can also create custom URL lists. For more details on working with URL lists, see the URL Lists chapter. Important! Blocking by URL lists can be applied to HTTPS traffic without decrypting it if the lists contain only host (domain) names, but then no block page is shown. |
| Content types | The content type lists. Video, audio, images, executables, and other types of content can be controlled. Administrators can also create custom content type groups. For more details on working with content types, see the Content Types chapter. |
| Morphology | The list of morphological dictionary databases that will be used to check webpages. If you have the corresponding license, various dictionaries maintained by UserGate are available to you, including dictionaries on topics such as "Suicide", "Terrorism", "Pornography", "Profanity", "Gambling", "Drugs". The dictionaries are available in Russian, English, German, Japanese, and Arabic. Administrators can also create custom dictionaries. For more details on working with morphological dictionaries, see the Morphology chapter. |
| Time | The time when this rule will be active. The administrator can add the required time period in the Time Sets section. |
| Useragent | The user browser useragents for which this rule will be applied. The administrator can add the desired useragents in the Browser Useragent section. |
| HTTP method | The method used in HTTP requests, usually POST or GET. |
| Referrers | The list of referrer URLs for the current page. The rule will be triggered if the referrer URL for the page matches the list. This functionality offers a convenient way to allow access to CDNs (content delivery networks) only when specific websites are visited but not when users try to open CDN content directly. |
| Usage | The trigger statistics for the rule: the total trigger count and the time of the first and last trigger. Important! If inspection of data transmitted over TLS/SSL is configured and the Default allow content filtering rule created by default is triggered, the counter increments only for the SSL inspection rule. To reset the trigger count, select the rules in the list and click Reset hit counts. |
| History | The time the rule was created and last changed as well as the related event log entries, such as rule added, rule updated, rule list position changed etc. |