Chapter 4 Firewall

used to determine whether a Web site may be accessed or not. You must specify all rules to permit or block access to specific Web sites.

Web Filter Service is a subscription service that provides filtering based on classifications of Web sites. Web sites are classified into Core Categories or Productivity Categories. You control Web site access by permitting or blocking access to these categories.

If you apply both types of filtering, custom filters take precedence over Web Filter category filters. Therefore, you can use a custom filter to override the Web Filter Service for a particular web site.

Note: For the X family device to use Web filtering, you must set up a firewall rule with an action of “Web Filter.” This rule must be positioned in the firewall rule table to ensure it matches the web traffic before any other rule that would also allow Web traffic (a “permit LAN==>WAN ANY” rule, for example). For more information about firewall rules, see “How Firewall Rule Enforcement Works” on page 64.

On the X family device, user authentication can be implemented in conjunction with firewall rules to allow selected users to bypass web filtering. User authentication is a method of verifying the identity of a user and associating the user with privilege rights configured on the device. For example, if you want to allow a certain group of users unrestricted access to all Web sites, you can assign those users to a Privilege Group with access rights to bypass web filtering. For details, see “How Local User Authentication Works: RADIUS, Privilege Groups and X.509 Certificates” on page 251.

For additional information, see the following topics:

“How Web Filtering Works” on page 86

“How Local User Authentication Works: RADIUS, Privilege Groups and X.509 Certificates” on page 251

“Setting Up Web Filtering” on page 87

“Custom Filter List” on page 92

“Web Filter Service” on page 90

“Web Filter Service” on page 281

How Web Filtering Works

The following description provides an overview of how a client request is handled by the X family device for Web filtering.

STEP 1 The browser forms a connection to the desired web site. It then issues an HTTP GET request over the connection. The device inspects the session header of the request and identifies the IP address of the PC running the web browser.

STEP 2 The device checks whether there is a user logged in from this PC with Bypass web filtering as a user privilege. If so, the request is served and access is permitted.

STEP 3 The device checks whether the Custom Filter list options are enabled. If so, it checks the Custom Filter URL Permit List for a pattern match. If there is a match, the request is served and access is allowed.

STEP 4 If there is no match in the URL Permit List, the device checks the URL Block List for a pattern match. If there is a match, the filter blocks the request.
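The check order in steps 2 to 4 can be modelled offline to review a filter configuration before it is deployed. This is an added example, not code from the guide or from the device. The glob-style pattern syntax, the host/path URL form, the addresses, the list entries and the function names are all assumptions, and the CONTINUE verdict stands for whatever checks follow step 4.

```python
from fnmatch import fnmatchcase

# Constructed sample configuration (assumptions, not values from the guide).
BYPASS_IPS = {"192.168.1.50"}  # PCs whose logged-in user has "Bypass web filtering"
PERMIT_LIST = ["intranet.example.com/*", "*.example.org/docs/*"]
BLOCK_LIST = ["*.example.org/*", "games.example.net/*"]


def first_match(url, patterns):
    """Return the first pattern matching url, or None (glob matching is an assumption)."""
    url = url.lower()
    for pattern in patterns:
        if fnmatchcase(url, pattern.lower()):
            return pattern
    return None


def evaluate(src_ip, url, custom_enabled=True):
    """Apply steps 2-4 in order and return (verdict, reason)."""
    # Step 2: the privilege is tied to the PC's IP address identified in step 1,
    # so every request from that address is served while the user is logged in.
    if src_ip in BYPASS_IPS:
        return ("PERMIT", "bypass privilege for " + src_ip)
    if custom_enabled:
        # Step 3: the Permit List is consulted first, so it wins over the Block List.
        hit = first_match(url, PERMIT_LIST)
        if hit:
            return ("PERMIT", "permit list: " + hit)
        # Step 4: the Block List is reached only when no permit pattern matched.
        hit = first_match(url, BLOCK_LIST)
        if hit:
            return ("BLOCK", "block list: " + hit)
    # No custom filter decision; later checks are outside the steps modelled here.
    return ("CONTINUE", "no custom filter decision")


def shadowed_blocks(urls):
    """URLs that match a block pattern but are served because a permit pattern matched first."""
    return [u for u in urls
            if first_match(u, PERMIT_LIST) and first_match(u, BLOCK_LIST)]


if __name__ == "__main__":
    samples = ["www.example.org/docs/a.html", "www.example.org/video",
               "games.example.net/play", "news.example.com/"]
    for ip in ("192.168.1.10", "192.168.1.50"):
        for url in samples:
            print(ip, url, evaluate(ip, url))
    print("permit overrides block for:", shadowed_blocks(samples))
```

Running `shadowed_blocks` over a sample of proxy or firewall log URLs shows where a broad permit pattern silently overrides a block entry.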

86 X Family LSM User’s Guide V 2.5.1