7.4. URL Filtering

URL Filtering is a service that controls access to websites in accordance with the policies of the customer.

Note

  • URL filtering is used via Service Interconnectivity. You need to apply separately for Service Interconnectivity.
  • URL Filtering filters communication from the client (VPN) to the Server Segments targeted for protection.

7.4.1. Available Features

You can use the following features in URL Filtering.
| Feature | Overview |
| --- | --- |
| URL filtering | A feature that controls website access by either issuing a warning or blocking websites according to website categories supplied by URL filtering. |

7.4.2. URL Filtering Feature

The protocol targeted for URL filtering detection is HTTP.

Note

  • HTTPS communication is determined based on the URL in the Common Name of the server certificate.
Configuring Category Operations
With URL filtering, websites targeted for control are divided in advance into categories and registered, and you can choose a warning or blocking operation for each category. The content of the warning and blocking processes is shown below.
| Item | Process | Information Recorded in Logs |
| --- | --- | --- |
| Allow | Allows communication. | None |
| Alert | Allows communication. | URL of access-restricted website |
| Continue | If users access websites that are registered in those categories, a warning screen indicating that they have accessed a restricted website is displayed. If users click the “Continue” button on the displayed warning screen, they can access the website in question. | URL of access-restricted website |
| Block | If users access websites that are registered in those categories, a screen indicating that they have accessed a restricted website is displayed and the website is blocked. The user cannot access the relevant website. | URL of access-restricted website |

Configuring Controlled Websites
As needed, you can add or delete the websites targeted for control that are registered in each category.
| Feature | Overview |
| --- | --- |
| Allowed URL (White list) | From the group of websites that are registered to categories that are set as “Continue” or “Block”, you can specify URLs as an exception and allow access. A maximum of 100 URLs can be registered. |
| Prohibited URL (Blacklist) | From the group of websites that are registered to categories that are set as “Allow” or “Alert”, you can specify URLs as an exception and prohibit access (block). You can register a URL that is not registered in any category and prohibit access (block). A maximum of 100 URLs can be registered. |
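
The category actions and the allowed/prohibited exceptions above can be modelled as one decision function, which also reflects the HTTPS behaviour described in the Note and under Important Points. This is an added example, not code from NTT Communications or from the devices behind the service; the Policy class, exact host-level matching, the sample categories and .example hosts, and the default of allowing uncategorized sites are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MAX_LIST_ENTRIES = 100                    # page: at most 100 URLs per list
LOGGED = {"Alert", "Continue", "Block"}   # actions that record the URL in logs
SCREEN = {"Continue": "warning screen", "Block": "block screen"}

@dataclass
class Policy:
    category_action: dict                 # category -> Allow/Alert/Continue/Block
    site_category: dict                   # host -> category (constructed stand-in)
    allowed: set = field(default_factory=set)      # Allowed URL (white list)
    prohibited: set = field(default_factory=set)   # Prohibited URL (blacklist)

    def __post_init__(self):
        for name in ("allowed", "prohibited"):
            if len(getattr(self, name)) > MAX_LIST_ENTRIES:
                raise ValueError(f"{name} list exceeds {MAX_LIST_ENTRIES} URLs")

    def decide(self, url, cert_cn=None):
        """Return (action, screen shown to the user, URL recorded in logs?)."""
        parts = urlsplit(url)
        https = parts.scheme == "https"
        # HTTPS is judged on the certificate Common Name, HTTP on the request host.
        key = (cert_cn or parts.hostname) if https else parts.hostname
        base = self.category_action.get(self.site_category.get(key))
        if base in ("Continue", "Block") and key in self.allowed:
            action = "Allow"              # white-list exception
        elif base in ("Allow", "Alert", None) and key in self.prohibited:
            action = "Block"              # blacklist exception, incl. uncategorized
        else:
            action = base or "Allow"      # assumption: uncategorized is allowed
        screen = SCREEN.get(action)
        if https and screen:
            screen = "browser error"      # page: no warning/block screen on HTTPS
        return action, screen, action in LOGGED

# Constructed sample policy and sites (not real categories or domains).
POLICY = Policy(
    category_action={"gambling": "Block", "social": "Continue",
                     "news": "Alert", "business": "Allow"},
    site_category={"casino.example": "gambling", "partner.example": "gambling",
                   "chat.example": "social", "daily.example": "news",
                   "corp.example": "business"},
    allowed={"partner.example"},
    prohibited={"daily.example", "unlisted.example"},
)
```

Calling `POLICY.decide(url)` for each planned list entry before registering it shows which entries actually change the outcome and which are redundant with the category action.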

Routing Settings
Only communication via URL Filtering is targeted for detection. When you use URL Filtering, please set the following routing.
  • The communication addressed to Server Segments targeted for detection is set so that it is routed by vFirewall/Integrated Network Appliance to the Service Interconnect Gateway used for URL Filtering.
  • The communication from the Virtual Machine is set so that it is routed by the Virtual Machine on the Server Segment targeted for detection to the Service Interconnect Gateway used for URL Filtering.
  • If you perform Ping monitoring on the Virtual Machine, you will require an additional Server Segment for direct connection between vFirewall/Integrated Network Appliance and the Virtual Machine.

Note

  • Please do not connect the Server Segments targeted for detection directly to vFirewall/Integrated Network Appliance.
Analysis Capacity
The traffic volume that can be analyzed by URL Filtering is shown below.
| Item | Performance: Per service | Performance: Maximum (5 services used) | Remarks |
| --- | --- | --- | --- |
| Traffic Processing Capacity | 200 Mbps | 1 Gbps | The total value of uplink and downlink. |
| Number of concurrent sessions | 40,000 | 200,000 | The number of sessions that can be connected simultaneously. |

Note

  • You can increase the traffic volume up to 1 Gbps and 200,000 sessions (when 5 services are used) by applying for additional services. When using more than 2 services, please contact each NTT Communications affiliate beforehand.

7.4.3. Important Points

Used IP Addresses
  • In order to connect the Service Interconnect Gateway with URL Filtering, you must have two IP address blocks available. If the IP address block is already being used, we might ask you to change it.
  • NTT Communications will manage the assigned IP address blocks, and assign IP addresses to the devices that require them.
Restrictions
  • When the actual traffic volume exceeds the contracted traffic volume, the excess traffic might be discarded.

  • When the URL in the Common Name of the server certificate matches a URL categorized as Block/Continue, the blocking/warning screen is not displayed (it is displayed as a browser error).

  • When you select “Continue” as the action for a website category:

    • When you use a proxy server, the “Continue” action is applied only to the communication from the client (VPN) to the proxy server. For security reasons, it is not applied to the communication from the proxy server to the Internet.
    • Please add the IP address blocks of the target server segment to the proxy exception setting of a client browser. Otherwise, a warning screen will not be displayed.
    • Please set vFirewall/Integrated Network Appliance so that the communication addressed to port 6080 of the proxy server passes through it.
    • You cannot use port 6080 for service communication which goes through URL Filtering, because port 6080 is used to display a warning screen.
  • Packets that break TCP/UDP/IP protocol rules, or otherwise abnormal packets, are discarded as a standard function regardless of the customer’s configuration.

    (Examples)

    • When the IP header is cut off in the middle
    • When the Port number is 0 (zero)
    • When the TCP flag combination is abnormal, and other such cases
  • If devices making up this feature are replaced due to malfunction etc., you will not be able to check device logs or event reports from prior to the replacement via the Security Web Portal. In addition, if the regular server and the standby server are switched for a redundantly configured device and they are restored without replacing the device, you cannot check the log or the event reports for the period during which the switching occurred from the Security Web Portal.

  • URL Filtering does not guarantee that the URL filtering feature has integrity or accuracy, or is suitable for your use. Furthermore, the suitability of the URL identification algorithms provided by the developers or distributors of the devices making up the URL Filtering feature is not guaranteed.

  • The following information might be provided to the developers or distributors of the devices making up the URL Filtering feature.

    • Configuration information obtained from providing URL filtering
    • Information concerning controls etc., for URL filtering
  • We cannot guarantee recovery from failures that might occur due to incompatibility between URL Filtering and your environment, or failures that occur due to your operations other than those specified by NTT Communications.

  • There may be times when the customer’s environment is affected by maintenance services. Advance notice will be sent when the customer’s environment might be affected. This does not apply when we judge the maintenance work to be urgent in order to continue the service.