5.14. HTTPS Filter
The HTTPS filter module is used for filtering HTTP over SSL, including IP address, net address, server side certificate, SSL version and so on. Following shows a [HTTPS Filter Config] dialog:
- Select a group which you want to configure in list [Group].
- Fill the edit blanks, select a policy, and then press <Add>.
- Select an item in the list, press <Up> or <Down> to adjust the order of the filters.
- Select an item in the list, right click the mouse and press [Delete] in the popup menu to delete the item.
- Add IP filtering: select [IP] tab, input IP address, select a policy and then press <Add>.
- Add subnet filtering: select [Net] tab, input a network number and a length of mask, select a policy, and then press <Add>.
- [Cert]: in the [Cert] tab, input a certificate into [Cert] blank, select a policy, and then press <Add>. When the computers in this group visit a server which certificate matches this item, the policy will be applied. [Cert] filter applies wildcard match.
- [Deny https proxy tunnel]: When selecting this option, it will ban the users from using https tunnel. Only the standard HTTPS protocol can pass through.
- [Deny server without certificate]: When selecting this option, it will ban the users from visiting a server which use the standard SSL protocol but has no certificate.
- [Disable SSL 2.0]: When selecting this option, it will ban the users from using SSL version 2.0 protocol.
- [Disable SSL 3.0]: When selecting this option, it will ban the users from using SSL version 3.0 protocol.
- [Disable TLS 1.0]: When selecting this option, it will ban the users from using TLS version 1.0 protocol.
- Press <OK> or <Cancel>.
- [Subnet]: CIDR network prefix presentation (RFC 1878) is used for recording IP address. For example, a network address 126.96.36.199, with its mask 255.255.255.0, can be recorded as 188.8.131.52/24; a network address 184.108.40.206, with its mask 255.255.0.0, can be recorded as 220.127.116.11/16; a network address 192.168.0.0, with its mask 255.255.255.240, can be recorded as 192.168.0.0/28, etc.
- The order of IP/Net filtering is from narrow to wide range. For example, IP "18.104.22.168" policy is "Pass", and subnet "22.214.171.124/24" policy is "Deny", which means that the only IP "126.96.36.199" can be passed in the subnet "188.8.131.52/24", all the other IP addresses are denied.
- [Cert] filters are running in the order of top-down and apply wildcard match. For example, in the first policy (certificate is "*.paypal.*", policy is "Deny"), in the second policy (certificate is "*", policy is "Pass Record"), it means all the servers which certificate match "*.paypal.*" will be denied, and the other servers will be passed and recorded.
|Tip: Since HTTPS is the most common protocol on the Internet, many software go through HTTPS tunneling to contact with outside in order to transpierce a firewall. Please enable the option [Deny https proxy tunnel] and [Deny server without certificate] to deny https tunnel.
Active Network CO., Ltd