HTTPS-Proxy: Domain Names

You can configure your device to allow or deny access to a site, perform content inspection, or bypass content inspection based on the Domain Names rules you create. The Firebox matches the pattern in a Domain Names rule against the server name of the connection, which it takes from the SNI (Server Name Indication), the certificate common name (CN), or the IP address of the server.

The SNI is the most accurate option because the client sends it in clear text in the TLS ClientHello and it names the exact host the client requested. A certificate CN is often shared between several services from the same site. For example, many Google services such as YouTube and Google Maps share the same certificate CN. If you block access to YouTube based on the certificate CN, access is also blocked to Google Maps and other services with the same CN. The certificate CN is used if the SNI is not available. Note that the SNI is supplied by the client and is not authenticated by the server, so a rule that matches the SNI acts on the name the client claims to be connecting to.

When you create your domain name rules, make sure to review the HTTPS entries in the traffic log messages for the correct SNI/CN information.

If your Firebox runs Fireware OS v11.9.3 or lower, you can configure the Certificate Names settings to filter content for an entire site. For more information, see the Certificate Names section.

Domain Names and WebBlocker

You can associate a WebBlocker configuration with your HTTPS-proxy to allow, block, or inspect websites based on the WebBlocker category. WebBlocker checks occur only when no Domain Names rule matches the connection and the action for unmatched connections (If no rule is matched) is set to Allow. For more information on WebBlocker, see HTTPS-Proxy: WebBlocker.

Domain Names Rule Examples

To deny traffic from any site in the example.com domain, add a Domain Names rule with the pattern *.example.com and set the If matched action to Deny.

To block a connection to the example.com domain, add a Domain Names rule with the pattern *.example.com and set the If matched action to Block. In this case, the server IP address associated with example.com is blocked for the default time duration of your Blocked Sites configuration. For more information on blocked sites, see About Blocked Sites.

To allow a connection and bypass content inspection for any site in the example.com domain, add a Domain Names rule with the pattern *.example.com and set the If matched action to Allow. A default rule on the Firebox bypasses content inspection and allows connections for WatchGuard services to *.watchguard.com. When you specify a domain in a Domain Names rule, do not include any characters after the domain name. For example, *.example.com/ is not a valid domain name.

To perform content inspection for any site in the example.com domain, add a Domain Names rule with the pattern *.example.com and set the If matched action to Inspect.

For content inspection to occur, you must enable content inspection and either configure Domain Names rules with the Inspect action or use the Inspect action with a WebBlocker category.

Add Domain Names Rules

To add Domain Names rules:

  1. In the HTTPS proxy action configuration, select Domain Names.
    The Rules (simple view) list appears.
  2. Configure the rule action.
    For more information, see Add, Change, or Delete Rules.
  3. To change settings for another category in this proxy, see the topic for that category.
  4. Save the settings.

If you modified a predefined proxy action, when you save the changes you are prompted to clone (copy) your settings to a new action.

For more information on predefined proxy actions, see About Proxy Actions.

Domain Names Rules Order

If multiple Domain Names rules match a domain, the rules are processed in the order they appear in the list and the first matching rule is applied. To change the order of precedence, select a rule, then use the Move Up or Move Down buttons.

In Fireware OS v11.10.x and lower, the strongest action (Deny/Drop/Block > Inspect > Allow) is applied if multiple rules match for a domain.
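The following Python is an added illustration, not Fireware code, that emulates the evaluation described in this topic: which connection identity is matched (SNI, then certificate CN, then server IP), wildcard matching of patterns such as *.example.com, first-match list order versus the strongest-action behaviour of Fireware OS v11.10.x and lower, and rejection of a pattern that carries characters after the domain name. Two details are assumptions made for the example and are not stated on this page: wildcard patterns use glob semantics (so *.example.com does not match the bare name example.com), and only the first available identity is matched against the rules.

```python
"""Emulation of HTTPS-proxy Domain Names rule evaluation.

Added example, not Fireware code. Assumptions not stated in the help page:
- wildcard patterns use glob semantics, so '*.example.com' matches
  'www.example.com' but not the bare name 'example.com';
- the connection identity is the first available of SNI, certificate CN,
  server IP, and only that one value is matched against the rules.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence

ACTIONS = ("Allow", "Inspect", "Deny", "Drop", "Block")
# Strength ranking applied by Fireware OS v11.10.x and lower when several
# rules match: Deny/Drop/Block > Inspect > Allow.
STRENGTH = {"Allow": 0, "Inspect": 1, "Deny": 2, "Drop": 2, "Block": 2}


def valid_domain_pattern(pattern: str) -> bool:
    """A pattern is a host name or a wildcard host name only.

    Anything after the domain name (a path, a port, a scheme) makes it
    invalid, so '*.example.com/' is rejected as the page says.
    """
    if not pattern or any(ch in pattern for ch in "/:?# "):
        return False
    labels = pattern.lower().split(".")
    return all(
        label and all(ch.isalnum() or ch in "-*" for ch in label)
        for label in labels
    )


@dataclass(frozen=True)
class Rule:
    pattern: str
    action: str

    def __post_init__(self) -> None:
        if not valid_domain_pattern(self.pattern):
            raise ValueError(f"invalid Domain Names pattern: {self.pattern!r}")
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action: {self.action!r}")

    def matches(self, name: str) -> bool:
        # Case-insensitive glob match over the whole name (assumed semantics).
        return fnmatchcase(name.lower(), self.pattern.lower())


def connection_identity(sni: Optional[str], cn: Optional[str],
                        ip: Optional[str]) -> str:
    """Pick the value the rules are matched against: SNI, then CN, then IP."""
    for value in (sni, cn, ip):
        if value:
            return value.lower().rstrip(".")
    raise ValueError("connection has no SNI, certificate CN or server IP")


def evaluate(rules: Sequence[Rule], *, sni=None, cn=None, ip=None,
             default: str = "Allow", legacy_strongest: bool = False) -> str:
    """Return the action for one connection.

    legacy_strongest=False: the first matching rule in list order wins.
    legacy_strongest=True : Fireware OS v11.10.x and lower behaviour, the
                            strongest action among all matching rules wins.
    """
    name = connection_identity(sni, cn, ip)
    matched = [rule for rule in rules if rule.matches(name)]
    if not matched:
        return default          # no rule matched: default action applies
    if legacy_strongest:
        return max(matched, key=lambda rule: STRENGTH[rule.action]).action
    return matched[0].action


# Constructed rule set, in the order it would appear in the Rules list.
RULES = (
    Rule("*.watchguard.com", "Allow"),      # the page's default bypass rule
    Rule("*.example.com", "Inspect"),
    Rule("video.example.com", "Deny"),      # shadowed in list order
)

if __name__ == "__main__":
    for conn in ({"sni": "video.example.com"},
                 {"cn": "www.example.com"},          # no SNI, CN is used
                 {"sni": "www.google.com"}):
        print(conn, "->", evaluate(RULES, **conn),
              "| v11.10.x and lower:",
              evaluate(RULES, legacy_strongest=True, **conn))
```

Run as written, the third rule is never reached in list order because *.example.com is matched first, while under the v11.10.x-and-lower ranking the same connection is denied. Moving video.example.com above *.example.com restores the intended Deny for current list-order processing, which is the kind of shadowing to look for when you review the rule order.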

Certificate Names

In Fireware OS v11.9.3 and lower, certificate names are used to filter content for an entire site. The Firebox allows or denies access to a site if the domain of an HTTPS certificate matches an entry in this list.

For example, to deny traffic from any site in the example.com domain, add a Certificate Names rule with the pattern *.example.com and set the If matched action to Deny.

  1. In the HTTPS proxy action configuration, select Certificate Names.
    The Rules (simple view) list appears.
  2. Configure the rule action.
    For more information, see Add, Change, or Delete Rules.
  3. To change settings for another category in this proxy, see the topic for that category.
  4. Save the settings.

If you modified a predefined proxy action, when you save the changes you are prompted to clone (copy) your settings to a new action.

For more information on predefined proxy actions, see About Proxy Actions.

See Also

About the HTTPS-Proxy
