WebBlocker could deny connections to a website that is necessary for your business, based on the website category. To override WebBlocker, you can define a website usually denied by WebBlocker as an exception.
For example, suppose employees in your company frequently use websites that contain medical information. WebBlocker could deny connections to some of these websites because they fall into the sex education category. To override WebBlocker, you specify the website domain name. You can also deny sites that WebBlocker usually allows.
WebBlocker exceptions apply only to HTTP and HTTPS traffic. When WebBlocker denies connections to a site, the site is not automatically added to the Blocked Sites list.
To add WebBlocker exceptions, see Configure WebBlocker Exceptions.
Define the Action for Sites that do not Match Exceptions
In the WebBlocker action page, on the Exceptions tab, below the list of exception rules, you can configure the action to occur if the URL does not match the exceptions you configure. By default, the Use the WebBlocker category list to determine accessibility option is selected, and WebBlocker compares sites against the categories you selected on the Categories tab to determine accessibility.
To use exception rules to restrict website access instead of the categories, select Deny website access.
Select this option to send an alarm when the Firebox denies a WebBlocker exception. To set parameters for the alarms, select the Alarm tab. For information on the Alarm tab options, see Set Logging and Notification Preferences.
Log this action
Select this option to send a message to the log file when the Firebox denies a WebBlocker exception.
Many websites include references to content located on other sites, or use a content delivery network (CDN) to host content. Users might not see a deny message in the web browser when WebBlocker denies access to referenced content. If you select the Deny website access option, select the Log this action check box so that you can see log messages about denied URLs in Traffic Monitor. If users report problems with missing content on an allowed website, you can look at the log messages to see if you need to add another exception to allow the referenced content.
Components of Exception Rules
Exception rules are based on IP addresses or a pattern based on IP addresses. You can have the Firebox allow or deny a URL with an exact match. Usually, it is more convenient to have the Firebox look for URL patterns. The URL patterns do not include the leading "http://". To match a URL path on all websites, the pattern must have a trailing “/*”.
The host in the URL can be the host name specified in the HTTP request, or the IP address of the server.
Network addresses are not supported, but you can use subnets in a pattern (for example, 10.0.0.*).
For servers on port 80, do not include the port. For servers on ports other than 80, add “:port”, for example: 10.0.0.1:8080. You can also use a wildcard for the port (for example, 10.0.0.1:*), but this does not apply to port 80.
Exceptions with Part of a URL
You can create WebBlocker exceptions with any part of a URL. You can set a port number, path name, or string that must be denied for a specific website. For example, if it is necessary to deny only www.sharedspace.com/~dave because it has inappropriate photographs, you type “www.sharedspace.com/~dave/*”. This gives the users the ability to browse to www.sharedspace.com/~julia, which could contain content you want your users to see.
To deny URLs that contain the word “sex” in the path, you can type “*/*sex*”. To deny URLs that contain “sex” in the path or the host name, type “*sex*”.
You can deny ports in a URL. For example, look at the URL http://www.hackerz.com/warez/index.html:8080. This URL has the browser use the HTTP protocol on TCP port 8080 instead of the default method that uses TCP 80. You can deny the port by matching *8080.
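Before you deploy a pattern, it helps to check which URLs it would catch. The following is an added example, not WatchGuard code and not the Firebox's matcher: it approximates the rules above, assuming that "*" matches any run of characters (including "/" and ":") and that matching is case-sensitive. The function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def normalize(url):
    """Rewrite a URL the way patterns are written: no scheme, no port for port 80."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    # Assumption: only ports other than 80 appear in the string that is matched.
    if parts.port not in (None, 80):
        host += ":%d" % parts.port
    return host + (parts.path or "/")

def matches(pattern, url):
    """True if the whole normalized URL fits the pattern."""
    # Assumption: '*' spans any characters and matching is case-sensitive.
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, normalize(url), re.S) is not None

def audit(pattern, urls):
    """List the URLs a candidate exception would catch, to expose over-matching."""
    return [u for u in urls if matches(pattern, u)]

# Constructed sample URLs (not taken from any real log).
SAMPLE_URLS = [
    "http://www.sharedspace.com/~dave/photos.html",
    "http://www.sharedspace.com/~julia/index.html",
    "http://essex-clinic.example/appointments",   # "sex" in the host name only
    "http://health.example/sexual-health/faq",    # "sex" in the path
    "http://10.0.0.1/admin",                      # port 80, so no port in the string
    "http://10.0.0.1:8080/admin",
]

if __name__ == "__main__":
    for pattern in ("www.sharedspace.com/~dave/*", "*/*sex*", "*sex*", "10.0.0.1:*"):
        print(pattern, "->", audit(pattern, SAMPLE_URLS))
```

In this sample set, “*sex*” also catches the clinic site because the string appears in its host name, while “*/*sex*” is limited to the path.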