HTTPS-Proxy: Domain Names

If your Firebox or XTM device runs Fireware XTM v11.9.4 or higher, you can configure your device to allow or deny access to a site, perform content inspection, or bypass content inspection based on the Domain Names rules you create. To match the pattern in a Domain Names rule against the server name for a connection, the device uses the SNI (Server Name Indication), the certificate common name (CN), or the IP address of the server.

The SNI is the most accurate option because it identifies the actual server name the client requested. A certificate CN is often shared between several services from the same site. For example, many Google services such as YouTube and Google Maps share the same certificate CN. If you block access to YouTube based on the certificate CN, access is also blocked to Google Maps and other services with the same CN. The certificate CN is used only if the SNI is not available.

When you create your domain name rules, make sure to review the HTTPS entries in the traffic log messages for the correct SNI/CN information.

If your Firebox or XTM device runs Fireware XTM v11.9.3 or lower, you can configure the Certificate Names settings to filter content for an entire site. For more information, see the Certificate Names section.

Domain Names and WebBlocker

You can associate a WebBlocker configuration with your HTTPS-proxy to allow, block, or inspect websites based on the WebBlocker category. WebBlocker checks occur only when no Domain Names rule matches and the action to take when no rule matches is Allow. For more information on WebBlocker, see HTTPS-Proxy: WebBlocker.

Domain Names Rule Examples

To deny traffic from any site in the example.com domain, add a Domain Names rule with the pattern *.example.com and set the If matched action to Deny.

To block a connection to the example.com domain, add a Domain Names rule with the pattern *.example.com and set the If matched action to Block. In this case, the user IP address that tries to get access to example.com is blocked for the default time duration of your Blocked Sites configuration. For more information on blocked sites, see About Blocked Sites.

To allow a connection and bypass content inspection for any site in the example.com domain, add a Domain Names rule with the pattern *.example.com and set the If matched action to Allow.

To perform content inspection for any site in the example.com domain, add a Domain Names rule with the pattern *.example.com and set the If matched action to Inspect.

You must enable content inspection and configure Domain Names rules with the Inspect action for content inspection to occur.
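The decision order described above (SNI, then certificate CN, then server IP; a matching Domain Names rule decides the action; WebBlocker is consulted only when nothing matches), as an added Python illustration that is not WatchGuard code. The rule set, hostnames, client and server addresses, and the WebBlocker category lookup are constructed for the example; first-match rule ordering and shell-style wildcard patterns are assumptions.

```python
import fnmatch
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

# Added illustration of the rule evaluation described on this page; not WatchGuard code.
# Assumptions: patterns use shell-style wildcards (as in *.example.com), the first matching
# rule wins, and WebBlocker is consulted only when no Domain Names rule matches and the
# action for unmatched traffic is Allow.


@dataclass
class DomainRule:
    pattern: str  # e.g. "*.example.com"
    action: str   # "Allow", "Deny", "Block", or "Inspect"


@dataclass
class Connection:
    client_ip: str
    server_ip: str
    sni: Optional[str] = None      # Server Name Indication sent by the client
    cert_cn: Optional[str] = None  # certificate common name, used only when SNI is absent


def server_name(conn: Connection) -> str:
    """Prefer the SNI; fall back to the certificate CN, then to the server IP address."""
    return conn.sni or conn.cert_cn or conn.server_ip


def evaluate(conn: Connection, rules, webblocker: Optional[Callable[[str], Optional[str]]] = None,
             none_matched: str = "Allow", blocked_sites: Optional[Set[str]] = None) -> Tuple[str, str]:
    """Return (action, reason). A Block match also records the client IP in blocked_sites."""
    name = server_name(conn).lower()
    for rule in rules:  # first matching Domain Names rule decides
        if fnmatch.fnmatchcase(name, rule.pattern.lower()):
            if rule.action == "Block" and blocked_sites is not None:
                blocked_sites.add(conn.client_ip)  # Block also adds the client to Blocked Sites
            return rule.action, "domain rule " + rule.pattern
    if none_matched == "Allow" and webblocker is not None:  # WebBlocker only when nothing matched
        wb_action = webblocker(name)
        if wb_action is not None:
            return wb_action, "WebBlocker category"
    return none_matched, "no rule matched"


# Constructed sample rule set and a hypothetical stand-in for a WebBlocker category lookup.
RULES = [DomainRule("*.youtube.com", "Deny"), DomainRule("www.google.com", "Deny"),
         DomainRule("*.example.com", "Block")]


def demo_webblocker(name: str) -> Optional[str]:
    return "Deny" if name.endswith(".gambling.test") else None
```

With the SNI present, only the YouTube connection is denied; without it, the shared CN also catches the Google Maps connection, which is the CN caveat described above.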

To configure Domain Names rules:

  1. On the Edit proxy action page, select the Domain Names tab.
    The Domain Names panel expands.
  2. Configure the rule action.
    For more information, see Add, Change, or Delete Rules.
  3. To change settings for another category in this proxy, see the topic for that category.
  4. Click Save.

If you modified a predefined proxy action, when you save the changes you are prompted to clone (copy) your settings to a new action.

For more information on predefined proxy actions, see About Proxy Actions.

Certificate Names

In Fireware XTM OS v11.9.3 and lower, certificate names are used to filter content for an entire site. The Firebox or XTM device allows or denies access to a site if the domain of an HTTPS certificate matches an entry in this list.

For example, to deny traffic from any site in the example.com domain, add a Certificate Names rule with the pattern *.example.com and set the If matched action to Deny.

  1. On the Edit proxy action page, select the Certificate Names tab.
    The Certificate Names panel expands.
  2. Configure the rule action.
    For more information, see Add, Change, or Delete Rules.
  3. To change settings for another category in this proxy, see the topic for that category.
  4. Click Save.

If you modified a predefined proxy action, when you save the changes you are prompted to clone (copy) your settings to a new action.

For more information on predefined proxy actions, see About Proxy Actions.

See Also

About the HTTPS-Proxy
