Web filtering allows you to control web access. To limit access to certain types of websites and restrict requests from specific dedicated networks or users, configure URL filtering policies. You can also exempt certain users and IP addresses from filtering, log which requests are allowed and denied, and specify the types of statistics that are generated for the service.
On the Barracuda CloudGen Firewall, you can use the Barracuda URL Filter for web filtering. The Barracuda URL Filter is included for free with a valid Energize Updates subscription. It uses a category database but does not store a local copy of the database on the Barracuda CloudGen Firewall. Instead, every URL is requested through the cloud and the categories for the URLs are stored on the Barracuda CloudGen Firewall.
You can also configure authentication for the web filter and display blocked URL categories with an external HTTP server.
Before You Begin
Verify that the URL-Filter Service is activated. For more information, see How to Assign Services.
Enable the Barracuda Web Filter. For more information, see How to Configure URL Filtering in the Firewall.
Configure Web Filtering
To configure web filtering, complete these steps:
Step 1. Configure Web Filter Settings
You can configure the following settings for the web filter:
URL Filter Policies
Configure each policy to grant or deny access to specific URL categories. To determine the category of a specific website, go to http://www.barracudacentral.org/lookups. A policy can also be restricted to only certain networks and users that access the HTTP Proxy. If a request matches any networks, user groups, or users that are specified in a policy, the policy is applied to it.
Policies are processed in an order that is determined by their name, which must be numerical. For example, a policy named 0000123 will be listed before a policy named 023. If you want to add a policy at the top of the processing list, include leading zeroes in its name.
Policies must include a restriction, which is evaluated in the order of a configured user, an IP/network address, or a group.
By default, an allow listing policy named 999999 is included in the table. This policy cannot be deleted. However, you can edit or clone this policy. If no other policy is configured, this policy will be evaluated in any case.
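The ordering rule above, as an added example (not Barracuda code): it assumes policy names are compared as text, character by character, which is what the page's 0000123-before-023 example implies. The function names and the sample list are hypothetical; the check lists policy pairs whose processing order differs from their numeric order, so a policy expected to run first is not silently placed later.

```python
def processing_order(names):
    """Return policy names in processing order, assuming names compare as text."""
    invalid = [n for n in names if not (n.isascii() and n.isdigit())]
    if invalid:
        raise ValueError(f"policy names must be numerical: {invalid}")
    return sorted(names)


def ordering_surprises(names):
    """List (earlier, later) pairs that are processed in the opposite of numeric order."""
    order = processing_order(names)
    return [
        (first, later)
        for i, first in enumerate(order)
        for later in order[i + 1:]
        if int(first) > int(later)
    ]


# Constructed policy names; 999999 is the default policy named on this page.
SAMPLE = ["999999", "99", "100", "023", "0000123"]

if __name__ == "__main__":
    print("processing order:", processing_order(SAMPLE))
    for first, later in ordering_surprises(SAMPLE):
        print(f"{first} is processed before {later}")
```

An empty result from `ordering_surprises` means the name order and the numeric order agree, which is the case when all names have the same number of digits.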
To create a URL filter policy:
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > Web Filter Config.
Click Lock.
From the Web Filter Type list, select the filter that you want to use.
In the Timeout [s] field, enter the maximum duration of a URL category lookup.
Select the Enable Custom Categories check box.
In the Categorization Policies table, add (click +) or edit your URL filtering policy. For more details on the settings that you can configure for the policy, see Categorization Policy Settings.
To block requests that exceed the user limit of the URL Filter license, select the Block If User Limit Exceeded check box.
To block requests when the URL Filter service is down, select the Block If Service Down check box.
Click Send Changes and Activate.
Deny Message
To inform users that their URL request has been denied, you can either configure an HTML page locally or specify the URL of an external HTTP server that can display the deny message.
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > Web Filter Config
In the left menu, select Deny Message.
Click Lock.
To configure an HTML page locally:
From the Notification Method list, select Message.
In the Displayed Message Text field, configure the HTML page. To display information about the denied request, use the $$MESSAGE$$ variable.
To specify the URL of an external HTTP server for the deny message:
From the Notification Method list, select URL.
In the Displayed URL field, enter the URL of an external HTTP server capable of CGI that will display the deny page. In the URL of the message server, you must specify the server protocol and IP address. The port can be optionally specified. For example: http://msgsrv.com:80
To append information about the denied request, select Yes from the Append Deny Query list.
Click Send Changes and Activate.
Exempt Users and IP Addresses
In the allow list, you can add users or IP addresses that are allowed to bypass the web filter. All page requests from an allow-listed IP address will be delivered regardless of the user and the filter settings. If you want to allow users to bypass the web filter, add them to the Allow Listed Users table. This is especially useful if certain users often switch between networks or have dynamically assigned IP addresses.
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > Web Filter Config.
In the left menu, select Allow Lists.
Click Lock.
In the Allow Listed IPs table, add allow-listed IP addresses.
In the Allow Listed Users table, add allow-listed users.
Click Send Changes and Activate.
Logging and Statistics
You can enable the logging of denied and/or allowed URL requests, and select the types of statistics data that should be generated for the HTTP Proxy URL filter.
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > Web Filter Config.
Click Lock.
To configure logging:
Select Log Policy in the left menu.
To log denied URL requests, select the Log Denied URLs check box.
To log allowed URL requests, select the Log Allowed URLs check box.
To configure statistics:
Select Statistics Policy in the left menu.
Select the check box of each statistics data type that should be generated.
Click Send Changes and Activate.
Additional Scanning with Third Party Software
For additional scanning with third party software products that are installed on the Barracuda CloudGen Firewall (such as virus scanning), you can optionally cascade the redirector.
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > Web Filter Config.
In the left menu, select Cascaded Redirector.
Select Switch to Advanced View from the Configuration Mode menu.
Click Lock.
To specify the cascaded redirector as the primary component in the scanning chain, select the Cascaded is Primary check box. The URL request will be routed through the additional scanner before it is routed through the URL Filter.
In the Cascaded Redirector field, enter the full path to the cascaded redirector in the Barracuda CloudGen Firewall.
Click Send Changes and Activate.
Step 2. Activate the Web Filter
You can limit searches to use Google Safe Search. Google Safe Search is a third-party content filtering solution to make using Google safe for children and users who do not want adult or explicit search results included. For more information on Google SafeSearch, search for "google safesearch" on the Internet and consult the information in one or more of the many articles from Google.
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > HTTP Proxy Settings.
In the left menu, select Web Filter.
Click Lock.
From the Enable Content Filtering list, select Yes.
To activate Google Safe Search for the HTTP Proxy service, select the filtering level from the Google Safe Search list:
Moderate – Default setting. Excludes most explicit images from Google Images results but does not filter ordinary web search results.
Strict – Applies SafeSearch filtering to all search results (i.e. both image search and ordinary web search).
Very Safe Search – Strictest level for limiting search results and potential exposure to graphic content.
If you want to increase the number of simultaneously working redirectors for high-traffic processing:
Select Switch to Advanced View from the Configuration Mode menu.
In the Number of Redirectors field, enter the number of simultaneously working redirectors (default: 5).
Click Send Changes and Activate.
Configure Web Filter Authentication
Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
In the left menu, select Web Security Gateway.
Click Lock.
From the Activate Scheme list, select Yes to start the authentication processes.
In the Server Setting table, add the settings for your web filter servers. For each entry, specify the following settings:
IP Address – The IP address of the web filter server.
Passphrase – The password for the web filter server. (If you are using the Barracuda Web Filter, enter the API Password that is configured on the BASIC > Administration page of the Barracuda Web Filter.)
NOTE: The password can consist of lowercase and uppercase characters, numbers, and non-alphanumeric symbols, except the hash sign (#).
Sync Interval (s) – The synchronization interval between your Barracuda CloudGen Firewall and your web filter.
Click OK.
In the Auto Logout After (d) field, enter the timeout (in days).
If you want to enable extensive logging for maintenance purposes, select Moderate or Full from the Debug Log list.
From the Filter Type list, select the type of authentication that should be synced.
Click Send Changes and Activate.
Display Blocked URL Categories Using an External HTTP Server
For URL filtering with the Barracuda CloudGen Firewall and an external HTTP server, the server must act as a Common Gateway Interface (CGI). The block web page on the external HTTP server must include a parameter to display the reason why the connection was blocked.
Parameters
You can use the following parameters:
category=[1-63], 99 – Indicates which URL categories caused the block (Category 99 indicates that a category was not found).
Other reasons include:
urlfd_not_running – The URL Filter Daemon is not running.
urlfd_read_error – Could not read from URL Filter Daemon.
no_more_memory – The machine is running out of memory.
udp_not_received – Could not receive an answer for the requested URL. Please try later.
filter_timeout – Could not receive an answer for the requested URL. Please try later.
request_not_correct – The proxy has sent an incorrect request.
black_list – This site is on the BLOCK LIST.
no_category – This domain is in no category.
timestamp_not_active – Sorry, but at this time the access is blocked.
user_limit_exeeded – Sorry, but the URL Filter user limit was exceeded.
user – If applicable, the user that requested the blocked website.
peerip – Client IP that requested the blocked website.
url=www.[url].com – The URL of the blocked page.
Examples
Example 1
Example 1 shows how a parameter line that is included in a custom block page can look. In the example, www.msgsrv.com is the external HTTP server displaying the customized block page:
www.msgsrv.com/block_page?filter_timeout&url=www.forbidden.com
www.msgsrv.com/block_page?categories=1,6,35&url=www.forbidden.com
Example 2
Example 2 shows how a blocked URL is displayed together with the user ID and IP address:
}
[category] => 35,67
[urlfilter] => 1
[url] => www.gotomeeting.com
[user] => jdoe
[peerip] => 10.0.10.20
)
request_uri_ /?category=35,67&urlfilter=1&url=www.gotomeeting.com&user=jdoe&peerip=10.0.10.20
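A block-page handler for the parameters and examples above, as an added example (not Barracuda code). It assumes the appended deny query reaches the external server as the CGI query string; the function names are hypothetical. Reason codes are mapped through a fixed table, and url, user and peerip are HTML-escaped because they come from the denied request and must not be written into the page as markup.

```python
import html
import re
from urllib.parse import parse_qs

# Reason codes and their texts, copied from the parameter list on this page.
REASONS = {
    "urlfd_not_running": "The URL Filter Daemon is not running.",
    "urlfd_read_error": "Could not read from URL Filter Daemon.",
    "no_more_memory": "The machine is running out of memory.",
    "udp_not_received": "Could not receive an answer for the requested URL. Please try later.",
    "filter_timeout": "Could not receive an answer for the requested URL. Please try later.",
    "request_not_correct": "The proxy has sent an incorrect request.",
    "black_list": "This site is on the BLOCK LIST.",
    "no_category": "This domain is in no category.",
    "timestamp_not_active": "Sorry, but at this time the access is blocked.",
    "user_limit_exeeded": "Sorry, but the URL Filter user limit was exceeded.",
}
CATEGORY_LIST = re.compile(r"\d{1,3}(,\d{1,3})*")  # for example "35,67"

def parse_deny_query(query):
    """Parse the appended deny query into a dict of validated fields."""
    fields = parse_qs(query, keep_blank_values=True)  # keeps bare keys such as filter_timeout
    def first(key):
        return fields.get(key, [""])[0]
    # The page's examples show both "category=" and "categories="; accept either.
    raw = first("category") or first("categories")
    return {
        "reason": next((k for k in fields if k in REASONS), None),
        "categories": [int(c) for c in raw.split(",")] if CATEGORY_LIST.fullmatch(raw) else [],
        "url": first("url"),
        "user": first("user"),
        "peerip": first("peerip"),
    }

def render_block_page(query):
    """Build the deny page; request-derived values are escaped before output."""
    info = parse_deny_query(query)
    if info["reason"]:
        why = REASONS[info["reason"]]  # fixed text, never echoed from the query
    elif info["categories"]:
        why = "Blocked URL categories: " + ", ".join(map(str, info["categories"]))
    else:
        why = "The request was denied."
    rows = "".join(
        f"<li>{label}: {html.escape(info[key])}</li>"
        for label, key in (("URL", "url"), ("User", "user"), ("Client IP", "peerip"))
        if info[key]
    )
    return f"<html><body><h1>Access denied</h1><p>{html.escape(why)}</p><ul>{rows}</ul></body></html>"
```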
Categorization Policy Settings
The following table provides more detailed descriptions for settings that you can configure for URL Filter Policies.
Section | Settings
---|---
Categorization Policy Configuration |
Domain Exceptions Handling |
Network and User Restrictions | When configuring additional policies network and user restrictions must be set or the policies will never match. If values have been specified for all three parameters in the Network and User Restrictions section, they will be linked with OR, and access to a requested URL will be granted or denied according to the default policy and based on the first value applying.
Time Settings |