It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure URL Filtering in the HTTP Proxy

  • Last updated on

Web filtering allows you to control web access. To limit access to certain types of websites and restrict requests from specific dedicated networks or users, configure URL filtering policies. You can also exempt certain users and IP addresses from filtering, log which requests are allowed and denied, and specify  the types of statistics that are generated for the service. 

On the Barracuda CloudGen Firewall, you can use the Barracuda URL Filter for web filtering. The Barracuda URL Filter is included for free with a valid Energize Updates subscription. It uses a category database but does not store a local copy of the database on the Barracuda CloudGen Firewall. Instead, every URL is requested through the cloud and the categories for the URLs  are stored on the Barracuda CloudGen Firewall.

You can also configure authentication for the web filter and display blocked URL categories with an external HTTP server.

Before You Begin

Verify that the URL-Filter Service is activated. For more information, see How to Assign Services.

Enable the Barracuda Web Filter. For more information, see How to Configure URL Filtering in the Firewall.

Configure Web Filtering

To configure web filtering, complete these steps:

Step 1. Configure Web Filter Settings

You can configure the following settings for the web filter:

URL Filter Policies

Configure each policy to grant or deny access to specific URL categories. To determine the category of a specific website, go to http://www.barracudacentral.org/lookups. A policy can also be restricted to only certain networks and users that access the HTTP Proxy. If a request matches any networks, user groups, or users that are specified in a policy, the policy is applied to it.

Policies are processed in an order that is determined by their name, which must be numerical. For example, a policy named 0000123 will be listed before a policy named 023. If you want to add a policy at the top of the processing list, include leading zeroes in its name.

By default, an allow listing policy named 999999 is included in the table. You can edit, clone, or delete this policy.

To create an URL filter policy:

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > Web Filter Config.
  2. Click  Lock.
  3. From the Web Filter Type list, select the filter that you want to use.
  4. In the Timeout [s] field, enter the maximum duration of a URL category lookup.
  5. Select the Enable Custom Categories check box.
  6. In the Categorization Policies table, add (click +) or edit your URL filtering policy. For more details on the settings that you can configure for the policy, see Categorization Policy Settings.

    Always set Network and User Restrictions or additional policies network and user restrictions must be set or the policies will never match.

  7. To block requests that exceed the user limit of the URL Filter license, select the Block If User Limit Exceeded check box.
  8. To block requests when the URL Filter service is down, select the Block If Service Down check box.
  9. Click Send Changes and Activate.
Deny Message

To inform users that their URL request has been denied, you can either configure an HTML page locally or specify the URL of an external HTTP server that can display the deny message.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > Web Filter Config
  2. In the left menu, select Deny Message.
  3. Click Lock.
  4. To configure an HTML page locally:
    1. From the Notification Method list, select Message.
    2. In the Displayed Message Text field, configure the HTML page. To display information about the denied request, use the $$MESSAGE$$ variable.
  5. To specify the URL of an external HTTP server for the deny message:
    1. From the Notification Method list, select URL.

    2. In the Displayed URL field, enter the URL of an external HTTP server capable of CGI that will display the deny page. In the URL of the message server, you must specify the server protocol and IP address. The port can be optionally specified. For example, http://msgsrv.com:80.
    3. To append information about the denied request, select Yes from the Append Deny Query list.
  6. Click Send Changes and Activate.
Exempt Users and IP Addresses

In the allow list, you can add users or IP addresses that are allowed to bypass the web filter. All page requests from this IP address will be delivered regardless from the user and the filter settings. If you want to allow users to bypass the web filter, add them to the Allow Listed Users table. This is especially useful if certain users often switch between networks of have dynamically assigned IP addresses.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > Web Filter Config.
  2. In the left menu, select Allow Lists.
  3. Click Lock.
  4. In the Allow Listed IPs table, add allow-listed IP addresses.
  5. In the Allow Listed Users table, add allow-listed users.
  6. Click Send Changes and Activate.
Logging and Statistics

You can enable the logging of denied and/or allowed URL requests, and select the types of statistics data that should be generated for the HTTP Proxy URL filter.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > Web Filter Config.
  2. Click Lock.
  3. To configure logging:
    1. Select Log Policy in the left menu.
    2. To log denied URL requests, select the Log Denied URLs check box.
    3. To log allowed URL requests, select the Log Allowed URLs check box.
  4. To configure statistics:
    1. Select Statistics Policy in the left menu.
    2. Select the check box of each statistics data type that should be generated.
  5. Click Send Changes and Activate.
Additional Scanning with Third Party Software

For additional scanning with third party software products that are installed on the Barracuda CloudGen Firewall (such as virus scanning), you can optionally cascade the redirector.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > Web Filter Config.
  2. In the left menu, select Cascaded Redirector.
  3. Select Switch to Advanced View from the Configuration Mode menu.
  4. Click Lock.
  5. To specify the cascaded redirector as the primary component in the scanning chain, select the Cascaded is Primary check box. The URL request will be routed through the additional scanner before it is routed through the URL Filter.
  6. In the Cascaded Redirector field, enter the full path to the cascaded redirector in the Barracuda CloudGen Firewall.
  7. Click Send Changes and Activate.
Step 2. Activate the Web Filter

You can limit searches to use Google Safe Search. Google Safe Search is a third party content filtering solution to make using Google safe for children and users who do not want adult or explicit search results included. For more information on Google SafeSearch, search for "google safesearch" on the Internet and consult the information in one or more of the many articles from Google.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > HTTP Proxy Settings.
  2. In the left menu, select Web Filter.
  3. Click Lock.
  4. From the Enable Content Filtering list, select Yes

  5. To activate Google Safe Search for the HTTP Proxy service, select the filtering level from the Google Safe Search list:

    • Moderate – Default setting. Excludes most explicit images from Google Images results but does not filter ordinary web search results.
    • Strict – Applies SafeSearch filtering to all search results (i.e. both image search and ordinary web search).
    • Very Safe Search – Strictest level for limiting search results and potential exposure to graphic content.
  6. If you want to increase the number of simultaneously working redirectors for high traffic processing: 
    1. Select Switch to Advanced View from the Configuration Mode menu.
    2. In the Number of Redirectors field, enter the number of simultaneously working redirectors (default: 5).

      If you change the default value for the Number of Redirectors setting, specify the same value for the Max URL Filter Processes setting for the URL Filter service.
  7. Click Send Changes and Activate.

Configure Web Filter Authentication

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
  2. In the left menu, select Web Security Gateway.
  3. Click Lock.
  4. From the Activate Scheme list, select Yes to start the authentication processes.
  5. In the Server Setting table, add the settings for your web filter servers. For each entry:
    1. Specify the following settings:
      • IP Address – The IP address of the web filter server.
      • Passphrase – The password for the web filter server. (If you are using the Barracuda Web Filter, enter the API Password that is configured on the BASIC > Administration page of the Barracuda Web Filter.)

        The password can consist of small and capital characters, numbers, and non alpha-numeric symbols, except the hash sign (#).

      • Sync Interval (s) – The synchronization interval between your Barracuda CloudGen Firewall and your web filter.
    2. Click OK.
  6. In the Auto Logout After (d) field, enter the timeout (in days).
  7. If you want to enable extensive logging for maintenance purposes, select Moderate or Full from the Debug Log list.
  8. From the Filter Type list, select the type of authentication that should be synced.

    If you change the default value for the Number of Redirectors setting, specify the same value for the Max URL Filter Processes setting for the URL Filter service.
  9. Click Send Changes and Activate.
Display Blocked URL Categories Using an External HTTP Server

For URL filtering with the Barracuda CloudGen Firewall and an external HTTP server, the server must act as Common Gateway Interface (CGI). The block web page on the external HTTP server must include a parameter to display the reason why the connection was blocked.

Parameters

You can use the following parameters:

category=[1-63], 99 – Indicates which URL categories caused the block (Category 99 indicates that a category was not found).

Other reasons include:

  • urlfd_not_running – The URL Filter Daemon is not running.
  • urlfd_read_error – Could not read from URL Filter Daemon.
  • no_more_memory – Machine is running out of memory.
  • udp_not_received – Could not receive an answer for the requested URL. Please try later.
  • filter_timeout – Could not receive an answer for the requested URL. Please try later.
  • request_not_correct – The proxy has sent an incorrect request.
  • black_list – This site is on the BLOCK LIST.
  • no_category – This domain is in no category.
  • timestamp_not_active – Sorry, but at this time the access is blocked.
  • user_limit_exeeded – Sorry, but the URL Filter user limit exceeded.
  • user – If applicable, the user that requested the blocked website.
  • peerip – Client IP that requested the blocked website.

url=www.[url].com – The URL of the blocked page.

Examples

Example 1

Example 1 shows how a parameter line that is included in a custom block page can look. In the example, www.msgsrv.com is the external HTTP server displaying the customized block page:

www.msgsrv.com/block_page?filter_timeout&url=www.forbidden.com www.msgsrv.com/block_page?categories=1,6,35& url=www.forbidden.com
Example 2

Example 2 shows how a blocked URL is displayed together with the user ID and IP address:

} [category] => 35,67 [urlfilter] => 1 [url] => www.gotomeeting.com [user] => jdoe [peerip] => 10.0.10.20 ) request_uri_ /?category=35,67&urlfilter=1&url=www.gotomeeting.com&user=jdoe&peerip=10.0.10.20

Categorization Policy Settings

The following table provides more detailed descriptions for settings that you can configure for URL Filter Policies:

SectionSettings
Categorization Policy Configuration
  • Category Policy – From this list, select Allow Listing or Block Listing to specify if the categories that are added to this policy are allowed or blocked.
  • Categories – In this table, add the types of websites to be blocked or allowed.
  • Exempted Categories – In this table, add the types of websites that are exempt from the category policy.
Domain Exceptions Handling
  • Domain Allow List – In this table, add domains that are always granted access, notwithstanding the domain's categorization. Subdomains are not included into the list automatically; you must specify them explicitly instead. For each entry, specify the following settings:
    • Domain Allow List – The domain name or a term in the URL. (When entering the domain name, do not specify the protocol identifier. For example, enter www.domain.com instead of http://www.domain.com/ )
    • Search String – If the filter should search URLs for the name or term that is entered in the field, select this check box.
  • Domain Block List – In this table, add the names of domains that are always denied access, notwithstanding the domain's categorization. Subdomains are not included into the list automatically but must be specified explicitly instead. For each entry, specify the following settings:
    • Domain Block List – The domain name or a term in the URL. (When entering the domain name, do not specify the protocol identifier. For example, enter www.domain.com instead of http://www.domain.com/ .)

    • Search String – If the filter should search URLs for the name or term that is entered in the field, select this check box.
Network and User RestrictionsWhen configuring additional policies network and user restrictions must be set or the policies will never match.
  • Affected Networks – In this table, add networks to which the category policy will be applied. To apply the category policy to all networks, leave this table blank.
  • Affected Groups | Affected Users – In these tables, add users and groups to which the category policy will be applied. To apply the category policy to all groups or users, leave these tables blank. Group and user names may contain space characters and are case-insensitive. The syntax of group and user names depends on the authentication method used:
    • For MSNT or RSAACE, the Affected Groups settings do not apply because these authentication methods do not provide group names.
    • RADIUS servers provide group names that must be entered exactly as they are provided.
    • LDAP and MSAD provide distinguished names that must be entered exactly as they are provided. For example, CN=Group,OU=Unit,DC=Company,DC=com.

If values have been specified for all three parameters in the Network and User Restrictions section, they will be linked with OR, and access to a requested URL will be granted or denied according to the default policy and on the basis of the first value applying.

Time Settings
  • Use Local Time – To use the time settings of the system to determine when to apply time restrictions, select this check box. To explicitly specify a time zone, clear this check box.
  • Time Zone – From this list, you can select the time zone that is used to determine when to apply time settings. To select a time zone from this list, you must clear the Use Local Time check box.
  • Time Settings – To select days and times during which the URL filter should be activated or deactivated, click Always and then select the required times from the Time Interval window. By default, the category policy is always active. If time restrictions apply to a profile, the label of the Always button changes to Restricted!