We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Security Gateway

How does the Barracuda Web Filter handle HTTPS filtering?

  • Type: Knowledgebase
  • Date changed: 5 years ago
Solution #00003316

Scope:
All Barracuda Web Filters, firmware versions 3.3 and above.

Answer:
As of firmware version 3.3, the Barracuda Web Filter can filter HTTPS in addition to regular HTTP traffic with no additional certificates or other configuration. HTTP and HTTPS traffic can be detected by content category filters, domain filters, and URL pattern blacklists, as well as for blocking exceptions for all Web traffic, content category filters, domain filters, and URL pattern blacklists. This option is disabled by default.

There are some limitations with HTTPS traffic filtering:
  • When HTTPS access is denied, users will not be presented with a block page.
  • If HTTPS access to a particular domain name is denied, HTTPS access to any subdomain under that same domain will also be denied for the same user(s).
To enable HTTPS traffic filtering for content categories and domains, set the Enable HTTPS Filtering option on the Block/Accept > Configuration page to Yes. Immediately after enabling this option, any client PCs that had previously established an HTTPS session will not be blocked. In this situation, the HTTPS website's IP address remains in the user's local DNS cache (as well as in the DNS table on the core router or domain controller) until the DNS request time-to-live (TTL) expires. This can take up to a day or two, depending upon how the HTTPS sites configure TTL. What this means is that until the user performs another DNS lookup of a website's domain name, the Barracuda Web Filter won't automatically know which domain is associated with the IP address and won't be able to perform any domain blocks on those connections.

Because the Barracuda Web Filter only sees the IP of encrypted HTTPS packets, it is not able to read the URL and therefore does not apply any URL pattern filters to the file path of HTTPS traffic. It can, however, apply URL patterns to the base domain because the Barracuda maintains a database of IP to domain associations. The Web Filter will still use all content category filters, custom categories, and domain lists normally.

When traffic is encrypted over HTTPS, the Barracuda Web Filter is unable to see the domain being accessed due to confidentiality offered by SSL. To get around this issue and to be able to apply policy to HTTPS traffic, the Barracuda Web Filter monitors IP and domain associations, and performs reverse look-ups. When HTTPS filtering is enabled, the Barracuda Web Filter maintains a table of IP address and domain associations in its database. So when it sees an HTTPS request to a particular IP, it will compare this IP to the table to determine which domain is being accessed and apply policy accordingly. With HTTPS filtering, the Barracuda Web Filter does not control the TCP connection, it only monitors the traffic and blocks or allows the packet to pass. Therefore a block page is not presented when a page is blocked due to policy. This feature is only available when the connection is processed by the Barracuda's proxy engine. If this functionality is required, please consider utilizing the SSL Inspection feature if supported on your Barracuda Web Filter model. This is offered on 610s and above. More information on SSL Inspection can be found in our TechLib article here.

Link to This Page:
https://campus.barracuda.com/solution/50160000000H9tKAAS