Webfilter configuration on the UTM

Last adaptation to the version: 14.1.1 (11.2025)

This article refers to a Beta version
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: Applications / Webfilter


Prerequisite

In order for the UTM to "see" the network traffic it is supposed to filter, the proxy of the UTM must also be used for HTTPS.
Therefore either

  • SSL interception (menu Applications / HTTP proxy, area SSL interception)
    and
    the transparent mode for HTTPS (menu Applications / HTTP proxy, area Transparent mode) must be activated

    or

  • the UTM must be set up as a proxy in every browser on every host


Overview

  • In the rule sets, the entire access or individual domains, URLs or categories are blocked or allowed
  • The validity of the rule sets can be limited according to the day of the week and time of the day
  • The rule sets are assigned to profiles
  • The profiles are assigned to network or user groups
  • The rule sets are checked in sequence to see whether they apply (in terms of content and time)


Webfilter

General settings

General
(Figure: Webfilter overview)

Webfilter: On
  Activates (default) or deactivates (Off) the Webfilter functionality of the UTM

No matching profile found:
  • Allows data traffic for network and user groups for which no Webfilter profile has been created, as well as for groups whose profiles do not contain rule sets with a matching time stamp.
  • Blocks data traffic for network and user groups for which no Webfilter profile has been created, as well as for groups whose profiles do not contain rule sets with a matching time stamp.

No matching rule found:
  • Allows data traffic if no matching rule was found in the profile
  • Blocks data traffic if no matching rule was found in the profile
  This default behaviour can be overwritten in a rule set

Category irresolvable:
  • Allows data traffic if the category has not been resolved.
    (For example, if no connection to the server could be established.)
  • Blocks data traffic if the category has not been resolved.
    (For example, if no connection to the server could be established.)
  This default behaviour can be overwritten in a rule set

Review all rule sets:
  • No: The first rule set (if applicable, the first with a valid time profile) is searched.
    If no matching rule is found, the default behaviour of this rule set is applied.
  • Yes: All rule sets (if applicable, provided they have a valid time profile) are checked in sequence until a suitable rule is found.
    If no suitable rule is found, the default behaviour of the last rule set is applied (if applicable, the last rule set with a valid time profile).

Protection through similarity detection: (new as of v14.1.1, experimental)
  • No: By default, the check whether a domain resembles a known domain and therefore possibly poses a risk is disabled.
  • Yes: When this setting is enabled and the HTTP proxy is active, the Webfilter blocks access to potentially dangerous domains that resemble the trusted domains of the similarity detection.
  This feature is experimental and should therefore be used with caution!

Profiles

General profile
In the individual profiles, the rule sets are linked to
  • Network groups (transparent proxy mode) or
  • User groups (dedicated proxy mode with authentication)
The following applies to profiles:
  • Only one profile can exist for each user group or for each network object
    But: Each user can be a member of several groups!
  • Because groups can overlap, note that the profiles are processed from top to bottom.
  • A profile can contain several rule sets, e.g. exceptions for the lunch break.

Arrange: The elements can be moved.
New as of v14.1.1: Additional options are available by right-clicking on the icon
  • Move list items up or down with the mouse
  • Right-click on the icon:
    • Select group (if available), e.g. wg0-network
    • Determine position, e.g. 7
      • via direct input or
      • using the arrows
  Finally, click "Save" or "Cancel".

(Figure: Webfilter - Profiles section)
New as of v14.1.0: Rule sets are displayed as labels.
  • Blue: Rule set is applied
  • Gray: Rule set is deactivated
  • Rule set is overlaid by…: This rule set is completely or partially overlaid by another rule set and is therefore completely or partially not applied
    Details in the responsive hover text
Edit: Opens the dialog for editing the profile. There,
  • the network or user group can be changed
  • further rule sets can be added (new at this point as of v14.1.0)
Delete: Deletes the profile

Add profile
Opens the dialogue for adding a profile
(Figure: Add profile)
Network or user group: administrator
  Network or user group to which the profile is to be applied
Generate new rule set: Yes (default)
  If Yes, a new rule set assigned to this profile is created automatically
  • The rule set is given the name of the network or user group with an appended _ruleset_#
  • The rule set contains the default settings
Ruleset: filter_ruleset
  (Only if Generate new rule set is deactivated, i.e. No)
  Existing rule set to apply in this profile
Further information as in the following section Edit profile

Edit profile
(Figure: Edit profile)
Network or user group: May nothing
  Network or user group to which the profile is to be applied
Ruleset: filter_ruleset
  Existing rule set to be added to this profile with the button (new at this point)
Status: On
  Activates (On) or deactivates (Off) a rule set
  Suitable for testing or temporary deactivation
Delete: Removes the rule set from the profile

Rule sets

The rule sets define which websites and categories are blocked and which are allowed. The rule sets can also be limited to a period of time, e.g. to allow employees to surf privately during their lunch break.
(Figure: Rule sets)
Copy rule set (new as of v12.7.0): Opens the dialogue for editing a rule set with the copied properties of the selected rule
Edit: Opens the settings of the rule set for editing
Delete: Deletes a rule set
Add Rule set: Opens the dialogue for creating a new rule set

Rule set details
(Figure: Edit rule set, display when adding a new rule set or editing an existing rule set)

General
Name: security
  Unique name
Block access: No
  When activated, all websites are blocked
SafeSearch:
  • Off: Content that is not suitable for minors is not filtered.
  • strict: Text, images and videos that are not suitable for minors are filtered out of the search results.
  • moderate: Pictures and videos that are not suitable for minors are filtered out of the search results, but corresponding texts are not.
URL-Shortener: allow / block / resolve
  Defines access to websites whose host names use URL shortener services. Here, you can choose whether these are blocked or allowed regardless of the actual destination, or whether the host name is resolved and then handled according to existing rules.
Securepoint Allowlist: On
  Allows access to URLs that Securepoint designates as trusted
  The Securepoint Allowlist contains, for example:
  reputable addresses, public and corporate websites, technical services that should not be blocked.
  • URL filter rules are prioritised and can override the Allowlist
No matching rule found:
  • default: Adopts the global settings from Webfilter general
  • block: Blocks the data traffic if no suitable rule was found in the rule set
  • allow: Allows data traffic if no suitable rule was found in the rule set
  Data traffic can be blocked by additional rule sets in a profile if the option Search all rule sets is enabled
Category irresolvable:
  • default: Adopts the global settings from Webfilter general
  • block: Blocks data traffic if the category has not been resolved.
    (For example, if no connection to the server could be established.)
  • allow: Allows data traffic if the category has not been resolved.
    (For example, if no connection to the server could be established.)

Valid
Here one or more time periods can be assigned to the rule set, during which it is valid

Rules
Define here which websites may or may not be reached.
  • The rules are processed in this order:
    1. URL
    2. URL Regex
    3. Domain
    4. Categories
       An overview of all categories can be found here
  • If a URL is allowed, data traffic is possible even if the corresponding category is blocked
  • If a URL regex is blocked, no data traffic is possible even if the domain is allowed
  • New as of v14.1.0: International domain names (IDN) are supported.
    The entry of umlauts (äöü), for example, is possible.

Arrange: The elements can be moved.
New as of v14.1.1: Additional options are available by right-clicking on the icon
  • Move list items up or down with the mouse
  • Right-click on the icon:
    • Select group (if available), e.g. wg0-network
    • Determine position, e.g. 7
      • via direct input or
      • using the arrows
  Finally, click "Save" or "Cancel".

allow: Allows data traffic
block: Blocks data traffic
Delete: Deletes the rule

Add Rule
(Figure: Add Rule, Filter rules)
Type Domain: anyideas.com
  Domain in plain text notation. All subdomains and subpages are filtered.
Type URL: *.anyideas.com/pages/*
  Only the exact URL is filtered (wildcard * is possible).
Type URL Regex: .*\.anyideas\.com
  URL in regex format, which allows numerous placeholders
  See: Syntax of regular expressions - Regex
Type Category: Unknown
  • Content filter list maintained by Securepoint.
    An overview with all categories can be found here.
  • Category: Unknown
    This allows you to block access to all websites that have not yet been classified by Securepoint.
  • Reporting of accidentally wrongly categorised pages here.

Allowlisting example
(Figure: Edit rule set)
In this example, the URL www.google.de and the category Education were added to the allowlist via the function + Add rule.
Since the web filter processes the rules from top to bottom, in this example the category Education had to be manually moved to the first position.

Detailed application examples can be found on a separate page.
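
The evaluation order described under General settings and Rules, as an added Python model (not Securepoint code): rule types are tried in the documented order URL, URL Regex, Domain, Categories, and Review all rule sets decides whether later rule sets are consulted. Assumptions: matching runs against host plus path, rules of the same type apply in list order, and the names decide, check_ruleset, LUNCH, OFFICE and the category "Social Media" are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Rule types in the order the page gives: URL, URL Regex, Domain, Categories.
TYPE_ORDER = ("url", "regex", "domain", "category")

def rule_matches(kind, pattern, host, path, categories):
    target = host + path                      # assumption: scheme is not part of the match
    if kind == "url":
        return fnmatchcase(target, pattern)   # wildcard * as in *.anyideas.com/pages/*
    if kind == "regex":
        return re.search(pattern, target) is not None
    if kind == "domain":                      # domain rule covers subdomains and subpages
        return host == pattern or host.endswith("." + pattern)
    return pattern in categories              # kind == "category"

def check_ruleset(ruleset, host, path, categories):
    """Return 'allow'/'block' from the first matching rule by type priority, else None."""
    for kind in TYPE_ORDER:
        for r_kind, pattern, action in ruleset["rules"]:
            if r_kind == kind and rule_matches(kind, pattern, host, path, categories):
                return action
    return None

def decide(url, categories, rulesets, review_all, global_default):
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    active = [rs for rs in rulesets if rs.get("valid", True)]   # time profile applies
    if not active:
        return global_default     # simplification: stands in for "No matching profile found"
    searched = active if review_all else active[:1]
    for rs in searched:
        verdict = check_ruleset(rs, host, path, categories)
        if verdict:
            return verdict
    fallback = searched[-1]["no_match"]       # default of the last rule set searched
    return global_default if fallback == "default" else fallback

# Constructed sample profile: a lunch-break rule set ahead of the normal one.
LUNCH = {"no_match": "default", "rules": [("category", "Social Media", "allow")]}
OFFICE = {"no_match": "block", "rules": [
    ("domain", "anyideas.com", "allow"),
    ("regex", r".*\.anyideas\.com/admin", "block"),
    ("url", "*.anyideas.com/pages/*", "allow"),
]}
```

With Review all rule sets set to No, a request that the first valid rule set does not cover ends at that rule set's default, even when a later rule set in the same profile holds a matching rule.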


Examples of exceptions for Windows update server

For more examples on setting up the Webfilter, authentication exceptions, virus scanner and SSL interception regarding Windows updates, see the Knowledge Base article Windows Updates with HTTP proxy and webfilter.