This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Block all web sites, allow a few URLs

Hello,

We are trialing this endpoint system.  With our current platform I can set a deny all, but allow just Office 365 URL's to allow outlook/webmail only.  Is this possible?  I don't really see any options to set that up?



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi Adrian,

    In general, the Endpoint Web Control is more meant to prevent access to specific websites with a default allow. You could achieve this goal, but it would be cumbersome.

    A better product for that sort of thing is the SFOS (Sophos Firewall) since it can sit at the demarc and can have more robust filtering options - such as acting as a web proxy. https://www.sophos.com/en-us/products/next-gen-firewall.aspx 

  • Thanks. This is a simple check box in Kaspersky endpoint.  We have an XG, but the procedures to do that is really involved,  with user sync and logins, enable SSL inspection.certificate etc. 

  • You don't need to use all related XG features to do what you want, which I think lowers the complication factor a lot.

    All you need to do is have one Firewall rule to drop all HTTP/HTTPS traffic destined for the WAN, and above it place a rule that allows HTTP/HTTPS traffic but only to the websites you want to allow. Have these two rules early in the Firewalls Rules so that HTTP/HTTPS traffic is dropped before other rules that might allow it due to other factors.

    For the HTTP/HTTPS traffic that you allow, you should impost the appropriate CFS, IPS, and decryption conditions that make sense.

  • Thanks.  But it's not for everyone, just a few PC's so that does involve either restricting by the user log in or statically assigning/reserving an address etc.  Comparably, I just wish there was a feature that could handle it along with blocking ZIP/Archives in the allowed downloads options with ease.

  • FormerMember
    0 FormerMember in reply to Adrian Henderson

    we are currently updating our Web Control offering. I will talk to the PM and dev team and see if we can include something like this or if the new offering will have an easier way of configuring it.

  • Thanks Richard. If you have their ear, can they add an option to block/warn/allow archive files like zips etc?

    Also, I can't block downloads like exe's etc under the policy.  It still allows them like downloading a driver exe from HP downloads and opens and runs :/. The web filtering on the policy is kind of working, I get an SSL error for blocled pages, but not a nice error that this page was blocked, and maybe company logo.