Best Whitelisting Method: Web Policies vs Firewall Rules

Hello!

The best method for Web whitelisting is number 2, this method also gives you power to do fine tuning, such as selecting a user or group and giving whitelist permissions to them, and also utilizes the DPI Engine to identify Web traffic correctly.

Method 1 can be faulty sometimes, as it relies on FQDN's (DNS). Even then It's not recommended as it doesn't use the DPI Engine for allowing/blocking Web traffic.

iamroot said:

If I need to whitelist FTP traffic outbound. I imagine Method 1 is my only option, correct?

Yes, you will need to use a combination of FQDN's + Port.

Thanks!

Hello!

The best method for Web whitelisting is number 2, this method also gives you power to do fine tuning, such as selecting a user or group and giving whitelist permissions to them, and also utilizes the DPI Engine to identify Web traffic correctly.

Method 1 can be faulty sometimes, as it relies on FQDN's (DNS). Even then It's not recommended as it doesn't use the DPI Engine for allowing/blocking Web traffic.

iamroot said:

If I need to whitelist FTP traffic outbound. I imagine Method 1 is my only option, correct?

Yes, you will need to use a combination of FQDN's + Port.

Thanks!

Thanks Prism . That makes sense!

On a side note. When should Web Exceptions generally be used for "whitelisting"?

I'm looking at a configuration I inherited and some sites aren't whitelisted via web policies. Instead, they are entered via exceptions with the Policy checks skipped (alongside HTTPS decryption and Malware and content scanning)

To me, this seems dangerous and can allow users to navigate to some potentially malicious or compromised sites without being inspected or filtered through a Web Policy.

There's two ways to "whitelist" a website.

First you can create a URL Group and apply it on a Web Policy, the second method is to use the "Exceptions" page at the Web tab.

The first method is recommended to allow websites that was been blocked by the Web Policy filtering.

The second method is recommended to apply bypasses for Malware and content scanning (AV), or HTTPS Decryption.

Even then, for HTTPS Decryption you should use a URL Group and apply it over a TLS Decryption Rule, that's if you're using the DPI Engine.

If you're still using the Web Proxy, then the "Exceptions" page should be used.

iamroot said:

To me, this seems dangerous and can allow users to navigate to some potentially malicious or compromised sites without being inspected or filtered through a Web Policy.

It's indeed dangerous, you should only skip AV Scanning if really, really necessary. Even then you should be careful on what you're allowing/byppas.

Hi,

a couple of items to consider when choosing to use exceptions or not.

Some sites do not like being inspected 

Some sites do not have FQDNs but use IP addressing only.

Ian

If you want to allow a website because category would normally block it, the recommendation is to use a URL Group.
If you want a website to "always work no matter what" that you trust, the recommendation is an Exception.
So for example you block gambling sites but want to allow the one website your company uses for a hockey pool, use a URL Group.  But Microsoft gets an Exception.

Note: Exceptions are written in RegEx.  Putting in a bare hostname (eg trusted.com) into the exception is not good because it applies to "evil.com/mal.exe?trusted.com" as well as being less cpu efficient.

When you use an FQDN Host in a firewall rule there is a cpu cost (as it has to look up if the destination IP is a member of the FQDN) every connection.  For a single FQDN Host that is not bad, but if you have dozens it adds up.  The same operation within the web proxy (or DPI mode) is much more efficient.

You could also use a custom category rather than a URL group, roughly the same "cost".  But URL groups are used more commonly.