
Best Whitelisting Method: Web Policies vs Firewall Rules

Hello everyone,

I'm trying to understand what the best or correct whitelisting method is.

Scenario: I need to whitelist URLs for a new application.

Method 1: Firewall Rule

1) Create FQDN Host: *.example.com

2) Create Firewall rule

Source: LAN

Source Networks: ANY

Destination: WAN

Destination Networks: *.example.com

Services: HTTP / HTTPS

Method 2: Web Policy

1) Create URL Group: Example Group

2) Create a Web Policy

- Add URL group to Web Policy (Allow)

3) Add Web Policy to a new or existing Firewall Rule

I'd like to know which method is best practice moving forward. I'm specifically whitelisting web traffic in this scenario.

If I need to whitelist FTP traffic outbound, I imagine Method 1 is my only option, correct?



  • Hello!

    The best method for Web whitelisting is number 2. This method also gives you the power to do fine tuning, such as selecting a user or group and giving whitelist permissions to them, and also utilizes the DPI Engine to identify Web traffic correctly.

    Method 1 can be faulty sometimes, as it relies on FQDNs (DNS). Even then, it's not recommended, as it doesn't use the DPI Engine for allowing/blocking Web traffic.

    If I need to whitelist FTP traffic outbound, I imagine Method 1 is my only option, correct?

    Yes, you will need to use a combination of FQDNs + port.

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Thanks. That makes sense!

    On a side note, when should Web Exceptions generally be used for "whitelisting"?

    I'm looking at a configuration I inherited and some sites aren't whitelisted via web policies. Instead, they are entered via exceptions with the Policy checks skipped (alongside HTTPS decryption and Malware and content scanning).

    To me, this seems dangerous and can allow users to navigate to some potentially malicious or compromised sites without being inspected or filtered through a Web Policy.

  • There are two ways to "whitelist" a website.

    First, you can create a URL Group and apply it on a Web Policy; the second method is to use the "Exceptions" page on the Web tab.

    The first method is recommended to allow websites that have been blocked by the Web Policy filtering.

    The second method is recommended to apply bypasses for Malware and content scanning (AV), or HTTPS Decryption.

    Even then, for HTTPS Decryption you should use a URL Group and apply it over a TLS Decryption Rule, that's if you're using the DPI Engine.

    If you're still using the Web Proxy, then the "Exceptions" page should be used.

    To me, this seems dangerous and can allow users to navigate to some potentially malicious or compromised sites without being inspected or filtered through a Web Policy.

    It's indeed dangerous; you should only skip AV scanning if really, really necessary. Even then, you should be careful about what you're allowing/bypassing.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home
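
An added example, not part of the original thread and not Sophos code: one way to review an inherited exception list like the one discussed above, assuming each exception is a regular-expression URL pattern with a set of skipped checks. The record layout, skip names and sample entries are constructed for illustration.

```python
import re

# Constructed sample of an inherited exception list. The record layout and the
# skip names are hypothetical, not a Sophos export format.
EXCEPTIONS = [
    {"name": "App vendor", "domain": "example.com",
     "pattern": r"^([A-Za-z0-9.-]*\.)?example\.com/",
     "skip": {"https_decryption"}},
    {"name": "Legacy portal", "domain": "example.org",
     "pattern": r"example\.org",
     "skip": {"policy_checks", "https_decryption", "malware_scanning"}},
    {"name": "Updates", "domain": "updates.example.net",
     "pattern": r"^[A-Za-z0-9.-]*updates\.example\.net/",
     "skip": {"malware_scanning"}},
]

# Skips the thread singles out as the ones to question.
REVIEW_SKIPS = {"policy_checks", "malware_scanning"}


def lookalikes(domain):
    """URLs (scheme stripped) that an exception for `domain` must not match."""
    return [
        f"{domain}.unrelated.test/",       # intended domain used as a prefix
        f"other-{domain}/",                # no label boundary before the domain
        f"unrelated.test/?u={domain}/",    # domain only appears in the query
    ]


def audit(exceptions):
    """Return {name: (severity, risky_skips, overbroad_matches)}."""
    report = {}
    for exc in exceptions:
        rx = re.compile(exc["pattern"])
        risky = sorted(exc["skip"] & REVIEW_SKIPS)
        overbroad = [u for u in lookalikes(exc["domain"]) if rx.search(u)]
        if risky and overbroad:
            severity = "high"    # unscanned traffic to hosts nobody intended
        elif risky or overbroad:
            severity = "medium"
        else:
            severity = "ok"
        report[exc["name"]] = (severity, risky, overbroad)
    return report


if __name__ == "__main__":
    for name, (severity, risky, overbroad) in audit(EXCEPTIONS).items():
        print(f"{severity:6} {name}: skips={risky} also_matches={overbroad}")
```

Entries reported as "high" are the ones to move into a URL Group on a Web Policy or to tighten with an anchored pattern.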

  • Hi,

    a couple of items to consider when choosing to use exceptions or not.

    Some sites do not like being inspected.

    Some sites do not have FQDNs but use IP addressing only.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
