
Best Whitelisting Method: Web Policies vs Firewall Rules

Hello everyone,

I'm trying to understand what the best or correct whitelisting method is.

Scenario: I need to whitelist URLs for a new application.

Method 1: Firewall Rule

1) Create FQDN Host: *.example.com

2) Create Firewall rule

Source: LAN

Source Networks: ANY

Destination: WAN

Destination Networks: *.example.com

Services: HTTP / HTTPS

Method 2: Web Policy

1) Create URL Group: Example Group

2) Create a Web Policy

- Add URL group to Web Policy (Allow)

3) Add Web Policy to a new or existing Firewall Rule

I'd like to know which method is best practice moving forward. I'm specifically whitelisting web traffic in this scenario.

If I need to whitelist FTP traffic outbound. I imagine Method 1 is my only option, correct?



Edited TAGs
[edited by: Raphael Alganes at 11:45 PM (GMT -7) on 18 Jul 2024]
  • Hello!

    The best method for Web whitelisting is number 2. This method also gives you the power to do fine tuning, such as selecting a user or group and giving whitelist permissions to them, and it also utilizes the DPI Engine to identify Web traffic correctly.

    Method 1 can be faulty sometimes, as it relies on FQDNs (DNS). Even then, it's not recommended, as it doesn't use the DPI Engine for allowing/blocking Web traffic.

    If I need to whitelist FTP traffic outbound. I imagine Method 1 is my only option, correct?

    Yes, you will need to use a combination of FQDNs + port.

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • Thanks. That makes sense!

    On a side note, when should Web Exceptions generally be used for "whitelisting"?

    I'm looking at a configuration I inherited, and some sites aren't whitelisted via web policies. Instead, they are entered via exceptions with the Policy checks skipped (alongside HTTPS decryption and Malware and content scanning).

    To me, this seems dangerous and can allow users to navigate to some potentially malicious or compromised sites without being inspected or filtered through a Web Policy.

  • There are two ways to "whitelist" a website.

    First, you can create a URL Group and apply it on a Web Policy; the second method is to use the "Exceptions" page at the Web tab.

    The first method is recommended to allow websites that have been blocked by the Web Policy filtering.

    The second method is recommended to apply bypasses for Malware and content scanning (AV), or HTTPS Decryption.

    Even then, for HTTPS Decryption you should use a URL Group and apply it over a TLS Decryption Rule, that's if you're using the DPI Engine.

    If you're still using the Web Proxy, then the "Exceptions" page should be used.

    To me, this seems dangerous and can allow users to navigate to some potentially malicious or compromised sites without being inspected or filtered through a Web Policy.

    It's indeed dangerous; you should only skip AV Scanning if really, really necessary. Even then, you should be careful about what you're allowing/bypassing.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • Hi,

    A couple of items to consider when choosing to use exceptions or not:

    Some sites do not like being inspected.

    Some sites do not have FQDNs but use IP addressing only.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.

  • If you want to allow a website because a category would normally block it, the recommendation is to use a URL Group.
    If you want a website that you trust to "always work no matter what", the recommendation is an Exception.
    So, for example, if you block gambling sites but want to allow the one website your company uses for a hockey pool, use a URL Group. But Microsoft gets an Exception.

    Note: Exceptions are written in RegEx. Putting a bare hostname (e.g., trusted.com) into the exception is not good, because it applies to "evil.com/mal.exe?trusted.com" as well as being less CPU efficient.

    When you use an FQDN Host in a firewall rule, there is a CPU cost on every connection (as it has to look up whether the destination IP is a member of the FQDN). For a single FQDN Host that is not bad, but if you have dozens it adds up. The same operation within the web proxy (or DPI mode) is much more efficient.

    You could also use a custom category rather than a URL group, at roughly the same "cost". But URL groups are used more commonly.
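
The regex point in the post above, as an added example that is not part of the original thread or of Sophos' own documentation: it compares a bare-hostname exception pattern with an anchored one over a few constructed URLs, including the "evil.com/mal.exe?trusted.com" case. The anchored pattern and the assumption that the regex is tested against a scheme+host+path string are illustrative; check the product documentation for the exact string Sophos matches exceptions against.

```python
import re

# Constructed sample URLs (not from the thread), written the way a web filter
# would see them: scheme, host, optional path and query.
SAMPLE_URLS = [
    "https://trusted.com/login",                  # the site we want to except
    "https://portal.trusted.com/api/v1",          # legitimate subdomain
    "http://evil.com/mal.exe?trusted.com",        # the case from the post
    "https://trusted.com.evil.example/",          # look-alike suffix
    "https://nottrusted.com/",                    # look-alike prefix
]

# Naive exception: the bare hostname, unanchored and with an unescaped dot.
# It matches anywhere in the URL, so every sample above is bypassed.
NAIVE_PATTERN = re.compile(r"trusted.com")

# Hypothetical anchored form (an assumption, not Sophos' documented syntax):
# scheme, optional subdomain labels, the literal host with the dot escaped,
# optional port, then the end of the host part (a slash or end of string).
ANCHORED_PATTERN = re.compile(
    r"^https?://([A-Za-z0-9-]+\.)*trusted\.com(:\d+)?(/|$)", re.IGNORECASE
)


def matches_exception(pattern, url):
    """True if this exception regex would skip scanning/policy for url."""
    return pattern.search(url) is not None


def evaluate(pattern, urls=SAMPLE_URLS):
    """Map each sample URL to whether the pattern would except it."""
    return {u: matches_exception(pattern, u) for u in urls}


if __name__ == "__main__":
    for name, pat in (("naive", NAIVE_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(name)
        for url, hit in evaluate(pat).items():
            print(f"  {'BYPASS ' if hit else 'scanned'}  {url}")
```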
