Blocking URLs – Not Just the Subdomain, but Also the Path

Question

Hello everyone, We are currently experiencing many phishing attacks, and the links go through https://apis.google.com. However, I don&rsquo;t want to block the entire (sub)domain but rather restrict access based on the path or specific parameters. All blocking attempts via the firewall or directly through endpoint protection only apply to the entire domain. For example, if the URL is: " ">apis.google.com/.../l , I would like to block either "apis.google.com/additnow/l?applicationid=180181176205"or "apis.google.com/additnow/l?". Blocking via URL groups or categorization only allows restrictions at the subdomain level, but it doesn&rsquo;t support specific path definitions, or the rules don&rsquo;t take effect. 
 Does anyone have any tips on how to achieve this? 
 Thanks!

Michael Dunn · Answer

1) for your SCAM definition - delete everything in the left box with is for domains. Put everything including the domain name into the right box, which will match against entire url. 2) Make sure that the web policy you are using will block SCAM as a rule higher than other rules in the policy 3) Go to Policy tester. Put in the url you are testing and the web policy. Make sure the action is a block. If it isn't, you have a problem in your policy 4) Make sure you are decrypting HTTPS. How to configure this changes depending on whether you are using proxy or DPI mode. Otherwise the system cannot see path. 5) Do your test. Look at the Log viewer for your traffic. 
 Did it include the path? (If no then you have decryption problem) Did it hit the firewall rule and web filter policy that you expected? (if no then you have a firewall rule problem)

Vivek Jagad · Answer

Hi c0m , Thank you for reaching out to the community, please refer the following useful docs/kba below: > Block content using a list of terms - Sophos Firewall > Sophos Firewall: Allow/block websites using custom categories and/or URL groups

Mayur Makvana · Answer

Hello c0m , 
 This is not feasible currently with the web proxy or DPI. We block the website based on CN and not by looking at the exact path.

LuCar Toni · Answer

Two things to understand: First: SFOS can only understand a path, if there is a proxy involved. That means, firewalling is only able to do something based on FQDN (DNS) or IP. Because URLs are based on the layer above firewalling (Proxy). Therefore you can only interact with a URL with a Proxy. 
 Second: The proxy can in fact do something about this, but you need TLS Inspection for it. The reason is: without TLS Inspection, you only see the SNI: https://en.wikipedia.org/wiki/Server_Name_Indication See: Sophos Firewall: HTTPS Decrypt and Scan FAQ 
 This section describes what is happening: When HTTPS decrypt and scan aren&rsquo;t turned on, and a client browser makes the first HTTPS request to a website, the web browser will start negotiating a TLS/SSL connection with SNI information that has the website's domain name. For example, the browser may request www.google.com/search , but the proxy will only see a TLS/SSL connection with SNI for www.google.com. Or it may be requesting innocentsite.com/.../malware.exe, and the proxy only sees innocentsite.com. After the TLS/SSL connection is fully established and there&rsquo;s an encrypted tunnel, the proxy can't see the HTTP requests and responses within it. Therefore, it can only perform blocks based on the domain category in the SNI while the connection is still being established. It can't categorize or block based on the path or virus scan of any downloaded files. It does know the total bytes transmitted and the connection time.

Blocking URLs – Not Just the Subdomain, but Also the Path

Top Replies