Configure > Security > Access Control > Filtering

Filtering rules can be used to:

  • Deny or allow URL requests
  • Insert custom headers
  • Allow specified applications, or requests to specified websites, to bypass user authentication
  • Keep or strip header information from client requests
  • Prevent specified applications from transiting the proxy

Rules are ordered and are checked prior to user authentication (if configured). Rules are applied based on first match in a top-down traversal of the list. If no rule matches, the request is allowed to proceed.

Rules are stored in filter.config.

After adding, deleting, or modifying a rule, restart Content Gateway.

For complete information about filtering rules, see Content Gateway filtering rules.
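The first-match, top-down evaluation described above means a broad rule placed high in the list can keep a narrower rule below it from ever applying. The following is an added example, not Content Gateway code: it models rules as Python tuples rather than filter.config syntax, and the matching semantics, the example.com hosts and the "proceed" label for the no-match case are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed rules in the editor's terms: (rule type, primary destination type,
# primary destination value, secondary specifiers). An in-memory model for
# illustration only; this is not filter.config syntax.
RULES = [
    ("deny",  "url_regex",   r".*",               {"port": 25}),
    ("allow", "dest_domain", "example.com",       {}),
    ("deny",  "dest_host",   "files.example.com", {"method": "put"}),
]

def primary_matches(dest_type, value, url):
    host = (url.hostname or "").lower()
    if dest_type == "dest_domain":   # assumption: the domain and its subdomains
        return host == value or host.endswith("." + value)
    if dest_type in ("dest_host", "dest_ip"):   # assumption: exact match
        return host == value
    if dest_type == "url_regex":
        return re.search(value, url.geturl()) is not None
    return False

def secondary_matches(spec, url, method):
    default_port = {"http": 80, "https": 443, "ftp": 21}.get(url.scheme)
    checks = {
        "port": lambda v: (url.port or default_port) == v,
        "method": lambda v: method.lower() == v,
        "scheme": lambda v: url.scheme == v.lower(),
    }
    return all(checks[name](v) for name, v in spec.items())

def evaluate(rules, method, raw_url):
    """Return (winning index, outcome, indices of later rules that also match)."""
    url = urlsplit(raw_url)
    hits = [i for i, (_, dtype, dvalue, spec) in enumerate(rules)
            if primary_matches(dtype, dvalue, url)
            and secondary_matches(spec, url, method)]
    if not hits:
        return None, "proceed", []   # no rule matched: the request proceeds
    return hits[0], rules[hits[0]][0], hits[1:]

if __name__ == "__main__":
    # The allow rule at index 1 wins, so the deny at index 2 never applies.
    print(evaluate(RULES, "PUT", "http://files.example.com/upload"))
    # With the specific deny moved above the broad allow, the deny applies.
    print(evaluate([RULES[0], RULES[2], RULES[1]], "PUT",
                   "http://files.example.com/upload"))
```

Because an allow rule bypasses user authentication, a non-empty third element in the result is worth reviewing: it lists rules that matched the same request but were shadowed by an earlier one.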

Filtering

Displays an ordered list of filtering rules.

Three filtering rules are configured by default. The first denies traffic on port 25 to all destinations. The second and third bypass user authentication for connections to 2 file sandbox destinations.

Refresh Updates the table to display the most up-to-date rules in the filter.config file.
Edit File

Opens the configuration file editor for the filter.config file.

  filter.config Configuration File Editor
rule display box Lists the rules currently stored in filter.config. Select a rule to edit it. The buttons on the left of the box allow you to delete or move the selected rule up or down in the list.
Add Adds a new rule to the rule display box at the top of the configuration file editor page. Click Add after selecting or entering values for the rule.
Set Updates the rule display box at the top of the configuration file editor page.
Rule Type

Specifies the rule type:

Select allow to allow particular URL requests to bypass authentication.

Select deny to deny requests for objects from specific destinations. When a request is denied, the client receives an access denied message.

Select keep_hdr to specify which client request header information you want to keep.

Select strip_hdr to specify which client request header information you want to strip.

Select add_hdr to cause a custom header to be added to the request. This rule type requires that values be defined for Custom Header and Header Value. Add custom headers to satisfy specific requirements of a destination domain. See Content Gateway filtering rules.

The radius rule type is not supported.

Primary Destination Type

Lists the primary destination types:

  • dest_domain is a requested domain name.
  • dest_host is a requested host name.
  • dest_ip is a requested IP address.
  • url_regex is a regular expression to be found in a URL.

Primary Destination Value Specifies the value of the Primary Destination Type. For example, if the Primary Destination Type is dest_ip, the value for this field might be 123.456.78.9.
Additional Specifiers: Header Type

Specifies the client request header information that you want to keep or strip.

This option applies only to the keep_hdr and strip_hdr rule types.

Additional Specifiers: Realm (optional) Not supported.
Additional Specifiers: Proxy Port (optional) Specifies the proxy port to match for this rule.
Additional Specifiers: Custom Header (optional) For use when the rule type is add_hdr. Specifies the custom header name that the destination domain expects to find in the request.
Additional Specifiers: Header Value (optional) For use when the rule type is add_hdr. Specifies the custom header value that the destination domain expects to be paired with the custom header.
Secondary Specifiers: Time Specifies a time range, such as 08:00-14:00.
Secondary Specifiers: Prefix Specifies a prefix in the path part of a URL.
Secondary Specifiers: Suffix Specifies a file suffix in the URL.
Secondary Specifiers: Source IP Specifies the IP address of the client.
Secondary Specifiers: Port Specifies the port in a requested URL.
Secondary Specifiers: Method

Specifies a request URL method:

  • get
  • post
  • put
  • trace
Secondary Specifiers: Scheme

Specifies the protocol of a requested URL. Options are:

  • HTTP
  • HTTPS
  • FTP (for FTP over HTTP only)

rtsp and mms are not supported.

Secondary Specifiers: User-Agent

Specifies the Request header User-Agent value.

Use this field to create application filtering rules that:

  • Allow applications that don’t properly handle authentication challenges to bypass authentication
  • Block specified client-based applications from accessing the Internet
Apply Applies the configuration changes.
Close

Exits the configuration file editor.

Click Apply before you click Close; otherwise, all configuration changes will be lost.