Creating filtering rules

Steps

  1. In the Content Gateway manager, go to the Configure > Security > Access Control > Filtering tab.
  2. Click Edit File to open filter.config in the file editor.
  3. Select a Rule Type from the drop-down list. The Rule Type specifies the action the rule will apply. The supported options are:

    allow: allows particular URL requests to bypass authentication; the proxy serves the requested content.

    deny: denies requests for objects from specific destinations. When a request is denied, the client receives an access denied message.

    keep_hdr: specifies which client request header information to keep.

    strip_hdr: specifies which client request header information to strip.

    add_hdr: causes a custom header-value pair to be inserted. Requires that Custom Header and Header Value are specified. Provides support for destination hosts that require a specific header-value pair. For an example, see Creating an add_hdr rule to allow Google enterprise gmail below.

    Note: The “radius” rule type is not supported.
  4. Select a Primary Destination Type and then enter a corresponding value in the Primary Destination Value field. Primary Destination Types include:

    dest_domain: a requested domain name. The value is a domain name.

    dest_host: a requested hostname. The value is a hostname.

    dest_ip: a requested IP address. The value is an IP address.

    url_regex: a regular expression to be found in a URL. The value is a regular expression.

  5. If the Primary Destination Type is keep_hdr or strip_hdr, select the type of information to keep or strip from the Header Type drop-down list. Options include:
    • date
    • host
    • cookie
    • client_ip
  6. If the rule applies to only inbound traffic on a specific port, enter a value for Proxy Port.
  7. If the rule type is add_hdr, specify the Custom Header and Header Value. The Custom Header and Header Value must be values that the destination host expects. See the example for Google Business Gmail below.
  8. Provide values for any required or desired Secondary Specifiers. They include:

    Time: specifies a time range, such as 08:00-14:00.

    Prefix: specifies a prefix in the path part of a URL.

    Suffix: specifies a file suffix in the URL.

    Source IP address: specifies a single client IP address, or an IP address range of clients.

    Port: specifies the port in a requested URL.

    Method: specifies a request URL method:
    • get
    • post
    • put
    • trace

    Scheme: specifies the protocol of a requested URL. Options are:
    • HTTP
    • HTTPS
    • FTP (for FTP over HTTP only)

    User-Agent: specifies a request header User-Agent value. This is a regular expression (regex).

    You can use the User-Agent field to create application filtering rules that:

    • Allow applications that don’t properly handle authentication challenges to bypass authentication
    • Block particular client-based applications from accessing the Internet

    See the knowledge base article titled “When authentication prevents devices, browsers, and custom applications from working with the proxy” for more information and several examples.

  9. When you have finished defining the rule, click Add to add the rule and then Apply to save the rule.
  10. When you are done adding rules, click Apply to save all the changes and then click Close to close the edit window.
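
Because the User-Agent specifier in step 8 is a regular expression and an allow rule built on it lets matching clients bypass authentication, it is worth testing a candidate expression against known header values before adding the rule. The following is an added example, not part of the product documentation: "ExampleSync" is a hypothetical application, all User-Agent strings are constructed samples, and it assumes the proxy searches for the expression anywhere in the header value (Python's re module stands in for the proxy's regex engine).

```python
import re

# Constructed sample User-Agent strings (not captured traffic).
# "ExampleSync" is a hypothetical application that cannot answer proxy
# authentication challenges and is the only intended match.
INTENDED = [
    "ExampleSync/4.2 (Windows NT 10.0)",
    "ExampleSync/5.0 (Macintosh)",
]
NOT_INTENDED = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0",
    "Mozilla/5.0 (X11; Linux x86_64) ExampleSyncPlugin/1.0",
    "curl/8.4.0",
]

def audit_user_agent_regex(pattern, intended=INTENDED, not_intended=NOT_INTENDED):
    """Check a candidate User-Agent regex before using it in an allow rule.

    Assumption: the proxy looks for the expression anywhere in the header
    value, so re.search() is used rather than a full-string match.
    """
    rx = re.compile(pattern)
    return {
        "pattern": pattern,
        "missed": [ua for ua in intended if not rx.search(ua)],
        "overmatched": [ua for ua in not_intended if rx.search(ua)],
    }

def is_safe(result):
    """Acceptable only if every intended client matches and nothing else does."""
    return not result["missed"] and not result["overmatched"]

if __name__ == "__main__":
    for candidate in ("ExampleSync", r"^ExampleSync/\d+\.\d+ ", "Mozilla"):
        result = audit_user_agent_regex(candidate)
        verdict = "OK" if is_safe(result) else "REVIEW"
        print(f"{verdict:6} {candidate!r}")
        for ua in result["overmatched"]:
            print(f"       also bypasses authentication for: {ua}")
        for ua in result["missed"]:
            print(f"       does not match intended client: {ua}")
```

Since the User-Agent header is supplied by the client, pairing the expression with a Source IP address or destination specifier narrows the rule further.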