Configuring traffic filtering

To ensure correct processing of HTTPS traffic, you must configure interception of SSL connections on an external proxy server (when the application is installed from an RPM- or DEB package) or on a built-in proxy server (when the application ISO image is deployed). If interception of SSL connections is not configured, the traffic filtering criteria will not be applied and the web resource will not be scanned by the Anti-Virus and Anti-Phishing modules.

To configure traffic filtering:

  1. In the application web interface window, select one of the following sections:
    • For actions with rules of an individual workspace, in the section used for switching between workspaces, select the name of this workspace.
    • For actions with rules applied in all workspaces, select Global in the section used for switching between workspaces.

    Applicable only if you have access rights to multiple workspaces.

  2. Select the Rules section.
  3. Select one of the following tabs:
    • Bypass.
    • Access.
    • Protection.

    The traffic processing rules table opens.

  4. Select the rule for which you want to configure filtering criteria.

    This opens a window containing information about the rule.

  5. Click Edit.
  6. Click the plus button under Traffic filter.
  7. In the drop-down list that appears, select one of the following options:

    The following criteria are available for bypass rules: URL, MIME type of HTTP message, Traffic direction, HTTP method, and HTTP Content-Length, KB.

    • Category.

      You can use this criterion to control user access to web resources based on their categories. For example, you can prohibit access to social networks by selecting the Social networks category. Refer to Appendix 6 for a list of web categories supported by the application.

    • URL.

      In addition to URLs, you can also add the protocol or port of network connections to the filtering criteria.

      • If you want to add URLs to the filtering criteria, type them in the field in the URL window and click Add.

        If a URL has not been normalized, it will not be added to the list, and an error message will appear.

        Make sure that no part of the URL contains the ? or # symbol, and that the Domain and Port parts do not contain the @ symbol. Otherwise, the complete URL will not be imported.

      • To add a protocol or port of network connections to filtering criteria, enter any value in the box in the URL window and click Add. In the Protocol and Port boxes that appear below, enter the required values.

        For example, you can prohibit access to all web resources over the HTTP protocol.

    • File name.

      You can add a specific file name to filtering criteria or use regular expressions. For example, you can prohibit downloading executable files with the exe extension by entering *.exe.

    • File type.

      Viruses or other malware can be spread in executable files renamed to have a different extension, for example, txt. If you selected the File name criterion and entered *.exe, such a file is not processed by the application. However, if you selected file filtering by format, the application checks the true format of the file regardless of the extension. If the check reveals that the file has the EXE format, the application processes it in accordance with the rule.

    • File size, KB.

      You can use this criterion to control the network traffic volume of your organization. For example, you can prohibit downloading files over 700 MB in size.

    • MIME type of HTTP message part.

      You can use this criterion to control access to multipart objects depending on the contents of their component parts.

    • MIME type of HTTP message.

      You can use this criterion to control access to objects depending on their content. For example, you can prohibit playing video streams by entering video/*. For examples of MIME types of objects, please refer to Appendix 4.

      If you specify multipart/*, the Content-Type header of the object is taken into account. Individual component parts of the object are not processed. To filter traffic based on the component parts of a multipart object, you must use the MIME type of HTTP message part criterion.

    • MD5.

      You can prohibit access to an object by entering its MD5 hash. This can be necessary if you receive information about a virus or other malware from a third-party system and you know only its MD5 hash.

    • SHA256.

      You can prohibit access to an object by entering its SHA2 hash. This can be necessary if you receive information about a virus or other malware from a third-party system and you know only its SHA2 hash.

    • Traffic direction.

      You can use this criterion to configure processing of all inbound or outbound connections.

    • HTTP Method.

      You can use this criterion to control access to traffic depending on the utilized HTTP method.

    • HTTP Content-Length, KB.

      You can use the Content-Length HTTP header to control access to traffic depending on the length of the HTTP message body. If the Content-Length header is available, the application uses its value for applying traffic filtering criteria. If this header is absent, the Content-Length value is considered to be empty and is not taken into account when processing traffic.

      It is available only for bypass rules.

  8. In the field to the right of the drop-down list, enter the value for the selected setting.
  9. If you added more than one criterion, select a logical operator in the drop-down list next to Traffic filter:
    • If you want the rule to trigger when at least one of the conditions is satisfied, select any of.
    • If you want the rule to trigger only when all added conditions are satisfied simultaneously, select all of.
  10. Click Save.

Traffic filtering is now configured.
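The following is an added illustration, not code from the product or its documentation: a small Python model of the rule semantics described in steps 7 and 9 above. It shows why a File type check catches an executable renamed to .txt while a File name criterion of *.exe does not, how an absent Content-Length header leaves that criterion unmatched, how the URL pre-check rejects ? , # and @ in the wrong places, and how any of / all of combine criteria. The request record layout, the magic-byte table and the "greater than" reading of the size threshold are assumptions made for this example.

```python
import fnmatch
from typing import Callable, Optional

# Constructed sample request: a PE executable (MZ header) renamed to .txt,
# served as text/plain with no Content-Length header.
SAMPLE = {
    "url": "http://files.example.test/report.txt",
    "method": "GET",
    "headers": {"Content-Type": "text/plain"},
    "body": b"MZ\x90\x00" + b"\x00" * 60,
}

def url_accepted(url: str) -> bool:
    """Pre-check from the URL criterion: no ? or # anywhere, no @ in host:port."""
    if "?" in url or "#" in url:
        return False
    hostport = url.split("://", 1)[-1].split("/", 1)[0]
    return "@" not in hostport

def true_format(body: bytes) -> str:
    """Format from magic bytes (assumed table); the file name extension is ignored."""
    if body.startswith(b"MZ"):
        return "EXE"
    if body.startswith(b"%PDF"):
        return "PDF"
    return "UNKNOWN"

def content_length_kb(req) -> Optional[float]:
    """Absent header -> None: the criterion is treated as empty and cannot match."""
    raw = req["headers"].get("Content-Length")
    return None if raw is None else int(raw) / 1024

# Criterion name -> predicate(request, value). Sizes are compared as "greater than".
CRITERIA: dict[str, Callable] = {
    "File name": lambda r, v: fnmatch.fnmatch(r["url"].rsplit("/", 1)[-1], v),
    "File type": lambda r, v: true_format(r["body"]) == v,
    "MIME type of HTTP message": lambda r, v: fnmatch.fnmatch(r["headers"].get("Content-Type", ""), v),
    "HTTP Method": lambda r, v: r["method"] == v,
    "HTTP Content-Length, KB": lambda r, v: content_length_kb(r) is not None and content_length_kb(r) > float(v),
}

def rule_matches(req, criteria, operator: str = "all of") -> bool:
    """criteria: list of (name, value) pairs; operator is 'any of' or 'all of'."""
    results = [CRITERIA[name](req, value) for name, value in criteria]
    return any(results) if operator == "any of" else all(results)
```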
