McAfee Enterprise MVISION Cloud

URL Filter Settings

The URL Filter settings are used for configuring the URL Filter module, which handles activities related to URL filtering on a Secure Web Gateway appliance.

Instances of the URL Filter settings include the following:

  • Default settings — Settings used when working with the default rule set for URL filtering. This rule set is named Default and is nested within the URL Filtering rule set.
  • Special URL Filtering Group settings — Settings used when working with the nested Special URL Filtering Group rule set.

Extended List

Settings for extended lists.

Option Definition

Use the extended list

Provides a list for selecting an extended list.

Add 

Opens the Add List window for adding an extended list.

Edit

Opens the Edit List (Extended List) window for editing the selected extended list.

 

Ratings Settings

Settings for retrieving rating information on URLs based on categories and reputation scores.

Option Definition

Search the CGI parameters for rating

When selected, CGI parameters are included in the search for information.

CGI (Common Gateway Interface) parameters in a URL trigger scripts or programs when the URL is accessed. Information on CGIs is considered when categorizing a URL.

Search for and rate embedded URLs

When selected, embedded URLs are included in the search for information and rated.

Information on an embedded URL is considered when categorizing the embedding URL.

NOTE: Searching for embedded URLs can impact performance.

Do a forward DNS lookup to rate URLs

When selected, a DNS lookup is performed for a URL for which no relevant information has been found.

The IP address that was looked up is used for another search.

Do a backward DNS lookup for unrated IP-based URLs

When selected, a backward DNS lookup, based on the IP address, is performed for an IP-based URL for which no relevant information has been found.

The host name that was looked up is used for another search.

Use the built-in keyword list

When selected, the built-in keyword list is included in the search.

Disable local GTI database

When selected, no information about web reputation and categories is retrieved from the local Global Threat Intelligence database.

Use online GTI web reputation and categorization services if local rating yields no result

When selected, information on URL categories and reputation scores is only retrieved from the Global Threat Intelligence service if the search in the internal database yielded no results.

Use default server for online GTI web reputation and categorization services

When selected, the appliance connects to the default server for retrieving information on URL categories and reputation scores from the Global Threat Intelligence system.

  • IP of the server — Specifies the IP address of the server used to connect to the Global Threat Intelligence system when the default server is not used.

    Format: <domain name> or <IPv4 address> or <IPv4 address mapped to IPv6 address>

    Regular IPv6 addresses cannot be specified here.
     
  • Port of the server — Specifies the number of the port on this server that listens for requests from the appliance.

    Allowed range: 1–65535

Enable the Dynamic Content Classifier if GTI web categorization yields no result

When selected, the Dynamic Content Classifier is involved in the URL filtering process if a search performed by the Global Threat Intelligence service yielded no results.

Advanced Settings

Advanced settings for the URL Filter module.

Option Definition

Treat connection problems to the cloud as errors

When selected, problems arising on the connection from the appliance to the Global Threat Intelligence server are logged as errors.

Properties for error handling are set and eventually rules from an Error Handler rule set are executed.

Do a backward DNS lookup also for private addresses

When selected, private IP addresses are included in the backward DNS lookup.

Excluding these addresses from the lookup leads to an increase in performance for URL filtering.

This option is disabled by default.

The lookup includes the following types of addresses:

  • IPv4
    • Private addresses
    • Zeroconf addresses
  • IPv6
    • Link local addresses
    • Site local addresses
    • Unique local addresses
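
The following added example (not part of the product documentation) classifies URL host literals into the address types listed above, which helps when auditing which IP-based URLs are reverse-resolved only if this option is selected. The CIDR ranges are the standard RFC definitions and are an assumption about what the product matches; the function names are hypothetical.

```python
import ipaddress

# Address types named on this page, mapped to their standard RFC ranges.
# Assumption: the appliance uses these standard ranges; the page does not list them.
_CLASSES = [
    ("IPv4 private", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),  # RFC 1918
    ("IPv4 zeroconf", ["169.254.0.0/16"]),                                # RFC 3927
    ("IPv6 link local", ["fe80::/10"]),                                   # RFC 4291
    ("IPv6 site local", ["fec0::/10"]),                                   # RFC 3879, deprecated
    ("IPv6 unique local", ["fc00::/7"]),                                  # RFC 4193
]
_NETS = [(name, [ipaddress.ip_network(c) for c in cidrs]) for name, cidrs in _CLASSES]


def address_class(host):
    """Return the listed address type for a URL host literal, or None."""
    text = host.strip("[]")  # IPv6 literals are bracketed inside URLs
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None  # a host name, so not an IP-based URL
    for name, nets in _NETS:
        if any(addr.version == n.version and addr in n for n in nets):
            return name
    return None  # public or otherwise unlisted address


def needs_option(hosts):
    """Map each host that is reverse-resolved only with the option selected to its type."""
    classified = ((h, address_class(h)) for h in hosts)
    return {h: c for h, c in classified if c}


if __name__ == "__main__":
    # Constructed sample hosts, not taken from any real log.
    sample = ["10.1.2.3", "169.254.10.20", "[fe80::1]", "fd12:3456::1",
              "172.32.0.1", "93.184.216.34", "intranet.example"]
    for host, kind in needs_option(sample).items():
        print(f"{host:18} {kind}")
```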

 

Proxy Settings

Option Definition

Use upstream proxy

When selected, the appliance uses a proxy for connecting to the Global Threat Intelligence server on which lookups for URL category information, also known as “in-the-cloud” lookups, can be performed.

IP or name of the proxy

Specifies the IP address or host name of the proxy.

Port of the proxy

Specifies the number of the port on the proxy that listens for lookup requests from the appliance.

User name

Specifies a user name for the appliance when logging on to the proxy.

Password

Sets a password for an appliance.

Set

Opens a window for setting a password.

Connect to GTI cloud via host name also when a proxy is configured

When selected, Secure Web Gateway connects to a cloud service for performing GTI lookups using the host name of the server where the cloud service resides, regardless of whether a proxy is also configured.

Try to bypass the proxy if unreachable

When selected, Secure Web Gateway tries to bypass a proxy that has been set up if this proxy cannot be reached.

Trust server certificate

When selected, a certificate sent under HTTPS by a cloud service for performing GTI lookups is trusted on Secure Web Gateway.

  • Subject, Issuer, Validity, Extensions, Fingerprint, Private Key — Provide information about the certificate that is sent by the cloud service.
  • Import — Opens a window for importing a server certificate.

Provide client certificate

When selected, Secure Web Gateway provides a certificate when connecting as a client under HTTPS to a cloud service for performing GTI lookups.

  • Subject, Issuer, Validity, Extensions, Fingerprint, Private Key — Provide information about the certificate that Secure Web Gateway sends to the cloud service.
  • Import, Export, Export Key — Open windows for importing a client certificate and for exporting a client certificate and key.

 

Logging

Option Definition

Enable logging

When selected, URL filtering activities are logged on the appliance.

If this option is not selected, the following logging options are grayed out.

Log level

Provides a list for selecting the log level.

Log levels are as follows:

  • 00 FATAL — Logs only fatal errors.
  • 01 ERRORS — Logs all errors.
  • 02 WARNING — Logs errors and warnings.
  • 03 INFO — Logs errors, warnings, and additional information.
  • 04 DEBUG1 ... 013 DEBUG9 — Log information required for debugging URL filtering activities.
    The amount of logged information increases from level DEBUG1 to DEBUG9.
  • 14 TRACE — Logs information required for tracing URL filtering activities.
  • 15 ALL — Logs all URL filtering activities.

(Log area)

Provides a set of options for including different areas of URL filtering activities into the logging.

  • LOG_AREA_ALL — When selected, all URL filtering activities are logged.
  • LOG_AREA_NETWORK — When selected, activities regarding the network connections used for URL filtering are logged.
  • LOG_AREA_DATABASE_SEARCH — When selected, activities regarding the retrieval of data for URL filtering from the internal database are logged.
  • LOG_AREA_DNS — When selected, activities regarding a DNS lookup that is performed for URL filtering are logged.
  • LOG_AREA_URL — When selected, activities for handling URLs, such as parsing them, are logged.
  • LOG_AREA_CLOUD — When selected, activities regarding the retrieval of information from the Global Threat Intelligence system are logged.

 

Cloud Settings

Option Definition

Connection count (maximum)

Limits the number of connections that can be active at the same time.

Maximum number of connections by default: 4

Request timeout

Limits the time between retries of requests on a connection.

Maximum time by default: 2000 ms

Request attempts

Limits the number of retries.

Maximum number of retries: 3

 

Troubleshooting

Settings for troubleshooting issues with URL filtering.

Option Definition

Automatic air-gap mode

An automatic air-gap mode can be enabled for connections from a Secure Web Gateway appliance to a Global Threat Intelligence (GTI) server when issues impacting response time arise.

Enabling this mode prevents increased response times on GTI server connections from creating overload issues elsewhere, for example, on the anti-malware or the proxy working queue.

Traffic resulting from queries sent to and received from the GTI server is reduced in air-gap mode to the minimum that is required to monitor response times in order to recognize a return to normal. When a return to normal is recognized, the automatic air-gap mode is disabled.

What is considered a normal response time here can be configured.

While the automatic air-gap mode is enabled, information about URL categories and reputation scores can still be retrieved from the local database on Secure Web Gateway.

Monitoring functions can be enabled with or without the automatic air-gap mode.

The following can be selected for the automatic air-gap mode:

  • Off — When selected, no monitoring is performed on GTI server connections and the automatic air-gap mode is never enabled.
    This option is selected by default.
  • Monitor only — When selected, GTI server connections are monitored, but the automatic air-gap mode is still never enabled.
    When these connections are monitored, issues impacting response time are logged like this:
    • When the maximum average response time exceeds a configured threshold as long as or longer than a time interval that is also configured, a warning message is logged, as a possible trigger to taking appropriate measures.
    • When response times return to normal again, falling below the threshold as long as or longer than configured, an information message is logged.
      Default values are configured for the threshold and the time intervals. You can modify these values to adapt them to your network conditions.
  • Active — When selected, GTI server connections are monitored and the automatic air-gap mode is enabled and disabled depending on how response times on these connections develop.
    The configured threshold and time intervals are then evaluated for both enabling the air-gap mode and logging warnings and information messages.

Maximum average delay threshold

Sets a threshold value that marks the acceptable maximum average response time (in ms) on connections to a GTI server.

Default: 250 ms

 

Retention time enable air gap

Sets the time interval (in seconds) over which the average response time on GTI server connections must exceed the configured threshold before a warning message is logged and the automatic air-gap mode is enabled if available and activated.

Default: 10 seconds

Retention time disable air gap

Sets the time interval (in seconds) over which the average response time on GTI server connections must fall below the configured threshold before a back-to-normal message is logged and the automatic air-gap mode is disabled if previously enabled.

Default: 120 seconds

Probing rate if enabled

Sets the minimal percentage of user-submitted web access requests for which queries are still sent to a GTI server while the automatic air-gap mode is enabled.

Keeping a minimal amount of traffic on the connections to the GTI server is required to monitor this traffic in order to recognize when response times return to normal, so the automatic air-gap mode can be disabled.

Default: 1 %
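
The following added example (not the appliance's implementation) models the threshold and the two retention times described above as a small state machine, so the effect of changing the defaults can be replayed against a latency trace before the mode is set to Active. It assumes one average-response-time sample per second and that a sample on the wrong side of the threshold restarts the retention interval; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class AirGapMonitor:
    mode: str = "active"          # "off", "monitor" or "active" (Off / Monitor only / Active)
    threshold_ms: float = 250     # Maximum average delay threshold (page default)
    enable_after_s: float = 10    # Retention time enable air gap (page default)
    disable_after_s: float = 120  # Retention time disable air gap (page default)
    degraded: bool = False        # warning logged, back-to-normal not yet logged
    air_gap: bool = False         # only ever True in "active" mode
    _since: float = None          # start of the current run past the threshold
    events: list = field(default_factory=list)

    def observe(self, t, avg_ms):
        """Feed one sample: time in seconds, average response time in ms."""
        if self.mode == "off":
            return  # no monitoring at all
        # Healthy: wait for a run above the threshold. Degraded: wait for a run below it.
        if self.degraded:
            crossing = avg_ms < self.threshold_ms
        else:
            crossing = avg_ms > self.threshold_ms
        if not crossing:
            self._since = None  # assumption: an interruption restarts the interval
            return
        if self._since is None:
            self._since = t
        hold = self.disable_after_s if self.degraded else self.enable_after_s
        if t - self._since >= hold:
            self.degraded = not self.degraded
            self.air_gap = self.degraded and self.mode == "active"
            level = "WARNING" if self.degraded else "INFO"
            self.events.append((t, level, self.air_gap))
            self._since = None


def constructed_trace():
    """Constructed trace: 400 ms from t=5 to t=39 and one spike at t=100, else 100 ms."""
    return [(t, 400 if (5 <= t < 40 or t == 100) else 100) for t in range(240)]


def replay(samples, mode="active"):
    """Return the (time, log level, air-gap state) events the trace produces."""
    monitor = AirGapMonitor(mode=mode)
    for t, avg_ms in samples:
        monitor.observe(t, avg_ms)
    return monitor.events
```

With the default values, the single slow sample at t=100 restarts the 120-second interval in this model, so the back-to-normal message arrives at t=221 instead of t=160.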
