Zenarmor Web Control Rules on OPNsense

Web Controls are web-specific controls that you can apply to web browsing activities.

info

The difference between Application Controls and Web Controls is that Web Controls provide a more specific and focused policy management for HTTP and HTTPS (Web) based connections.

Application Controls, on the other hand, work for all protocols and connection types and are a more generalized control mechanism.

For instance, if you want to block a specific website or category that you know operates over the HTTP protocol, you are advised to control access through Web Controls.

If you want to create an access policy for Tor Browser, which can operate on any TCP port, your best bet will be to do it via Application Controls.

The engine processes the request, queries the SVN Cloud in real time, and decides whether the request will be blocked or allowed. We check against 300+ million websites under 60+ categories in milliseconds.

If TLS Inspection is not enabled, HTTPS filtering is based on SNI and FQDN information. If TLS Inspection is enabled, URL and HTTP protocol headers are also analyzed.

Popular search engines like Google, Bing, DuckDuckGo, Yandex, and YouTube optionally provide a Safe Search feature for a safer browsing experience. Safe Search removes offensive or inappropriate content from search results. YouTube's Restricted Mode is analogous but only applies to its videos. When Safe Search is enabled, sexually explicit videos and images, as well as results that may link to explicit content, are filtered from search result pages. Restricted Mode was created to give YouTube users more control over the content they see and the option to choose a purposefully limited YouTube experience.

Typically, the Safe Search feature is activated per user or endpoint. Nevertheless, Zenarmor allows you to activate Safe Search enforcement per policy for all network users. This feature is ideal for school networks where Safe Search is enabled by default for students but not for instructors and other staff. This feature allows IT departments to control Safe Search globally and efficiently across the network.

You may easily enable/disable the Safe Search feature by following these steps:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Switch on/off the Enforce Safe Search option on the Enhanced Safe Search Enforcement pane.

    Figure 1. Enable Safe Search on Zenarmor

Enabling/Disabling Block ECH

Zenarmor enables you to prevent the use of TLS 1.3 Encrypted Client Hello (ECH), a privacy feature that conceals domain names in HTTPS connections. By blocking ECH, Zenarmor can inspect traffic metadata for improved policy enforcement and visibility. ECH is prohibited by default. To allow TLS 1.3 Encrypted Client Hello, switch off the Block TLS Encrypted Client Hello ECH toggle in the General Web Protection Controls pane.

Figure 2. Disabling Block ECH Option

Selecting Web Profiles

Zenarmor lets you disable entire website categories, such as gambling and social media, in order to enforce company policies and guarantee productive internet use. Websites are categorized by type and listed in a click-to-open tree view for convenient access. There are four different types of predefined Web Profiles:

  • Permissive: There are no restrictions on web browsing in this profile.
  • Moderate Control: Only dangerous/highly risky web categories such as Illegal Drugs, Adult, Pornography, Violence, and Advertisements are blocked in this profile.
  • High Control: Forums, Alcohol, Blogs, Gambling, Chats, Dating, Games, Job Search, Online Storage, Social Networks, Software Downloads, Weapons, Military, Swimsuits, Tobacco, and Warez Sites are among the categories blocked in this profile, in addition to the ones blocked in the Moderate profile.
  • Custom: By creating a new profile, you can perform fully customized web filtering.

You can configure the web filtering on your node by following these steps:

  1. Navigate to the Web Controls tab on the policy configuration page.
  2. Click on the Category Based Controls pane. This will display the available web profiles and web categories.
  3. Select the web profile that meets your needs from the Profile drop-down menu.

Figure 2. Zenarmor Web Control Profiles

Searching Web Category

You may use the search feature to find a web category by following the next steps:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Click on the Category Based Controls pane. This will display all available web categories.

  3. Type the name of the web category whose filtering status you wish to view or set into the search field. The outcome will be promptly displayed below.

    Figure 3. Searching Web Category

Defining Custom Web Category

Zenarmor's user-oriented approach puts you at the center of the control universe. You can define your own web categories, add sites under them, and manage their status with just one click.

tip

You can enter domains and subdomains. There is no need to use an asterisk; Zenarmor will match all subdomains and fully qualified domain names under the domain you enter. If you would like anything under domain.com (sub.domain.com, host.sub.domain.com) to be allowed or blocked, just put domain.com and we'll match them all.

To create a custom web category, you can add websites one by one or import them in bulk from a file.
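The matching rule described in the tip above, as an added Python illustration (not Zenarmor code): an entry matches itself and every name beneath it on DNS label boundaries, so a site list can be cleaned of wildcards, pasted URLs and redundant subdomains before it is entered or imported. The function names and the sample list are constructed for this example.

```python
def normalize(entry):
    """Reduce a pasted entry to a bare lowercase domain, or None if unusable."""
    e = entry.strip().lower()
    if not e or e.startswith("#"):
        return None
    if "://" in e:                        # pasted URL: keep only the host part
        e = e.split("://", 1)[1]
    e = e.split("/", 1)[0].split(":", 1)[0]
    if e.startswith("*."):                # the asterisk is unnecessary per the tip
        e = e[2:]
    e = e.strip(".")
    labels = e.split(".")
    if "*" in e or len(labels) < 2 or any(not l or len(l) > 63 for l in labels):
        return None
    return e

def covers(entry, host):
    """True if host is the entry itself or a subdomain of it (label boundary)."""
    host = host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)

def collapse(entries):
    """Normalize, dedupe, and drop entries already covered by a parent entry."""
    domains = {d for d in map(normalize, entries) if d}
    kept = []
    for d in sorted(domains, key=lambda d: d.count(".")):   # parents first
        if not any(covers(k, d) for k in kept):
            kept.append(d)
    return sorted(kept)

# Constructed sample list, one entry per line as an operator might paste it.
SAMPLE = [
    "domain.com",
    "*.domain.com",
    "sub.domain.com",
    "https://host.sub.domain.com/login",
    "notdomain.com",          # different registrable name, must NOT be covered
    "Example.org.",
    "# comment",
    "localhost",              # single label, rejected
]

if __name__ == "__main__":
    for d in collapse(SAMPLE):
        print(d)
```

Note that notdomain.com survives as its own entry: a plain string-suffix comparison would wrongly treat it as falling under domain.com, which is why the comparison is anchored on the dot.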

note

The Custom Web Category feature is only available for Premium Zenarmor Editions.

Adding a new user-defined category

If the category does not exist in the list, you can easily define a new web category. To add a new user-defined category, follow the steps given below:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Click on the Category Based Controls pane.

  3. Click on the + Create Custom Web Category button. It will pop up a window to define a custom web control.

  4. Enter the name of the new category in the Web Category Name field.

    Figure 3. Creating Custom Web Category on Zenarmor

  5. Click on the +Add Site button to add a domain.

    Figure 4. Adding Site to Custom Web Category on Zenarmor

  6. Type the site domain and click the + Add Site button. You can add as many sites as you want.

    tip

    You may also add several websites to a web category in bulk by importing them from a file. To import websites from a file, follow these steps:

    1. Click the menu button with the 3-dot ... icon next to the + Add Site button.
    2. Click Import Sites in the drop-down menu. This will pop up a file explorer.

    Figure 5. Adding Site From a File

    3. Browse and select the file to import websites in bulk.
    4. Click Open.
  7. You may check the Send this re-categorization as feedback to the Zenarmor team to improve web categorization option.

  8. Click the Create button to save a new web category.

Viewing or Editing a user-defined category

To edit or delete a user-defined web category you may follow the steps given below:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Click on the Category Based Controls pane.

  3. Switch on the Display custom web controls only toggle button. This will show the custom web categories that you added before.

  4. Click on the user-defined category name that you want to update. You'll see a pen icon next to the category name.

  5. Click the Edit button with the pen icon to update or delete the web category. This will open up the modal dialog.

    Figure 6. Editing a user defined web category

  6. You may delete a website domain by clicking on the X cross icon next to it.

  7. You may add a new domain by clicking on the +Add Site button.

  8. You may save changes by clicking on the Update button.

  9. Click the Delete cross icon to delete your custom web category. After your confirmation, this will delete the whole category with all sites under it.

    Figure 7. Updating/Deleting a user-defined web category

Blocking a Category

The Custom Web Profile of Zenarmor allows you to block individual categories by clicking the toggle button located in the Status column of each web category.

Figure 8. Blocking Web Category Individually

URL Blocking

For ZTNA, SSE, and SASE subscriptions, Zenarmor provides URL and URL regex-based blocking capabilities, enabling users to implement more stringent security measures by preventing access to particular websites or patterns within URLs. This protects their clients against known threats and unauthorized entry.

The URL Blocking capability is closely integrated with the TLS inspection feature. URL Blocking enables you to restrict URLs at a more detailed level by using the (*) wildcard in your URL. This allows you to specifically target subdomains or paths throughout the whole system.

caution

In order for the URL Blocking feature to function, your policy must have Full TLS Inspection enabled (TLS decrypt/re-encrypt).
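Why a wildcard URL rule depends on Full TLS Inspection, as an added Python sketch (not Zenarmor's matcher): without decryption an HTTPS request exposes only SNI/FQDN, so there is no URL to compare a rule against. The wildcard semantics ('*' matches any run of characters, everything else is literal), the function names and the rules and requests are assumptions constructed for this example.

```python
import re

def wildcard_to_regex(pattern):
    # Assumed semantics: '*' matches any run of characters; all else is literal,
    # so '.' and '?' in a rule are escaped instead of acting as regex operators.
    literal_parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(literal_parts) + "$")

def url_seen_by_filter(url, full_tls_inspection):
    # Per the page: without TLS inspection, HTTPS filtering sees SNI/FQDN only.
    return url if full_tls_inspection else None

def matching_rules(rules, url, full_tls_inspection):
    seen = url_seen_by_filter(url, full_tls_inspection)
    if seen is None:
        return []                      # nothing for a URL rule to evaluate
    return [r for r in rules if wildcard_to_regex(r).match(seen)]

# Constructed rules and HTTPS requests, not taken from any real policy.
RULES = [
    "https://*.example.com/downloads/*",
    "https://files.example.net/tools/*.exe",
]
REQUESTS = [
    "https://cdn.example.com/downloads/a.zip",     # subdomain + path: rule 1
    "https://example.com/downloads/a.zip",         # apex: '*.' needs a label
    "https://files.example.net/tools/setup.exe",   # rule 2
    "https://files.example.net/docs/readme.txt",   # no rule
]

def report(full_tls_inspection):
    return {u: matching_rules(RULES, u, full_tls_inspection) for u in REQUESTS}

if __name__ == "__main__":
    for mode in (False, True):
        print("Full TLS Inspection:", mode)
        for url, hits in report(mode).items():
            print("  ", "BLOCK" if hits else "pass ", url)
```

Under these assumed semantics a rule written as https://*.example.com/... does not cover the bare example.com host, so a policy that must cover both needs a second rule for the apex.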

You may easily block a URL by following the next steps:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Click on the URL Blocking pane.

  3. Type the URL, including http or https, into the URL field.

  4. Type a descriptive name into the Description field.

  5. Click Block.

    Figure 9. Blocking URL on Zenarmor

Editing Blocked URLs

You may quickly edit or update manually blocked URLs by following these steps:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Click on the URL Blocking pane. All blocked URLs that you previously defined will be listed here.

  3. Find the URL that you need to edit.

    Figure 10. Blocked URL List

  4. Click on the menu with the 3-dot ... icon under the Action column. This will open a task menu.

    Figure 11. Edit Blocked URL

  5. Click the Edit menu item. This will pop up a window for updating URL fields.

  6. Update the URL information depending on your need.

    Figure 12. Updating Blocked URL information

  7. Click Save.

Enabling / Disabling Blocked URLs

You may quickly enable or disable the manually blocked URLs by following these steps:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Click on the URL Blocking pane. All blocked URLs that you previously defined will be listed here.

  3. Find the URL that you need to enable or disable. Enabled URLs have a green circle icon at the beginning of the URL line in the list while disabled URLs have a gray circle icon.

  4. Click on the menu with the 3-dot ... icon under the Action column. This will open a task menu.

  5. Click the Enable or Disable menu item. After disabling the blocked URL, it will be accessible to the clients.

  6. Update the URL information depending on your need.

    Figure 13. Disabled Blocked URL

Removing Blocked URLs

You may quickly remove the manually blocked URLs by following these steps:

  1. Navigate to the Web Controls tab on the policy configuration page.
  2. Click on the URL Blocking pane. All blocked URLs that you previously defined will be listed here.
  3. Find the URL that you need to remove permanently.
  4. Click on the menu with the 3-dot ... icon under the Action column. This will open a task menu.
  5. Click the Remove menu item. This will display a notification window for confirmation.
  6. Click on the Remove button to confirm URL removal.

Activating the rules

When you're satisfied with the changes you made, click the Apply Changes button in the top right corner of the screen to activate the rules.