Skip to main content

Web Control Rules

Web Controls are web-specific controls that you can use while browsing the web.

info

The distinction between Application Controls and Web Controls is that Web Controls give more specific and focused policy management for HTTP and HTTPS (Web) connections.

Application Controls, on the other hand, are a more generalized control mechanism that works for all protocols and connection types.

For example, if you want to block a specific website or category that you know uses the HTTP protocol, you should use Web Controls to do so.

If you want to create an access policy for Tor Browser that can run on any TCP port, you should use Application Controls.

The Zenarmor® processes the request, performs real-time queries to SVN Cloud, and determines whether it should be blocked or allowed. In milliseconds, we check against 300+ million websites in 120+ categories.

HTTPS filtering is based on SNI and FQDN information if TLS Inspection is not enabled. URL and HTTP protocol headers are also examined if TLS Inspection is enabled.

Popular search engines like Google, Bing, Duckduckgo, Yandex, and YouTube provide a Safe Search feature optionally for a safer browsing experience. Safe Search removes offensive or inappropriate content from search results. YouTube's Restricted Mode is analogous but only applies to their videos. When Safe Search is enabled, sexually explicit videos and images, as well as results that may link to explicit content, are filtered from Search result pages. Restricted Mode was created to give YouTube users more control over the content they see and the option to choose a purposefully limited YouTube experience.

Typically, Safe Search feature is activated per user or endpoint. Nevertheless, Zenarmor allows you to activate Safe Search enforcement per-policy for all network users. This feature is ideal for school networks where Safe Search is enabled by default for students but not for instructors and other staff. This feature enables IT departments to control Safe Search globally and efficiently across the network.

You may easily enable/disable the Safe Search feature by following these steps:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Switch on/off the Enforce Safe Search option on the General Web Protection Controls pane.

    Enforcing Safe Search

    Figure 1. Enforcing Safe Search

Enabling/Disabling Block ECH

Zenconsole enables you to prevent the use of TLS 1.3 Encrypted Client Hello (ECH), a privacy feature that conceals domain names in HTTPS connections. Zenarmor can inspect traffic metadata for improved policy enforcement and visibility by blocking ECH. ECH is prohibited by default. To enable TLS 1.3 Encrypted Client Hello, disable the Block TLS Encrypted Client Hello ECH toggle bar in the General Web Protection Controls pane.

Disabling Block ECH Option

Figure 2. Disabling Block ECH Option

Selecting Web Profiles

Zenarmor facilitates the disabling of entire website categories, such as gambling and social media, in order to enforce company policies and guarantee productive internet use. Websites are categorized by type and listed in a click-to-open tree view for convenient access.

There are four different types of predefined Web Profile:

  1. Permissive: There are no restrictions on web browsing in this profile.

  2. Moderate Control: Only dangerous/high risky web categories such as Illegal Drugs, Adult, Pornography, Violence and Advertisements are blocked in this profile.

  3. High Control: Forums, Alcohol, Blogs, Gambling, Chats, Dating, Games, Job Search, Online Storage, Social Networks, Software Downloads, Weapons, Military, Swimsuits, Tobacco, and Warez Sites are among the categories blocked in this profile, in addition to the ones blocked in the Moderate profile.

  4. Custom: By creating a new profile, you can perform fully customized web filtering.

You can configure the web filtering on your node by following these steps:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Click on the Category Based Controls pane. This will display the available web profiles and web categories.

  3. Select the web profile that meets your needs from the Profile drop-down menu.

    Zenconsole Web Controls

    Figure 3. Web Control Profiles

Searching Web Category to Filter

There are a lot of web categories on the Web controls page, and it can be difficult to scroll down and navigate through all of them. You can look for and find a specific web category by using the Search field. Simply type the name of a category into the search form to find it in the list.

Search a web category in Web Controls

Figure 4. Search a web category in Web Controls

Defining Custom Web Control

The user-friendly approach of Zenarmor places you at the center of the control universe. You have the option of creating your own web control rules. To define a custom web profile, you may follow next steps:

  1. Select Custom from the Profile drop-down menu on Web Controls page.

  2. Click the toggle button next to the web category that you want to block.

info

By default, all web categories are Allowed in Custom web profile.

note

The Custom Web Profile is only available for Premium Zenarmor Editions.

Blocking a Category

Custom Web Profile on Zenconsole allows you to block individual categories by clicking the toggle button located on the Status column of each web category.

Blocking A Category

Figure 5. Blocking Web Category Individually

URL Blocking

For ZTNA, SSE, and SASE subscriptions, Zenconsole provides URL and URL regex-based blocking capabilities, enabling users to implement more stringent security measures by preventing access to particular websites or patterns within URLs. This protects their clients against known threats and unauthorized entry.

The URL Blocking capability is closely integrated with the TLS inspection feature. URL Blocking enables you to restrict URLs at a more detailed level by using (*) wildcard options in your URL. This allows you to specifically target subdomains or pathways throughout the whole system.

caution

In order for the URL Blocking feature to function, your policy must have Full TLS Inspection enabled (TLS decrypt/re-encrypt).

You may easily block a URL by following the next steps:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Click on the URL Blocking pane.

  3. Type the URL, including http or https, into the URL field.

  4. Type a descriptive name into the Description field.

  5. Click Block.

    Blocking URL on Zenconsole

    Figure 6. Blocking URL on Zenconsole

Editing Blocked URLs

You may quickly edit or update manually blocked URLs by following these steps:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Click on the URL Blocking pane. All blocked URLs that you previously defined will be listed here.

  3. Find the URL that you need to edit.

    Blocked URL List

    Figure 7. Blocked URL List

  4. Click on the menu with the 3-dot ... icon under the Action column. This will open a task menu.

    Edit Blocked URL

    Figure 8. Edit Blocked URL

  5. Click Edit menu. This will pop up a window for updating URL fields.

  6. Update the URL information depending on your need.

    Editing Blocked URL

    Figure 9. Updating Blocked URL information

  7. Click Save.

Enabling / Disabling Blocked URLs

You may quickly enable or disable the manually blocked URLs by following these steps:

  1. Navigate to the Web Controls tab on the policy configuration page.

  2. Click on the URL Blocking pane. All blocked URLs that you previously defined will be listed here.

  3. Find the URL that you need to enable or disable. Enabled URLs have a green circle icon at the beginning of the URL line in the list while disabled URLs have a gray circle icon.

  4. Click on the menu with the 3-dot ... icon under the Action column. This will open a task menu.

  5. Click Enable or Disable menu. After disabling the blocked URL, it will be accessible to the clients.

  6. Update the URL information depending on your need.

    Disabled Blocked URL

    Figure 10. Disabled Blocked URL

Removing Blocked URLs

You may quickly remove the manually blocked URLs by following these steps:

  1. Navigate to the Web Controls tab on the policy configuration page.
  2. Click on the URL Blocking pane. All blocked URLs that you previously defined will be listed here.
  3. Find the URL that you need to remove permanently.
  4. Click on the menu with the 3-dot ... icon under the Action column. This will open a task menu.
  5. Click Remove menu. This will display a notification window for confirmation.
  6. Click on the Remove button to confirm URL removal.

Activating the rules

When you're satisfied with your changes, click the synchronization button next to the policy to synchronize with the firewall and activate the rules on the policies list view.

Here is a video about the Zenarmor Web Security Controls.

Last updated on by Zenarmor