F1020 firewall uses Feature 9345P18 version + 1.0.47 URL signature library, configure URL blacklist test to block youtube and facebook unsuccessfully, URL filtering logs show successful, but the terminal can still access the website.
The current firewall and corresponding version is implemented by URL filtering blacklist. The mechanism is: when HTTPS traffic filtering is enabled, the SNI (Sever Name Indication extension) field in the Client HELLO message sent by the client is directly detected without decrypting HTTPS traffic. Get the server domain name from which the user is accessing, and use the obtained domain name to match the URL filtering policy.
By capturing the complete process of website access by the client, it is found that there are more SNI fields in youtube and facebook when the terminal initiates the access to the above sites. In addition to the domain name of the main site, there are also several sub-sites accessing the below sites. The firewall failed to block the specified traffic.
1. when you need to block HTTPS traffic to a site, such as only configuring the master domain name does not take effect, you need to grab packets to view the SNI field in the client hello message of https. The blacklist is configured by extracting the relevant SNI and using regular expressions. As in this example: *ytimg* *googlevideo* *fb* *fbcdn* .
2. or you can block youtube and facebook with the APR signature via security policy. current signature V7-ACG-APR-1.0.109 doesn"t have https signature for youtube and facabook, so you can"t block youtube and facebook with the APR signature. plan next version V7-ACG-APR-1.0.110 would be incorporated. Please update to the latest version of the signature library after the release.