Web Filter FAQs

From Edge Threat Management Wiki - Arista
Revision as of 21:09, 26 December 2016 by Dmorris (talk | contribs)
Jump to navigationJump to search


Can I grant privileged access to some users while still blocking sites for everyone else?

There are several ways to accomplish this:

  • Policy Manager can be used to create multiple policies, which allows you to have separate filtering settings for individuals or groups of users or times of day, etc. The easiest example is a school, where you would want Teachers to have more relaxed internet filter settings than the students. Different settings can be applied to any individual or group in your organization such as CEOs, Administrative Assistants or Accounting Departments.
  • The Passed Client IPs List allows you to exempt specific client IPs from all filtering inside Web Filter.
  • The Unblock option displays a button that, when clicked, will allow users to bypass the block page. Web Filter has an additional option to require a password for this.

How do I submit a mis-categorized or uncategorized site?

You can go to zvelo and submit the correct (or new) categorization. It will be reviewed immediately by a human. Once the new categorization takes effect you may need to flush your category cache in Web Filter to see the new categorization.


Does Web Filter use a lot of memory and CPU?

If your Untangle Server is operating well without Web Filter, then you won't see much of a difference if you run Web Filter. Web Filter doesn't use much memory, and its cloud-based architecture adds very little to CPU utilization.


How do real-time updates work?

When a client first vists a site, Web Filter accesses the zveloDB to get the categories the site is under to make a decision to block or pass based on your configuration. The category information is also written to a local cache so it doesn't have to be checked the next time a user visits that site.


How long does Web Filter cache category information for sites?

Several days. Web Filter flushes non-frequently used cache. The website that you visit daily will not be cleared from cache.


Can I add additional categories?

Custom categories are not available, however we provide over 140 categories for granular control over what your clients can access. If you feel there are categories that we can add to make it even better, just let us know.


How should I handle false positives?

While the fastest way to allow clients to access a site that is currently blocked is to add the site to your pass list, you can request recategorization of sites here - the turnaround time is usually less than two days.


Can I use Web Filter to block HTTPS/SSL sites?

Yes - because Web Filter has access to a separate database of IP addresses, it can categorize HTTPS traffic based on certificate, SNI, or the destination IP address. This is not done by individual domain, but by category - for example, if you simply block 'facebook.com'. Please note that this does not mean Web Filter can parse HTTPS content as it is encrypted. This means other forms of blocking like URI, file-type, mime-type, etc can not be done on HTTPS as the stream is encrypted and these require parsing of the HTTP protocol.

To accomplish this level of blocking SSL Inspector is required. More options about handling SSL are described here.


Can I block all web sites except certain ones?

Yes, simply block all categories (including "Uncategorized"). Then add whatever sites you'd like to pass to the Pass List. Please be aware that the complex nature of the web and the fact that many applications communicate over HTTP can make this approach difficult.

Alternatively, the rules can be used. Just add a rule to block all web traffic, then explicitly add any sites to the pass list or in rules above the block rule.


Why can i access a site using HTTPS when I've added it to the block list?

Web Filter scans and categorizes HTTPS traffic by IP address because the session itself is encrypted and cannot be scanned. As a result, if you add "example.com" to the block list and go to "https://example.com" it will not be blocked because Untangle can only see the IP address. However, if you block the category "example.com" is in, then go to "https://example.com" it will not connect and you will see a block event in the Event Log.


Why is Web Filter still blocking an HTTPS site even after I added it to the pass list?

This should only be a problem with older browsers that do not provide SNI information in the HTTPS stream - if your browser provides SNI information, adding the domain to the pass list should allow the site to load. Older browsers that do not provide SNI information can run into this problem, however. If this is the case, it is because Web Filter does categorization of HTTPS traffic by IP address. HTTPS encrypts the hostname and request, so all we can see is the destination IP. This means if https://example.com/ is getting blocked, adding "example.com" to the passlist will have no effect because HTTPS is categorized by IP address. If you add the IP address of example.com to the passlist then HTTPS traffic to example.com will be allowed.


Why did 'Youtube for Schools' disappear?

Google/Youtube stopped supporting the their youtube for schools features. This features relied on Untangle adding an identification header to HTTP requests and then youtube would enforce the policy on the server. Since this feature is no longer supported by their servers the feature has been removed.


Windows computers showing "No Internet Access" but everything is fine. Why?

Make sure you're not blocking access to the domain www.msftncsi.com; this is part of a test that Microsoft runs to see if there is an active internet connection. Once you've verified this domain is not blocked, simply restart the PC and that should take care of it.

Retrieved from "https://wiki.edge.arista.com/index.php?title=Web_Filter_FAQs&oldid=4328"