Web Filter FAQs

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search

Can I grant privileged access to some users while still blocking sites for everyone else?

There are several ways to accomplish this:

  • Policy Manager can be used to create multiple policies, which allows you to have separate filtering settings for individuals or groups of users or times of day, etc. The easiest example is a school, where you would want Teachers to have more relaxed internet filter settings than the students. Different settings can be applied to any individual or group in your organization such as CEOs, Administrative Assistants or Accounting Departments.
  • The Passed Client IPs List allows you to exempt specific client IPs from all filtering inside Web Filter.
  • The Unblock option displays a button that, when clicked, will allow users to bypass the block page. Web Filter has an additional option to require a password for this.

Can I let users access certain sites during lunch or after hours?

You can leverage Policy Manager to set up specific filtering settings for different days or time periods, such as allowing Facebook during breaks or after work hours.

Create a new policy for lunch or after hours, then create policy rules to send traffic to be processed by those policies during the desired hours.

How do I submit a mis-categorized or uncategorized site?

You can go to BrightCloud's website and submit the correct (or new) categorization. It will be reviewed immediately by a human. Once the new categorization takes effect you may need to flush your category cache in Web Filter to see the new categorization.

Does Web Filter use a lot of memory and CPU?

If your NG Firewall server is operating well without Web Filter, then you won't see much of a difference if you run Web Filter. Web Filter does not use much memory, and its cloud-based architecture adds very little to CPU utilization.

How do real-time updates work?

When a client first vists a site, Web Filter queries Webroot Brightcloud® to get the categories the site is under to make a decision to block or pass based on your configuration. The category information is also written to a local cache so it doesn't have to be checked the next time a user visits that site.

How long does Web Filter cache category information for sites?

Several days. Web Filter flushes non-frequently used cache. The websites that you visit daily will not be cleared from cache.

Can I add additional categories?

Custom categories are not available, however we provide over 140 categories for granular control over what your clients can access. If you feel there are categories that we can add to make it even better, just let us know.

How should I handle false positives?

While the fastest way to allow clients to access a site that is currently blocked is to add the site to your pass list, you can request recategorization of sites here - the turnaround time is usually less than two days.

Can I use Web Filter to block HTTPS/SSL sites?

Yes - because Web Filter has access to a separate database of IP addresses, it can categorize HTTPS traffic based on certificate, SNI, or the destination IP address. This is not done by individual domain, but by category - for example, if you simply block 'facebook.com'. Please note that this does not mean Web Filter can parse HTTPS content as it is encrypted. This means other forms of blocking like URI, file-type, mime-type, etc can not be done on HTTPS as the stream is encrypted and these require parsing of the HTTP protocol.

To accomplish this level of blocking SSL Inspector is required. More options about handling SSL are described here.

Can I block all web sites except certain ones?

Yes, simply block all categories (including "Uncategorized"). Then add whatever sites you'd like to pass to the Pass List. Please be aware that the complex nature of the web and the fact that many applications communicate over HTTP can make this approach difficult.

Alternatively, the rules can be used. Just add a rule to block all web traffic, then explicitly add any sites to the pass list or in rules above the block rule.

Why did 'Youtube for Schools' disappear?

Google/YouTube stopped supporting their YouTube for schools features. These features relied on NG Firewall adding an identification header to HTTP requests and then YouTube would enforce the policy on the server. Since this feature is no longer supported by their servers the feature has been removed.

Windows computers showing "No Internet Access" but everything is fine. Why?

Make sure you're not blocking access to the domain www.msftncsi.com; this is part of a test that Microsoft runs to see if there is an active internet connection. Once you've verified this domain is not blocked, simply restart the PC and that should take care of it.

Why is a site not being properly displayed even though I added it to the Pass List?

It's common for a web site to display links, banners and content from other web sites as part of their web pages. There are two easy methods to re-integrate the content while maintaining your access controls. A good example is Facebook - when you go to 'facebook.com', much of the site is loaded from 'fbcdn.net'. Sometimes additional sites must be added to the pass list. To fix these problems, look at the Blocked Web Events in Reports to see what is being blocked. Continue to add related sites that are being blocked to the pass list until it works as desired.