Web Monitor: Difference between revisions
(Page created with copy of Web Filter contents) |
(Updated lots of stuff to reflect Web Monitor instead of Web Filter) |
||
Line 1: | Line 1: | ||
[[Category:Applications]] | [[Category:Applications]] | ||
<span style="display:none" class="helpSource | <span style="display:none" class="helpSource web_monitor">Web_Monitor</span> | ||
<span style="display:none" class="helpSource | <span style="display:none" class="helpSource web_monitor_categories">Web_Monitor#Categories</span> | ||
<span style="display:none" class="helpSource web_monitor_block_sites">Web_Monitor#Flag_Sites</span> | |||
<span style="display:none" class="helpSource web_monitor_pass_sites">Web_Monitor#Pass_Sites</span> | |||
<span style="display:none" class="helpSource | <span style="display:none" class="helpSource web_monitor_pass_clients">Web_Monitor#Pass_Clients</span> | ||
<span style="display:none" class="helpSource | <span style="display:none" class="helpSource web_monitor_rules">Web_Monitor#Rules</span> | ||
<span style="display:none" class="helpSource web_monitor_advanced">Web_Monitor#Advanced</span> | |||
<span style="display:none" class="helpSource | |||
<span style="display:none" class="helpSource | |||
<span style="display:none" class="helpSource | |||
{| width='100%' | {| width='100%' | ||
|- | |- | ||
| align="center" | [[Image:WebFilter_128x128.png]] '''Web | | align="center" | [[Image:WebFilter_128x128.png]] '''Web Monitor''' | ||
| align="center" | | | align="center" | | ||
{| | {| | ||
Line 21: | Line 16: | ||
| Other Links: | | Other Links: | ||
|- | |- | ||
|[http://www.untangle.com/store/web- | |[http://www.untangle.com/store/web-monitor-conf.html Web Monitor Description Page] | ||
|- | |- | ||
|[http://www.untangle.com/videos/ Web | |[http://www.untangle.com/videos/ Web Monitor Video Demo] | ||
|- | |- | ||
|[http://www.untangle.com/store/web- | |[http://www.untangle.com/store/web-monitor-conf.html Web Monitor Screenshots] | ||
|- | |- | ||
|[http://forums.untangle.com/web- | |[http://forums.untangle.com/web-monitor/ Web Monitor Forums] | ||
|- | |- | ||
|[[Web | |[[Web Monitor Reports]] | ||
|- | |- | ||
|[[Web | |[[Web Monitor FAQs]] | ||
|} | |} | ||
|} | |} | ||
Line 38: | Line 33: | ||
== About Web | == About Web Monitor == | ||
Web | Web Monitor monitors HTTP traffic on your network to monitor user behavior and flag inappropriate content. Web Monitor also appeals to customers who require an added level of protection or are subject to regulations, for example Web Monitor helps libraries comply with the [http://en.wikipedia.org/wiki/Children%27s_Internet_Protection_Act Children's Internet Protection Act]). Need to flag Pornography or Hate Speech on your network? Web Monitor is your answer. | ||
* '''Real-time classification and updates''': When your users visit a site, Untangle sends the URL to the [http://zvelo.com/technology/zvelodb-url-database cloud] to be categorized. When the data is returned, Untangle keeps a temporary local cache of the site and category to speed up the process the next time the URL is requested. This data is then used to | * '''Real-time classification and updates''': When your users visit a site, Untangle sends the URL to the [http://zvelo.com/technology/zvelodb-url-database cloud] to be categorized. When the data is returned, Untangle keeps a temporary local cache of the site and category to speed up the process the next time the URL is requested. This data is then used to flag or allow users access to the site they have requested, all without any appreciable increase in load time. If a site is not categorized upon request, it is autocategorized by our partners at [http://zvelo.com zVelo] and put into a queue to be verified by a human. Because this is done dynamically, new sites and updated URLs are allowed or flagged according to your settings without additional intervention, plus you have the option of requesting [http://zvelo.com/partners/test-a-site recategorization] of sites. | ||
* '''HTTPS Filtering''': Web | * '''HTTPS Filtering''': Web Monitor has multiple techniques to deal with HTTPS, SSL-encrypted HTTP. HTTPS traffic is encrypted so only some information is visible and this information is used to categorize the session. More information on how this is down below. | ||
* '''Detailed categorization''': Web | * '''Detailed categorization''': Web Monitor offers over 140 categories and over 450 million categorized sites. The Web Monitor database is over 100 times larger and more accurate. The abundance of categories means that you can narrow your scope - maybe you want to flag websites related to Sex, but allow sites dealing with Sexual Education or Pregnancy. | ||
* '''Advanced features''': Force safe-search on search engines, log user searches, restrict google domains, and more! | * '''Advanced features''': Force safe-search on search engines, log user searches, restrict google domains, and more! | ||
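Review bot: In the About paragraph the example clause ends with a ")" after "Children's Internet Protection Act" that has no opening parenthesis; open it before "for example" or drop it. In the same hunk the HTTPS bullet ends "More information on how this is down below", which reads as a dropped or mistyped word, and "over 100 times larger and more accurate" in the categorization bullet names nothing it is being compared with.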
Line 53: | Line 48: | ||
== Settings == | == Settings == | ||
This section reviews the different settings and configuration options available for Web | This section reviews the different settings and configuration options available for Web Monitor. | ||
=== | === Categories === | ||
Categories allows you to customize which categories of sites will be flagged. Categories categories that are flagged will allow the user to access the site, but will be silently flagged as a violation for event logs and [[Reports]]. These flag actions operate the same way for all of the different Web Monitor options. | |||
[[Image:WF_blockCategories.png|center|frame|Block categories]] | [[Image:WF_blockCategories.png|center|frame|Block categories]] | ||
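Review bot: The second sentence of the new Categories paragraph opens with "Categories categories that are flagged", a duplicated word that also leaves the sentence saying the categories, rather than the product, allow access; something like "Sites in flagged categories remain accessible, but each visit is silently flagged" would read correctly. The image caption on the last line of the hunk still says "Block categories" although the section now describes flagging only.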
Line 68: | Line 63: | ||
:NOTE: This is only a suggestion and may not be accepted. If accepted it may take a few days to become active. | :NOTE: This is only a suggestion and may not be accepted. If accepted it may take a few days to become active. | ||
=== | === Flag Sites === | ||
Under | Under Flag Sites you can add individual domain names you want to be flagged - just enter the domain name (e.g. youtube.com) and specify your chosen action. This list uses [[URL Matcher]] syntax. | ||
[[Image:WF_blockList.png|center|frame|A few sites entered into the Block List]] | [[Image:WF_blockList.png|center|frame|A few sites entered into the Block List]] | ||
=== Pass Sites === | === Pass Sites === | ||
Pass Sites is used to pass content that would have otherwise been | Pass Sites is used to pass content that would have otherwise been flagged. This can be useful for "unflagging" sites that you don't want flagged according to flag settings. Any domains you add to the Passed Sites list will be allowed, even if flagged by category or by individual URL - just add the domain and save. Unchecking the pass option will allow the site to be flagged as if the entry was not present. This list uses [[URL Matcher]] syntax. | ||
[[Image:WF_PassList.png|center|frame|A few sites entered into the Pass List]] | [[Image:WF_PassList.png|center|frame|A few sites entered into the Pass List]] | ||
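Review bot: The Flag Sites sentence still tells the reader to "specify your chosen action", but the Categories text in this revision describes flagging as the only outcome, so the sentence should either say the entry will be flagged or name the actions that exist. The caption "A few sites entered into the Block List" in this hunk was not renamed along with the heading.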
Line 91: | Line 76: | ||
=== Pass Clients === | === Pass Clients === | ||
If you add an IP address to this list, Web | If you add an IP address to this list, Web Monitor will not flag any traffic from that IP regardless of the flagged categories or sites. Just add the IP and save. Unchecking the pass option will have the pass lists affect the user as if they were not entered into the Passed Client IPs list. This list uses [[IP Matcher]] syntax. | ||
:If you have a few users that need to completely bypass Web | :If you have a few users that need to completely bypass Web Monitor controls, consider using pass lists. If you have users that simply need different Web Monitor settings, you should set up a separate rack using [[Policy Manager]]. When using this feature, please remember that DHCP IPs can change, so you'll probably want to set up either a Static IP or a Static DHCP Lease for the machine in question. | ||
Line 100: | Line 85: | ||
=== Advanced === | === Advanced === | ||
The Advanced section allows you to configure additional | The Advanced section allows you to configure additional Web Monitor options. | ||
* '''Process HTTPS traffic by SNI (Server Name Indication) if present''': If this option is enabled, HTTPS traffic will be categorized using the "Server Name Indication" in the HTTPS data stream, if present. More details in [[#HTTPS Options]]. | * '''Process HTTPS traffic by SNI (Server Name Indication) if present''': If this option is enabled, HTTPS traffic will be categorized using the "Server Name Indication" in the HTTPS data stream, if present. More details in [[#HTTPS Options]]. | ||
Line 107: | Line 92: | ||
* '''Process HTTPS traffic by server IP if both SNI and certificate hostname information are not available''': If this option is enabled ''and'' neither of the previous options worked, HTTPS traffic will be categorized using the IP address. More details in [[#HTTPS Options]]. | * '''Process HTTPS traffic by server IP if both SNI and certificate hostname information are not available''': If this option is enabled ''and'' neither of the previous options worked, HTTPS traffic will be categorized using the IP address. More details in [[#HTTPS Options]]. | ||
* '''Clear Category URL Cache''': This option will clear the local cache of categorized sites and URLs. After clearing the cache all new web visits will be looked up fresh using the categorization service. The cache automatically cleans itself as entries become old or stale, so this is mostly for testing. | * '''Clear Category URL Cache''': This option will clear the local cache of categorized sites and URLs. After clearing the cache all new web visits will be looked up fresh using the categorization service. The cache automatically cleans itself as entries become old or stale, so this is mostly for testing. | ||
Line 130: | Line 99: | ||
== Reports == | == Reports == | ||
{{:Web | {{:Web Monitor Reports}} | ||
== HTTPS Options == | == HTTPS Options == | ||
Line 139: | Line 108: | ||
* Process HTTPS traffic by IP Address when SNI information not present. | * Process HTTPS traffic by IP Address when SNI information not present. | ||
If ''Process HTTPS traffic by SNI (Server Name Indication) if present'' encrypted port-443 traffic will be scanned by Web | If ''Process HTTPS traffic by SNI (Server Name Indication) if present'' encrypted port-443 traffic will be scanned by Web Monitor. Most modern browsers on modern OSs will send the hostname of the server in cleartext - this is called "Server Name Indication" or SNI. SNI is an optional cleartext field in the HTTPS request that shows the hostname of the server. If this option is enabled and the SNI information is present in the HTTPS request, this hostname will be used as the URL for this request and all categorization, flag lists, and pass lists, will be processed as if this were a regular HTTP request to that URL. | ||
If the SNI-based categorization determines the page should be passed (and/or flagged) then the session is allowed and the appropriate event based on the SNI information is logged ("https://example.com/"). | |||
<blockquote> | <blockquote> | ||
For example, if the user visits "https://wellsfargo.com/welcome" in the browser, Web | For example, if the user visits "https://wellsfargo.com/welcome" in the browser, Web Monitor will see "wellsfargo.com" as the SNI information. If enabled, the request will be handled exactly like "http://wellsfargo.com" would be. If "Banking" is flagged it will be flagged, unless "wellsfargo.com" is in the pass list or the client IP is in the client IP pass list. If "wellsfargo.com" is flaggeed it will be flagged, unless "wellsfargo.com" is in the pass list or the client IP is in the client IP pass list. | ||
</blockquote> | </blockquote> | ||
If ''Process HTTPS traffic by IP Address when SNI information not present'' is disabled and no SNI information is present the session will be allowed as there is no information available to process the traffic. | If ''Process HTTPS traffic by IP Address when SNI information not present'' is disabled and no SNI information is present the session will be allowed as there is no information available to process the traffic. | ||
If ''Process HTTPS traffic by IP Address when SNI information not present'' is enabled and no SNI information is present the session will be processed and categorized by IP address. If the IP-based processing and categorization of the web requests determines the session should be | If ''Process HTTPS traffic by IP Address when SNI information not present'' is enabled and no SNI information is present the session will be processed and categorized by IP address. If the IP-based processing and categorization of the web requests determines the session should be flagged, the session is reset and no more processing of this session will be done. If the IP-based processing and categorization determines the page should be passed (and/or flagged) then the session is allowed and the appropriate event based on its IP is logged ("https://1.2.3.4"). | ||
<blockquote> | <blockquote> | ||
For example, if the user visits "https://wellsfargo.com/welcome" in a non-SNI enabled browser, then there is no SNI information for Web | For example, if the user visits "https://wellsfargo.com/welcome" in a non-SNI enabled browser, then there is no SNI information for Web Monitor to use. In this case if ''Process HTTPS traffic by IP Address when SNI information not present'' is enabled Web Monitor will use the IP address instead. So it will process/categorize this web request as 'http://1.2.3.4' if 1.2.3.4 is the IP of wellsfargo.com. This will still often result in correct categorization for dedicated web servers, but does poorly when using generic cloud computing servers that offer a wide variety of websites. | ||
</blockquote> | </blockquote> | ||
'''Note:''' Neither HTTPS process (IP-based nor SNI-based) can read the URI information as it is not sent in cleartext. As such the URI will not be used as part of the categorization and the URI is assumed to be "/" when evaluating pass rules. | |||
'''Note:''' Neither HTTPS process (IP-based nor SNI-based) can read the URI information as it is not sent in cleartext. As such the URI will not be used as part of the categorization and the URI is assumed to be "/" when evaluating | |||
To see the HTTPS categorization in action use the "All HTTPS Events" query in the event log. | To see the HTTPS categorization in action use the "All HTTPS Events" query in the event log. | ||
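Review bot: The IP-fallback paragraph says that when a session should be flagged "the session is reset and no more processing of this session will be done", which conflicts with the Categories text in this revision (flagged sites stay accessible) and with the next sentence, which allows a session that is "passed (and/or flagged)"; state what Web Monitor actually does to a flagged HTTPS session. Smaller points in the same hunk: the first paragraph is missing "is enabled" after the option name, "flaggeed" is a typo, and the bullet "by IP Address when SNI information not present" no longer matches the option name used under Advanced, which puts a certificate-hostname step before the IP fallback.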
Line 162: | Line 129: | ||
== Related Topics == | == Related Topics == | ||
* [[Web Filter | * [[Web Filter]] | ||
== Web | == Web Monitor FAQs == | ||
{{:Web | {{:Web Monitor Common FAQs}} | ||
{{:Web | {{:Web Monitor FAQs}} |
Revision as of 15:12, 5 December 2016
Web Monitor
About Web Monitor
Web Monitor monitors HTTP traffic on your network to track user behavior and flag inappropriate content. Web Monitor also appeals to customers who require an added level of protection or are subject to regulations; for example, Web Monitor helps libraries comply with the Children's Internet Protection Act. Need to flag Pornography or Hate Speech on your network? Web Monitor is your answer.
- Real-time classification and updates: When your users visit a site, Untangle sends the URL to the cloud to be categorized. When the data is returned, Untangle keeps a temporary local cache of the site and category to speed up the process the next time the URL is requested. This data is then used to flag or allow users access to the site they have requested, all without any appreciable increase in load time. If a site is not categorized upon request, it is autocategorized by our partners at zVelo and put into a queue to be verified by a human. Because this is done dynamically, new sites and updated URLs are allowed or flagged according to your settings without additional intervention, plus you have the option of requesting recategorization of sites.
- HTTPS Filtering: Web Monitor has multiple techniques to deal with HTTPS (SSL-encrypted HTTP). HTTPS traffic is encrypted, so only some information is visible, and this information is used to categorize the session. More information on how this is done is given under HTTPS Options below.
- Detailed categorization: Web Monitor offers over 140 categories and over 450 million categorized sites. The Web Monitor database is over 100 times larger and more accurate. The abundance of categories means that you can narrow your scope - maybe you want to flag websites related to Sex, but allow sites dealing with Sexual Education or Pregnancy.
- Advanced features: Force safe-search on search engines, log user searches, restrict google domains, and more!
Settings
This section reviews the different settings and configuration options available for Web Monitor.
Categories
Categories allows you to customize which categories of sites will be flagged. Sites in flagged categories remain accessible to the user, but each visit is silently flagged as a violation in the event logs and Reports. These flag actions operate the same way for all of the different Web Monitor options.
Site Lookup
Site Lookup allows you to find the categorization of a URL. Clicking it brings up a dialog. In Site URL specify the URL to find and click Search to find the URL's categorization.
If you feel the current categorization is incorrect, check Suggest a different category, select a new category from the list, and click Suggest to submit the category change for consideration.
- NOTE: This is only a suggestion and may not be accepted. If accepted it may take a few days to become active.
Flag Sites
Under Flag Sites you can add individual domain names you want to be flagged - just enter the domain name (e.g. youtube.com) and specify your chosen action. This list uses URL Matcher syntax.
Pass Sites
Pass Sites is used to pass content that would have otherwise been flagged. This can be useful for "unflagging" sites that you don't want flagged according to flag settings. Any domains you add to the Passed Sites list will be allowed, even if flagged by category or by individual URL - just add the domain and save. Unchecking the pass option will allow the site to be flagged as if the entry was not present. This list uses URL Matcher syntax.
Pass Clients
If you add an IP address to this list, Web Monitor will not flag any traffic from that IP regardless of the flagged categories or sites. Just add the IP and save. Unchecking the pass option causes traffic from that IP to be handled as if the entry were not in the Passed Client IPs list. This list uses IP Matcher syntax.
- If you have a few users that need to completely bypass Web Monitor controls, consider using pass lists. If you have users that simply need different Web Monitor settings, you should set up a separate rack using Policy Manager. When using this feature, please remember that DHCP IPs can change, so you'll probably want to set up either a Static IP or a Static DHCP Lease for the machine in question.
Advanced
The Advanced section allows you to configure additional Web Monitor options.
- Process HTTPS traffic by SNI (Server Name Indication) if present: If this option is enabled, HTTPS traffic will be categorized using the "Server Name Indication" in the HTTPS data stream, if present. More details in #HTTPS Options.
- Process HTTPS traffic by hostname in server certificate when SNI information not present: If this option is enabled and SNI information is not present, the certificate is fetched from the HTTPS server and the server name on the certificate will be used for categorization and filtering purposes.
- Process HTTPS traffic by server IP if both SNI and certificate hostname information are not available: If this option is enabled and neither of the previous options worked, HTTPS traffic will be categorized using the IP address. More details in #HTTPS Options.
- Clear Category URL Cache: This option will clear the local cache of categorized sites and URLs. After clearing the cache all new web visits will be looked up fresh using the categorization service. The cache automatically cleans itself as entries become old or stale, so this is mostly for testing.
Reports
The Reports tab provides a view of all reports and events for all traffic handled by Web Monitor.
Reports
This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.
Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.
HTTPS Options
As described briefly above, there are two HTTPS options.
- Process HTTPS traffic by SNI (Server Name Indication) if present.
- Process HTTPS traffic by IP Address when SNI information not present.
If "Process HTTPS traffic by SNI (Server Name Indication) if present" is enabled, encrypted port-443 traffic will be scanned by Web Monitor. Most modern browsers on modern OSs will send the hostname of the server in cleartext - this is called "Server Name Indication" or SNI. SNI is an optional cleartext field in the HTTPS request that shows the hostname of the server. If this option is enabled and the SNI information is present in the HTTPS request, this hostname will be used as the URL for this request, and all categorization, flag lists, and pass lists will be processed as if this were a regular HTTP request to that URL.
If the SNI-based categorization determines the page should be passed (and/or flagged) then the session is allowed and the appropriate event based on the SNI information is logged ("https://example.com/").
For example, if the user visits "https://wellsfargo.com/welcome" in the browser, Web Monitor will see "wellsfargo.com" as the SNI information. If enabled, the request will be handled exactly like "http://wellsfargo.com" would be. If "Banking" is flagged, it will be flagged, unless "wellsfargo.com" is in the pass list or the client IP is in the client IP pass list. If "wellsfargo.com" is flagged, it will be flagged, unless "wellsfargo.com" is in the pass list or the client IP is in the client IP pass list.
If "Process HTTPS traffic by IP Address when SNI information not present" is disabled and no SNI information is present, the session will be allowed, as there is no information available to process the traffic.

If "Process HTTPS traffic by IP Address when SNI information not present" is enabled and no SNI information is present, the session will be processed and categorized by IP address. If the IP-based processing and categorization of the web requests determines the session should be flagged, the session is reset and no more processing of this session will be done. If the IP-based processing and categorization determines the page should be passed (and/or flagged), then the session is allowed and the appropriate event based on its IP is logged ("https://1.2.3.4").
For example, if the user visits "https://wellsfargo.com/welcome" in a non-SNI enabled browser, then there is no SNI information for Web Monitor to use. In this case, if "Process HTTPS traffic by IP Address when SNI information not present" is enabled, Web Monitor will use the IP address instead. So it will process/categorize this web request as 'http://1.2.3.4' if 1.2.3.4 is the IP of wellsfargo.com. This will still often result in correct categorization for dedicated web servers, but does poorly when using generic cloud computing servers that offer a wide variety of websites.
Note: Neither HTTPS process (IP-based nor SNI-based) can read the URI information as it is not sent in cleartext. As such the URI will not be used as part of the categorization and the URI is assumed to be "/" when evaluating pass rules.
To see the HTTPS categorization in action use the "All HTTPS Events" query in the event log.
Related Topics
Web Monitor FAQs
Why is there a pass list if Web Monitor can't block sites?
Web Monitor is useful for monitoring web activity, and as part of that it is often useful to flag certain web activity to make it more visible in reports. Adding a site to the pass list will prevent the site from being flagged even if it otherwise would be because the category is flagged or a rule flags it.
Can I block sites with Web Monitor?
No. Web Monitor is for monitoring web activity only. In order to modify or block web content Web Filter is required.