Use case: URL filtering by using custom URL set
If you are an enterprise customer looking for a way to control access to specific websites and website categories, you can do so by using a custom URL set bound to a responder policy. Your organization’s network infrastructure can use a URL filter to block access to malicious or dangerous websites, such as websites featuring adult content, violence, gaming, drugs, politics, or job portals. In addition to filtering the URLs, you can create a customized list of URLs and import it to the SWG appliance. For example, your organization’s policies might call for blocking access to certain websites such as social networking, shopping portals, and job portals.
Each URL in the list can have a custom category in the form of metadata. The organization can host the list of URLs as a URL set on the Citrix SWG appliance and configure the appliance to periodically update the set without requiring manual intervention.
After the set is updated, the Citrix ADC appliance automatically detects the metadata, and the responder policy uses the URL metadata (category details) to evaluate the incoming URL and apply an action such as allow, block, redirect or notify the user.
To implement this configuration in your network, perform the following tasks:
- Import a custom URL set
- Add a custom URL set
- Configure a custom URL list in the Citrix SWG Wizard
To import a custom URL Set by using the Citrix SWG CLI:
At the command prompt, type:
import policy urlset <name> [-overwrite] [-delimiter <character>] [-rowSeparator <character>] -url <URL> [-interval <secs>] [-privateSet] [-canaryUrl <URL>]
import policy urlset test1 -url http://10.78.79.80/alytra/top-1k.csv
To add a custom URL set by using the Citrix SWG CLI:
At the command prompt, type:
add urlset <urlset_name>
add urlset test1
Configure a URL list by using the Citrix SWG wizard
Citrix recommends that you use the Citrix SWG Wizard as the preferred option to configure a URL list. Use the wizard to import a custom URL set and bind it to a responder policy.
- Log on to the Citrix SWG appliance and navigate to Secured Web Gateway > URL Filtering > URL Lists.
- In the details pane, click Add.
- On the URL List Policy page, specify the policy name.
- Select the option to import a URL set.
- In the URL List Policy tab page, select the Import URL Set check box and specify the following URL Set parameters.
  - URL Set Name—Name of the custom URL set.
  - URL—Web address of the location at which to access the URL Set.
  - Overwrite—Overwrite a previously imported URL set.
  - Delimiter—Character sequence that delimits a CSV file record.
  - Row Separator—Row separator used in the CSV file.
  - Interval—Interval in seconds, rounded off to the nearest 15 minutes, at which the URL set is updated.
  - Private Set—Option to prevent exporting the URL set.
  - Canary URL—Internal URL for testing if the content of the URL set is to be kept confidential. The maximum length of the URL is 2047 characters.
- Select a responder action from the drop-down list.
- Click Create and Close.
Metadata semantics for custom URL sets
To import a custom URL set, add the URLs, each followed by its category, to a text file and bind the set to a responder policy to block social networking URLs.
Following are examples of URLs that you might add to the text file:
cnn.com,News
bbc.com,News
google.com,Search Engine
yahoo.com,Search Engine
facebook.com,Social Media
twitter.com,Social Media
Configure a responder policy to block social media URLs by using the Citrix ADC CLI
add responder action act_url_unauthorized respondwith '"HTTP/1.1 451 Unavailable For Legal Reasons\r\n\r\nURL is NOT authorized\n"'
add responder policy pol_url_meta_match 'HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).GET_URLSET_METADATA("u1").EQ("Social Media")' act_url_unauthorized
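Because the appliance refreshes the URL set on its own and the policy compares the metadata with .EQ("Social Media"), a mistyped category or a malformed row in the hosted file stops matching without any error. The following pre-publication check is an added example, not part of the Citrix documentation; the function name, the sample rows, and the assumption that .EQ is an exact, case-sensitive comparison are this example's own.

```python
import csv
import io

# Constructed sample in the page's "URL,category" form, with deliberate defects.
SAMPLE = """cnn.com,News
facebook.com,Social Media
twitter.com,social media
instagram.com, Social Media
http://linkedin.com,Social Media
facebook.com,News
tiktok.com
"""

# Category strings the responder policies compare against (assumed exact match).
POLICY_CATEGORIES = {"News", "Search Engine", "Social Media"}


def lint_urlset(text, delimiter=",", categories=POLICY_CATEGORIES):
    """Return (line_number, message) findings for a URL,category list."""
    findings, seen = [], {}
    canonical = {c.casefold(): c for c in categories}
    rows = csv.reader(io.StringIO(text), delimiter=delimiter)
    for lineno, row in enumerate(rows, 1):
        if not row:  # blank line
            continue
        if len(row) != 2 or not row[0].strip() or not row[1].strip():
            findings.append((lineno, "expected exactly one URL and one category"))
            continue
        url, category = row
        if "://" in url:
            # The policy looks up HOSTNAME + URL path, which never contains a scheme.
            findings.append((lineno, "entry carries a scheme and cannot match"))
        if category not in categories:
            near = canonical.get(category.strip().casefold())
            hint = f"; did you mean {near!r}?" if near else ""
            findings.append((lineno, f"category {category!r} matches no policy{hint}"))
        key = url.strip().lower()
        if key in seen and seen[key][1] != category:
            findings.append((lineno, f"{key} conflicts with line {seen[key][0]}"))
        seen.setdefault(key, (lineno, category))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_urlset(SAMPLE):
        print(f"line {lineno}: {message}")
```

Run it against the list file before publishing it at the location the appliance polls, and pass the same delimiter you give to import policy urlset.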