Manual Chapter : Using Custom URL Categories and Filters

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Using Custom URL Categories and Filters

How can I control traffic to URL categories?

A custom URL category enables you to group URLs to distinguish different types of web traffic and allow you to control it. Having custom URL categories available enables you to look up the category on a per-request basis. You can configure the per-request policy to specify whether anyone can access a URL category and when.

Example policy: User-defined category-specific access control

In this example per-request policy, only recruiters can access URLs in the user-defined category Employment. The policy also restricts access to entertaining videos during business hours.
Category-specific access restrictions (using user-defined categories)

How can I block access to URLs?

If you have custom URL categories configured, you can also configure URL filters. A URL filter specifies an action (block, allow, or confirm) to take for each custom URL category. Having URL categories and filters available enables you to look up and filter URLs on a per-request basis.

Example policy: URL filter per user group

Each URL Filter Assign item in this per-request policy example needs to specify a filter that applies to the user group.
URL filter based on group membership
Group lookup followed by branches for specific groups and a URL filter assignment for each.

Overview: Configuring user-defined URL categories and filters

On a BIG-IP system without a URL database, if you want to control traffic based on the type of URL being requested, and you have many URLs to consider, you should configure user-defined URL categories and user-defined URL filters. This approach provides good performance, ease-of-use, and the ability to use the
URL Category
and the
URL Filter Assign
agents in a per-request policy.
If you have only a few URLs that you want to treat differently, you can probably skip creating user-defined URL categories and filters and use a simple
URL Branching
agent in a per-request policy. In this case, you specify the URLs that you want to match directly in the
URL Branching
agent.
To configure user-defined URL categories and URL filters, complete these tasks.

Task summary

Configuring user-defined URL categories

Configure a user-defined URL category to specify a group of URLs over which you want to control access.
  1. On the Main tab, click
    Access Policy
    Secure Web Gateway
    URL Categories
    .
    The URL Categories table displays. If you have not created any URL categories, the table is empty.
  2. Click
    Create
    .
    The Category Properties screen displays.
  3. In the
    Name
    field, type a unique name for the URL category.
  4. From the
    Default Action
    list, retain the default value
    Block
    ; or, select
    Allow
    .
    A Confirm Box action in a per-request policy subroutine serves the purpose of enabling appropriate choices in a forward proxy (outbound) configuration. Currently, Access Policy Manager does not support a similar action for reverse proxy.
  5. Add, edit, or delete the URLs that are associated with the category by updating the
    Associated URLs
    list.
  6. To add URLs to the
    Associated URLs
    list:
    1. In the
      URL
      field, type a URL.
      You can type a well-formed URL that the system must match exactly or type a URL that includes globbing patterns (wildcards) for the system to match URLs.
    2. If you typed globbing patterns in the
      URL
      field, select the
      Glob Pattern Match
      check box .
    3. Click
      Add
      .
      The URL displays in the
      Associated URLs
      list.
    These are well-formed URLs:
    • https://www.siterequest.com/
    • http://www.siterequest.com:8080/
    • http://www.sitequest.com/docs/siterequest.pdf/
    • http://www.sitequest.com/products/application-guides/
    This URL
    *siterequest.[!comru]
    includes globbing patterns that match any URL that includes
    siterequest
    , except for
    siterequest.com
    or
    siterequest.ru
    .
    This URL
    *://siterequest.com/education/*
    includes globbing patterns that match any HTTP URL that includes
    siterequest.com/education
    , but that do not match any HTTPS URLs if Category Lookup specifies that the input is SNI or CN.Subject.
    For SNI or CN.Subject input, Category Lookup uses
    scheme
    :://
    host
    for matching, instead of matching the whole URL.
  7. Click
    Finished
    .
    The URL Categories screen displays.
  8. To view the newly created URL category, expand
    Custom Categories
    .
    The custom URL category displays in the Sub-Category column.
Add or edit a URL filter to specify an action (allow, block, or confirm) for the custom category.

Configuring URL filters

You configure a URL filter to specify whether to allow or block requests for URLs in URL categories. You can configure multiple URL filters.
  1. On the Main tab, click
    Access Policy
    Secure Web Gateway
    URL Filters
    .
    You can click the name of any filter to view its settings.
    On a BIG-IP system with an SWG subscription, default URL filters, such as
    block-all
    and
    basic-security
    , are available. You cannot delete default URL filters.
    The URL Filters screen displays.
  2. To configure a new URL filter, click one of these options.
    • Create
      button: Click to start with a URL filter that allows all categories.
    • Copy
      link: Click for an existing URL filter in the table to start with its settings.
  3. In the
    Name
    field, type a unique name for the URL filter.
  4. Click
    Finished
    .
    The screen redisplays. An Associated Categories table displays. It includes each URL category and the filtering action that is currently assigned to it. The table includes a Sub-Category column. Any URL categories that were added by administrators are subcategories within
    Custom Categories
  5. Select the actions to take:
    1. To block access to particular categories or subcategories, select them and click
      Block
      .
      When you select a category, you also select the related subcategories. You can expand the category and clear any subcategory selections.
    2. To allow access to particular categories or subcategories, select them and click
      Allow
      .
    The confirm action is not fully supported in a reverse proxy configuration.
    A Confirm Box action in a per-request policy subroutine serves the purpose of enabling appropriate choices in a forward proxy (outbound) configuration. Currently, Access Policy Manager does not support a similar action for reverse proxy.
To put a URL filter into effect, you must assign it in a per-request policy. A per-request policy runs each time a URL request is made.