The Cisco SD-WAN URL Filtering (URLF) feature allows edge devices to inspect HTTP/HTTPS traffic and enforce URL-based control. URLF leverages the Security Virtual Image required for security capabilities such as IDS, IPS, and Advanced Malware Protection (AMP) on IOS-XE routers. Figure 1 below illustrates the URL Filtering process.
When an end host makes an HTTP(s) request to a website, the edge router intercepts it and sends it to the URL Filtering engine for inspection. URLF then takes the following actions:
- If the URL matches an entry in a user-defined whitelist, the HTTP(s) request is allowed, and no further inspection occurs. If the URL matches an entry in a user-defined blacklist, the router responds with a block page or an HTTP redirect to the URL of an existing block page.
- If the URL matches neither the whitelist nor the blacklist, the requested URL is classified into one of the 82 pre-defined Web categories. If the respective Web category is allowed, access is granted. If it is blocked, the request is sent to the Block Page.
- If the HTTP(s) request is allowed through the Web Category inspection, the URL engine considers the Web Reputation of the requested URL. Based on the configured strictness level in the configured URL policy, access will either be granted, or the request will be sent to the Block Page.
The URLF engine utilizes either a locally-hosted database or a cloud-hosted one. If the engine performs URL lookups against the cloud, the results are cached locally in memory, so a subsequent lookup of the same URL is answered from the cache without another round trip.
By default, edge devices do not download the URL database locally. To enable the local database copy, we must check the "Download URL Database on Device" option in the Secure App Hosting template associated with the security template that holds the URLF policy.
URL Filtering (URLF) Options
There are three methods to permit/deny HTTP(s) requests to a particular URL.
Based on URL Lists
When an edge router intercepts an HTTP/HTTPS request, the URLF engine first checks whether the requested URL matches an entry in the configured whitelist and blacklist. The following results may occur depending on the lists:
- If the URL matches the whitelist, the request is allowed, and no further processing takes place (even if the URL matches configured Category or Reputation based entries)
- If the URL matches the blacklist, the request is denied, and a Block Page is returned.
- If the URL matches both the whitelist and blacklist, the HTTP request is allowed.
- If the URL matches neither list, it is subjected to Web Category and Web Reputation filtering (if configured).
Based on URL Web Category
The URLF engine classifies each URL into one or more of many Web categories, such as Sports, News, Social Networks, Financial Services, Web Emails, Gambling, Adult, and so on. Based on the category, we can configure the URLF engine to permit or deny requests to specific Web categories. Notice that a URL may be associated with multiple categories (up to five).
Based on URL Web Reputation
Additionally, the URLF engine downloads the Web Reputation score for each URL from the cloud. We can permit or deny HTTP(s) requests based on the reputation score associated with the requested URL. The score ranges from 0 through 100 and is categorized as follows:
- Trustworthy (Reputation 81-100).
- Low-risk (Reputation 61-80).
- Moderate-risk (Reputation 41-60).
- Suspicious (Reputation 21-40).
- High-risk (Reputation 0-20).
Within the URL filtering policy on vManage, we specify a Web reputation threshold. URLs with a score below that threshold are denied, while ones with a higher score are permitted. For example, if we set the Web Reputation to Low-risk, URLs with a reputation score of 80 or below are denied.
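The three-stage decision described above (URL lists first, then Web Category, then Web Reputation, with the cloud-lookup cache from the overview) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not Cisco's code and does not reflect how IOS-XE or vManage implement URLF internally. It assumes exact hostname matching for the lists (the product's own list syntax is not covered here), treats any blocked category on a multi-category URL as a denial, and takes the reputation boundary from the page's worked example (threshold Low-risk denies scores of 80 or below). The hostnames, categories and scores in `CLOUD_DB` are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Reputation bands exactly as listed on the page: (lowest score, highest score, label).
REPUTATION_BANDS = (
    (81, 100, "Trustworthy"),
    (61, 80, "Low-risk"),
    (41, 60, "Moderate-risk"),
    (21, 40, "Suspicious"),
    (0, 20, "High-risk"),
)


def reputation_band(score: int) -> str:
    """Map a 0-100 reputation score to the band label used on the page."""
    for low, high, label in REPUTATION_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"reputation score out of range: {score}")


def deny_ceiling(threshold_band: str) -> int:
    """Highest score still denied for a given threshold band.

    Mirrors the page's worked example: threshold 'Low-risk' denies every URL
    scoring 80 or below, i.e. the band's upper bound is the deny ceiling.
    """
    for _low, high, label in REPUTATION_BANDS:
        if label == threshold_band:
            return high
    raise ValueError(f"unknown reputation band: {threshold_band}")


# Constructed stand-in for the cloud lookup service: hostname -> (categories, score).
CLOUD_DB = {
    "news.example": (["News"], 92),
    "bet.example": (["Gambling", "Sports"], 55),
    "shop.example": (["Shopping"], 75),
    "sketchy.example": (["Shopping"], 70),
    "intranet.example": (["Business"], 10),
}


class LookupClient:
    """Cloud lookup with the local in-memory result cache the page describes."""

    def __init__(self, cloud_db):
        self.cloud_db = cloud_db
        self.cache = {}
        self.cloud_lookups = 0  # counts real cloud round trips, so cache hits are observable

    def lookup(self, host):
        if host not in self.cache:
            self.cloud_lookups += 1
            # Unknown host: no categories and the worst score (assumption, not vendor behaviour).
            self.cache[host] = self.cloud_db.get(host, ([], 0))
        return self.cache[host]


@dataclass
class UrlfPolicy:
    whitelist: set = field(default_factory=set)        # hostnames, exact match (simplifying assumption)
    blacklist: set = field(default_factory=set)
    blocked_categories: set = field(default_factory=set)
    reputation_threshold: str = "High-risk"            # band label chosen in the vManage policy
    block_page: str = "https://block.example/blocked"  # hypothetical redirect target


@dataclass
class Verdict:
    allowed: bool
    stage: str             # stage that decided: "list", "category" or "reputation"
    reason: str
    redirect: Optional[str] = None


def evaluate(url: str, policy: UrlfPolicy, client: LookupClient) -> Verdict:
    host = urlsplit(url).hostname or ""

    # Stage 1: user-defined lists. A whitelist hit wins even if the host is also blacklisted.
    if host in policy.whitelist:
        return Verdict(True, "list", "whitelist match")
    if host in policy.blacklist:
        return Verdict(False, "list", "blacklist match", policy.block_page)

    categories, score = client.lookup(host)

    # Stage 2: Web Category. Up to five categories per URL; any blocked one denies (assumption).
    blocked = sorted(policy.blocked_categories.intersection(categories))
    if blocked:
        return Verdict(False, "category", f"blocked category {blocked[0]}", policy.block_page)

    # Stage 3: Web Reputation against the configured strictness level.
    ceiling = deny_ceiling(policy.reputation_threshold)
    band = reputation_band(score)
    if score <= ceiling:
        return Verdict(False, "reputation", f"score {score} ({band}) <= {ceiling}", policy.block_page)
    return Verdict(True, "reputation", f"score {score} ({band}) > {ceiling}")


# Sample policy: intranet.example is on both lists to show that the whitelist wins.
POLICY = UrlfPolicy(
    whitelist={"intranet.example"},
    blacklist={"intranet.example", "sketchy.example"},
    blocked_categories={"Gambling", "Adult"},
    reputation_threshold="Low-risk",
)


if __name__ == "__main__":
    client = LookupClient(CLOUD_DB)
    for u in ("https://intranet.example/", "https://sketchy.example/x", "https://bet.example/",
              "https://news.example/", "https://shop.example/", "https://nobody.example/"):
        v = evaluate(u, POLICY, client)
        print(f"{u:32} {'ALLOW' if v.allowed else 'BLOCK':5} [{v.stage}] {v.reason}")
    print("cloud lookups:", client.cloud_lookups)
```

Running the script walks one URL through each outcome: the whitelist override, a blacklist block, a category block, a reputation allow, a Low-risk score denied under the Low-risk threshold, and an unknown host. The lookup counter stays at four because the two list-decided hosts never reach the cloud and repeated lookups are served from the cache.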