With integrated web filtering, the security device intercepts each HTTP or HTTPS request and then determines whether to permit or block access to a requested site by categorizing its URL and matching the URL category to a web-filtering profile. A web-filtering profile is bound to a firewall policy; it defines, per category, the action the security device takes (permit or block) when it receives a request to access a URL.
Note: You must install the web-filtering license key to use this feature.
Enter the necessary information to configure integrated web-filtering parameters:
Enable Web Filtering via CPA Server: Select this option to enable web filtering with the SurfControl Content Portal Authority (CPA) server.
Use Default CPA Server: Select one of the three SurfControl server locations.
The three SurfControl server locations each serve a specific geographic area: Americas, Asia Pacific, and Europe/Middle East/Africa. The default primary server is the Americas, and the default backup server is Asia Pacific. You can change the primary server, and the security device automatically selects a backup server based on the primary server. (The Asia Pacific server is the backup for the Americas server, and the Americas server is the backup for the other two servers.)
Server Hostname or IP address: Enter the DNS name or the IP address of the web-filtering server. When you select the server name, this field gets updated automatically.
Port: The port number on which the security device communicates with the web-filtering server.
Enable Cache: Select the check box to enable the security device to cache the categorization of URLs. This reduces the overhead of accessing the CPA server each time the device receives a new request for previously requested URLs.
Cache Size: Enter a value between 500 and 1000K to specify the memory size of the categorization cache.
Cache Timeout: Enter a value between 1 and 24 to specify the number of hours the security device stores entries in the categorization cache.
Log Permitted and Blocked URL: Select or clear the check box to enable or disable logging of both permitted and blocked URL requests.
If connectivity to the server is lost: Select an action to perform if the connection to the SurfControl server is lost.
Block: Select this option to block all HTTP/HTTPS requests (configured for the policy) if the connection between the security device and the SurfControl server is lost.
Permit: Select this option to permit all HTTP/HTTPS requests (configured for the policy) if the connection between the security device and the SurfControl server is lost.
Web Filter Deny Message: Enter a custom message up to 500 characters. This is the message the security device returns to the user when the user tries to access a blocked site. ScreenOS displays the following message by default:
Your page is blocked due to a security policy that prohibits access to $URL-CATEGORY.
Click Apply to save the configuration.
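The following Python model is an added example, not ScreenOS code. It shows how the cache timeout and the "If connectivity to the server is lost" action combine to decide a request. Every name in it (CategoryCache, filter_request, demo, the example URL and profile) is hypothetical, the cache size is modeled as an entry count, and it assumes that cached entries are answered without contacting the server.

```python
import time
from collections import OrderedDict

class CategoryCache:
    """URL -> category cache with a timeout in hours. Simplified: size is an entry count."""
    def __init__(self, max_entries, timeout_hours, clock=time.time):
        self.max_entries, self.ttl, self.clock = max_entries, timeout_hours * 3600, clock
        self.entries = OrderedDict()              # url -> (category, stored_at)

    def get(self, url):
        hit = self.entries.get(url)
        if hit and self.clock() - hit[1] >= self.ttl:
            del self.entries[url]                 # timed out: needs a fresh lookup
            hit = None
        return hit[0] if hit else None

    def put(self, url, category):
        self.entries[url] = (category, self.clock())
        self.entries.move_to_end(url)
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)      # evict the oldest entry

def filter_request(url, profile, cache, lookup, fail_mode, log):
    """Return 'permit' or 'block' for one request and append a log record."""
    category = cache.get(url)
    if category is None:
        try:
            category = lookup(url)                # stand-in for the CPA server query
        except ConnectionError:  # connectivity lost: 'block' fails closed, 'permit' fails open
            log.append((url, None, fail_mode, "server-unreachable"))
            return fail_mode
        cache.put(url, category)
    action = profile.get(category, profile["default"])
    log.append((url, category, action, "categorized"))
    return action

def demo():  # constructed scenario: one blocked category, then a server outage
    now, up, log = [0.0], [True], []
    profile = {"Gambling": "block", "default": "permit"}   # constructed profile
    def lookup(url):
        if not up[0]: raise ConnectionError("CPA server unreachable")
        return {"http://bets.example/": "Gambling"}[url]   # constructed category data
    cache = CategoryCache(1000, 1, clock=lambda: now[0])
    args = ("http://bets.example/", profile, cache, lookup, "permit", log)
    results = [filter_request(*args)]      # server up: categorized and blocked
    up[0] = False
    results.append(filter_request(*args))  # outage, cache hit: still blocked
    now[0] = 3600.0                        # one hour later the cache entry has timed out
    return results + [filter_request(*args)], log   # outage, no cache entry: Permit applies
```

In this model, demo() returns block, block, permit for the same URL: with Permit selected, a URL in a blocked category is let through once its cache entry times out during an outage, and the log record for that request carries no category.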