Configuring web-service URL classification

About this task

The following example describes how to configure web-service URL classification.

Procedure

  1. Configure the shared resources to be used for the cache.

    In the following example configuration, 100% of shared resources are allocated to web-service URL classification:

    config>isa>aa-grp>shr-res-pool# info detail
    ----------------------------------------------
                web-service-url-filter 100
    ----------------------------------------------
  2. Configure the HTTP redirect policy.

    Traffic that belongs to one of the blocked categories (as defined in the profile activated for the user), is redirected.

    The operator can append the category name and category ID to the redirect URL (that is, the category that resulted in the redirect action).

    The following example displays an HTTP redirect policy configuration:

    config>app-assure>group 1
    ----------------------------------------------
    http-redirect "redirect-ws-filter" create
        description "Redirect for Web Service URL Filtering"
        template 5
        tcp-client-reset
        redirect-https
        redirect-url "http://10.154.90.1/
    redirect.html?catname=$CATNAME&catid=$CATID"
        no shutdown
    exit
    ---------------------------------------------
  3. Configure the URL filter and category profiles.

    The operator defines a new URL filter with the following attributes:

    • classifier = "web-service-1"

      defines the URL categorization database to use

    • category-set-id = 1

      defines the URL categories to use

    • fqdn = nokia-api.webtitancloud.com

      defines the URL categorization database endpoint that the AA connects to

    • dns-server

      defines the DNS server to resolve the FQDN

    • profile

      defines up to eight profile names

    • category

      defines the category to be blocked in the configured profile

    In the following URL filter configuration example, the three profiles defined in Table: Example URL category profile of the Web-service URL classification section are configured. Two classification-overrides entries are also configured:

    configure application-assurance group 1 url-filter "ws-filter" 
    config>app-assure>group>url-filter# info
    ----------------------------------------------
        apply-function-specific-behavior
        web-service
            classifier web-service-1 category-set-id 1
            vlan-id 100
            default-action block-http-redirect "redirect-ws-filter"
            http-redirect "redirect-ws-filter"
            fqdn nokia-api.webtitancloud.com
            dns-server 8.8.8.8
            classification-overrides
            entry 1 expression www.site1.abc category "Phishing/Fraud"
            entry 2 expression www.site2.def category "Illegal Drugs"
            profile low create
                category "Internet Watch Foundation List" block
                category "Spyware And Malicious Sites" block
                category "Phishing/Fraud" block
            profile medium create
                category "Internet Watch Foundation List" block
                category "Spyware And Malicious Sites" block
                category "Phishing/Fraud" block
                category "Illegal Drugs" block
                category "Violence" block
                category "Weapons" block
            profile high create
                category "Internet Watch Foundation List" block
                category "Spyware And Malicious Sites" block
                category "Phishing/Fraud" block
                category "Illegal Drugs" block
                category "Violence" block
                category "Weapons" block
                category "Nudity" block
                category "Alcohol" block
                category "Criminal Skills/Hacking" block
                category "Hate Speech" block
            default-category-profile "low"
        no shutdown
        ----------------------------------------------

    Enabling apply-function-specific-behavior allows the operator to configure a default-action and http-redirect which are specific to web-service URL Classification only. Alternatively, the operator may configure the same default-action and http-redirect for all url-filter functions by disabling the apply-function-specific behavior (which is the default) and configuring a default-action and http-redirect in the config>app-assure>group>url-filter.

  4. Configure the ASO.

    The ASO is used to dynamically allocate a profile to a user.

    The following output displays the configuration of an example ASO:

    config>app-assure>group>policy>aso# info
    ----------------------------------------------
        characteristic "url-filter-policy" create
            value "high" 
            value "medium" 
            value "low" 
            default-value "low"
        exit
    ----------------------------------------------
  5. Configure the AQP.

    The AQP is used to execute the URL filter policy. The URL filter uses the ASO value that is active for the user to select the category profile.

    In the AQP defined in the following example, there is no match condition. Therefore, the web-service URL classification is applied to all subscribers:

    config>app-assure>group>policy>aqp# entry 100 create
    action
        url-filter "ws-filter" characteristic "url-filter-policy"
    exit
    no shutdown
Parent topic: Configuring a group policy