Allow Password Access to Certain Sites
In some cases there may be URL categories that you want to block, but allow certain individuals to browse to on occasion. In this case, you would set the category action to
overrideand define a URL admin override password in the firewall Content-ID configuration. When users attempt to browse to the category, they will be required to provide the override password before they are allowed access to the site. Use the following procedure to configure URL admin override:
- Set the URL admin override password.
- Select.DeviceSetupContent ID
- In theURL Admin Overridesection, clickAdd.
- In theLocationfield, select the virtual system to which this password applies.
- Enter thePasswordandConfirm Password.
- Select anSSL/TLS Service Profile. The profile specifies the certificate that the firewall presents to the user if the site with the override is an HTTPS site. For details, see Configure an SSL/TLS Service Profile.
- Select theModefor prompting the user for the password:
- Transparent—The firewall intercepts the browser traffic destined for site in a URL category you have set to override and impersonates the original destination URL, issuing an HTTP 302 to prompt for the password, which applies on a per-vsys level.The client browser will display certificate errors if it does not trust the certificate.
- Redirect—The firewall intercepts HTTP or HTTPS traffic to a URL category set to override and redirects the request to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to prompt for the override password. If you select this option, you must provide theAddress(IP address or DNS hostname) to which to redirect the traffic.
- (Optional) Set a custom override period.
- Edit the URL Filtering section.
- To change the amount of time users can browse to a site in a category for which they have successfully entered the override password, enter a new value in theURL Admin Override Timeoutfield. By default, users can access sites within the category for 15 minutes without re-entering the password.
- To change the amount of time users are blocked from accessing a site set to override after three failed attempts to enter the override password, enter a new value in theURL Admin Lockout Timeoutfield. By default, users are blocked for 30 minutes.
- (Redirect mode only) Create a Layer 3 interface to which to redirect web requests to sites in a category configured for override.
- Create a management profile to enable the interface to display the URL Filtering Continue and Override Page response page:
- Selectand clickNetworkInterface MgmtAdd.
- Enter aNamefor the profile, selectResponse Pages, and then clickOK.
- Create the Layer 3 interface. Be sure to attach the management profile you just created (on thetab of the Ethernet Interface dialog).AdvancedOther Info
- (Redirect mode only) To transparently redirect users without displaying certificate errors, install a certificate that matches the IP address of the interface to which you are redirecting web requests to a site in a URL category configured for override.You can either generate a self-signed certificate or import a certificate that is signed by an external CA.To use a self-signed certificate, you must first create a root CA certificate and then use that CA to sign the certificate you will use for URL admin override as follows:
- To create a root CA certificate, selectand then clickDeviceCertificate ManagementCertificatesDevice CertificatesGenerate. Enter aCertificate Name, such as RootCA. Do not select a value in theSigned Byfield (this is what indicates that it is self-signed). Make sure you select theCertificate Authoritycheck box and then clickGeneratethe certificate.
- To create the certificate to use for URL admin override, clickGenerate. Enter aCertificate Nameand enter the DNS hostname or IP address of the interface as theCommon Name. In theSigned Byfield, select the CA you created in the previous step. Add an IP address attribute and specify the IP address of the Layer 3 interface to which you will be redirecting web requests to URL categories that have the override action.
- Generatethe certificate.
- To configure clients to trust the certificate, select the CA certificate on theDevice Certificatestab and clickExport. You must then import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory Group Policy Object (GPO).
- Specify which URL categories require an override password to enable access.
- Selectand either select an existing URL filtering profile orObjectsURL FilteringAdda new one.
- On theCategoriestab, set the Action tooverridefor each category that requires a password.
- Complete any remaining sections on the URL filtering profile and then clickOKto save the profile.
- Apply the URL Filtering profile to the security policy rule(s) that allows access to the sites requiring password override for access.
- Selectand select the appropriate security policy to modify it.PoliciesSecurity
- Select theActionstab and in theProfile Settingsection, click the drop-down forURL Filteringand select the profile.
- ClickOKto save.
- Save the configuration.ClickCommit.
Recommended For You
Recommended videos not found.