Whitelist Website 

Sophos XG Firewall: How to allow/block websites using custom categories and/or URL groups 

KB-000036901 | 2020/02/12

Overview 

This article describes how to allow/block websites regardless of their category using custom categories and/or URL groups. 


Applies to the following Sophos products and versions 

Sophos Firewall 

Categorization and changing categorization behavior 

If a website has been categorized incorrectly, you can tell Sophos about it so that we can improve the categorization for all Sophos Firewall users. Please submit a sample of the URL. However, you can also add steps to the Web policy so that specific websites are handled differently from their category.

The most common reason to treat a website differently is that it is being blocked (or allowed) when it should not be. Sophos Firewall offers three ways to create objects and policy rules for websites and URLs to meet this need:

  • Custom category with domain 
  • Custom category with keyword 
  • URL groups 

When using a custom category or URL group, the URL still keeps its original category. Therefore, in addition to adding the URL to a custom category or URL group, you must also create a Web policy rule to handle it. This rule should be at the top of the list so that it takes priority over the rule for the original category.

As an example, you can create a custom category called Whitelist for Sales Dept and put into it the list of domains that the sales team should always have access to.

Then in the Web policy, create a rule at the top that only applies to the sales user group and set the Whitelist for Sales Dept category to Allow. 


In the firewall rule allowing Internet access, make sure to select the appropriate web policy. In this example, it is the Default Policy.  


Object types and wildcards

RegEx and other forms of wildcards are not supported within the text string. Strings are used verbatim in a substring match. However, the three object types apply slightly different automatic wildcarding, which allows some flexibility in matching. The following table describes how entries (with and without a slash) are matched by the system:

URL group
  Matching: the text is a verbatim string that must match the right side of the domain name. A path is not allowed.
  Note: this is FQDN aware: the URL is parsed and matched against that domain name and its subdomains rather than by a plain text string match.
  Left side wildcard:  any subdomains (FQDN aware).
  Right side wildcard: any path.
  String entered into the GUI: example.com
  Equivalent RegEx: ^([A-Za-z0-9.-]*\.)?example\.com\.?/

Custom category with domain
  Matching: the text is a verbatim string that will match anywhere in the domain name. If the text contains a slash (/), it can only match the end of the domain name and the beginning of the path.
  Entry does not contain a slash (/):
    Left side wildcard:  any characters in domain name or subdomains.
    Right side wildcard: any characters in domain name, top level domain or path.
    String entered into the GUI: example.com
    Equivalent RegEx: ^[^\/]*example\.com.*$
  Entry contains a slash (/):
    Left side wildcard:  any characters in domain name or subdomains.
    Right side wildcard: any path.
    String entered into the GUI: example.com/foobar
    Equivalent RegEx: ^[^\/]*example\.com\/foobar.*$

Custom category with keyword
  Matching: the text is a verbatim string that will match anywhere in the domain name or path.
  Entry does not contain a slash (/):
    Left side wildcard:  any characters in domain name or subdomains.
    Right side wildcard: any characters in domain name, top level domain or path.
    String entered into the GUI: example.com
    Equivalent RegEx: ^.*example\.com.*$
  Entry contains a slash (/):
    Left side wildcard:  any characters in domain name or subdomains.
    Right side wildcard: any path.
    String entered into the GUI: example.com/foobar
    Equivalent RegEx: ^.*example\.com\/foobar.*$

Matching samples (columns: A = URL group "example.com"; B = custom category with domain "example.com"; C = custom category with domain "example.com/foobar"; D = custom category with keyword "example.com"; E = custom category with keyword "example.com/foobar"):

  Sample URL                                | A        | B        | C        | D        | E
  http://example.com/foobar                 | matches  | matches  | matches  | matches  | matches
  http://mail.example.com/foobar/morestuff  | matches  | matches  | matches  | matches  | matches
  http://www.example.com.co.uk/foobar       | no match | matches  | no match | matches  | no match
  http://myexample.com/foobar               | no match | matches  | matches  | matches  | matches
  http://sample.com/example.com/foobar      | no match | no match | no match | matches  | matches
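As an added example (not Sophos code), the following Python script generalises the equivalent RegEx column above to arbitrary entries and reproduces the matching-sample table, so you can check how a planned entry will behave before adding it to a policy. It assumes, which the article does not state, that the patterns are applied to the URL with its scheme removed and that a bare host gets a trailing slash.

```python
import re
from urllib.parse import urlsplit

# Object types as the article names them.
URL_GROUP, DOMAIN, KEYWORD = "url_group", "domain_category", "keyword_category"

def equivalent_regex(object_type: str, entry: str) -> str:
    """Return the RegEx the article lists as equivalent for an entry of the
    given object type. Assumption: the article's patterns keep the same shape
    for any entry, so the entry is escaped and substituted verbatim."""
    literal = re.escape(entry)  # entries are verbatim: no RegEx, no wildcards
    if object_type == URL_GROUP:
        if "/" in entry:
            raise ValueError("URL group entries cannot contain a path")
        # FQDN aware: optional subdomains on the left, any path on the right
        return rf"^([A-Za-z0-9.-]*\.)?{literal}\.?/"
    if object_type == DOMAIN:
        # [^/]* keeps the match inside the host part, so a slash in the entry
        # can only match end-of-host followed by the start of the path
        return rf"^[^/]*{literal}.*$"
    if object_type == KEYWORD:
        # anywhere in the domain name or path
        return rf"^.*{literal}.*$"
    raise ValueError(f"unknown object type: {object_type}")

def normalise(url: str) -> str:
    """Assumption: patterns are applied to the URL without its scheme, and a
    bare host gets a trailing '/' so the URL-group pattern sees the boundary."""
    parts = urlsplit(url)
    return parts.netloc + (parts.path or "/")

def entry_matches(object_type: str, entry: str, url: str) -> bool:
    return re.match(equivalent_regex(object_type, entry), normalise(url)) is not None

# The five columns of the article's table and its sample URLs.
COLUMNS = [(URL_GROUP, "example.com"), (DOMAIN, "example.com"),
           (DOMAIN, "example.com/foobar"), (KEYWORD, "example.com"),
           (KEYWORD, "example.com/foobar")]
SAMPLE_URLS = ["http://example.com/foobar",
               "http://mail.example.com/foobar/morestuff",
               "http://www.example.com.co.uk/foobar",
               "http://myexample.com/foobar",
               "http://sample.com/example.com/foobar"]

def match_table() -> dict:
    """Map each sample URL to its match result per column, in table order."""
    return {u: [entry_matches(t, e, u) for t, e in COLUMNS] for u in SAMPLE_URLS}

if __name__ == "__main__":
    for url, row in match_table().items():
        print(f"{url:42} " + " ".join("matches " if m else "no match" for m in row))
```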