Sophos XG Firewall: How to allow/block websites using custom categories and/or URL groups
KB-000036901 | 2020/02/12
This article describes how to allow/block websites regardless of their category using custom categories and/or URL groups.
The following sections are covered:
Applies to the following Sophos products and versions
Categorization and changing categorization behavior
If a website has been categorized incorrectly, you can tell Sophos about it so that we can improve the categorization for all Sophos Firewall users. Please submit a sample of the URL. However, you can also add steps to the Web policy to handle specific websites differently from their category.
The most common reason to treat a website differently is that it is being blocked (or allowed) when it should not be. Sophos Firewall offers three ways to create objects and policy rules for websites and URLs to meet this need:
- Custom category with domain
- Custom category with keyword
- URL groups
When a URL is added to a custom category or URL group, it still keeps its original category, so the original category's action continues to apply until a rule overrides it. Therefore, in addition to adding the URL to a custom category or URL group, you must also create a Web policy rule to handle it. This rule should be at the top of the list so that it takes priority over the rule that matches the original category.
As an example, you can create a custom category called Whitelist for Sales Dept and put into it the list of domains that the sales team should always have access to.
Then in the Web policy, create a rule at the top that only applies to the sales user group and set the Whitelist for Sales Dept category to Allow.
In the firewall rule allowing Internet access, make sure to select the appropriate web policy. In this example, it is the Default Policy.
Object types and wildcards
RegEx and other forms of wildcards are not supported within the text string; strings are used verbatim in a substring match. However, the three methods apply slightly different implicit wildcarding, which allows some flexibility in matching. The following table describes how entries (with and without a slash) are matched by the system:
- URL group: the text is a verbatim string matched against the right-hand side of the domain name; a path is not allowed. Note: this matching is FQDN aware, meaning the URL is parsed and the entry is matched against the domain name and its subdomains rather than as a plain text string.
- Custom category with domain: the text is a verbatim string matched anywhere in the domain name. If the text contains a slash (/), it can only match the end of the domain name and the beginning of the path.
- Custom category with keyword: the text is a verbatim string matched anywhere in the domain name or path.

| | URL group | Custom category with domain, entry without slash (/) | Custom category with domain, entry with slash (/) | Custom category with keyword, entry without slash (/) | Custom category with keyword, entry with slash (/) |
|---|---|---|---|---|---|
| Left side wildcard | Any subdomains (FQDN aware). | Any characters in domain name or subdomains. | Any characters in domain name or subdomains. | Any characters in domain name or subdomains. | Any characters in domain name or subdomains. |
| Right side wildcard | Any path. | Any characters in domain name, top level domain or path. | Any path. | Any characters in domain name, top level domain or path. | Any path. |
| String entered into the GUI | example.com | example.com | example.com/foobar | example.com | example.com/foobar |
| http://www.example.com.co.uk/foobar | does not match | matches | does not match | matches | does not match |
| http://myexample.com/foobar | does not match | matches | matches | matches | matches |
| http://sample.com/example.com/foobar | does not match | does not match | does not match | matches | matches |
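To make the matching rules in the table concrete, here is an added Python model (written for this article, not Sophos Firewall's own code) that evaluates the table's three URLs against the five GUI entries and shows where an entry matches more hosts than intended, such as a domain entry of example.com also matching myexample.com. The function names `_host_and_path`, `url_group_match`, `custom_domain_match`, `custom_keyword_match` and `matrix` are assumptions, as is the case-insensitive comparison.

```python
from urllib.parse import urlsplit

# Constructed model of the three matching rules described in the table above.
# It is an illustration for this article, not Sophos Firewall code; the
# comparison is assumed to be case-insensitive.

def _host_and_path(url):
    """Split a URL into lowercase hostname and lowercase path (default '/')."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/").lower()

def url_group_match(entry, url):
    """URL group: FQDN aware. The entry matches the domain itself or any of its
    subdomains (right-hand side of the host); an entry may not contain a path."""
    host, _ = _host_and_path(url)
    entry = entry.lower().strip("/")
    return host == entry or host.endswith("." + entry)

def custom_domain_match(entry, url):
    """Custom category with domain: verbatim substring anywhere in the hostname.
    If the entry has a slash, the part before it must end the hostname and the
    part after it must begin the path."""
    host, path = _host_and_path(url)
    entry = entry.lower()
    if "/" not in entry:
        return entry in host
    domain_part, _, path_part = entry.partition("/")
    return host.endswith(domain_part) and path.lstrip("/").startswith(path_part)

def custom_keyword_match(entry, url):
    """Custom category with keyword: verbatim substring anywhere in host or path."""
    host, path = _host_and_path(url)
    return entry.lower() in host + path

def matrix(url):
    """Evaluate a URL against the five GUI entries in the table's column order:
    URL group, domain (no slash), domain (slash), keyword (no slash), keyword (slash)."""
    return (
        url_group_match("example.com", url),
        custom_domain_match("example.com", url),
        custom_domain_match("example.com/foobar", url),
        custom_keyword_match("example.com", url),
        custom_keyword_match("example.com/foobar", url),
    )

if __name__ == "__main__":
    for u in ("http://www.example.com.co.uk/foobar",
              "http://myexample.com/foobar",
              "http://sample.com/example.com/foobar"):
        print(u, ["matches" if m else "does not match" for m in matrix(u)])
```

Running the block prints one row per URL in the same order as the table's last three rows, so any divergence between an entry you plan to add and the behaviour you expect shows up before the rule goes into the Web policy.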