Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Security > Content Gateway filtering rules
Content Gateway filtering rules
Help | Content Gateway | v8.5.x
Content Gateway supports the ability to create rules that inspect requests for certain parameters and, when matched, apply a specified action. Rules can be created to:
*
Deny or allow URL requests
*
Insert custom headers
*
Allow specified applications, or requests to specified websites to bypass user authentication
*
Keep or strip header information from client requests
*
Prevent specified applications from transiting the proxy
 
* 
Note 
To create rules for IWA, NTLM, and LDAP user authentication, see Rule-Based Authentication. To get started with Content Gateway user authentication options, see Content Gateway user authentication.
Use the Configure > Security > Access Control > Filtering tab to create and modify filtering rules. Rules are stored in the filter.config file.
*
Rules are applied in the order listed, top to bottom. Only the first match is applied. If no rule matches, the request proceeds.
*
Secondary specifiers are optional. More than one secondary specifier can be used in a rule. You cannot, however, repeat a secondary specifier.
*
Three filtering rules are configured by default. The first denies traffic on port 25 to all destinations. The second and third bypass user authentication for connections to 2 Forcepoint Advanced Malware Detection destinations.
*
When Authentication bypass is enabled on the Web > Settings > Scanning > Bypass Settings page of the Forcepoint Security Manager, appropriate rules are added to filter.config.
After adding, deleting, or modifying a rule, restart Content Gateway.
See filter.config for information about the structure of stored rules.
Creating filtering rules
1.
In the Content Gateway manager, go to the Configure > Security > Access Control > Filtering tab.
2.
Click Edit File to open filter.config in the file editor.
3.
Select a Rule Type from the drop down list. The Rule Type specifies the action the rule will apply. The supported options are:
allow: allows particular URL requests to bypass authentication; the proxy caches and serves the requested content.
deny: denies requests for objects from specific destinations. When a request is denied, the client receives an access denied message.
keep_hdr: specifies which client request header information to keep.
strip_hdr: specifies which client request header information to strip.
add_hdr: causes a custom header-value pair to be inserted. Requires that Custom Header and Header Value are specified. Provides support for destination hosts that require a specific header-value pair. For an example, see Creating an add_hdr rule to allow Google enterprise gmail, below.
 
* 
Note 
The "radius" rule type is not supported.
4.
Select a Primary Destination Type and then enter a corresponding value in the Primary Destination Value field. Primary Destination Types include:
dest_domain: a requested domain name. The value is a domain name.
dest_host: a requested hostname. The value is a hostname.
dest_ip: a requested IP address. The value is an IP address.
url_regex: a regular expression to be found in a URL. The value is a regular expression.
5.
If the Primary Destination Type is keep_hdr or strip_hdr, select the type of information to keep or strip from the Header Type drop down list. Options include:
*
date
*
host
*
cookie
*
client_ip
6.
If the rule applies to only inbound traffic on a specific port, enter a value for Proxy Port.
7.
If the rule type is add_hdr, specify the Custom Header and Header Value. The Custom Header and Header Value must be values that the destination host expects. See the example for Google Business Gmail below.
8.
Provide values for any required or desired Secondary Specifiers. They include:
Time: specifies a time range, such as 08:00-14:00.
Prefix: specifies a prefix in the path part of a URL.
Suffix: specifies a file suffix in the URL.
Source IP address: specifies a single client IP address, or an IP address range of clients.
Port: specifies the port in a requested URL.
Method: specifies a request URL method:
*
get
*
post
*
put
*
trace
Scheme: specifies the protocol of a requested URL. Options are:
*
HTTP
*
HTTPS
*
FTP (for FTP over HTTP only)
User-Agent: specifies a request header User-Agent value. This is a regular expression (regex).
You can use the User-Agent field to create application filtering rules that:
*
Allow applications that don't properly handle authentication challenges to bypass authentication
*
Block particular client-based applications from accessing the Internet
See the knowledge base article titled "When authentication prevents devices, browsers, and custom applications from working with the proxy" for more information and several examples.
9.
When you have finished defining the rule, click Add to add the rule and then Apply to save the rule.
10.
When you are done adding rules, click Apply to save all the changes and then click Close to close the edit window.
Editing a rule
1.
In the Content Gateway manager, go to the Configure > Security > Access Control > Filtering tab.
2.
Click Edit File to open filter.config in the file editor.
3.
In the list, select the rule to be modified and change the values as desired.
4.
Click Set to update the rule and click Apply to save the rule.
5.
Click Close to close the edit window.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Security > Content Gateway filtering rules
Copyright 2023 Forcepoint. All rights reserved.