Fortinet black logo

Handbook

Policy matching based on referrer headers and query strings

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:475731
Download PDF

Web proxy policies support creating web proxy addresses to match referrer headers and query strings.

Matching referrer headers

For example, to create a web proxy address to match the referrer header to block access to the following YouTube URL http://youtube.com/user/test321. The http request will have the following format:

GET /user/test321 HTTP/1.1

Host: www.youtube.com

User-Agent: curl/7.52.1

Accept: */*

Create the following web proxy addresses to match this page:

config firewall proxy-address

edit youtube

set type host-regex

set host-regex ".*youtube.com"

next

edit test321

set host "youtube"

set path "/user/test321"

set referrer enable

end

Then create two proxy policies, one that allows access to all traffic and a second one that blocks access to the page that matches the referrer header:

config firewall proxy-policy

edit 1

set uuid 92273e4e-8c53-51e7-a7bd-f26e6e15fc98

set proxy explicit-web

set dstintf "wan2"

set srcaddr "all"

set dstaddr "all"

set service "webproxy-connect"

set action accept

set schedule "always"

set utm-status enable

set profile-protocol-options "test"

set ssl-ssh-profile "test"

next

edit 2

set uuid d35ad06a-8c53-51e7-8511-17200f682a4a

set proxy explicit-web

set dstintf "wan2"

set srcaddr "all"

set dstaddr "test321"

set service "webproxy"

set action accept

set schedule "always"

set utm-status enable

set av-profile "default"

set profile-protocol-options "test"

set ssl-ssh-profile "test"

end

Matching query strings

To match the video with URL youtube.com/watch?v=XXXXXXXXX, (where XXXXXXXXX is an example YouTube query string) you need to match an HTTP request with the following format:

GET /user/watch?v=GLCHldlwQsg HTTP/1.1

Host: www.youtube.com

User-Agent: curl/7.52.1

Accept: */*

Create the following web proxy addresses to match this video or query string:

config firewall proxy-address

edit "youtube"

set uuid 4ad63880-971e-51e7-7b2e-c69423ac6314

set type host-regex

set host-regex ".*youtube.com"

next

edit "query-string"

set uuid 7687a8c0-9727-51e7-5063-05edda03abbf

set host "youtube"

set path "/watch"

set query "v=XXXXXXXXX"

end

Then create two proxy policies, one that allows access to all traffic and a second one that blocks access to the page that matches the query string

config firewall proxy-policy

edit 1

set uuid 92273e4e-8c53-51e7-a7bd-f26e6e15fc98

set proxy explicit-web

set dstintf "wan2"

set srcaddr "all"

set dstaddr "all"

set service "webproxy-connect"

set action accept

set schedule "always"

set utm-status enable

set profile-protocol-options "test"

set ssl-ssh-profile "test"

next

edit 2

set uuid d35ad06a-8c53-51e7-8511-17200f682a4a

set proxy explicit-web

set dstintf "wan2"

set srcaddr "all"

set dstaddr "query-string"

set service "webproxy"

set action accept

set schedule "always"

set utm-status enable

set av-profile "default"

set profile-protocol-options "test"

set ssl-ssh-profile "test"

end

Web proxy policies support creating web proxy addresses to match referrer headers and query strings.

Matching referrer headers

For example, to create a web proxy address to match the referrer header to block access to the following YouTube URL http://youtube.com/user/test321. The http request will have the following format:

GET /user/test321 HTTP/1.1

Host: www.youtube.com

User-Agent: curl/7.52.1

Accept: */*

Create the following web proxy addresses to match this page:

config firewall proxy-address

edit youtube

set type host-regex

set host-regex ".*youtube.com"

next

edit test321

set host "youtube"

set path "/user/test321"

set referrer enable

end

Then create two proxy policies, one that allows access to all traffic and a second one that blocks access to the page that matches the referrer header:

config firewall proxy-policy

edit 1

set uuid 92273e4e-8c53-51e7-a7bd-f26e6e15fc98

set proxy explicit-web

set dstintf "wan2"

set srcaddr "all"

set dstaddr "all"

set service "webproxy-connect"

set action accept

set schedule "always"

set utm-status enable

set profile-protocol-options "test"

set ssl-ssh-profile "test"

next

edit 2

set uuid d35ad06a-8c53-51e7-8511-17200f682a4a

set proxy explicit-web

set dstintf "wan2"

set srcaddr "all"

set dstaddr "test321"

set service "webproxy"

set action accept

set schedule "always"

set utm-status enable

set av-profile "default"

set profile-protocol-options "test"

set ssl-ssh-profile "test"

end

Matching query strings

To match the video with URL youtube.com/watch?v=XXXXXXXXX, (where XXXXXXXXX is an example YouTube query string) you need to match an HTTP request with the following format:

GET /user/watch?v=GLCHldlwQsg HTTP/1.1

Host: www.youtube.com

User-Agent: curl/7.52.1

Accept: */*

Create the following web proxy addresses to match this video or query string:

config firewall proxy-address

edit "youtube"

set uuid 4ad63880-971e-51e7-7b2e-c69423ac6314

set type host-regex

set host-regex ".*youtube.com"

next

edit "query-string"

set uuid 7687a8c0-9727-51e7-5063-05edda03abbf

set host "youtube"

set path "/watch"

set query "v=XXXXXXXXX"

end

Then create two proxy policies, one that allows access to all traffic and a second one that blocks access to the page that matches the query string

config firewall proxy-policy

edit 1

set uuid 92273e4e-8c53-51e7-a7bd-f26e6e15fc98

set proxy explicit-web

set dstintf "wan2"

set srcaddr "all"

set dstaddr "all"

set service "webproxy-connect"

set action accept

set schedule "always"

set utm-status enable

set profile-protocol-options "test"

set ssl-ssh-profile "test"

next

edit 2

set uuid d35ad06a-8c53-51e7-8511-17200f682a4a

set proxy explicit-web

set dstintf "wan2"

set srcaddr "all"

set dstaddr "query-string"

set service "webproxy"

set action accept

set schedule "always"

set utm-status enable

set av-profile "default"

set profile-protocol-options "test"

set ssl-ssh-profile "test"

end