Enabling Dynamic Web Content Filtering - D-Link DFL-1660 User Manual

6.3.4. Dynamic Web Content Filtering
blocked by the filtering policy.
WCF and Whitelisting
If a particular URL is whitelisted then it will bypass the WCF subsystem. No classification will be
done on the URL and it will always be allowed. This applies if the URL has an exact match with an
entry on the whitelist or if it matches an entry that makes use of wildcarding.
6.3.4.2. Setting Up WCF
Activation
Dynamic Content Filtering is a feature that is enabled by taking out a separate subscription to the
service. This is an addition to the normal NetDefendOS license.
Once a subscription is taken out, an HTTP Application Layer Gateway (ALG) Object should be
defined with Dynamic Content Filtering enabled. This object is then associated with a service object
and the service object is then associated with a rule in the IP rule set to determine which traffic
should be subject to the filtering. This makes possible the setting up of a detailed filtering policy
based on the filtering parameters that are used for rules in the IP rule set.
Setting Fail Mode
The option exists to set the HTTP ALG fail mode in the same way that it can be set for some other
ALGs and it applies to WCF just as it does to functions such as Anti-Virus scanning. The fail mode
setting determines what happens when dynamic content filtering cannot function and, typically, this
is because NetDefendOS is unable to reach the external databases to perform URL lookup. Fail
mode can have one of two settings:
• Deny - If WCF is unable to function then URLs are denied if external database access to verify
them is not possible. The user will see an "Access denied" web page.
• Allow - If the external WCF database is not accessible, URLs are allowed even though they
might be disallowed if the WCF databases were accessible.
Example 6.15. Enabling Dynamic Web Content Filtering
This example shows how to setup a dynamic content filtering policy for HTTP traffic from intnet to all-nets. The
policy will be configured to block all search sites, and this example assumes that the system is using a single NAT
rule for HTTP traffic from intnet to all-nets.
Command-Line Interface
First, create an HTTP Application Layer Gateway (ALG) Object:
gw-world:/> add ALG ALG_HTTP content_filtering
Then, create a service object using the new HTTP ALG:
gw-world:/> add ServiceTCPUDP http_content_filtering Type=TCP
Tip: Using a schedule
If the administrator would like the content filtering policy to vary depending on the
time of the day, they can make use of a Schedule object associated with the
corresponding IP rule. For more information, please see Section 3.7, "Schedules".
WebContentFilteringMode=Enabled
FilteringCategories=SEARCH_SITES
330
Chapter 6. Security Mechanisms