Product Documentation

Use case: URL filtering by using custom URL set

If you are an enterprise customer looking for a way to control access to specific websites and website categories, you can do by using a custom URL set bound to a responder policy.  Your organization’s network infrastructure can use a URL filter to block access to malicious or dangerous websites such as websites featuring adult, violence, gaming, drugs, politics, or job portals. In addition to filtering the URLs, you can create a customized list of URLs and import it to the SWG appliance. For example, your organization’s policies might call for blocking access to certain websites such as social networking, shopping portals, and job portals.

Each URL in the list can have a custom category in the form of metadata. The organization can host the list of URLs as a URL set on the NetScaler SWG appliance and configure the appliance to periodically update the set without requiring manual intervention.

After the set is updated, the NetScaler appliance automatically detects the metadata, and the responder policy uses the URL metadata (category details) to evaluate the incoming URL and apply an action such as allow, block, redirect or notify the user.

To implement this configure in your network, you can perform the following tasks:

  1. Import a custom URL set
  2. Add a custom URL set
  3. Configure a custom URL list in the NetScaler SWG Wizard

To import a custom URL Set by using the NetScaler SWG CLI:

At the command prompt, type:

import policy urlset <name> [-overwrite] [-delimiter <character>] [-rowSeparator <character>] -url <URL> [-interval <secs>] [-privateSet] [-canaryUrl <URL>]

Example import policy urlset test1 –url http://10.78.79.80/alytra/top-1k.csv

To add a custom URL set by using the NetScaler SWG CLI:

At the command prompt, type:

add urlset <urlset_name>

`add urlset test1`

Configure a URL list by using the NetScaler SWG wizard

Citrix recommends that you use the NetScaler SWG Wizard as the preferred option to configure a URL list. Use the wizard to import a custom URL set and bind it to a responder policy.

  1. Log on to the NetScaler SWG appliance and navigate to Secured Web Gateway > URL Filtering > URL Lists.
  2. In the details pane, click Add.
  3. On the URL List Policy page, specify the policy name.
  4. Select an option to either import a URL set.
  5. In the URL List Policy tab page, select the Import URL Set check box and specify the following URL Set parameters.
    1. URL Set Name—Name of the custom URL set.
    2. URL—Web address of the location at which to access the URL Set.
    3. Overwrite—Overwrite a previously imported URL set.
    4. Delimiter—Character sequence that delimits a CSV file record.
    5. Row Separator—Row separator used in the CSV file.
    6. Interval—Interval in seconds, rounded off to the nearest 15 minutes, at which the URL set is updated.
    7. Private Set—Option to prevent exporting the URL set.
    8. Canary URL—Internal URL for testing if the content of the URL set is to be kept confidential. The maximum length of the URL is 2047 characters.
  6. Select a responder action from the drop-down list.
  7. Click Create and Close.

localized image

Metadata semantics for custom URL sets

To import a custom URL set, add the URLs to a text file and bind it to a responder policy to block Social networking URLs.

 Following are examples of URLs that you might add to the text file:

cnn.com,News

bbc.com,News

google.com,Search Engine

yahoo.com,Search Engine

facebook.com,Social Media

twitter.com,Social Media

Configure a responder policy to block social media URLs by using the NetScaler CLI

add responder action** act_url_unauthorized respondwith "HTTP/1.1 451 Unavailable For Legal Reasons\r\n\r\nURL is NOT authorized\n"

add responder policy** pol_url_meta_match "HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).GET_URLSET_METADATA("u1").EQ("Social Media")" act_url_meta_match