Thursday, June 15, 2006

URL Paths 2

From the comments of my original post about URL Paths:

<quote src="Jon Cavallo">
You can put *.com in the URL Paths. You need to enter it as '/*.com'

I use the /*.x convention on all my extension blocking. This helps prevent them from wildcarding some other part of a complex URL.

You are totally right; this is a better way to implement extension blocking with URL Paths. Thanks.

Sunday, June 11, 2006


Did you know that Fireware also has a command-line interface?
You can SSH to your box on port 4118.
You can log in with:
Username = admin
Password = your read-write password.

You can do all sorts of things from the command line.
I use it as a replacement for the 'Restart IPSec' function that was in WFS but is not in Fireware.

To clear individual BOVPN, MUVPN, or PPTP tunnels:
WG#no vpn-tunnel ipsec enter-ID-of-the-BOVPN-tunnel-here
WG#no vpn-tunnel muvpn enter-ID-of-the-MUVPN-tunnel-here
WG#no vpn-tunnel pptp enter-the-physical-IP-address-of-the-PPTP-client-here

To find out the ID of a tunnel:
WG#show vpn-tunnel ike-gateway
WG#show vpn-tunnel ipsec
WG#show vpn-tunnel muvpn
WG#show vpn-tunnel pptp

Very useful, but remember:
<quote src="Nathan Buff">
There is a CLI but the CLI creates configurations that are not compatible with the GUI-based Policy Manager. For this reason, the CLI is only supported when the Firebox is running in Common Criteria mode.

Saturday, June 03, 2006

URL Paths

I mainly use the URL Paths function of the HTTP Proxy for blocking file extensions. Here is a list of extensions that I deny:


Notice that the file extension *.com is missing. I hope you can guess why.
You can also use the URL Path function for some more advanced filtering. I use it to prevent my users from turning off safe search for Google Image Search.

Rule name: Google_images_Safe_Search_Off
Pattern match: */*safe=off*
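To see why the leading slash in Jon's '/*.x' convention matters and how the safe-search rule above fires on the query string, here is an added example (my own code, not anything shipped with Fireware) that approximates the URL Paths matcher: it assumes '*' is the only wildcard, that rules are compared against the request path plus query string (not the hostname), and that matching is case-insensitive; the rule set is constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed rule set (hypothetical), in the style of the rules in the post.
# Each extension is prefixed with '/' so the wildcard is anchored at the start
# of the path instead of floating anywhere in the URL.
DENY_PATTERNS = [
    "/*.exe",
    "/*.com",
    "*/*safe=off*",   # Google_images_Safe_Search_Off
]


def glob_match(pattern: str, text: str) -> bool:
    """Minimal wildcard matcher: '*' matches any run of characters (including
    '/'); every other character must match literally. Assumed to approximate
    the proxy's URL Paths matching, which the post does not document."""
    p_len, t_len = len(pattern), len(text)
    # table[i][j]: does pattern[:i] match text[:j]?  (no exponential backtracking)
    table = [[False] * (t_len + 1) for _ in range(p_len + 1)]
    table[0][0] = True
    for i in range(1, p_len + 1):
        if pattern[i - 1] == "*":
            table[i][0] = table[i - 1][0]
    for i in range(1, p_len + 1):
        for j in range(1, t_len + 1):
            if pattern[i - 1] == "*":
                table[i][j] = table[i - 1][j] or table[i][j - 1]
            else:
                table[i][j] = table[i - 1][j - 1] and pattern[i - 1] == text[j - 1]
    return table[p_len][t_len]


def request_path(url: str) -> str:
    """Path plus query string, which is what URL Paths rules are assumed to see;
    the hostname is not included, so '/*.com' cannot match 'example.com'."""
    parts = urlsplit(url)
    path = parts.path or "/"
    target = f"{path}?{parts.query}" if parts.query else path
    return target.lower()   # assumption: proxy compares case-insensitively


def matching_rule(url: str, patterns=DENY_PATTERNS):
    """Return the first deny pattern that matches the request, or None."""
    target = request_path(url)
    for pattern in patterns:
        if glob_match(pattern, target):
            return pattern
    return None
```

Run matching_rule on a few constructed URLs: a plain request to a .com host is allowed, while '/setup.exe', '/files/tool.com' and an image search with 'safe=off' in the query each hit the expected rule.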