WSA web filtering WBRS

DJCanuck1_2 · ‎06-12-2017

I'm seeing more and more phishing emails with links that incorporate a google redirect to allow the web connection to pass because Google has a good WBRS. The URL being redirected to has a poor web reputation score, so the phisher is bypassing the WSA with the Google redirect.

How can we verify the WSA interrogates the whole URL and not just the first domain name in the URL link? Is there a way toset up a custome filter to ignore the redirect domain and just see the malicious URL?

Example:

https://www[.]google[.]com/url?hl=ru&q=https://guardmailboxprotection.com/view/user/secure_account/PDF/secure_account.pdf&source=gmail&ust=1497379074170000&usg=AFQjCNGeaFXemYbB6pZQwL0zkO4yTvlSaw#ztibfdse

Handy Putra · ‎06-12-2017

Hi,

Since google.com traffic will automatically using HTTPS connection and in order to see the full link for this connection, the request will need to be decrypted otherwise WSA will only sees just the parent domain (www.google.com).

To decrypt the HTTPS traffic means that the HTTPS proxy will need to be enabled in WSA and use decryption policy to decrypt traffic for google.com.

Once it is decrypted, it will then go to Access Policy.

You can create a custom URL category using regular expression for this then include that new custom URL category to your access policy and set the action such as block or allow.

The regular expression in the custom URL category to identify redirect domain behaviour from google, you can use below regular expression:

url?.*\.*\q=

Hope this helps.

Regards

Handy Putra

WSA web filtering WBRS

Configure Cisco Web Security Appliance (WSA) s196

WSA S695 / S195 Web Security Appliance: NWS: failoverHealthy/Unhealthy

Cisco ESA, Umbrella et WSA Sécurisation Emails et Trafic Web (slides)

Updated SAML Certificate Web Security and ZTA is now available

【原创】Firepower-URL Filtering部署-详