Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1471
Views
0
Helpful
3
Replies

WSA Regex in Decryption Policies

inox
Level 1
Level 1

‎06-22-2018 06:19 AM - last edited on ‎03-25-2019 04:55 PM by Community Manager

Hello,

 

I am trying to drop a connection to a specific path of a URL in Decryption Policies and allow only access to the homepage of that site.

The URL looks like https://exampleurl.eu/en/home.html. This is the part that I would like to allow.

The part that I would like to drop the connections is https://exampleurl.eu/en/articles/

I tried using the following regex in a Custom URL Category (under Advanced=>Regular expressions) and used it a decryption policy rule:

exampleurl\.eu/en/articles/

Unfortunately it does not work. To be sure that I'm indeed hitting the Decryption Policy Rule, I added the fqdn in the Sites of the Custom URL Category (exampleurl.eu) and that worked: the site is successfully dropped.

 

The site that I'm trying to block also exists in http. When trying the above regex in the Access Policies for http traffic, the regex works perfectly and the path of the URL is blocked (http://exampleurl.eu/en/articles/).

 

Is there an issue with the regex in the decryption policies?

 

Thank you.

Labels:
0 Helpful
3 Replies 3

Handy Putra
Cisco Employee
Cisco Employee

‎06-24-2018 06:21 PM

Hi,

 

For HTTPS traffic to read the regular expression or to read the URI path of the domain, the traffic will have to be decrypted first (in decryption policy the action will need to be set as "decrypted".

If the traffic is being set to passthrough, WSA can only see the parent domain and will not have the information of the URI path.

 

Hope this helps

 

Regards

Handy Putra

0 Helpful

inox
Level 1
Level 1
In response to Handy Putra

‎06-25-2018 07:04 AM

Hello,

 

Thanks for the response. I managed to solve it :)

I was indeed trying "Decrypt" in the URL filtering of the Decryption Policies Rule.

However, instead of using in the Rule a URL category that contained regex, I used a URL category that only had the domain name (exampleurl.eu, .exampleurl.eu).

Then I used the URL category that contained regex in a rule of the HTTP Access Policies.

 

Thanks again for your support.

 

0 Helpful

Handy Putra
Cisco Employee
Cisco Employee
In response to inox

‎07-08-2018 05:00 PM

Hi,

 

Great to hear that you have sorted this out

 

Regards

Handy Putra

0 Helpful
Customers Also Viewed These Support Documents