Whitelist sub-URL\domain related to primary Website

Hi Guys,

The existing customer solution is a Blue Coat proxy with a “blocked all” internet access policy, except for the custom policy, which has a feature called “Referer” that whitelists all domains and sub-URLs linked to a primary website.

https://knowledge.broadcom.com/external/article/167143/access-denied-error-even-though-website.html

We have replicated the Blue Coat policy, including the blocked rule. We will have to manually add all the sub-URLs\domains related to the primary URL, and the job is tedious for a single URL; imagine 200 policies with multiple primary URLs in a single policy.

I would appreciate it if anyone could share their experience and guidance or a workaround to solve the limitation. Thanks.

What is the use case for blocking all internet traffic except what you explicitly allow? Normally this is used for very restricted environments and for servers. I am sure that this will be very hard to maintain, as websites are very dynamic and interconnected, especially with all the linking to social media, advertisements and analytics sites.

When security is the primary reason, I would even say maintaining a complex custom URL policy might even increase risks due to potential mistakes. This is why it is more common to block the risky categories, inappropriate content and bad stuff. Allowing pages that are linked to a primary site via a referrer does not sound very secure either, as this is how trusted websites get compromised and misused for attacks via malicious advertisements.

If you need to build some form of deny-by-default policy, I would try to use standard URL categories for low-risk sites and use Cloud Application Control to allow specific Cloud Apps within URL categories that you block because you want more granular control (like allowing Facebook and LinkedIn, but blocking the “Social Media” category).

Know that with Zscaler, URL filtering and Cloud App Control are access control policies and even when traffic is allowed we scan for malware and other security threats.

I hope this helps you in finding the best solution for your case.
Marco

Hi @Marco_Put-Carstens,

Appreciate the feedback. The current customer is in the FSI industry, hence the restricted control.

The Blue Coat “referer” feature is, based on their current environment, crucial to their IT team because it minimizes the process and resources needed for documentation and communication; e.g. IT or end users (1.2k+) will have to go through a time-consuming process in order to provide the full or sub-URL information list for a single primary website, as discussed above, in terms of controlling the policy.

As with Zscaler, even though the URL is whitelisted, Blue Coat still has a layer of protection, including multi-tier security solution protection, to help the customer secure their internet traffic. Currently we don’t have an option other than going through each URL per policy to whitelist the sub-URLs\domains as discussed. Thanks.

I understand the strict policy requirements within FSI.

Perhaps you could still leverage Cloud App Control to reduce some of the complexity of managing sanctioned applications within URL categories like Productivity & CRM Tools, Financial Services, Collaboration, File Sharing, Social Media and Streaming.

Probably you know this already, but when converting whitelists from Blue Coat to Zscaler you just start with the trailing dot if you need a wildcard for the domain. For whitelisting a site like www.cnn.com, you can enter “.cnn.com” as the URL to also include the sub-domains. Don’t add the (*) as a wildcard like “*.cnn.com”.

Hi @Marco_Put-Carstens,

Appreciate the advice and guidance. We managed to reduce the workload using the URL formatting as suggested. However, external URL\domain add-ons are still required to fully load the website because the primary policy is “block all”, including the concern of websites with login\redirect requirements.

The currently subscribed features don’t include application control, and we are working with the browser dev tool “inspect” for detailed information. Thanks.
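
The two manual steps discussed in this thread, as an added Python example that is not from any poster or vendor: rewriting migrated entries into the dot-prefixed form shown above (`.cnn.com`, no `*`), and listing the external hosts a page loads from a browser dev-tools HAR export so they can be reviewed before being allowed. The function names, the sample HAR and the `.test` domains are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

def to_dot_prefix(entry: str) -> str:
    """Drop scheme and port; rewrite '*.domain' as '.domain' (no '*' wildcard)."""
    e = entry.strip()
    if "://" not in e:
        e = "//" + e                      # make urlsplit treat it as a host
    parts = urlsplit(e)
    host = parts.netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()
    if host.startswith("*."):
        host = host[1:]                   # "*.cnn.com" -> ".cnn.com"
    return host + parts.path.rstrip("/")

def external_hosts(har: dict, primary: str) -> list[str]:
    """Hosts requested while loading the page that are outside the primary domain."""
    primary = primary.lower().lstrip(".")
    found = set()
    for item in har["log"]["entries"]:
        host = (urlsplit(item["request"]["url"]).hostname or "").lower()
        # Exact match or true sub-domain only; "notexample-bank.test" stays external.
        if host and host != primary and not host.endswith("." + primary):
            found.add(host)
    return sorted(found)

# Constructed HAR fragment (a real export comes from the dev-tools Network tab).
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
  {"request": {"url": "https://www.example-bank.test/login"}},
  {"request": {"url": "https://static.example-bank.test/app.js"}},
  {"request": {"url": "https://cdn.example-assets.test/lib.js"}},
  {"request": {"url": "https://cdn.example-assets.test/font.woff"}},
  {"request": {"url": "https://login.example-idp.test/authorize?x=1"}},
  {"request": {"url": "https://notexample-bank.test/pixel.gif"}}
]}}
""")

if __name__ == "__main__":
    for old in ["*.cnn.com", "https://www.cnn.com/", ".cnn.com"]:
        print(f"{old!r:28} -> {to_dot_prefix(old)}")
    print("review before allowing:", external_hosts(SAMPLE_HAR, "example-bank.test"))
```

The host list is a review queue, not an allow list: each entry still needs a decision on whether it belongs in the policy for that primary site.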