Forum Discussion

jckstn73_322934's avatar
jckstn73_322934
Icon for Nimbostratus rankNimbostratus
Dec 14, 2017

How does the URL database download work?

We are implementing URL filtering on the Big-IP (12.1.2) using APM/SWG and want to run URL updates through the management interface.

 

So far I've gone through the configuration information for APM/SWG and am able to implement URL filtering within our lab.

 

My questions before rolling this out to production and for security are:

 

What ports do I need to open to allow this traffic through our firewalls How is my subscription authorized when making the connection?

 

I'm assuming the BigIP does a site validation when connecting to download.websense.com, does anyone have more information about what is going on during this connection?

 

Lastly, how does the BigIP validate the downloaded db?

 

Thanks in advance Jack

 

  • In case anyone wants to know:

     

    What ports do I need to open to allow this traffic through our firewalls?

     

    Port 443/SSL

     

    How is my subscription authorized when making the connection?

     

    The BigIP passes the license ID / subscription ID)

     

    I'm assuming the BigIP does a site validation when connecting to download.websense.com, does anyone have more information about what is going on during this connection?

     

    This is the interesting part. The connection between the BigIP and the websense site is confirmed with the use of SSL pinning. SSL Pinning is a mechanism to ensure that the Big IP host checks the F5/Websense server's certificate against a know copy of that certificate. This check requires an exact match to the one originally supplied on the BigIP. The pinning mechanism guards against processes that inspect SSL traffic by breaking the encryption, thus resisting impersonation by man in the middle efforts. Were you able to successfully decrypt the tunnel, the actual data is compressed and also encrypted.

     

    Lastly, how does the BigIP validate the downloaded db?

     

    There is a PFM module that decrypts, decompresses, validates and imports the updates.

     

    Does anyone know what the updates file extension is?

     

  • Hi All

     

    How can we download and install these database on the device manually if lets say a particular F5 device doesnt have internet access.

     

    Regards, Vikram Khatri

     

  • In case anyone wants to know:

     

    What ports do I need to open to allow this traffic through our firewalls?

     

    Port 443/SSL

     

    How is my subscription authorized when making the connection?

     

    The BigIP passes the license ID / subscription ID)

     

    I'm assuming the BigIP does a site validation when connecting to download.websense.com, does anyone have more information about what is going on during this connection?

     

    This is the interesting part. The connection between the BigIP and the websense site is confirmed with the use of SSL pinning. SSL Pinning is a mechanism to ensure that the Big IP host checks the F5/Websense server's certificate against a know copy of that certificate. This check requires an exact match to the one originally supplied on the BigIP. The pinning mechanism guards against processes that inspect SSL traffic by breaking the encryption, thus resisting impersonation by man in the middle efforts. Were you able to successfully decrypt the tunnel, the actual data is compressed and also encrypted.

     

    Lastly, how does the BigIP validate the downloaded db?

     

    There is a PFM module that decrypts, decompresses, validates and imports the updates.

     

    Does anyone know what the updates file extension is?

     

  • Your best option to get answers to these questions is to talk to your account team. Be aware that there may well be Non-disclosure agreements involved. This information is not available publicly on our website.