Piotr_Lewandows
Feb 16, 2016

URL Filtering vs SWG

Hi,

 

I tried to find some more precise info about the two additional features provided by the SWG license (in comparison to the URL Filtering license), but there is not a lot available.

 

To my knowledge, the SWG license offers two additional features not present in URL Filtering:

 

  • Malware detection and protection
  • Real-Time content classification

It seems that both services are based on Websense technology, but what exactly do they provide and how do they work? Is there a way to turn the above on/off, any configuration?

 

I would appreciate being pointed to some more in-depth docs, or anyone sharing real-life experiences with those functions.

 

Piotr

 

  • TeddyO_38338
    Historic F5 Account

    Correct,

     

    The URL Filtering subscription is a URL database that controls access to websites or web applications based on the categories and risks associated with the intended URLs. URL filtering alone can be used with APM, and it can also be used with LTM and DNS/GTM via iRules.

     

    The SWG subscription works within APM, includes the URL Filtering Database above and, as you mentioned, the advanced malware protection, i.e. malicious scripts hosted inside public web pages, by scanning return HTTP/HTTPS traffic. Regarding your question of turning things on/off: yes, you can control parts of the traffic flow and make decisions on what to allow/disallow, etc.

     

    More details for both URL and SWG can be found here a few tabs down in the APM manual: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-secure-web-gateway-implementations-12-0-0.html

     

  • Hi,

     

    Thanks for the answer. I know this Implementations guide, but to be honest it's not very helpful for figuring out how exactly Malware protection works.

     

    I assume you are referring to the Response Analytics object. That part I already figured out, but I am still not sure how exactly it works.

     

    I assume that when this object is used, all responses from the server are scanned? Or not really?

     

    When using URL Category Lookup in the GUI, some lookups return an additional category - Analytics. This category is not listed in URL Categories. So my assumption was that it's somehow related to Malware protection (or Real-Time classification - or maybe both?).

     

    When checking logs for Per-Flow Policy execution, I can also see that some URLs classified by the Category Lookup object return an additional category - recommend_to_scan (ID 199).

     

    Now the question is whether only responses from URLs with this additional category are in fact scanned, or all responses?

     

    If only responses with this category, how do we control whether we would like to scan or not? Using some logic in the Category Lookup object?

     

    Another question is whether there is any easy way to check which URLs have the Analytics category assigned. There is no way I can see via the GUI (nothing in the URL Categories list).

     

    Yet another question is whether there is a way to enable scanning for categories not assigned the Analytics category, or for custom-added categories?

     

    Piotr

     

  • I have a related question.

    What would the expected behavior be on the F5 when swapping out the URL filtering license with the SWG license?

    I would imagine it will reboot the device, but I'm not sure.

     

    I have the SWG license ready to go, but I'm not sure what the swap-over process is.