Managing WebGroups

If the Distributed Cloud Firewall (DCF) feature is disabled, WebGroups are not available.
webgroup default

WebGroups are groupings of domains or URLs, inserted into DCF rules, that filter (and provide security to) Internet-bound traffic. WebGroups in DCF are only supported on Spoke Gateways and Public Subnet Filtering (PSF) Gateways.

From this tab you can save views, filter intrusion results, and download the results in a CSV file.

To filter HTTP or HTTPS traffic with a URL-based WebGroup, TLS Decryption must be enabled in the rule where the WebGroup is used.

Non-TLS or non-HTTP traffic will not match the rule that uses the WebGroup and will be evaluated against later rules.

Considerations

  • A TLS packet with no SNI header will only match the All-Web default WebGroup. You can create a DCF rule that uses a URL-type WebGroup to capture the packet, but only exact match URLs are supported at this time.

    As an alternative to using a URL-based WebGroup, you can configure an L4 rule without WebGroups to allow the traffic based on IP address, and insert it before the first L7 rule.

  • For non-TLS encrypted HTTP traffic, there is no SNI header. The following values are used instead:

    • Domain-based WebGroups: the value of the HTTP Host Header.

    • URL-based WebGroups: the URL value, as it would be for HTTPS (as long as TLS Decryption is enabled).

  • Non-TLS, non-HTTP traffic will not match any WebGroup.

System-Defined WebGroup

When you navigate to Security > Distributed Cloud Firewall > WebGroups, a system-defined WebGroup, 'All-Web', has already been created for you (if no other WebGroups exist). This predefined WebGroup cannot be deleted.

This is an "allow-all" WebGroup that you must select in a Distributed Cloud Firewall rule if you do not want to limit the Internet-bound traffic for that rule, but you still want to log the FQDNs that are being accessed.

Prior to Release 7.1.3006, the default WebGroup was named 'Any-Web' and was created by CoPilot. If you still have this WebGroup, you can modify it (if it is being used by Distributed Cloud Firewall rules) or delete it (if it is not used by any Distributed Cloud Firewall rules) so that it is not confused with the default 'Any-Web' WebGroup created by Controller.

Related Topics