About WebGroups

WebGroups are groupings of domains or URLs, inserted into Distributed Cloud Firewall rules, that filter (and provide security to) Internet-bound traffic.


From this tab you can save views, filter intrusion results, and download the results in a CSV file.

Prerequisites

  • You must create WebGroups before creating any Distributed Cloud Firewall rules that utilize WebGroups.

  • To filter HTTPS traffic with a URL-based WebGroup, TLS Decryption must be enabled in the rule where the WebGroup is used.

Considerations

  • A TLS packet with no SNI header will only match the Any-Web default WebGroup. You can create a DCF rule that uses a URL-type WebGroup to capture the packet, but only exact-match URLs are supported at this time.

    As an alternative to using a URL-based WebGroup, you can configure an L4 rule without WebGroups to allow the traffic based on IP address, and insert it before the first L7 rule.

  • HTTP traffic that is not TLS-encrypted has no SNI header. The following values are used instead:

    • Domain-based WebGroups: the value of the HTTP Host Header.

    • URL-based WebGroups: the URL value, as it would be for HTTPS (as long as TLS Decryption is enabled).

  • Non-TLS, non-HTTP traffic will not match any WebGroup.

Default WebGroup

When you navigate to Security > Distributed Cloud Firewall > WebGroups, a predefined WebGroup, 'All-Web', has already been created for you (if no other WebGroups exist). This predefined WebGroup cannot be deleted.

This is a "match-all" WebGroup that you must select in a Distributed Cloud Firewall rule if you do not want to limit the Internet-bound traffic for that rule, but you still want to log the FQDNs that are being accessed.

Prior to Release 7.1.3006, the default WebGroup was named 'Any-Web' and was created by CoPilot. If you still have this WebGroup, you can modify it (if it is being used by Distributed Cloud Firewall rules) or delete it (if it is not used by any Distributed Cloud Firewall rules) so that it is not confused with the default 'Any-Web' WebGroup created by Controller.

Creating WebGroups

To create a new WebGroup:

  1. On the Security > Distributed Cloud Firewall > WebGroups tab, click +WebGroup.

  2. Configure the following:

    Field: Description

    • Name: Enter a name for the WebGroup.

    • Type: Domains or URLs. In the Domains/URLs field, enter the domains or URLs. You can enter either domains or URLs in one WebGroup; they cannot be mixed.

    • Domains/URLs: Enter the domains or URLs for the WebGroup.

      Domain examples: google.com, www.microsoft.com, *.amazonaws.com

      URL example: github.com/AviatrixFieldEng/

      A domain is valid only if it consists of alphanumeric characters, dots, dashes (-), underscores (_), and asterisks. A domain can start with *. (asterisk and dot), and a single asterisk on its own is also a valid domain, but an asterisk cannot be attached directly to the start of a name (for example, you can use google.com or *.google.com, but not *google.com).

      Any TLS protocol is supported for domains, along with HTTP.

  3. Click Save.
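
The entry rules in step 2 can be checked before the values are typed into the form. The following is an added example, not Aviatrix code: the function names are hypothetical, and treating any entry that contains a / as a URL is an assumption of this example.

```python
import re

# Allowed domain characters per the page (asterisks are handled separately).
_LABEL_CHARS = re.compile(r"[A-Za-z0-9._-]+")


def entry_kind(entry):
    """Assumption: an entry with a path separator is a URL, otherwise a domain."""
    return "url" if "/" in entry else "domain"


def domain_problem(domain):
    """Return None if the domain follows the page's rules, else a reason."""
    if domain == "*":
        return None  # a lone asterisk is valid
    body = domain[2:] if domain.startswith("*.") else domain
    if not body:
        return "empty domain name"
    if "*" in body:
        # Covers '*google.com'. Assumption: an asterisk anywhere else is also
        # flagged, because the page documents only '*' and a leading '*.'.
        return "asterisk is only accepted alone or as a leading '*.'"
    if not _LABEL_CHARS.fullmatch(body):
        return "contains a character other than alphanumerics, '.', '-', '_'"
    return None


def lint_webgroup(name, entries):
    """Return a list of problems for one planned WebGroup (empty list = clean)."""
    problems = []
    kinds = {entry_kind(e) for e in entries}
    if len(kinds) > 1:
        problems.append(f"{name}: domains and URLs cannot be mixed in one WebGroup")
    for e in entries:
        if entry_kind(e) == "domain":
            reason = domain_problem(e)
            if reason:
                problems.append(f"{name}: {e!r}: {reason}")
    return problems


if __name__ == "__main__":
    # Constructed sample groups built from the page's own example entries.
    for group, items in {
        "allow-saas": ["google.com", "www.microsoft.com", "*.amazonaws.com"],
        "bad-wildcard": ["*google.com"],
        "mixed": ["*.amazonaws.com", "github.com/AviatrixFieldEng/"],
    }.items():
        print(lint_webgroup(group, items) or f"{group}: ok")
```
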

Editing a WebGroup

You cannot edit the Any-Web WebGroup.

  1. Click the Edit icon next to a WebGroup. You can edit the Name, Type, and Domain/URLs of the WebGroup.

  2. Click Save.

Deleting a WebGroup

You cannot delete the Any-Web WebGroup.

  1. Click the Delete icon next to the WebGroup.

  2. Click Delete to confirm you want to delete the selected WebGroup.