vDefend Gateway Firewall URL Filtering Functionality
Article ID: 435030

Updated On:

Products

VMware vDefend Firewall VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Users may seek clarification on how URL Filtering functions on a Tier-1 (T1) Gateway.

Related Documentation:

Environment

VMware NSX

vDefend Firewall

Resolution

Unlike DFW FQDN Filtering, URL Filtering on a Gateway Firewall does not require a Layer 7 (L7) DNS rule to snoop traffic. The extraction methods are as follows:

  • HTTPS Traffic:
    • Without TLS Inspection Configured - The T1 Gateway extracts the FQDN from the Server Name Indication (SNI) extension in the TLS Client Hello sent during the handshake.
    • With TLS Inspection Configured - The T1 Gateway decrypts the session and extracts the URL from the HTTP Host header.
  • HTTP Traffic:
    • The URL is derived directly from the HTTP Host header in the request.

URL Filtering is supported for HTTP and HTTPS traffic only. Other protocols should be separated out into dedicated rules that do not use custom URLs in the L7 Access Profile. Non-HTTP/HTTPS protocols are dropped by the default attribute within the L7 Access Profile if the default attribute is set to drop/reject.