
Blocking HTTPS access for facebook

Created: 29 Jan 2013 • Updated: 29 Apr 2013 | 7 comments
Frank Quijano's picture
This issue has been solved. See solution.

Very much aware of this KB from Symantec:

http://www.symantec.com/business/support/index?pag...

But is it possible to block any website even if it is accessed using HTTPS and SWG is inline mode?

As far as we know, other products seem to work on this one.

Any ideas to have a solution for this? Very appreciated if there will be just one.

 

Thanks.


BenDC's picture

It is not possible to selectively block https in inline or span/tap mode with the SWG; proxy mode was added to deal with https inspection.

You may be able to use your internal DNS server to redirect domains you wish to block entirely.
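The DNS redirect suggested above, sketched as an added example that is not part of the original post and is not a Symantec Web Gateway feature or configuration: the decision an internal resolver makes for a blocked domain, run over constructed query packets. The blocklist, the sinkhole address `192.0.2.1` and all function names are assumptions for illustration.

```python
from __future__ import annotations
import struct

BLOCKED = {"facebook.com"}   # constructed blocklist (assumption)
SINKHOLE_IP = "192.0.2.1"    # placeholder (TEST-NET-1) for an internal block page

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal standard DNS query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_qname(packet: bytes) -> tuple[str, int]:
    """Return (lower-cased query name, offset just past the question section)."""
    pos, labels = 12, []                       # the DNS header is 12 bytes
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:                      # a pointer is not expected in a query name
            raise ValueError("unexpected compression pointer")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return ".".join(labels), pos + 1 + 4       # skip root label, QTYPE and QCLASS

def is_blocked(name: str) -> bool:
    """Match whole labels: www.facebook.com matches, notfacebook.com does not."""
    labels = name.rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED for i in range(len(labels)))

def sinkhole_response(query: bytes) -> bytes | None:
    """Answer a blocked name locally; return None to let it resolve normally."""
    name, end = parse_qname(query)
    if not is_blocked(name):
        return None
    qtype = struct.unpack("!H", query[end - 4:end - 2])[0]
    answer = b""
    if qtype == 1:                             # A query: point at the sinkhole
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(map(int, SINKHOLE_IP.split(".")))
    # Other types (e.g. AAAA) get an empty NOERROR reply, so the block also covers IPv6 lookups.
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1 if answer else 0, 0, 0)
    return header + query[12:end] + answer

if __name__ == "__main__":
    for host in ("m.facebook.com", "notfacebook.com", "example.org"):
        print(host, "->", "sinkholed" if sinkhole_response(build_query(host)) else "resolve normally")
```

The block applies to HTTP and HTTPS alike because it acts before any connection is made, but only for clients that actually use the internal resolver.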

SMLatCST's picture

As per your link and the article below, it may be possible if you use an external proxy and place the SWG inline between the proxy and the endpoints:

http://www.symantec.com/docs/TECH178689

Frank Quijano's picture

Noted on your comments.

My current worry is that the secured website for Facebook is allowed to be accessed once SWG is in inline mode.

I tried before to include facebook.com within the blacklist. But nothing happened. I could still access their https site.

By the way, the setup is currently Inline + Proxy.

Hope you could help me a lot on this.

Thanks.

If you can't stand the heat, get out of the kitchen!

SMLatCST's picture

If you have the SWG in Inline+Proxy mode, then the most effective way you can block https access to facebook is to configure all your user endpoints to use the SWG as their proxy. If you combine this with firewall rules to restrict web traffic from the user subnets, forcing them to go via the SWG proxy for web access, you should be away.

Is there any reason why you're focussing upon the Inline traffic?

SOLUTION
Frank Quijano's picture

As per the client's setup (which is a school), it was set as inline+proxy because they also want to give internet access to their students who use their own devices. Also, they wanted their employees to be restricted from accessing some websites. But either way, they still wanted some sites to be restricted from being accessed.

If you can't stand the heat, get out of the kitchen!

rmw's picture

I would like to request an enhancement to the Web Gateway.  As mentioned earlier, other products can block HTTPS via inline or span/tap mode. 

In larger organizations, using a proxy server is complicated and cumbersome. Especially when there are other products that have this feature already.

What would it take to have this added?  The Web Gateway just needs to block HTTPS via a DNS lookup, it does not need to inspect the secure traffic.

Frank Quijano's picture

Very much noted. Looks like they need to use proxy to block https.

Thanks very much for the help.

If you can't stand the heat, get out of the kitchen!