Malicious URL Protection

Enable malicious URL protection on a security device to drop incoming HTTP packets that reference URLs with specific user-defined patterns. You can define up to 48 malicious URL string patterns per zone, each of which can be up to 64 characters long, for malicious URL protection at the zone level. When the malicious URL blocking feature is selected, the security device examines the data payload of all HTTP packets. If it locates a URL and detects that the beginning of its string—up to a specified number of characters—matches the pattern you defined, the device blocks that packet from passing the firewall.

A resourceful attacker, realizing that the string is known and might be guarded against, can deliberately fragment the IP packets or TCP segments to make the pattern unrecognizable during a packet-by-packet inspection. However, security devices use Fragment Reassembly to buffer fragments in a queue, reassemble them into a complete packet, and then inspect that packet for a malicious URL. Depending on the results of this reassembly process and subsequent inspection, the device performs one of the following steps:

To configure a malicious URL string, you must specify the following properties:

For more information about malicious URLs on security devices, refer to the Concepts & Examples ScreenOS Reference Guide: Attack Detection and Defense Mechanisms.

Related Documentation