SonicOS 7 Rules and Policies

Web Browser Control

You can also use App Rules to protect your Web servers from undesirable browsers. App Rules supplies match object types for Netscape, MSIE, Firefox, Safari, and Chrome. You can define a match object using one of these types, and reference it in a policy to block that browser.

You can also access browser version information by using an HTTP User Agent match object type. For example, older versions of various browsers can be susceptible to security problems. Using App Rules, you can create a policy that denies access by any problematic browser, such as Internet Explorer 9. You can also use negative matching to exclude all browsers except the one(s) you want. For example, you might want to allow Internet Explorer version 10 only, because of flaws in version 9, and because you have not yet tested version 11. To do this, you would use a network protocol analyzer such as Wireshark to determine the Web browser identifier for Internet Explorer 10, which is "MSIE 10". Then you could create a custom match object of type HTTP User Agent with content "MSIE 10" and enable negative matching. Navigate to OBJECT | Match Objects to configure these settings.

Match Object Settings - MSIE 10

You can use this match object in a policy to block browsers that are not MSIE 10. For information about using Wireshark to find a Web browser identifier, see Wireshark. For information about negative matching, see About Negative Matching.

Another example of a use case for controlling Web browser access is a small e-commerce site that is selling discounted goods that are salvaged from an overseas source. If the terms of their agreement with the supplier are that they cannot sell to citizens of the source nation, they could configure App Rules to block access by the in-country versions of the major Web browsers.

App Rules supports a predefined selection of well-known browsers, and you can add others as custom match objects. Browser blocking is based on the HTTP User Agent reported by the browser. Your custom match object must contain content specific enough to identify the browser without creating false positives. You can use Wireshark or another network protocol analyzer to obtain a unique signature for the desired browser.
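
As an added example (not SonicWall code), the following Python sketch audits candidate match object content against captured User-Agent strings before you enter it in the firewall. The sample strings are constructed, and the match is modelled as a case-sensitive substring test with negative matching, which is an assumption about how the match object is configured.

```python
# Constructed sample User-Agent headers (label -> value), standing in for
# strings you would capture with Wireshark on your own network.
SAMPLES = {
    "IE 9 / Win7": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "IE 10 / Win7": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "IE 10 / Win8": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
    "IE 11 / Win8.1": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "Firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) "
               "Gecko/20100101 Firefox/115.0",
    "Chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
}

# The only browsers the policy is meant to let through.
WANTED = {"IE 10 / Win7", "IE 10 / Win8"}


def policy_blocks(user_agent, content, negative=True):
    """Return True if a block policy using this match object would fire.

    Assumption: the match is a case-sensitive substring test. With negative
    matching enabled, the policy fires when the content is NOT present.
    """
    matched = content in user_agent
    return (not matched) if negative else matched


def audit(content, samples=SAMPLES, wanted=WANTED):
    """Return (wrongly_allowed, wrongly_blocked) labels for candidate content."""
    wrongly_allowed = sorted(
        label for label, ua in samples.items()
        if label not in wanted and not policy_blocks(ua, content)
    )
    wrongly_blocked = sorted(
        label for label in wanted if policy_blocks(samples[label], content)
    )
    return wrongly_allowed, wrongly_blocked


if __name__ == "__main__":
    for candidate in ("MSIE 10", "MSIE", "Trident", "MSIE 10.0; Windows NT 6.2"):
        allowed, blocked = audit(candidate)
        print(f"{candidate!r}: wrongly allowed={allowed}, wrongly blocked={blocked}")
```

Content that is too broad ("MSIE", "Trident") lets unwanted versions through, while content that is too narrow blocks legitimate Internet Explorer 10 clients on another operating system.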
