Bug ID 532375: Facebook chat cannot be completely blocked with a URL Filter

Last Modified: Mar 21, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP SWG(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0

Opened: Jul 08, 2015
Severity: 3-Major

Symptoms

If an administrator creates a policy with a categorization agent and a URL Filter with an action to block Facebook chat, when the per-request policy applies the URL Filter, the chat session cannot be completely blocked. The categorization agent will not successfully categorize it as Facebook chat. However, if response analytics is included in the policy, incoming chat messages will be blocked, but outgoing chat messages will still be sent. (Although the sender will be shown a "message could not be sent" notification, it will still have been sent).

Impact

Facebook chat at this time cannot be accurately blocked. So users will still be able to send chat messages to other Facebook users thereby bypassing the URL Filtering policy in place.

Conditions

SWG module provisioned. Categorization agent in place. URL Filter created that blocks Facebook Chat. URL Filter is applied to user's request when per-request policy is evaluated.

Workaround

If response analytics is used, incoming chat messages will be blocked. This significantly impacts the user experience. Users will be able to send messages, though the sender will be shown a "message could not be sent" notification. Alternatively, an admin can block all of Facebook and, therefore, Facebook chat will be blocked as well.

Fix Information

A new agent has been added (request analytics) that will allow outgoing Facebook messages to be blocked. To use this agent requires an additional URL Filter Assign item in the per-request policy. Correct per-request policy implementation should follow the general idea of Category Lookup > Request Analytics > URL Filter Assign > Response Analytics > URL Filter Assign.

Behavior Change