Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP SWG
Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0
Opened: Jul 08, 2015 Severity: 3-Major
If an administrator creates a policy with a categorization agent and a URL Filter with an action to block Facebook chat, when the per-request policy applies the URL Filter, the chat session cannot be completely blocked. The categorization agent will not successfully categorize it as Facebook chat. However, if response analytics is included in the policy, incoming chat messages will be blocked, but outgoing chat messages will still be sent. (Although the sender will be shown a "message could not be sent" notification, it will still have been sent).
Facebook chat at this time cannot be accurately blocked. So users will still be able to send chat messages to other Facebook users thereby bypassing the URL Filtering policy in place.
SWG module provisioned. Categorization agent in place. URL Filter created that blocks Facebook Chat. URL Filter is applied to user's request when per-request policy is evaluated.
If response analytics is used, incoming chat messages will be blocked. This significantly impacts the user experience. Users will be able to send messages, though the sender will be shown a "message could not be sent" notification. Alternatively, an admin can block all of Facebook and, therefore, Facebook chat will be blocked as well.
A new agent has been added (request analytics) that will allow outgoing Facebook messages to be blocked. To use this agent requires an additional URL Filter Assign item in the per-request policy. Correct per-request policy implementation should follow the general idea of Category Lookup > Request Analytics > URL Filter Assign > Response Analytics > URL Filter Assign.