Technical Tip: How to block URLs when they are redirected within a parameter

This article describes how to block URLs when they are redirected within a parameter.

Example: It is desired to block all access to /ecp path on the mail server but the mail server redirects the traffic to a login page and adds the URL in the request in a parameter called URL.

When trying to access https://mailserver.local/ecp, it will redirect to https://mailserver.local/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.aguasdoporto.pt...

To configure a URL-access policy matching /ecp* using the below steps, it will not block the URL within the parameter:

• Create an URL-access rule:
  
  

config waf url-access url-access-rule

    edit "Block_ECP"

        set action deny_no_log

            config  match-condition

                edit 1

                    set reg-exp /ecp*

                    set type regex-expression

                next

            end

    next

end

• Create a URL-access policy and add the created rule to it:
  
  

config waf url-access url-access-policy

    edit "Block_ECP"

        config  rule

            edit 1

                set url-access-rule-name Block_ECP

            next

        end

    next

end

• Modify the in-line web-protection profile used by the server-policy and add the URL-access policy to it:
  
  

config waf web-protection-profile inline-protection

    edit "Block_ECP_WPP"

        set url-access-policy Block_ECP

    next

end

When testing with https://mailserver.local/ecp, it will be blocked. However, when attempting to access https://mailserver.local/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.aguasdoporto.pt..., it will not be blocked.