How to Configure Not(Browse) to Filter Web Traffic

Managing network security requires precise control over how internal applications reach the external internet. Standard web gateways often struggle with non-browser traffic generated by scripts, automated tools, and background processes. This guide explains how to configure “Not(Browse)” logic to isolate and filter web traffic that does not originate from a standard web browser.

Understand Not(Browse) Traffic
Not(Browse) traffic refers to any HTTP or HTTPS request initiated by a non-browser application. Standard browsers like Chrome, Firefox, and Edge send distinct metadata and follow predictable behavioral patterns. Non-browser traffic includes API calls, command-line tools like cURL, DevOps pipelines, and background software updates.
Malware and data exfiltration tools also use non-browser processes to communicate with command-and-control servers. Separating this traffic from ordinary employee browsing lets you apply stricter rules to it without disrupting interactive use.

Identify Non-Browser Traffic
The first step in filtering non-browser traffic is accurate identification. Network appliances and proxies use specific criteria to distinguish this traffic.
User-Agent Strings: Browsers send long, structured identifiers. Non-browser tools usually send a short tool name and version (e.g., curl/7.68.0, python-requests/2.31.0) or omit the header entirely. The header is set by the client, so a script can claim to be a browser with a single flag (curl -A); treat it as a hint, not proof.
JA3/JA4 Fingerprints: These hash fields of the TLS ClientHello (protocol version, cipher suites, extensions, supported groups). Browser handshakes differ markedly from those produced by Python, Go, or OpenSSL-based command-line clients. Two caveats: recent Chrome versions randomize extension order, so Chrome's JA3 hash changes between connections (JA4 sorts the fields to stay stable), and tools exist that replay a browser's handshake, so a fingerprint should be combined with the other signals rather than trusted alone.
Traffic Behavior: Standard browsing fetches an HTML page and then the CSS, images, and scripts it references, with Accept: text/html on the page request and Referer and cookies on the follow-up requests. Non-browser traffic usually consists of isolated, repetitive GET or POST requests to specific API endpoints, typically with Accept: */* and no page context.

Configure the Filter on Secure Web Gateways
Most modern Secure Web Gateways (SWG) and Next-Generation Firewalls (NGFW) allow you to build policies based on application type and client attributes.

1. Create the Traffic Class
Define a new object or traffic class within your gateway management console. Name it something clear, such as Non_Browser_Web_Traffic.

2. Apply the Negation Logic
Set up your rule criteria to match web protocols (HTTP and HTTPS, conventionally ports 80 and 443; match on the decoded protocol rather than the port where your gateway supports it, so web traffic on other ports is not missed) and invert the application match: select the Application Category criterion, choose Web Browser or Web Browsing, and apply the NOT or Exclude operator to that category. Note that on HTTPS the gateway can only identify the application if the session is decrypted; without decryption it has only the TLS fingerprint and SNI to work with, so enable decryption before relying on the category match.

3. Define the Actions
Determine how the gateway should handle this traffic class. Because non-browser traffic lacks human oversight, apply a zero-trust approach:
Allow Only Listed Destinations: Restrict non-browser traffic to an explicit allowlist of verified domains. Everything else, including uncategorized destinations, is denied by default.
Enforce Deep Packet Inspection: Mandate SSL/TLS decryption for this traffic so payloads can be scanned for malicious code or data leaks. Expect some breakage: many agents, SDKs, and update services pin their server certificate and will fail under interception. Handle those with narrow decryption exemptions for specific destinations rather than exempting the whole class, and treat a previously unseen client that fails decryption as something to investigate.
Restrict File Types: Block executable downloads (.exe, .msi, .sh, .bat, .ps1) requested by non-browser utilities unless explicitly approved. Match on the gateway's content-based file-type detection as well as the URL extension, since a binary served from a URL without an extension slips past an extension-only rule.

Implement Local Proxy Routing
If you are managing traffic at the endpoint or local server level, you can use local proxy configurations to enforce Not(Browse) rules.

Use Environment Variables
Linux servers and developer workstations use environment variables to route command-line traffic. You can direct non-browser tools to a specific filtering proxy while standard browsers continue to use the default gateway. Only tools that read these variables honor them (curl, wget, pip, git, Python requests, and Go's net/http do; a malicious binary simply ignores them, and any user can unset them), so treat this as a routing convenience and back it with egress firewall rules that permit outbound 80/443 only from the proxy.
    export http_proxy="http://filtering-proxy.local:8080"
    export https_proxy="http://filtering-proxy.local:8080"
    export HTTP_PROXY="$http_proxy" HTTPS_PROXY="$https_proxy"   # some tools read only the uppercase names
    export no_proxy="localhost,127.0.0.1,.corp.local"            # internal hosts that bypass the proxy (adjust to your domains)

Configure PAC Files
Proxy Auto-Configuration (PAC) files use the FindProxyForURL(url, host) function to split traffic: it returns "PROXY filtering-proxy.local:8080" for requests that must be inspected and "DIRECT" (or a different proxy) for the rest. PAC logic primarily keys on the destination, and only clients that load the PAC file honor it (browsers and applications that follow the system proxy settings; curl and most SDKs do not), so combine it with local firewall rules that block direct egress on ports 80 and 443 for everything except the proxy. That is what actually forces scripts through the restrictive proxy port.

Monitor and Troubleshoot
Tightening controls on non-browser traffic can occasionally disrupt legitimate business workflows, such as automated software updates or developer tools.
Analyze Log Drops: Review firewall logs specifically for Default Block actions associated with empty User-Agents, and for TLS handshakes that began failing once decryption was enabled; the latter usually indicate a certificate-pinning client rather than an attack.
Build an Exception List: Create a highly specific destination whitelist for critical corporate services like Microsoft Update, AWS APIs, or internal code repositories.
Regularly Update Fingerprints: Ensure your firewall subscription signatures are current so that new browser versions are not accidentally misidentified as non-browser traffic.
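The identification criteria, the allowlist-and-file-type actions, and the log-drop review described above can be exercised together offline. The following is an added example written for this page, not code from any gateway vendor or from the original guide: a small Python policy evaluator run over constructed proxy log records. The pipe-delimited log format, the JA3 placeholder strings, the allowlisted domains and the host names are all assumptions made for the example.

```python
"""Not(Browse) policy evaluation over constructed proxy log records (added example)."""
import re
from dataclasses import dataclass

# Placeholder JA3 allowlist: invented strings standing in for the vendor-maintained
# browser fingerprints a real gateway would load. They match nothing real.
BROWSER_JA3 = {"JA3_CHROME_PLACEHOLDER", "JA3_FIREFOX_PLACEHOLDER"}

# Well-known CLI/SDK User-Agent prefixes. The header is client-controlled, so it is a
# hint only; the verdict also needs the TLS fingerprint and the Accept header.
TOOL_UA = re.compile(r"^(curl|wget|python-requests|python-urllib|go-http-client|"
                     r"libwww-perl|java|okhttp|powershell)/", re.I)
BROWSER_UA = re.compile(r"^Mozilla/5\.0 .*\b(Chrome|Firefox|Safari|Edg)/")

# Destinations non-browser clients may reach (constructed; "*." covers subdomains).
ALLOWED_NONBROWSER = {"update.microsoft.com", "*.amazonaws.com", "git.corp.example"}
BLOCKED_EXT = (".exe", ".msi", ".sh", ".bat", ".ps1")


@dataclass
class Request:
    src: str
    method: str
    host: str
    path: str
    user_agent: str
    accept: str
    ja3: str


def parse_log(text: str) -> list[Request]:
    """Parse the constructed pipe-delimited log: src|method|host|path|ua|accept|ja3."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split("|")
        if len(fields) != 7:
            raise ValueError(f"malformed log line: {line!r}")
        records.append(Request(*fields))
    return records


def classify_ua(ua: str) -> str:
    """'empty', 'tool', 'browser-like' or 'other', from the User-Agent alone."""
    if not ua.strip():
        return "empty"
    if TOOL_UA.match(ua):
        return "tool"
    return "browser-like" if BROWSER_UA.search(ua) else "other"


def is_browser(r: Request) -> bool:
    """Browser only when all three signals agree: UA, TLS fingerprint, page-style Accept."""
    return (classify_ua(r.user_agent) == "browser-like"
            and r.ja3 in BROWSER_JA3 and "text/html" in r.accept)


def destination_allowed(host: str) -> bool:
    """Exact or wildcard-subdomain match against the non-browser allowlist."""
    host = host.lower().rstrip(".")
    for entry in ALLOWED_NONBROWSER:
        if entry.startswith("*.") and (host == entry[2:] or host.endswith(entry[1:])):
            return True
        if host == entry:
            return True
    return False


def evaluate(r: Request) -> tuple[str, str]:
    """Not(Browse) policy: browsers get the normal web policy; everything else is
    allowlist-only, decrypted for inspection, and barred from executable downloads."""
    if is_browser(r):
        return "allow", "browser: normal web-browsing policy"
    if not destination_allowed(r.host):
        return "block", "non-browser client to destination outside allowlist"
    if r.path.lower().split("?")[0].endswith(BLOCKED_EXT):
        return "block", "non-browser client requesting executable content"
    return "allow", "non-browser client to allowlisted destination (decrypt and inspect)"


def triage_blocks(records: list[Request]) -> list[dict]:
    """Blocked requests with their User-Agent class: the view used when reviewing
    log drops and deciding what belongs on the exception list."""
    return [{"src": r.src, "host": r.host, "ua_class": classify_ua(r.user_agent),
             "reason": evaluate(r)[1]} for r in records if evaluate(r)[0] == "block"]


# Constructed records, not real captures. The last one has a spoofed browser User-Agent.
SAMPLE_LOG = """
10.1.1.5|GET|www.example.com|/|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36|text/html,application/xhtml+xml,*/*;q=0.8|JA3_CHROME_PLACEHOLDER
10.1.1.7|GET|update.microsoft.com|/v2/manifest|Windows-Update-Agent/10.0|*/*|JA3_SCHANNEL_PLACEHOLDER
10.1.1.9|POST|paste.example.net|/api/upload|curl/7.68.0|*/*|JA3_OPENSSL_PLACEHOLDER
10.1.1.9|GET|s3.amazonaws.com|/bucket/tool.exe|python-requests/2.31.0|*/*|JA3_PYTHON_PLACEHOLDER
10.1.1.12|GET|www.example.com|/||*/*|JA3_UNKNOWN_PLACEHOLDER
10.1.1.13|GET|telemetry.example.org|/beacon|Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0.0.0 Safari/537.36|*/*|JA3_PYTHON_PLACEHOLDER
"""

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec.src, rec.host, *evaluate(rec))
```

A request is treated as browser traffic only when the User-Agent, the TLS fingerprint and the Accept header all agree. The last sample record shows why that matters: its browser-like User-Agent is contradicted by a non-browser fingerprint and a bare Accept: */*, so it stays in the Not(Browse) class and is blocked by the allowlist. The Windows Update record passes because its destination is allowlisted, while the python-requests download from an allowlisted domain is still blocked on file type. triage_blocks groups the drops by User-Agent class, which is the view you need when deciding what belongs on the exception list.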