How can i create user based application policy ?

Hi,

As far as i understand, you cannot do this. 

The Web Proxy is the only module in XG which does not rely to this KBA: https://community.sophos.com/kb/en-us/123161

All modules like Firewall Policies (Application, IPS etc.) Hotspot, VPN etc. uses the "Primary Group" for authentication.

Only the Web Proxy can perform "another" lookup to AD. 

Well, for example some users need to connect to p2p, but others should not be able to connect.

Can I only do this from the source network in the firewall rule? If the ip number of these people changes, the rule doesn't work? 

Hi Ozgur,

are you using the AD as an authentication to access the XG?

Ian

Yes

Hi Ozgur,

So, as part of your AD you can disable people'e access to VPN's via a GPO.

Ian

VPN or P2P is just an example :)

why do i have to use a single application policy for all clients ? 

I might want to allow some users to allow facebook games or block them. I should be able to do that with application policies ?

As you can see in the image below, it is a drop for users outside the defined group and the next firewall rule does not work

Hi,

I think you misunderstand. You create groups within your AD and then create the groups in the XG where people are allowed to connect using STAS functions. (You would have to read the KBA and search the forums, I am not a STAS user). You can create your own application policies and assign them to a firewall rule/s.

I have an application policy on my XG, for VoIP.

You will need to change your rules to use HTTPS scanning as well.

Ian

I would like to explain this with an example

I created 3 user groups, 

Group A, Group B, Group C

also created 3 application policies, 

AppPolicy1, AppPolicy2, AppPolicy3 

Ok,

Group A have connect to wan in AppPolicy1,

Group B have connect to wan in AppPolicy3 (for example)

Group C have connect to wan in AppPolicy2

So, i should create 3 firewall rules for this operation but firewall rules is triggering through via only network ip or hosts is not depending user groups. 

Can I explain my problem? 

I would like to explain this with an example

I created 3 user groups, 

Group A, Group B, Group C

also created 3 application policies, 

AppPolicy1, AppPolicy2, AppPolicy3 

Ok,

Group A have connect to wan in AppPolicy1,

Group B have connect to wan in AppPolicy3 (for example)

Group C have connect to wan in AppPolicy2

So, i should create 3 firewall rules for this operation but firewall rules is triggering through via only network ip or hosts is not depending user groups. 

Can I explain my problem? 

Like mentioned in my post earlier. You need to setup all those 3 Groups in XG as primary group and fill them with users. Then you are able to perform your actions because you setup up 3 user based policies and attach all those 3 app policies to these 3 rules. 

It will work.

Same for IPS, VPN, etc.

But you cannot simply use the same mechanism like HTTP Proxy. The Proxy works in a different way, so he can perform a lookup to get other groups out of AD. 

Thank you LuCar for chiming in to assist.

Ian