Best approach for Authentication and Surfing Quotas?

I am struggling to come up with an effective approach for limiting and protecting my kid on my home XG install and looking for ideas/advice.

Scenario:

Would like to apply Surfing Quotas and Web filtering rules to kid devices only. All others will be unrestricted. His devices are all "known" and setup with DHCP reservations and client-less mappings.

Ideally I would apply Quota and Web Filtering rules by device, but my understanding is that Quotas can only be applied to users. Therefore, it seems the captive portal would be the only option given he has a Chromebook and other devices that do not support the agent. What would be the best way to setup the captive portal to only apply to his devices and leave all other "unknown" users/devices without restrictions?

Thanks in advance.

This thread was automatically locked due to age.
  • Both are possible. I have experimented with this myself. However, you will need to do some preparation work first.

    For each device, you will need to manually assign an IP address, or use 'Bind IP to MAC' on your wireless device or whatever assigns IP addresses, so that you can:

    System, Hosts and Services - add each device to the list

    After that:

    You add Firewall rules (Protect, Firewall) and within there you can set a surfing quota (you can add your own quota in System, Profiles) and also Web Filters (as well as Application and IPS).

    Hope this helps

  • Thanks for the reply. I have set up all the hosts and defined the desired surfing quota, but can you please clarify where I can apply the surfing quota to these hosts?

  • You need to add / create a Firewall rule

    Within there, you would specify the host (device) and also surfing quota

  • Okay, so within the FW rule I am adding the newly defined hosts as the source. However, I do not understand where I can add the Surfing Quota so that it applies to these source hosts.

  • You use the 'During Schedule Time'

  • Ok, but isn't that just a schedule for the rule itself? I don't see the Surfing Quotas listed there.

  • I see now what you are wanting to do.

    So, additionally, you will need to:

    1) Go to System Profiles, Surfing Quota and set your quota for the user there.
    2) Create a new user - Configure, Authentication, Users.
    3) While creating the user, that is where you select your Surfing Quota.
    4) Within the rule that you created, select 'Match Known users' and put a tick in the box for 'Show captive portal to unknown users':
       a) select devices
       b) select Web Policy
       c) select Intrusion Prevention
       d) select Application Policy

    Additionally, you can use the 'During scheduled time' option for the devices within the Firewall Rule.

    All of the above would work with only the devices you chose: set a time window for surfing, also limit the amount of time within the hours set, and apply the Web, IPS and Application Policy to protect the devices from unwanted

  • Hi Paul,

    Sorry to butt in again, but I know you have User ID Sync in place now, right? So essentially you can skip binding hosts to IPs: you can create user-based rules for your kids' logins with the surfing restrictions you set up on those users. That way, whatever endpoint your kids log in to, their restrictions apply even if you overlook an IP. Then just clone that rule below and set a drop/reject rule below this one as a catch rule. As long as your kids only know their own users' passwords, you should not have an issue.

    Just another way you can go about this. You could do it the other way round and create your main web protection policies with restrictions, then rather than creating user-based firewall rules for your kids, create them for everyone else; that way only those users can access unrestricted content.

    Also don't overlook setting Central Web policies for these users too as further protection.

  • Okay, yeah, that is what I suspected and is the crux of the problem. Unfortunately, you cannot apply Surfing Quotas to clientless users OR using your host method, which means I am stuck with the captive portal. The problem is I can't figure out how to only present the captive portal to my kid devices without ALSO presenting it to everyone else. The only solution I can think of is to identify each "known non-kid" device and separate them out by rule so they do not receive the captive portal. Guests would be stuck with the captive portal since there is no way to identify them.

    Oh well... Appreciate your help and time with this.

  • Thanks for the input! Ok, so I am not familiar with User ID Sync or Central Web Policies, so I will have to check that out. Just to clarify, the users would still need to be authenticated in some way, right (agent OR captive portal)?

    Also complicating matters, the "kid devices" are non-standard and each has its own challenges, such as the Chromebook (no agent), iPad (agent seems to be flaky), iPhone, XBOX (not sure how the captive portal will work), etc.

  • Although it's still in Early Access, User ID Sync has a lot of hoops to jump through right now: your Sophos Central Endpoint sends the logged-on user to XG. Although I've not tested it in this scenario personally, in theory it should work. But as I say, it's got a lot of hoops to jump through to get it working, so if you want a quick and easy method to do what you want, then you will probably be better off doing it via the methods referred to earlier. I just wanted to put the idea out there in case you have the Sophos Central EDR EAP as well as the XG Central Management EAP and AD servers set up (lol, as I say, it's got a lot of hoops to jump through to get Synchronised User ID to even work at this stage).

    But thinking about your requirements with just Sophos XG: you could still enable Safe Browsing on your existing web protection policies and set up your surfing quota restrictions as your default, then just create users for your unrestricted users and utilise either captive portal or client agent authentication. That way you know your kids are always restricted in their web access, and for your unrestricted users you create top-level firewall user rules with web protection policies / unrestricted profiles.

    Do you get what I mean?

  • No change for me, User ID not working. Will be working through with Sophos Support on Wednesday.
