
Problem in Web filtering using AD Groups

Hi

I newly started to use Sophos XG Firewall SFOS 17.14.4 MR-4 for testing purposes.

After I made the integration with my AD, I tried to create a firewall policy that will block (Facebook, YouTube), for example.

I went to Identity under Match Known Users and selected a group that contains some users to apply the policy on, instead of applying it to the whole network,

and under Advanced --> Web Policy selected the policy I made and clicked Save at the top.

But unfortunately the policy didn't work; the users are still able to open Facebook and YouTube.

My scenario is to block some web categories for a group of users by adding them to a security group in AD.

Any advice please?



  • Hi Alaa,

    How I did this was to create some security groups in AD: Sophos-Basic, Sophos-Manager and Sophos-Admin.

    Then in STAS I only import these three groups.

    When I create my web policy I apply the various restrictions to one of those groups, such as blocking Social Media for Sophos-Basic.

    Then you need to add the rule to a Firewall Rule that applies to the users you are trying to restrict.

    In this case mine was under Default Proxy Policy and you will see this in the FW Web Policy.

    Please ensure you have STAS configured correctly and the changes made to the GPOs to log the events on logon/off and set WMI etc., or you will get problems.

    I am not sure if you have seen the articles below but they may assist in getting you up and running.

    Once done you can have quite granular control on who does what. I also have a master Web Blacklist that applies to all users: places they really don't need to be at work no matter who they are.

    https://community.sophos.com/kb/en-us/123833

    community.sophos.com/.../123155
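As an added example (not code from the thread, the poster, or Sophos), the AD side of the setup the reply describes can be scripted and checked from a domain-joined admin workstation with the RSAT ActiveDirectory module. The OU path and the user name are placeholders; the group names are the ones named in the reply. The audit check at the end assumes it is run on the domain controller whose security log STAS reads.

```powershell
# Added example (not from the thread): create the three Sophos security groups
# the reply describes, put a test user in one of them, and verify the pieces
# STAS depends on. Requires the RSAT ActiveDirectory module and domain admin rights.
# The OU path and the user name are placeholders; adjust them for your domain.
Import-Module ActiveDirectory

$GroupOU  = 'OU=Sophos,DC=example,DC=local'   # placeholder OU
$TestUser = 'jdoe'                            # placeholder sAMAccountName
$Groups   = 'Sophos-Basic', 'Sophos-Manager', 'Sophos-Admin'

# 1. Create the groups if they do not exist yet (Global security groups).
foreach ($g in $Groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
                    -GroupCategory Security -Path $GroupOU
    }
}

# 2. Put the test user in Sophos-Basic (the group the reply blocks Social Media for).
Add-ADGroupMember -Identity 'Sophos-Basic' -Members $TestUser

# 3. Verify membership as XG will see it: STAS only imports these groups, so a
#    user who is in none of them will never match a group-based web policy.
$membership = Get-ADPrincipalGroupMembership -Identity $TestUser |
              Where-Object { $_.Name -like 'Sophos-*' }
if (-not $membership) {
    Write-Warning "$TestUser is in none of the Sophos-* groups; the web policy will not apply."
} else {
    $membership | Select-Object Name, GroupScope | Format-Table -AutoSize
}

# 4. Check the audit settings the reply says the GPO must push: STAS maps IP to
#    user from logon/logoff events, so this category must be auditing Success.
auditpol /get /category:"Logon/Logoff"
```

If step 3 warns, the firewall rule will still match the source IP but no user, so the Identity condition fails silently; if step 4 shows "No Auditing" for the Logon subcategories, STAS never learns the IP-to-user mapping in the first place, which produces exactly the symptom in the original post.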

  • Never forget, there are authentication methods for Proxy only, and some for Firewall.

    STAS etc. will do both. NTLM requires some kind of challenge, which is most likely a Proxy authentication method.

    XG offers a couple of ways to authenticate to your XG.

    STAS, SSO Client, Captive Portal, Sync-Sec Heartbeat User ID, NTLM, Clientless Authentication, you name it.

    It is important to have the IP mapped to the username in XG. The Proxy will take care of the correct group etc.