XG firewall how to control User level access to surf internet by AD?

Hello support internal,

Thank you for contacting the Sophos Community.

Once you have integrated the XG to the AD, and you have imported the groups (hopefully you created Groups called, Marketing, Management, Production).

You can control access base on Firewall rules and Web Policies.

1) You would create 3 Firewall rules, one for each group

2) In each Firewall rule, you will select Identity = Match known users = User or Groups (In my example I selected the Marketing group)

3) In the same Firewall rule, under Advanced, select a Web Policy that matched a Policy for the Marketing team (For example I selected Default Workplace Policy)

That should be everything that you need.

Note Make sure that above those Firewall rules there are not Firewall rules such as LAN to WAN without match known users not selected, otherwise, all users will have open access.

Now you would need to adjust the Web Policy Filter as per your requirements, for this you would go to Protect >> Web >> Policies (For example in the Firewall rule I selected Default Workplace Policy which includes those activities. 

You can check this KB for more information about the same

===

Sophos XG Firewall: How to allow/block websites using custom categories and/or URL groups

https://community.sophos.com/kb/en-us/127270

===

===

Sophos XG Firewall: Can I Add a Website from a Default Category to a Custom Category?

https://community.sophos.com/kb/en-us/123370

===

Additionally to all of this when using Web Policy I would highly recommend you to install the SSL Certificate on the user's computers to avoid any certificate error when they access a website not allowed for them.

===

Sophos XG Firewall: SSL CA certificate installation guide

https://community.sophos.com/kb/en-us/123048

===

Regards,