Hi all, I have a customer that hat the following requirement: - for all users there is a rule that denies several URLs and Categories - but: there are 4 groups of users that are allowed to use URLs out of there categories so in my example: Internet Access Level 1 (All Access) Internet Access Level 2 (most pages) Internet Access Level 3 (banking, amazon etc) Internet Access Level 4 (Default Users -> no AD group assigned) My Idea was to create those rules and just do some "allow url lists" on Level 2/3 and the deny on level 4. But I the user is member of the AD Group for Level 3 the rule for any users simply does not work. So - do I have to create the same denys on all web filter policies or can I have a "global" deny rule and allow only some URLs for other users? Thanks an Br

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Several Policies to build up Web Protetction Rules

ChristianSchneider1 over 8 years ago

Hi all,

I have a customer that hat the following requirement:

- for all users there is a rule that denies several URLs and Categories

- but: there are 4 groups of users that are allowed to use URLs out of there categories so in my example:

Internet Access Level 1 (All Access)
Internet Access Level 2 (most pages)
Internet Access Level 3 (banking, amazon etc)
Internet Access Level 4 (Default Users -> no AD group assigned)

My Idea was to create those rules and just do some "allow url lists" on Level 2/3 and the deny on level 4. But I the user is member of the AD Group for Level 3 the rule for any users simply does not work.

So - do I have to create the same denys on all web filter policies or can I have a "global" deny rule and allow only some URLs for other users?

Thanks an Br

This thread was automatically locked due to age.

0 lferrara over 8 years ago

Christian,

can you share your Policy rules?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 HuberChristian over 8 years ago

In XGv16, this scenario can be solved with one Webfilter Policy containing different Rules. Something what is currently not supported by XGv15. If I remember correctly, you have to create Multiple Firewall Rules each having applied a different Webfilter Policies what makes it somehow complicated. So sharing your Config wouldn't be a bad idea for that.
Cancel
Vote Up 0 Vote Down

Cancel
0 ChristianSchneider1 over 8 years ago in reply to HuberChristian

Hi, thanks for you replys. Yeah, I assume it just does not work like I want it.

So, thats my rules. It starts at the top with the "allow all" and ends with the "deny" rule. In the middle (e.g. layer_4) there are some domains on the whitelist that are blacklisted further down. But the other blacklists from "deny" do not work... so this is by design?

Thanks :)
Cancel
Vote Up 0 Vote Down

Cancel
0 HuberChristian over 8 years ago in reply to ChristianSchneider1

What do Logfiles say about Packets, which should Match for RuleID 11 or 13? Is there any user visible into XG Log?

If you don't feel comfortable with GUI Logfile, those two commands may help:

console> system diagnostics subsystems WebProxy debug on

XG135w_XN02_SFOS 15.01.0# tail -f /log/awarrenhttp_access.log
Cancel
Vote Up 0 Vote Down

Cancel
0 sachingurung over 8 years ago

Hi Christian,

How about creating a separate user firewall rule on the top and below the DNS rule for your User on AD? Or simply create a bypass rule for your IP address on the top. Does anything from the 2 works for you ?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 ChristianSchneider1 over 8 years ago in reply to HuberChristian

Hi, thanks :)

So if I am in the Group "Layer2" for Rule 13 only these rules apply, not the deny-rule from rule 10. And that was what I expected. Rule 10 is for everybody and can partly be overwritten by e.g. rule 13.
Cancel
Vote Up 0 Vote Down

Cancel