
Making filtering rules user specific; best practices

We have added web mail and social media blocking and it is working exceptionally. However, we do want some users to be able to access such sites. What is the best practice to add user exceptions?


My thinking is, since we are using AD for authentication, to create an AD group, add the users we want exempt, and then move that rule above the rule which denies all. Please let me know how to set this up and if this is best practice.



  • FormerMember, in reply to tal yoffe

    Sorry, I haven't seen this.

  • I am assuming that you already have a default policy in place which matches ALL your AD users and denies access to certain websites/applications, and that you want to give a certain group of people access to some of the websites/applications that this default policy is blocking. (If you do not have any such policy in place, please have one, as this is one of the best practices.)

    In this scenario the best practice would be to create a group of AD users you want to exempt. Then make a rule which uses "Match known users" with the group you created earlier. Then have this rule ABOVE your default policy, not just above the deny-all rule. This is because the XG (or any firewall, for that matter) matches rules from top to bottom, so the rule at the top gets processed first. Whenever the firewall receives a packet from the LAN it goes through these rules, and the FIRST rule the packet matches is the one the firewall processes it with; it then stops processing further rules. So if this new rule is below the default policy, then ALL AD users, even the AD user group you want to exempt, will get matched by the default policy, and the exemption rule will never get processed since it's below the default rule. Best practice is to keep more specific rules (rules matching a specific MAC address, host, user, or IP) at the top of the firewall rules and the broader, less specific rules (rules applying to a bigger group of users, or the whole subnet) at the very bottom.
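The first-match, top-to-bottom behaviour described in the reply above, as an added illustration that is not part of the thread and not Sophos XG code: a simplified rule model (user set, web category set, action) with a first-match evaluator and a shadowing check that flags an exemption rule that can never fire because a broader rule sits above it. Rule names, users and categories are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    users: Optional[set] = None       # None = any user; a set = "Match known users" in that group
    categories: Optional[set] = None  # None = any web category

def matches(rule: Rule, user: str, category: str) -> bool:
    """A rule matches when every criterion it sets is satisfied (unset = wildcard)."""
    if rule.users is not None and user not in rule.users:
        return False
    if rule.categories is not None and category not in rule.categories:
        return False
    return True

def first_match(rules: List[Rule], user: str, category: str) -> Tuple[str, str]:
    """Walk the rule base top to bottom; the first matching rule decides, the rest are ignored."""
    for rule in rules:
        if matches(rule, user, category):
            return rule.name, rule.action
    return "implicit-deny", "deny"     # nothing matched: fall through to the implicit deny

def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet `narrow` could match is also matched by `broad`."""
    users_ok = broad.users is None or (narrow.users is not None and narrow.users <= broad.users)
    cats_ok = broad.categories is None or (
        narrow.categories is not None and narrow.categories <= broad.categories)
    return users_ok and cats_ok

def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never be reached because an earlier rule covers them entirely."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]

# Constructed rule base: exempt AD group, default policy blocking webmail/social, allow the rest.
BLOCKED = {"webmail", "social"}
exempt_group = Rule("exempt-ad-group", "allow", users={"alice", "carol"}, categories=BLOCKED)
default_policy = Rule("default-policy", "deny", users=None, categories=BLOCKED)
allow_rest = Rule("allow-everything-else", "allow")

CORRECT_ORDER = [exempt_group, default_policy, allow_rest]   # specific rule above the broad one
WRONG_ORDER = [default_policy, exempt_group, allow_rest]     # exemption placed below the default

if __name__ == "__main__":
    for order in (CORRECT_ORDER, WRONG_ORDER):
        print([r.name for r in order], first_match(order, "alice", "social"),
              "shadowed:", shadowed_rules(order))
```

Running the shadowing check before saving a rule base is the quick way to catch the misordering the reply warns about: an exemption that is listed but never reached.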