Making filtering rules user specific; best practices

Question

We have added web mail and social media blocking and it is working exceptionally. However we do want to have some users be able to access such sites. What is the best practice to add user exceptions. 
 
 My thinking is since we are using AD for authentication. To create an AD group. Add users who we want exempt and someone move that rule above rule which denies all. Please let me know how to set this up and if this is best practice.

FormerMember · Answer

I think best idea is to create a Firewallrule, with webfiltering rule, and than only add these user you want to allow.

Muhammad Osama · Answer

I am assuming that you would already have a default policy in place which would be matching ALL your AD users and which would be denying access to certain websites/applications and you want to give a certain group of people access to some of the websites/applications that this default policy is blocking (If you do not have any such policy in place please have one as this is one of the best practices) 
 In this scenario the best practice would be to create a group of AD users you want to exempt. Then make a rule which states "Match known users" to the group you created earlier. Then have this rule ABOVE your default policy and not the deny all rule. This is because the XG (or any firewall for the matter) matches rules based from top to bottom. So the rule at the top get processed first. Whenever the firewall receives a packet from the LAN its going to go through these rules and the FIRST rule that packet matches the firewall is going to process it according to that and will stop processing further rules. So if this new rule is below the default policy then ALL AD users, even the AD user group you want to exempt, will get matched to this rule and the exemption rule will never get processed since its below the default rule. Best practice is to keep more specific rules (rules matching a specific mac address, host, user, IP) at the top of the firewall rules and the broader and less specific (rules applying to a bigger group of users, or the whole subnet) at the very bottom.