Web/Application Policies by User/Group

Carlos,

XG uses certralization concept so everything is managed by firewall rules. For web traffic you can create one rule per each users/group or one firewall rule for all users/groups and create a unique web profile. Under web menu indeed, you can create one profile and apply different policy to different users.

Do some test before going in production so you can take confidence with it.

Regards

Hi Luk, thank you by your answer. 

Well.. but now I 'm a bit confused. When you say "For web traffic you can create one rule per each users/group or one firewall rule for all users/groups and create a unique web profile. Under web menu indeed, you can create one profile and apply different policy to different users."

"For web traffic you can create one rule per each users/group" .. Did you mean Firewall rule ? 

"Under web menu indeed, you can create one profile and apply different policy to different users." .. Where I found it ? I did not found Profile option.

Could you please post some screenshots to explain about these options that you suggest ?

Best regards

Carlos

Hi Luk, thank you by your answer. 

Well.. but now I 'm a bit confused. When you say "For web traffic you can create one rule per each users/group or one firewall rule for all users/groups and create a unique web profile. Under web menu indeed, you can create one profile and apply different policy to different users."

"For web traffic you can create one rule per each users/group" .. Did you mean Firewall rule ? 

"Under web menu indeed, you can create one profile and apply different policy to different users." .. Where I found it ? I did not found Profile option.

Could you please post some screenshots to explain about these options that you suggest ?

Best regards

Carlos

There are two different things you can do:

You can do user matching within the firewall rule.  Then each firewall rule can apply to a different Web Policy.  You need one Web Policy for each different type of access level, and in each Web Policy just set leave the rules applying to Everyone.  You can create separate firewall rules, one for each user/group that you want to sent to a unique policy.  Though it uses more objects it can be more straightforward to read a web policy and know exactly how it applied.  This is familiar to Cyberroam users and takes advantage of the "User aware next generation firewall".

The other option is to create a single firewall rule that applies to everyone.  It goes to a single Web Policy.  Within the web policy you specify on a rule by rule basis which rules apply to which groups.  This uses fewer objects and puts all the complexity into the Web Policy rules.  This is more familiar to how the UTM works, by putting user awareness into the proxy.  Whether the firewall rule should "Match known users" depends a bit on how you do authentication.

You can of course also do a mix.

Hi Michael,

Thank you by clarify me.

I think that I will usage the fist option, each firewall rule to each users/groups, because I have appplication filters specific to each group, and maybe te second option is more specific to Web Filtering.

But about the second option, when you say "Within the web policy you specify on a rule by rule basis which rules apply to which groups. " is it related the image attached ? need I choose the group/user in each policy/action ?

Best regards

Carlos

Carlos,

as Michael and I explained, you have 2 ways to implement web filters.

On the screenshot you attached, you have to create a Policy and you can add uses inside the policy and for each user/group you can attach an activity and action. Once you have configured that policy, apply that policy inside the Firewll rule and enable "match know users".

If you the configuration is not clear for you, do some test.

Regards