This discussion has been locked.

Web Filtering: Merge multiple filter actions

 Hello everyone,

 

I searched the web and the community for this the whole morning, now I joined the community to see if someone can help me with my task.

 

We are using a transparent proxy, no SSO auth, just URL filtering. We blocked some pages that we do not want to be available in the office. At the moment, we only have one filter action with multiple settings. 

What we want to do: we want to use this filter action for all our clients, but we want to add one additional rule for our terminal servers. To be specific: the users shall have the same restrictions when using their client or the terminal server, but in addition to that, we want to prevent that they use Skype WebApp on the server, so we want to block this site, too, only if the traffic is originating from this server.

 

I could not clone our default filter action and add the block to the Skype URL. But this would mean that every time I adjust the main rule I would have to do this on the new rule, too. Is there any way to "merge" the usage of two filter actions?

 

For now I only found topics in the community stating that only one profile can be used at a time for one system. I am afraid it is the same with filter actions, but I thought I would give it a try...

 

I appreciate any help!

 

Thanks

 

Regards,

 

Tobias



  • Hi Tobias,

    maybe website tagging might be helpful for you.

    Go to Web Protection -> Filtering Options -> Websites

    Create a new site.

    Then enter the URLs here you want to block and create the tag block.

    When you are finished with this go to your webfilter profile policies and modify your filter action.

    Under websites put the tag block and set the action to block

    With this option you only have to put the block tag to your filter action.

    With every "new site" under the filtering option that has the tagging block, the action would be set to blocking.

    Best Regards
    DKKDG

  • Hi,

    thank you for your answer. But if I understand correctly, this would not solve my specific use case:

     

    I have a Filter Action A, and a Filter Action B. 

    Filter Action A is regulating a lot of traffic (no Facebook, no Shopping...), Filter B is just blocking one specific page.

    Now I want that my Default Profile is using Filter Action A. And another profile only for a specific server should use Filter Action A, but also block the site in Filter Action B. 

     

    What I want to avoid is recreating the "default part" of my filters for this specific group. I am thinking like ActiveDirectory Group Policy: the Default policy sets the wallpaper, and a department specific GPO underneath that is installing a specific software. But I want this subordinate department also getting the default wallpaper...

     

    Do you understand what I need? I realise that I have problems articulating it properly...

  • Hallo Tobias and welcome to the UTM Community!

    You need to understand how Web Filtering is configured to do what you want.  Policies are not additive since they are members of an ordered list.  In WebAdmin, as soon as an item is matched, no further members of the list are considered.  A Policy can only use a single Filter Action, so Filter Actions also cannot be used in an additive way.

    Simply delete your Filter Action B, clone Filter Action A and modify the clone to include DKKDG's suggestion.  Use the new Filter Action in the Profile for the server.  The Profile for the server must be above any other Profile that applies to the subnet of the server.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    yes, your suggestion would work. My question was, if there is any method to achieve additive Filter Actions - this question was answered by you.

     

    I wanted to avoid cloning the main rule, because every time I change something in this rule, I would have to do it twice (if I will one day need a third rule, I would have to do every change three times) - this is how misconfigurations can occur.

     

    But the question is answered, I will either clone the rule or I will look for a different way, maybe a PacketFilter.

     

    Thank you DKKDG and Bob for your clarification

  • FYI (and I know this is completely unhelpful) this is how the Sophos Web Appliance works - it is additive.

     

    What about this:

    Categories - First of all, realize that "Category" is often actually a group of categories, which can be managed.  Go to Filtering Options, Categories, and create a new category called "My Blocked Categories" and put in all the categories you want to block.  Now go to both of your filter actions, set My Blocked Categories to Block and leave everything else as Allow.  Now if you ever want to block an additional category, add it to My Blocked Categories and it automatically updates both.

    Websites - Do not use the "Block these Websites" and "Allow these websites".  Instead create a tag "My Blocked Tags" and "My Allowed Tags" and in the Filter Action set them to Allow and Block.  Now when you add websites to the tags, it automatically adds it to both Filter Actions.

    Downloads - Unfortunately there is no global place where you can set an object and reuse it for file extensions and mime types.  However there is on each of those lists an Import and Export, which allows you to manage the entire list as one cut&paste rather than each line individually.

    Antivirus and Additional Options - No way to share or copy these.  However once configured they almost never change.

    After the first month and things have settled down, 95% of changes that need doing are with allowing and blocking individual sites, which can be done purely with tags and therefore apply to both filter actions.  Which means, that all most people really need is to use tags in the Websites, they don't even need to mess with custom groups of categories.

     

     

    Another option would be that if everything that is different can be done as a single Tag then whenever you make a change to your base, just clone it, update the clone with the tag, and then use the new clone.  Basically if you make it so there is a one-line difference then it becomes easier to just re-clone and re-modify.
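
Added example, not part of the original thread and not Sophos code: a small Python model of the first-match profile list Bob describes and the shared-tag approach Michael suggests, plus a check for a server profile that is shadowed by a broader one placed above it. All profile names, tag names, addresses and hostnames are constructed placeholders, and the model assumes exact hostname matching and that unmatched traffic is allowed.

```python
import ipaddress

# Constructed sample data; every name, address and hostname is hypothetical.
TAGS = {
    "My Blocked Tags": {"social.example", "shop.example"},
    "TS Only Block": {"skype-webapp.example"},  # placeholder for the Skype WebApp site
}
# A filter action lists the tags it blocks; the clone differs by one tag only.
FILTER_ACTIONS = {
    "Default": ["My Blocked Tags"],
    "Default (TS clone)": ["My Blocked Tags", "TS Only Block"],
}
# Ordered profile list: (name, source network, filter action).
PROFILES = [
    ("Terminal Server", "10.0.0.50/32", "Default (TS clone)"),
    ("Office LAN", "10.0.0.0/24", "Default"),
]

def decide(src_ip, host, profiles=PROFILES):
    """First matching profile wins; later profiles are never consulted."""
    ip = ipaddress.ip_address(src_ip)
    for name, net, action in profiles:
        if ip in ipaddress.ip_network(net):
            blocked = any(host in TAGS[t] for t in FILTER_ACTIONS[action])
            return name, "block" if blocked else "allow"
    return None, "allow"  # assumption: traffic matching no profile is not filtered

def shadowed(profiles=PROFILES):
    """Names of profiles that can never match because an earlier,
    equal or broader network already covers their whole source range."""
    hidden = []
    for i, (name, net, _) in enumerate(profiles):
        own = ipaddress.ip_network(net)
        if any(own.subnet_of(ipaddress.ip_network(p[1])) for p in profiles[:i]):
            hidden.append(name)
    return hidden

if __name__ == "__main__":
    print(decide("10.0.0.50", "skype-webapp.example"))  # terminal server
    print(decide("10.0.0.23", "skype-webapp.example"))  # ordinary client
    print(shadowed(list(reversed(PROFILES))))           # wrong ordering
```

Adding a hostname to the shared tag changes the verdict for both filter actions at once, while reversing the profile order silently drops the terminal-server block, which is what `shadowed` reports.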

  • Excellent suggestions, Michael.  Much more helpful than my explanation of how things work.  You're right that a tagging approach would have been easier for him and I bet that's what he does the next time.  I marked your post as an answer.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob is right - I will definitely build up a concept with tags like Michael suggested. This is still not exactly what my lazy mind was thinking, but it is the best approach to come to the same result.

     

    Thank you all for your help!