
Server Web Control Policy

Web control policies let you control access to certain categories of websites.

About web control

There are two types of web control policy:

  • Web profile. This type uses our new web filtering profiles.
  • Classic settings.

Both policy types let you block, allow, or warn about categories of websites or custom lists of websites.

Web profile policies have the following additional features:

  • They can control access to new "Productivity" website categories.
  • They can control access to Generative AI websites.

You can have policies of both types, depending on your needs and whether your devices support them.

Web profile policies are currently only available for Windows devices.

Default policy

If you're new to Sophos or haven't created custom policies, a "Base" web control policy applies to all your devices.

The policy has settings for both Classic settings and Web profiles.

  • By default, classic settings are turned on with recommended settings. These settings are initially used for all devices.
  • By default, web profiles are turned off.

If you turn on Web profile, the base policy automatically tries to use web profile settings for any device that supports them. However, you must create a profile or profiles first. See Web filtering profiles.

If the base policy fails to apply web profile settings to devices, it applies the classic settings instead.

You can edit both web profile settings and classic settings in the base policy. However, in any additional policies you create, you can only configure one or the other.

Requirements

Web control policy requirements are as follows:

  • Policies with web profiles are only available for Windows devices running Sophos Endpoint 2026.1 or later.
  • You must turn on decryption of HTTPS websites to receive warning messages through the web control policy. See SSL/TLS decryption of HTTPS websites.

Restrictions

The following restrictions apply to web control policies:

  • Web Control settings apply only to Windows servers.
  • Web Control settings don't apply to websites you've excluded from checks for threats. See Server Threat Protection Policy.

Create a policy

This section tells you how to create and configure a policy of either type: web profile or classic settings.

You can only include settings for one policy type in each policy.

Follow the instructions below for the policy type you want.

To create a web profile policy, do as follows:

  1. Go to My Products > Server > Policies.
  2. Click Add policy in the upper right.
  3. In the Add policy dialog, in Feature, select Web Control.
  4. Enter a Name for the policy.
  5. On the Servers tab, assign the policy. Select servers in the Available Servers list and move them to the Assigned Servers list.

    Adding servers to the Assigned Servers list.

  6. Click the Settings tab.

  7. Turn on Web Control.
  8. Select Web profile as the policy type.

    "Settings" tab showing "Web profile" selected.

On the Settings page, you see the settings shown below. Configure them as described in the sections below.

Web profiles policy settings.

Choose a web filtering profile

You need to set up your own web profiles before you can use profiles. We don't provide default profiles.

Your profile is where you set up filtering by website categories or by site lists. See Web filtering profiles.

To choose a profile, do as follows:

  1. Select a profile.

    Your policy uses this profile by default. You can change it later.

  2. (Optional) Select Apply different profiles at different times and set a schedule.

    Your policy can use multiple profiles as long as they're used at different times.

Risky file types

  1. Turn on Risky File Types.
  2. Select one of the following actions:

    • Recommended: This gives you recommended settings. Click View More to see a list of file types and the action we'll take for each.
    • Allow: Allows all risky file types.
    • Warn: Warns the user that a file may be risky before they can download it.
    • Block: Blocks all risky file types.
    • Let me specify: This lets you set an action for individual file types. Click View More, then select Allow, Warn, or Block next to the file type.

Note

You can only configure actions for risky file types that are already listed. You can't add more risky file types.

Log web control events

Select Log web control events to log attempts to visit blocked websites or websites for which we display a warning.

Note

If you don't turn on logging, only attempts to visit infected sites will be logged.

To create a classic settings policy, do as follows:

  1. Go to My Products > Server > Policies.
  2. Click Add policy in the upper right.
  3. In the Add policy dialog, in Feature, select Web Control.
  4. Enter a Name for the policy.
  5. On the Servers tab, assign the policy. Select servers in the Available Servers list and move them to the Assigned Servers list.

    Adding servers to the Assigned Servers list.

  6. Click the Settings tab.

  7. Turn on Web Control.
  8. Select Classic settings as the policy type.

    "Settings" tab showing "Classic settings" selected.

Now configure the settings as described in the sections below.

Filter website by category

You can control access to websites that may be inappropriate. For each website category, select one of the following actions:

  • Allow: Allows all websites in this category.
  • Warn: Warns the user that a website may be inappropriate.
  • Block: Blocks all websites in this category.

Log web control events

Select Log web control events to log attempts to visit blocked websites or websites for which we display a warning.

Note

If you don't turn on logging, only attempts to visit infected sites are logged.

Control sites tagged in Website Management

You can put websites into your own custom categories by "tagging" them, and then use a Web Control policy to control sites in each category.

In-product workflow

To tag websites and control them, do as follows:

  1. Click the Global Settings icon.
  2. Go to Protection and Remediation > Web Settings, and click Website Management.
  3. Click Add.
  4. In Add Website Customization, enter a website and add a tag. You can either type in a new tag name, or select a tag you've used before. You'll see suggested tags when you start typing.

    If you exclude a domain, you automatically exclude all of its subdomains. For example, if you exclude http://google.com, you also exclude http://www.google.com and http://foo.google.com.

    You don't need to use any wildcards or special characters.

  5. Click Save.

  6. Go to My Products > Server and click Policies.
  7. Under Web Control, select a policy.
  8. Click the Settings tab.
  9. In Control sites tagged in Website Management, click Add New.
  10. In Add Website Tag, do as follows:

    1. Select the website tag you created.
    2. Choose the Action you want to take against websites.
    3. Click Save.
  11. On the Settings tab, click Save.
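
Because a tagged domain also covers its subdomains, entries in a tag list can overlap without any wildcard being typed. The following sketch is an added example, not Sophos code: it checks a constructed list of (website, tag) pairs for such overlaps and shows which entries cover a given URL. It assumes "subdomain" means a whole-label DNS match, and it only reports overlapping tags, because this page doesn't say which tag takes effect; the function names and sample entries are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample of Website Management entries: (website, tag).
TAGGED_SITES = [
    ("http://google.com", "search"),
    ("mail.google.com", "webmail"),
    ("example.org", "partners"),
]


def host_of(entry):
    """Lower-case host name of a URL or bare domain ('' if none)."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "//" + entry          # let urlsplit see a network location
    return (urlsplit(entry).hostname or "").rstrip(".").lower()


def covering_entries(url, tagged=TAGGED_SITES):
    """Tagged entries whose domain equals the URL's host or is a parent of
    it, most specific first. Matching is on whole DNS labels (assumption)."""
    index = {}
    for site, tag in tagged:
        index.setdefault(host_of(site), []).append(tag)
    host = host_of(url)
    if not host:
        return []
    labels = host.split(".")
    hits = []
    for i in range(len(labels)):      # foo.google.com, google.com, com
        candidate = ".".join(labels[i:])
        hits.extend((candidate, tag) for tag in index.get(candidate, []))
    return hits


def overlapping_tags(tagged=TAGGED_SITES):
    """Entries also covered by a parent entry that carries a different tag."""
    overlaps = []
    for site, tag in tagged:
        for parent, parent_tag in covering_entries(site, tagged):
            if parent != host_of(site) and parent_tag != tag:
                overlaps.append((host_of(site), tag, parent, parent_tag))
    return overlaps


if __name__ == "__main__":
    for url in ("http://foo.google.com/x", "http://notgoogle.com"):
        print(url, "->", covering_entries(url))
    print("overlaps:", overlapping_tags())
```

Review any pair that `overlapping_tags()` reports before assigning different actions to the two tags in a policy.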

For more information on how Sophos filters websites, see Sophos Web Security and Control Test Site.