Skip to content


For a Web Gateway policy, you can configure allow and block rules, and trusted domains and IP addresses.

To change the filtering settings, in the Web Gateway policy, click Settings to show the Filtering options.

Category Filtering

Use this to control which websites your users are allowed to visit. You can set options for security categories or productivity categories.

For more information on how Sophos filters websites see Sophos Web Security and Control Test Site.

Security Categories

Use this section to configure access to websites that are known to be high-risk. You can choose these options:

  • Block risky downloads: This will block all high-risk websites.
  • Block All: This blocks all traffic categorized as security.
  • Custom: Lets you choose which categories you want to Allow, Audit, Warn or Block.

To see the effect of an option on various categories of websites and downloads, click View Details.

Productivity Categories

To see the effect of an option on various categories of websites, click View Details.

  • Keep It Clean: Prevents users from accessing adult and other potentially inappropriate or controversial websites.
  • Audit Potential Risks: Allows administrators to flag events where users visited adult, controversial or data sharing websites that could be a potential risk. The user is not shown any type of warning.
  • Conserve Bandwidth: Blocks inappropriate browsing and site categories likely to consume high bandwidth.
  • Business Only: Only allows site categories that are generally business-related.
  • Block Data Sharing: Blocks any website associated with data sharing activities. This helps prevent data loss.
  • Custom: Lets you choose which category groups or individual categories of sites you want to Allow, Audit, Warn or Block.

Web Filtering

Use this to control access to websites that you have "tagged", that is, put into your own categories, in Settings > Website Management.

  1. Select Web Filtering .
  2. Click Add New (on the right).
  3. Select your Website Tag and set the Action to one of the following options.
    • Allow allows access to the website.
    • Audit allows access to the website, but associates an Audit action with the website so that you can filter and report on these events.
    • Warn displays a warning to the user, but allows them to proceed to the website if they decide they want to.
    • Block denies access to the website and shows the user a block page (which you can customize).


In Website Management, you can change the category a website is in, but Web Gateway does not currently support such changes.

Data Filters

Use this to specify keywords and regular expressions that should be identified and used for filtering web pages.

To set up a filtering rule:

  1. Select Data Filters .
  2. Click Add New (on the right).

    The Add Data Filter dialog is displayed.

  3. Enter a Name for the rule.

  4. Choose whether to Allow, Audit, Warn or Block the content once a rule is matched.
  5. Choose whether the filter applies to Download, Upload or Both.
  6. Select the Type:
    • Manual. If you select this, enter a Keyword and a Count (number of occurrences).
    • Template. If you select this, choose a template from the drop-down list.

The rule is applied when all the conditions of the filter are met.


Data filters apply to all content including web pages, files (.pdf, .doc, .xls, and so on), and more. Data filters do not apply to HTTPS content if SSL decryption has also been enabled.

Web Safe Mode

Use this to help restrict access to inappropriate images or videos.

  • Enable Google SafeSearch. This helps to block inappropriate or explicit images from Google search results.
  • Enable YouTube restricted mode. This hides videos that may contain inappropriate content (as flagged by users and other criteria).

SSL Scanning

Use this to configure whether web pages should be decrypted to identify potential malware or content that should be filtered. You can select SSL scanning for:

  • Risky websites.
  • Search engines and social media.
  • Let me specify. This lets you set options for each category of website.

For each category, you can specify whether to scan all sites in the category, or select Let me specify again to select which subcategories to scan.


This is an automated process so no additional certificates need to be deployed. All SSL decryption is performed with a Sophos CA.

Trusted Destination IPs & Domains

Use this to specify IP addresses and domains for which traffic will not be routed through the Web Gateway. Instead that traffic will go directly to the internet.


A port does not have to be specified. If you do not specify one, it is assumed that this rule will be applied on ALL ports.

Trusted Source IPs

Use this to specify source IP addresses and subnets where traffic will not be routed through the Web Gateway.

When the Web Gateway agent is on the specified IP address or subnet, Web Gateway will not run. This setting is often used for known safe networks where network security is already in place.

Back to top