Policies

With web policies, you can create rules to control end users’ web browsing activities.

Policies take effect when you add them to firewall rules. The default set of policies specifies some common restrictions. You can modify one of the default policies to fit your requirements or create new policies.

  • To edit a policy, find the policy you want to change and click Edit.
  • To test and troubleshoot policies, click Policy test.

Policy rules

Rules specify the following criteria:
  • Users to whom the rule applies.
    Note: Users specified by firewall rules take precedence over those specified by policies.
  • Activities that describe the type of usage to restrict. These include user activities, categories, URL groups, file types, and dynamic categories.
  • Content filters to restrict web content that contains any terms in the lists specified.
  • An action to take when the firewall encounters HTTP traffic that matches the rule criteria.

You can also specify a separate action for HTTPS traffic and set a schedule for the rule.

The firewall evaluates rules from highest to lowest. For example, if a rule that allows all traffic precedes a rule that blocks a specific type of traffic, the rule that allows all traffic is the effective rule.

Note: For a rule to be effective, it must be on.
  • To turn on a rule, click the Status switch.
  • To add a rule to a policy, click Add.
  • To clone a rule, click Clone.
  • To position rules within a policy, click and drag the Rule handle.

Positioning rules

The following policy includes a separate rule for .mdb files. Because the rule is positioned above the rule for database files — which itself includes the .mdb file type — the policy allows access to .mdb files and blocks all other database files.
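
The ordering behavior described above can be checked with a small model. This is an added example, not code from the product: it reduces a rule to a set of file types, an action, and the Status switch, ignores users, schedules, and content filters, and assumes an "allow" fallback when no rule matches. The rule names and the file types in the database group are constructed. It also reports rules that are on but can never be the effective rule because rules above them already cover everything they match.

```python
from dataclasses import dataclass

ANY = "*"  # stands for "all traffic" in this simplified model

@dataclass(frozen=True)
class Rule:
    name: str
    file_types: frozenset  # activities, reduced here to file types
    action: str            # "allow" or "block"
    on: bool = True        # the Status switch

def evaluate(policy, file_type, default="allow"):
    """Return (action, rule name) for the first rule that is on and matches."""
    for rule in policy:
        if rule.on and (ANY in rule.file_types or file_type in rule.file_types):
            return rule.action, rule.name
    return default, None  # assumed fallback when no rule matches

def shadowed(policy):
    """Names of rules that are on but can never be the effective rule."""
    covered, hidden = set(), []
    for rule in policy:
        if not rule.on:
            continue
        if ANY in covered or rule.file_types <= covered:
            hidden.append(rule.name)
        covered |= rule.file_types
    return hidden

# Constructed sample data: the file types in the database group are illustrative.
DATABASE = frozenset({".mdb", ".accdb", ".sqlite"})
allow_mdb = Rule("Allow .mdb", frozenset({".mdb"}), "allow")
block_db = Rule("Block database files", DATABASE, "block")
allow_all = Rule("Allow all", frozenset({ANY}), "allow")

as_documented = [allow_mdb, block_db]   # .mdb rule positioned above
reversed_order = [block_db, allow_mdb]  # .mdb rule can never match
allow_first = [allow_all, block_db]     # block rule can never match

if __name__ == "__main__":
    for label, policy in [("as documented", as_documented),
                          ("reversed", reversed_order),
                          ("allow-all first", allow_first)]:
        print(label, evaluate(policy, ".mdb"), evaluate(policy, ".accdb"),
              "shadowed:", shadowed(policy))
```

A non-empty result from `shadowed` is the signal to review rule positions: the listed rules are on but have no effect on traffic.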

Policy quota

Using time quota, you can allow access to restricted websites for a limited period. This applies to all the restricted web categories in the policy with a quota action. Time quota applies to all the rules in the web policy. Users can have individual quotas for each web policy.

When you make a change to the quota, the change isn't applied if the web policy is invalid, the user has no time quota left, or the user has an active quota session in the web policy.

Quota details:

  • When the quota traffic matches an SSL/TLS inspection rule that has action set to Deny, the quota won't take effect and the website continues to be blocked. To prevent this, go to Web > Exceptions, and create an exception to skip HTTPS decryption for the matching criteria.
  • To see the remaining quota and to reset it, go to Web > Policy quota status.
  • To customize the quota notification page, go to Web > User notifications.

Policy overrides and Time quota: Instead of using their quota, users who're allowed to override web policies can sign in to the user portal and grant themselves temporary access to websites that would normally be blocked by a web policy. When they use policy override, quota doesn't apply.

User action: When users try to access a page restricted by time quota, a quota block page appears. They can specify the quota they want to use and select Proceed. If they don't want to use their quota, they need to select Return to previous page. The block page reappears at the end of the period. When users exceed their quota, a message appears that no time quota remains.