Skip to content

Add a web policy

  1. Go to Web > Policies and click Add policy.
  2. Enter a name.
  3. Add rules. For instructions about how to add rules, see Add a rule to a web policy.
  4. Scroll to Search engine enforcement and specify settings.

    Name Description
    Enforce SafeSearch Prevent potentially inappropriate images, videos, and text from appearing in Google, Yahoo, and Bing search results. You can reduce the risk of exposure to explicit content by enabling additional filters that show only images with a Creative Commons license.

    Note: For Bing and Yahoo, you can enforce SafeSearch on HTTPS connections only if you turn on HTTPS scanning in the firewall rule.
    Enforce YouTube restrictions Prevent access to potentially inappropriate content by restricting such content in YouTube search results.
  5. Scroll down to Policy quota status and select the allowed time quota.

    Using time quota, you can allow access to restricted websites for a limited period. This applies to all the restricted web categories in the policy with a quota action. Time quota applies to all the rules in the web policy. Users can have individual quotas for each web policy.

    Create a web policy with a rule for the categories Online shopping and Unproductive browsing with Action set to Quota HTTP and Quota HTTPS. You then set Allowed time quota to two hours. The users specified in the rule can access websites in these categories for two hours in a 24-hour period.

    However, if you want to set individual time quotas for the two categories, you must create two web policies.


    You can't set the quota to zero. Time quotas are reset at midnight local time.

    Quota doesn't apply to Activities set to a content filter or dynamic categories. Example: Web content with ActiveX, applets, cookies.

  6. Scroll to Advanced settings and specify settings.

    Name Description
    Enable logging and reporting Include this policy in logs and reports.
    Prevent downloading of large files Prevent downloading files greater than the size specified.
    Add X-Forwarded-For header to outgoing HTTP requests Add this header to pass on the IP address of the original HTTP request.
    Restrict login domains for Google Apps Allow users to sign in to Google Apps (example: Gmail, Drive) only with the domains specified. For example, you can allow users to access these services only through their corporate Google account.
    Apply Microsoft Azure AD tenant restrictions Allows Azure AD to enforce tenant restrictions. Specify tenants in the following fields:
    Restrict-Access-To-Tenants: A comma-separated list of tenants you want to allow users to access. You can use the domain name or the domain ID to identify the tenants.
    Restrict-Access-Context: The domain ID of the tenant that is setting the restrictions.
  7. Click Save.

For the policy to take effect, add it to a firewall rule.

More resources