Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=web-control-access-websites

Control access to websites

Many organizations need to control access to certain categories, and often the access varies according to user group.

For example, you may want to allow some users to access websites blocked by the default workplace policy.

Objectives

When you complete this unit, you'll know how to do the following:

  • Create a group of users for whom you want to allow access to categories
  • Add a policy that permits access to categories
  • Create a firewall rule for the policy and specify users
  • Position the firewall rule

Create a user group

To allow a group to access some categories blocked by the default workplace policy, create a group that allows unlimited access.

  1. Go to Authentication > Groups and click Add.

  2. Specify the settings.

    Name Description
    Group name Research
    Surfing quota Unlimited internet access
    Access time Allowed all the time

  3. Click Save.

Create a policy that allows access to categories

Create a policy that allows access to some categories blocked by the default workplace policy.

  1. Go to Web > Policies and click Add policy.

  2. Specify the settings.

    Name Description
    Name Web categories

  3. Click Add rule. The firewall creates a default rule at the top of the rule hierarchy that blocks all HTTP traffic for all users. By default, the rule is turned off.

    Default rule.

  4. Move the pointer over the Activities field, click the activity (All web traffic), and click Add new item.

    Add activity.

  5. Clear the All web traffic check box.

  6. Click Show only and select Web category.

    Select web category.

  7. Select categories and Apply selected items.

    Select the web categories.

  8. Move the pointer over the Action field, click the Action indicator, and select Allow HTTP.

    Allow HTTP.

  9. Click the Status switch to turn the rule on.

    Turn the rule on.

  10. Click Save.

Create a firewall rule and apply the policy

Your configuration contains a rule that blocks access for all users for the Default workplace policy. However, you want to add a rule that allows some users to access some categories that are blocked by the default policy. You create a rule for those users and move it to the top of the list.

  1. Go to Rules and policies > Firewall rules. Select IPv4 or IPv6 and select Add firewall rule.

  2. Specify the settings.

    Name Description
    Rule name Web research group
    Source zones Any
    Destination zones Any

  3. Scroll down to the Identity section and click Add new item.

    Adding users and groups.

  4. Clear the Any check box, select Research, and click Apply selected items.

    Add group.

  5. Scroll down to the Advanced section and select the Web categories policy.

    Select a web policy.

  6. Click Save. The firewall adds the rule below the rule for the Default workplace policy. Because you want the firewall to process the rule for the web research group first, you move it to the top of the hierarchy.

  7. Click the drag handle of the rule for the web research group and drag the rule to the top of the list.

    Drag the rule handle button.

    The web research group rule will be processed first. Any traffic that matches the rule criteria (user group and categories) will be permitted. Traffic that matches users and categories in the default rule will be blocked.

    Repositioned rules.

More resources