Web Filtering Changes
As of the 9.2 release, Sophos UTM on AWS includes a new simplified interface for creating and managing your web filtering policies. While the interface has changed considerably, functionality has not changed. All of your existing settings have been preserved and if you make no changes the system will behave in the exact same way.
Previously, complex web policy involved creating web filtering profiles. These consisted of filter actions, created on the Filter Actions tab, which were then assigned to users and groups through filter assignments on the Filter Assignments tab, and then configured on the Proxy Profiles tab. Now, you can configure all aspects of your web filtering policy, including your default configuration and advanced filtering profiles from the Web Filtering > Policies tab.
Note – Take some time to familiarize yourself with the new interface and read the following overview. While it is different than previous releases, it should be much easier to create and maintain complex web policies.
Some Key Differences
- In 9.1 there were several tabs containing global options that were under Web Protection > Web Filtering. These tabs have moved to Web Protection > Filtering Options.
- In 9.1 a proxy profile had filter assignments, which allowed you to select different filter actions based on criteria. These are now called filter profiles with policies, which are presented in a table on a second tab of the profile.
- In 9.1 the default profile only supported a single filter assignment (called the default assignment). Now you can have many policies within the default profile.
- In 9.1 every profile had a fallback action. This is now called the base policy, however the functionality is the same. The base policy contains the filter action that is used if no other policies match.
- In 9.1 you created filter actions using multiple tabs on the default profile, and a very tall scrolling region for any additional. Now the creation of all filter actions is done with a multi-tabbed dialog, the Filter Action Wizard.
The following is a brief overview of how you perform common tasks in 9.2 and later compared to the 9.1 interface.
|How do I:||9.1||9.2|
Edit the default policy?
Configure the various tabs under Web Filtering:
|Web Filtering > Policies|
|Create or edit a proxy profile?||Web Filtering Profiles > Proxy Profiles||
Web Filtering > Web Filtering Profiles
|Assign a filter assignment to a proxy profile?||
|Add a website to a blacklist in my default filter action?||Web Filtering Profiles > Filter Assignments||On Web Filtering > Policies, when creating or editing a policy, click the green Plus icon next to Filter Action.|
|Create a new filter action for my filter assignment?||Web Filtering > URL Filtering and click the green Plus icon next to Additional URLs/Sites to block||
|Modify advanced settings?||Web Filtering > Advanced||Filtering Options > Misc|
|Manage trusted HTTPS CAs?||Web Filtering > HTTPS CAs||Filtering Options > HTTPS CAs|
When you upgrade to version 9.2, your previous configuration and settings are preserved and your system will continue to behave the same. However, as the user interface has changed considerably, things may not be where you expect them to be. The Web Filtering menu item contains all the settings you need to apply a set of policies and actions to a single set of allowed networks. The Web Filter Profiles menu item contains corresponding settings, but allows you to create multiple profiles so you can apply different settings to different networks. All global settings are now on tabs on the Filtering Options menu item.
Some objects have been renamed. For example, Proxy Profiles are now Filter Profiles and Filter Assignments are now Policies. The Fallback Action is now called the Base Policy, as it is the policy/action that occurs if no other policies match. The relationship between these objects is much clearer, as all Policies are now listed on a tab of the profile. The Filter Action can be added or modified using a pop-up tabbed dialog that contains everything that can be configured for an action.
One of the limitations of 9.1 is that the default profile could only have one set of users assigned to it. This has been migrated to a policy called Default content filter profile assignment with a migrated filter action called Default content filter action. If you had other filter assignments created, these will now appear as disabled policies in the profile.
In 9.1 if you had created a profile just so that you could have multiple assignments you can simplify your configuration by enabling those policies in the default profile in the first menu option, making sure that your Allowed Networks is correct, and then deleting the now unnecessary additional profile.