Do you have different 'groups' of users who need different levels of access to websites? We've seen it happen in many different organizations: Marketing needs access to Twitter and Facebook, but leaving these open drives productivity down in other departments. Maybe you want to apply application settings unevenly in your environment: don't use SSL Inspector for Android devices, for example, or only present the Captive Portal capture page to users who haven't authenticated yet.
Whenever the question is 'how do I make an exception to my normal network policy?', the answer is Policy Manager.
There are two steps to this process - creating a new policy and sending users to that new policy. The instructions below will walk you through setting up an additional policy and sending users to it.
Click an item to jump directly to that section.
Creating and Configuring a New Policy
- Click Settings on Policy Manager, then click the Policies tab.
- Click Add Policy to add a new policy.
- Give it a name, description, and set the Parent to "Default Policy". Click Add, then Save in the lower-right corner of the main window.
- Click Back to Apps to return to the main policy view.
- Near the top there will be an entry that says Default Policy with an arrow by the side, click this arrow and select your new policy.
When viewing your new policy, you'll notice you cannot click Settings on the applications because they are grayed out. This is because this is a "child" policy; all settings in these applications are being copied from the "Parent" you set in Policy Manager.
- Click Install Apps > Web Filter, which will install a new instance of Web Filter into this policy (overriding the one from its parent, the Default Policy) and allow you to configure it.
At this point, all "grayed-out" apps are copying their configuration from the Default Policy while the Web Filter settings only come from this instance of Web Filter. This enables you to keep settings for virus scanning and spam blocking the same between policies and only change web filtering settings, which is by far the most often use case - simply configure Web Filter to allow the sites you want and save.
Policy configuration is done - as soon as you send users to this policy they will start being filtered by the new rules. Now you'll need to set up policies to get users to that policy: we'll go over how to do that next. We've covered the two most common methods, however there are many more options such as policies by interface as well as having time-based policies which let you do things like allow social networking sites for all employees during lunch only. Feel free to explore once you get the hang of it!
Creating Policies Based on IP Address
Setting users to either static IPs or static DHCP entries is a good idea if you're going to set up policies by IP.
- Click Settings on Policy Manager, then click Add under the Rules tab.
Clicking the image above will load it, full-size, in a new window.
- Give a description, like "Move Marketing to Allow Facebook", then click the Add Condition button to start adding conditions.
- For Type select "Source Address" and in the Value field include the IP(s) you want going through the new rack - you can enter single IPs (192.168.1.10), ranges (192.168.1.10-192.168.1.15), or use CIDR notation (192.168.1.0/24).
More specific information on syntax is available here.
- Once you enter the IP(s), choose what policy to send them to in the "Target Policy" entry near the bottom, then click Done and Save.
Creating Policies Based on Username or Group
Using Directory Connector or Captive Portal with Policy Manager will allow you to create policy rules by username or group name. User name and group name are both available when used with Active Directory; only user name is available when used with NG Firewall's built-in Local Directory.
To send users to a policy by username, simply follow the instructions above and select the "Directory Connector: User in Group" or "Username" condition instead of "Source Address" in your policy rule.