About the Content Filtering Rule Editor
The Symantec Web Security Service Content Filtering Rules policy editor allows you to accomplish the following:
- Create custom rules that, based on who requested it, allow or block access to web content.
- Quickly define global policy, or rules that apply to every employee that is not explicitly allowed or blocked by a custom rule.
To view the Content Filter Rules policy editor, in Solutions mode, select Content Filtering > Policy. The Policy Rules matrix comprises five columns—an Order column and four policy constructs—and a series of rows. The following sections describe how to interpret the editor and create new rules.
Content Filter Policy Construct
Policy Rules columns provide options for four constructs that shape the purpose of the rule.
By Column name—
- Sources—Applies to content requests. Users, Unauthenticated Users, Groups, IP addresses/Subnets, fixed Locations, WSS Agents, Mobile Users, and Geolocations (if your account has the license). The default is Any.
Destinations—Applies to requested content Categories, Web Applications, IP addresses/Subnets, Domains/URLs, and Geolocations. The default is Any.
Tip: See About Geolocation Policies for more details.
Content and Limits—Applies to content parameters. For example, set the policy to only apply to selected file types, browsers, or actions within web applications.
- Actions, such as media uploads and downloads, joining meetings, games.
- Specific browser vendors.
- File Types
- Schedule—Define when the policy rules apply, such as during core business hours.
The default is the rule applies to all contents at any time.
Note: Some Actions are valid only in Group A; others in Group B. For example, File Types are notated with a B. These items correspond to the rows that the WSS will place them. The Contents and Limits section below discusses this.
- Allow or block the request or content if any policy matches occur in the rule.
- Advise (coach) employees that their internet activity is recorded
- Redirect the user to another web location (such as an intranet site that lists appropriate web use guidelines).
- Require a password to access content.
The Policy Editor enables you to create And/Or constructs. For example, you have a rule where the Sources are either of two users (an Or construct) if the request from a specific location (an And construct). The Add a Policy Rule section below demonstrates an example.
Group and Global Rows
The rules editor contains two distinct areas: Group A and Group B. As you add and modify rules, the Content Filtering Rules policy editor automatically places the rules in the correct group and correct order. Rules might contain conditions for a mix of inbound and outbound traffic; the actions and whether the elements in the request or the response triggers the policy dictates the appropriate rule grouping. Furthermore, the editor displays messages whenever a rule addition or change requires a rule to be moved. This section describes why rules are placed where they are.
Rules are evaluated in order. If a rule matches, no other subsequent rules are checked.
Group A Rules
As the service executes the rules in this group first, the only conditions available are those that test the request and the only actions are those that can be enforced on the request. The rules in Group A cannot depend on the content returned from the web destination. This is because for this group of rules the WSS must check the policy before the request reaches the content server.
If traffic matches a Group A rule, the request never reaches the server. Keep this in mind as you develop policy. For example, you might prefer to put rules in Group A when possible for security reasons.
Group B Rules
If no rule in Group A triggers a policy action, the WSS checks rules in Group B. As such, while Group A cannot depend on returned content, Group B might. Rules in Group B can execute on traffic before it reaches the web destination, such as a blocked IP address or content filter category. However, if any rules contain actions that must execute on returned content, they are placed in Group B. This includes actions such as policy based on file type, an Allow verdict with web use coaching, and Block verdicts with password override.
There are hard-coded rule rows that cannot be deleted. They are designated as G1, G2, G3, and G4. Primarily, these rules are in place to enforce pre-defined, default policies. Where applicable for the rule, the columns contain links. Click the link to display an editor dialog from which you can specify or select policy objects that apply to everyone (unless they are allowed or blocked by other custom policy).
- G1—Designated row for permanently blocked categories, such as Child Pornography.
G2—An Allow rule that applies to source IP addresses/subnets. The policy check occurs on the request.
G3—An Allow rule that applies to specific trusted, or safe, destination URLs, IP addresses/subnets, and web applications. For actions, such as uploading and downloading content, the policy occurs on the response.
G4—A Block rule that applies to specifically blocked destination categories and web applications, URLs, and IP addresses/subnets.
In the editor, mouse-over the text bubble icons and the G-numbers in the left column to view these descriptions in text pop-ups.