Define a User-Based Web Applications Policy
By combining several types of policy, you can create a robust web application policy that both protects your network, ensures acceptable web use policies, and allows employees to complete their job duties based on their roles in the organization. Consider the following use case and example policy.
The default Web Security Service settings for all applications is Allow. Previously, a Web Security Service admin set the major webmail applications to Block and set E*Trade to Allow. You now want to add a more granular policy based on user groups.
- The FIFA World Cup creates network bandwidth havoc every year; furthermore, reports indicate that Pinterest traffic is trending upward and you want to block access.
Both Facebook and Twitter can hinder productivity, yet are necessary marketing applications. You want to allow access only to the Marketing group; however, you also want to block security risks (such as downloading files) and block unnecessary features (such as games and chatting) for everyone in those groups.
Tip: How a user understands that an application action was blocked is application-dependent. For some actions, nothing happens. This behavior might generate support/IT tickets, so be sure such personnel understand this and can inform employees.
- Human Resources also uses Facebook plus Linkedin, but you do not want other employees job-networking while working for you.
- In Solutions Mode, select Content Filtering > Policy.
- Add FIFA World Cup, Facebook, Twitter, Linkedin, and Pinterest to Blocked Web Applications to the global block list.
- In the Group B > G4 rule, click the Blocked Web Applications link in the To Where column. The service displays the Object Edit: Blocked Web Applications dialog.
- The initial dialog is read-only. Click Edit. Show screen...
- Select the FIFA World Cup application in the Sports/Recreation drop-down (you can search for the term).
- Select the Facebook, Twitter, Linkedin, and Pinterest applications from the Social Networking drop-down.
The Blocked Applications (#) number increments to include the four applications.
- Yellow triangle icons indicate non-active policies. Click Activate. At this point, anyone who attempts to access any of those applications are blocked.
Allow Marketing access to Facebook and Twitter.
- Click Add Rule. The service displays the Create New Rule dialog.
- Click Add Sources.
- Click User Group.
Select the group to be granted access—for this example, CorpMarketing. Show screen...
- Click Save.
- Click Add Destinations
- Click Web Application.
- Search for Facebook and Twitter and add them; click Save.
- For the Verdict construct, select Allow > Completely. Click Finish, which adds the rule in Group B above the default global block rule. The order is important, as when a component of rule gets matched, subsequent rules are ignored.
You now want to prevent Marketing employees from downloading attachments, playing games, and chatting from within Facebook.
- Repeat Step 3, creating a rule that applies to the same CorpMarketing group (Sources construct).
- Select the same web applications on the Destinations construct.
- Click Contents and Limits; click Actions.
Select the actions to block, such as Download Video and Games. Show screen...
- Click Save.
- Set the Verdict construct to Block.
- Click Add Rule; the service displays the new action blocking rule in Group B.
- Click Activate.
- Create another rule for the CorpHR group to be allowed Facebook and Linkedin.
Click Activate. You now have conditional rules that fully allow access, limit access, or block web applications. Show screen...
How a user understands that an application action was blocked is application-dependent. For some actions, nothing happens. This behavior might generate support/IT tickets, so be sure your support staff understand this and can inform employees.