Allow Access to Multiple Access Policy

febrians
Level 1

Hi,

I'm new to this forum. I would like to ask about access policies that are integrated with security groups in Active Directory. Here is the case:

1. I'm giving access to users by security group in AD.

2. I've created several access policies in WSA. As an example, here are two: 1. Standard-Access (it allows access to some categories; one of the exceptions is social networking, which is blocked) and 2. Additional-Facebook (it blocks everything except a custom URL category that consists of Facebook URLs). All the access policies use selected groups and users linked to AD security groups; the security groups linked to the 2 examples above are 002-Standard-Access and 003-Facebook-Access.

3. The scenario is: when a user asks for internet access, by default they will be put into the 002-Standard-Access security group.

4. If a user requests additional access, they will also be put into 003-Facebook-Access, so if a user wants to have Facebook they will be put into 2 security groups (002-Standard-Access and 003-Facebook-Access).

5. The scenario is planned to be used for other additional requests.

The problem is that this kind of configuration is not working as expected. I need advice or a solution on how to run the scenario planned by our management. Thank you for your advice.

 

 

3 Replies

I'm guessing that 2-standard is above 3-facebook in the GUI?

You need to flip the order and probably tweak the facebook policy...

The policy engine works from top down until it hits a match on settings in the first box, then processes the transaction left to right.

So if they hit 2standard and it applies to them and blocks Facebook, they never reach the one below it, even though it matches.


As far as how to change your Facebook policy, you can do it one of two ways: make it the same as standard, except it also allows Facebook. Or change the identity to be members of the AD group, plus going to Facebook, then just allow Facebook in the categories and AVC.



I'm guessing that 2-standard is above 3-facebook in the GUI?

-->Yes, the 002-Standard is above the 003-Facebook

 

The policy engine works from top down until it hits a match on settings in the first box, then processes the transaction left to right.

So if they hit 2standard and it applies to them and blocks Facebook, they never reach the one below it, even though it matches.

-->Understood

 

As far as how to change your Facebook policy, you can do it one of two ways: make it the same as standard, except it also allows Facebook. Or change the identity to be members of the AD group, plus going to Facebook, then just allow Facebook in the categories and AVC.

-->Still didn't get it, sorry...

 

So, if you don't care that the group allowed to hit Facebook hits the same policy for ALL stuff they surf to, you can do it this way:

If they're in the group, they hit this policy for everything, which is basically a copy of the global policy except under applications, and possibly under URL filtering, Facebook is allowed. 

[Screenshot: allow facebook.PNG]

 

 

If you want them to only hit this policy when a member of the group AND hitting Facebook, you have to create a custom category, add the various Facebook domain names to it, then add it as part of the policy definition in the Group column, and allow Facebook under URL filtering and Applications.

 

[Screenshot: alternate.PNG]

You could also create this set of criteria as its own Identity, both AD group and URL category and then just use that for the definition for the policy...
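
The top-down, first-match behaviour described in the replies, as a simplified Python model added here (it is not part of the original thread and not WSA's actual implementation). Policy and group names come from the thread; the Facebook host list and `example.com` are constructed sample values, and Standard-Access is reduced to "allow everything except Facebook".

```python
from dataclasses import dataclass, field

# Constructed stand-in for the custom URL category of Facebook domains.
FB = frozenset({"facebook.com", "www.facebook.com"})

@dataclass
class Policy:
    name: str
    group: str                      # AD security group in the membership definition
    member_hosts: frozenset = None  # optional URL-category condition; None = any URL
    overrides: dict = field(default_factory=dict)  # host -> action
    default: str = "allow"

def evaluate(policies, user_groups, host):
    """Top-down: the first policy whose membership matches decides; the rest are never consulted."""
    for p in policies:
        if p.group not in user_groups:
            continue
        if p.member_hosts is not None and host not in p.member_hosts:
            continue
        return p.name, p.overrides.get(host, p.default)
    return "global", None  # would fall through to the global policy (not modelled)

def fb(action):
    return {h: action for h in FB}

STANDARD = Policy("Standard-Access", "002-Standard-Access", overrides=fb("block"))
# As posted: blocks everything except the Facebook category.
FB_ORIGINAL = Policy("Additional-Facebook", "003-Facebook-Access",
                     overrides=fb("allow"), default="block")
# Option 1 from the reply: same as standard, except Facebook is allowed.
FB_COPY = Policy("Additional-Facebook", "003-Facebook-Access", overrides=fb("allow"))
# Option 2 from the reply: membership is AD group AND the Facebook URL category.
FB_SCOPED = Policy("Additional-Facebook", "003-Facebook-Access",
                   member_hosts=FB, overrides=fb("allow"))

ORDERINGS = {
    "as posted": [STANDARD, FB_ORIGINAL],
    "flipped only": [FB_ORIGINAL, STANDARD],
    "flipped + copy of standard": [FB_COPY, STANDARD],
    "flipped + group AND category": [FB_SCOPED, STANDARD],
}

def report(user_groups):
    return {label: {h: evaluate(pols, user_groups, h) for h in ("facebook.com", "example.com")}
            for label, pols in ORDERINGS.items()}

if __name__ == "__main__":
    for label, verdicts in report({"002-Standard-Access", "003-Facebook-Access"}).items():
        print(label, verdicts)
```

The "flipped only" row shows why reordering alone is not enough: the unmodified Additional-Facebook policy then matches every request from the group and blocks everything that is not Facebook.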