
Web Ironport does not work with Time-Based URL blocking

Ahmad Murad
Level 1

Hello,

We have Ironport S370 and it is our Web proxy for all the Internet access.

The device is configured to authenticate all the users against AD and it is working fine.

The policy blocks some websites like YouTube and Facebook, and we need to permit them after working hours with a bandwidth limit.

I added a time-range policy element with the custom-URL blocking, but it is still not working, and in the policy trace I still get a blocked result even when I change the time to after the one defined in the time-range.

Is there any guide regarding this?

Thanks.

Ahmad.

6 Replies

Erik Kaiser
Cisco Employee

Hi Ahmad,

Instead of using policy trace, I would ask you to grep the access logs, copy the output to a text editor, and then open a support case. The CSE will need to see the access logs, as that will tell them which access policy your traffic is being applied to.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator


Hi Erik,

I have solved the issue by re-ordering the access policies and applying the time-range under the access policies configuration, not under the custom URL filtering options.

I have re-ordered them in a way that blocking websites with the time-range is the 1st policy, then all the other policies, and at the end a permit of the same policy but negating the time-range.

Please check the attached screenshot.

My question: why is custom URL filtering with a time-based range within the policy not working fine? Are there any restrictions/configuration tips?

Thanks.

Ahmad.

Hi Ahmad,

I would have to see the access logs from when you're trying to have the time-range policies apply to your HTTP/HTTPS traffic. The users you believe should be applied to the time-based policy may be hitting another access policy. Without the access logs I can only speculate.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
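
The re-ordering Ahmad describes and the "hitting another access policy" case Erik raises can both be seen in a small model of top-down, first-match policy evaluation. This is an added example, not part of the original posts and not WSA code; the policy names, AD group names, the 08:00-17:00 window and the fallback action are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Constructed working-hours window; the thread does not state the real one.
WORK_START, WORK_END = time(8, 0), time(17, 0)

def in_work_hours(t):
    return WORK_START <= t < WORK_END

@dataclass
class Policy:
    name: str        # hypothetical policy name
    groups: set      # AD groups that are members of this policy
    when: object     # callable(time) -> bool, or None for "any time"
    actions: dict    # URL category -> action
    default: str = "allow"

    def matches(self, group, t):
        # Membership = AD group AND time-range, set on the policy itself.
        return group in self.groups and (self.when is None or self.when(t))

def evaluate(policies, group, category, t):
    """Return (policy name, action) from the first policy whose membership matches."""
    for p in policies:
        if p.matches(group, t):
            return p.name, p.actions.get(category, p.default)
    return "global", "block"  # constructed fallback for this model

SOCIAL = "social-video"  # stands in for the custom URL category from the thread

block_in_hours = Policy("staff-work-hours", {"staff"}, in_work_hours, {SOCIAL: "block"})
other = Policy("it-admins", {"it"}, None, {})
allow_after = Policy("staff-after-hours", {"staff"},
                     lambda t: not in_work_hours(t), {SOCIAL: "allow-limited-bandwidth"})
# A policy with no time-range that also covers the same users.
staff_always = Policy("staff-general", {"staff"}, None, {SOCIAL: "block"})

fixed_order = [block_in_hours, other, allow_after]
shadowed_order = [staff_always, block_in_hours, other, allow_after]

def demo():
    morning, evening = time(10, 0), time(19, 30)
    return {
        "fixed_morning": evaluate(fixed_order, "staff", SOCIAL, morning),
        "fixed_evening": evaluate(fixed_order, "staff", SOCIAL, evening),
        "shadowed_evening": evaluate(shadowed_order, "staff", SOCIAL, evening),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

In the shadowed ordering the after-hours permit is never reached, which is the kind of mismatch the matched policy name in the access logs would reveal.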


Hi Erik,

Thanks for your interest.

But I don't have the access logs for now, since the system is in production, and the customer is satisfied with the current configuration.

But according to the policy trace, while I was troubleshooting the configuration, not the logs, I noticed that the users hit the correct access policy based on the AD group but the website is blocked, while it must be opened due to the fact that we are out of the closed time range. I cannot reproduce the issue right now.

I will try to reproduce the issue, and get back to you with the results.

But for me, this is a closed discussion with the current configuration, since the customer can work with the current setup, and can have separate policies for the URL time-based blocking/allowing.

Thanks.

Ahmad.

pinta.ginting
Level 1

That works for me and works fine with my Ironport. Is your Ironport's time synchronized with your local time? Make sure of that.

Sent from Cisco Technical Support Android App

Hello,

I'm sure that the Ironport is synced with the NTP server (same AD), since after changing from the custom URL policy to the policy itself, it is working fine like a charm. The device is synced correctly and successfully with the NTP (same AD).

It is clear that it is not an NTP issue.

Thanks.

Ahmad.