
Exceptions List Basic Q&A


3 replies to this topic

#1 Jeff Hayward

  • Members
  • 4 posts

Posted 03 May 2019 - 01:53 PM

We have a very common bare bones set of URLs that we want to allow to certain users as a "Restricted Internet" list.

We also have a list of whitelisted domains above and beyond our allowed "Block-Accept Content Filter" categories that we want to allow to all users.

 

Question:  If we add the whitelisted domains in the "Block-Accept Domains Allowed Domains" list, then we create a "Custom Category" for the "Restricted Internet" URLs and add an Exception rule of:

 

Allow  <DomainController>:<AD Group>   ContentFilter   Restricted Internet

Block <DomainController>:<AD Group>    AllWebTraffic

 

Will that accomplish our goal of the following:

 

Allow users in <AD Group> access to the domains in the "Block-Accept Domains Allowed Domains"?

Allow users in <AD Group> access to the domains in the "Restricted Internet" custom category?

Block users in <AD Group> from accessing all other sites?

 

Or, will it accomplish only the following:

 

Allow users in <AD Group> access to the domains in the "Restricted Internet" custom category?

Block users in <AD Group> from accessing all other sites?

 

In other words, do I need to put the same entries in the "Block-Accept Domains Allowed Domains" in the "Restricted Internet" "Custom Category" list if I want them allowed to the users as well?

 

Lastly, do I really need the "Block" row in the Exceptions list if it is preceded by the "Content Filter" entry?  Does the "Content Filter" mean that it will only allow access to those sites, and no other, such that the "Block" entry is not necessary?

 

Thanks in advance for any guidance.  As you can see, I am struggling to understand the way this works top-down as well as how entries in the Exceptions list that are "Content Filter" based affect the "Block Accept Domains Allowed Domains" list.

 

 



#2 John Irwin

  • Barracuda Team Members
  • 52 posts

Posted 06 May 2019 - 08:22 AM

As expected, you put in a block all, and that will happen according to the order of flow here:

 

https://campus.barra...BWFv60/6160461/

 

 

The exception will override all other pages; therefore the only time the other pages, such as the domain lists page, will be hit is when there is no policy overriding it from the exceptions page. So they have to get past the exceptions page to get there. But if you already blocked users from all web traffic, then this will happen before any other policy is taken, as it matched the rule and is done with the request and blocked traffic now.

 

So either add the needed domains to the list, or make a new list called all users allowed domains, add the allowed domains to this list, and now create a new rule and make your third rule to allow these users to all needed allowed sites, and they will get both rules applied before the block happens.

You are on the right track.

 

i.e.:

Rule 1  Allow users in <AD Group> access to the domains in the "Block-Accept Domains Allowed Domains"? (make new custom category to apply additional needed policy)


Rule 2 Allow users in <AD Group> access to the domains in the "Restricted Internet" custom category? (unless you want to add all the additional domains into this one also and not create a new custom category for all users allowed domains)
 

Rule 3 Block users in <AD Group> from accessing all other sites? (finished, no more policy after this from the other pages will be applied to a request made)
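
The rule ordering described in reply #2, modelled as a first-match evaluator. This is an added example, not part of the thread and not Barracuda code. It assumes an exception row applies only when both the user and the destination match, and that a non-matching row falls through to the next one; the group name, category contents and domains are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the group and domain names are hypothetical.
CATEGORIES = {
    "All Users Allowed Domains": {"intranet.example.com", "payroll.example.com"},
    "Restricted Internet": {"vendor.example.net"},
}

@dataclass(frozen=True)
class Rule:
    action: str              # "Allow" or "Block"
    group: str               # AD group the row applies to
    category: Optional[str]  # custom category name, or None for All Web Traffic

def evaluate(rules, user_groups, domain):
    """Return (action, row number) of the first row matching user and destination.

    Assumption: a row whose category does not contain the destination is
    skipped and the next row is tried. ("NoException", None) means no row
    matched, so the other policy pages would decide.
    """
    for row, rule in enumerate(rules, start=1):
        if rule.group not in user_groups:
            continue
        if rule.category is not None and domain not in CATEGORIES[rule.category]:
            continue
        return rule.action, row
    return "NoException", None

GROUP = "Restricted Users"  # hypothetical AD group
# Order suggested in reply #2: both Allow rows, then the Block row.
ORDERED = [
    Rule("Allow", GROUP, "All Users Allowed Domains"),
    Rule("Allow", GROUP, "Restricted Internet"),
    Rule("Block", GROUP, None),
]
# Same rows with the Block row first: it matches everything and ends processing.
BLOCK_FIRST = [ORDERED[2], ORDERED[0], ORDERED[1]]

if __name__ == "__main__":
    for name, rules in (("ordered", ORDERED), ("block first", BLOCK_FIRST)):
        for domain in ("intranet.example.com", "vendor.example.net", "news.example.org"):
            print(name, domain, evaluate(rules, {GROUP}, domain))
```

With the Block row first, every request from the group stops at row 1, which is why the Allow rows have to sit above it.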



#3 Jeff Hayward

  • Members
  • 4 posts

Posted 06 May 2019 - 11:43 AM

Hi and Thanks for the prompt reply,

 

I have another quite basic question on the Exceptions List:

 

 

If I have a row that "Allows" for a certain LDAP/User  a type "Content Filter" to a list of sites noted by a custom category...

and

If the user matches the LDAP/User, but the website being visited is not in the list of sites in the custom category

 

Does it continue to the next exception row to see if that one applies to the user?  I.E., could I allow for one set of domains in a custom category, and if the domain is not matched, it may find a subsequent exception rule that does pass?

 

I guess what I am having trouble grasping is:  Does the "Content Filter" row result in only allowing the user access to the domains specified in that Custom Category (and nothing more), or if their destination domain is not allowed in the Custom Category, does the rest of the Exceptions list continue to get processed for that user in case there is another match (for allow).

 

Thanks,

jeff



#4 Jeff Hayward

  • Members
  • 4 posts

Posted 06 May 2019 - 12:57 PM

Here is my proposed configuration, which I think allows me to achieve the following requirements:
 
1. Block all internet access to some A/D logins
2. Block all internet access to some IP addresses
3. Block set of "Black Listed" websites for all users
4. Allow a set of "White Listed" websites for all users
5. Allow Youtube access for an A/D group
6. Allow web access to anywhere for some IP addresses
7. Block all web access OTHER than the "White Listed" category allowed in rule 4 for some IP addresses
8. Block all web access OTHER than the "White Listed" category allowed in rule 4 for an A/D group
9. IF you make it to here, allow all web access to sites and categories allowed by the main Content Filter
 
Does this achieve this goal? (sorry, I tried real hard to make the below columnar, but could not do it)  I have color coded columns instead
 
| Allow/Block | AppliesTo | Exception Type | SubCategory | Notes |
|---|---|---|---|---|
| Block | WOODDC1: Woodland Internet None | All Web Traffic | | no internet access at all for this A/D group |
| Block | <IPAddress1> | All Web Traffic | | No internet access at all for this computer |
| Block | All Users | Content Filter | Global Black List | Do not allow anyone to get to the Global Black List |
| Allow | All Users | Content Filter | Global White List | Allow everyone to get to the Global White List |
| Allow | WOODDC1:YouTube | Domains | Youtube.com | Allow A/D group to get to Youtube |
| Allow | <IPAddress2> | All Web Traffic | | Use to allow certain device (AK Phone, SCTMarty, etc.) to go anywhere |
| Block | <IPAddress3> | All Web Traffic | | No internet access other than above Global White List from row 4 above for this computer |
| Block | WOODDC1:Woodland Internet Restricted | All Web Traffic | | No internet access other than above Global White List from row 4 above for this A/D group |

IF you make it to here, allow all web access to sites and categories allowed by the main Content Filter