

Block URL group for all except authenticated users

Hello everyone,

New to the XG line. I am trying to block only a specific "URL group" for every user, while only an authenticated user group ("managers") can log in and access the blacklisted websites listed in the group.

Issue is that:

a) every website is blocked for non-authenticated users not just our blacklisted few in the URL group. 

b) when user authenticates then they are allowed to view ONLY blacklisted websites and nothing else.

 

---- our top firewall rule ---

Rule
Apply "Allow All" app filter, "Block Blacklisted Websites" web filter, for any user, when in "LAN" zone, and coming from any network

Source & schedule
LAN
Source networks and devices : Any
During scheduled time : All the time

Destination & services
WAN
Destination networks : Any
Services : Any

Identity
Any

---

 

-- our web policy Block Blacklisted Websites --

 

What is the best approach here?

Thank you!



  • Hi,

    I would do it differently. You have created a single policy with both rules: one rule with authentication and the other without. In my experience, policies should not mix authenticated users and non-authenticated users. Even policies for authenticated users in AD, for example, should at least not mix different groups. So I would create a firewall rule (first) for the authenticated users and apply the policy for the authenticated users there as well. After that, or last in the order, I would create the firewall rule for the unauthenticated users, applying the corresponding policy.
    In my experience too, the rules applied to the unauthenticated users must be either the first or last in the list.

    Hope this helps! Good luck.

    [:)]

  • First of all, this can be done within one Firewall Rule and Web Policy, as long as you are not trying to force authentication for unauthenticated users.  If you are, there are a few options.

     

    New to XG line, trying to block only the specific "URL group" for every user while only authenticated user group ("managers") that can login and access blacklisted websites listed in the group.

    Issue is that:

    a) every website is blocked for non-authenticated users not just our blacklisted few in the URL group. 

    b) when user authenticates then they are allowed to view ONLY blacklisted websites and nothing else.

     

     -- our web policy Block Blacklisted Websites --

    What you describe is exactly how you have set up your web policy.  The issue is the "Default Action", which is set to block.  So anything that does not match the two rules above is blocked.

     

    Right now you have three types of users - not authenticated, authenticated but not manager, and authenticated and manager.

    Be aware that the Web Policy has the following "users/groups":

    Known users - this is anyone who has authenticated

    Unknown users - this is anyone who has not authenticated

    Anybody - this is both known and unknown users

     

    Assuming you want only managers to have access, then your web policy is correct after you change the default action to Allow.

  • Thanks Michael.

    - Changed 'default action' to 'allow' = now the authentication window shows up only when we try to access blacklisted websites; all other websites time out with "DNS_PROBE_FINISHED_NO_INTERNET". After a Manager authenticates, they can access all websites except those that are blacklisted.

    - Yes, essentially we want Managers to gain access to blacklisted URLs when they authenticate, while everyone else (Anybody) should be blocked from those blacklisted sites. Simply put, "must be Manager, login to view".

  • Hi BioTech,

    You may simply use two firewall rules here with 2 web filters.

    1. Create a firewall rule at the top with authentication enabled by applying the identity check "Match known users". The default block page for unauthenticated users is a captive portal, which would prompt for username and password.
    2. Create/configure a web filter policy and apply it to the users/firewall rule created in step 1.
    3. Create another firewall rule positioned below the authenticated firewall rule and apply another web filter policy with the blacklisted URL group/category.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

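
    As an added example that is not part of this thread and not Sophos's own code, the following Python models the evaluation order the replies above rely on: an ordered list of firewall rules, the first one whose identity matches picks a web policy, and within that policy the first matching rule wins, with the Default action applied only when nothing matches. It covers both the single-policy setup (showing why "Default action: block" produced problems a and b, and why switching it to Allow fixes them) and the two-rule layout from Aditya's reply. The URL group, the group name "managers", the "staff" group and the sample hosts are constructed for the demonstration.

```python
"""Model of first-match web policy evaluation on an XG-style firewall.

Added example for this thread; not code from the original post or from
Sophos.  Class names, the sample URL group and the sample users are
constructed assumptions that mimic the product concepts discussed above
(Known users / Unknown users / Anybody, ordered rules, Default action).
"""
from dataclasses import dataclass

ANYBODY, KNOWN, UNKNOWN = "Anybody", "Known users", "Unknown users"

# Constructed "URL group" standing in for the poster's blacklist.
BLACKLIST = frozenset({"casino.example", "gambling.example"})


@dataclass(frozen=True)
class User:
    authenticated: bool
    groups: frozenset = frozenset()


def user_matches(selector: str, user: User) -> bool:
    """Resolve a web policy user selector: Anybody, Known users,
    Unknown users, or the name of a group the authenticated user is in."""
    if selector == ANYBODY:
        return True
    if selector == KNOWN:
        return user.authenticated
    if selector == UNKNOWN:
        return not user.authenticated
    return user.authenticated and selector in user.groups


@dataclass(frozen=True)
class WebRule:
    users: str            # selector, see user_matches()
    url_group: frozenset  # hosts the rule applies to
    action: str           # "allow" or "block"


@dataclass(frozen=True)
class WebPolicy:
    rules: tuple
    default_action: str   # used only when no rule matches

    def evaluate(self, user: User, host: str) -> str:
        for rule in self.rules:  # ordered; first match wins
            if user_matches(rule.users, user) and host in rule.url_group:
                return rule.action
        return self.default_action


@dataclass(frozen=True)
class FirewallRule:
    identity: str         # ANYBODY, or KNOWN for "Match known users"
    policy: WebPolicy


def decide(firewall: tuple, user: User, host: str) -> str:
    """The first firewall rule whose identity matches picks the web policy.
    An unauthenticated user simply does not match a KNOWN rule here; on the
    real box that is the point where the captive portal would be offered."""
    for fw in firewall:
        if user_matches(fw.identity, user):
            return fw.policy.evaluate(user, host)
    return "block"  # nothing matched: implicit drop


# The poster's single policy: managers may reach the blacklist, everyone
# else is blocked from it, and no other rule exists.
BLACKLIST_RULES = (
    WebRule("managers", BLACKLIST, "allow"),
    WebRule(ANYBODY, BLACKLIST, "block"),
)
ORIGINAL_POLICY = WebPolicy(BLACKLIST_RULES, default_action="block")
FIXED_POLICY = WebPolicy(BLACKLIST_RULES, default_action="allow")

# Two-rule layout from the later reply: known users first, then the rest.
TWO_RULE_FIREWALL = (
    FirewallRule(KNOWN, FIXED_POLICY),
    FirewallRule(ANYBODY, WebPolicy((WebRule(ANYBODY, BLACKLIST, "block"),), "allow")),
)

GUEST = User(False)                               # not authenticated
STAFF = User(True, frozenset({"staff"}))          # authenticated, not a manager
MANAGER = User(True, frozenset({"managers"}))     # authenticated manager


def walk_through() -> dict:
    """Verdicts for each user kind against a normal and a blacklisted host,
    under the original (default block) and the fixed (default allow) policy."""
    out = {}
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        for who, user in (("guest", GUEST), ("staff", STAFF), ("manager", MANAGER)):
            for host in ("news.example", "casino.example"):
                out[(name, who, host)] = policy.evaluate(user, host)
    return out


if __name__ == "__main__":
    for key, verdict in sorted(walk_through().items()):
        print(f"{key[0]:8} {key[1]:8} {key[2]:16} -> {verdict}")
```

    Running it shows the original policy returning "block" for every host that is not in the URL group, regardless of who asks, because only the Default action is left to decide those requests; the fixed policy returns "allow" there and still blocks the URL group for guests and non-manager staff. The two-rule firewall gives the same verdicts while keeping authenticated and unauthenticated traffic on separate rules, which is the ordering point made in the first reply.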

  • Hi Aditya,

    Thanks for the help; I have tried that without much success. Now Managers have to authenticate to access any website, but they are only prompted to log in when trying to access Blacklisted websites, while everyone else has no access at all and gets the generic fallback page of DNS unresolved.

     

    Here are the rules:

    web policies: