This discussion has been locked.

Web Filtering Policies based upon IP Address

I am in the process of migrating from a SonicWALL TZ215 to Sophos UTM9 for my home network.  The first issue I am having is in recreating my web filter policies.  I have 3 classes of machines on my network.  

  • Nodes that can browse anywhere
  • Nodes for kids that are restricted
  • Nodes that should not be allowed to browse at all

On my SonicWALL it was very easy to simply set up IP ranges and assign different policies to them.  Then anyone in that range automatically had that policy.  So all of my DHCP reservations and static assignments have nodes grouped into appropriate ranges for different policies.

I am trying to recreate this on Sophos but so far, have had no luck.  This is a home network so no AD.  I also do not want users to be required to authenticate.  I just need a policy auto applied to certain IPs.

Is this possible?  I'm not having much luck figuring this out.  Thanks in advance.



  • In short...;)

    First, change Default Web Filter Profile:
     - Allowed Networks (Nodes that should not be allowed to browse at all).
     - In Base Policy select "Default content filter block action".

    Second, create new Web Filter Profile "Kids Profile":
    - Allowed Networks (Nodes for kids that are restricted), Operation mode Transparent, Default authentication - None.
    - Add policy "Kids Policy", leave Users/Groups empty, and create new filter action "Kids Filter Action", specifying desired restrictions.

    Third, create new Web Filter Profile "No restriction Profile":
    - Allowed Networks (Nodes that can browse anywhere), Operation mode Transparent, Default authentication - None.
    - Add policy "No restriction Policy", leave Users/Groups empty, and create new filter action "No restriction Filter Action", specifying desired restrictions. Make sure that this profile is listed above "Kids Profile".

    Make sure also that all of the web filter profiles are activated (green button on the left), and that in each of the web profiles only policy created for that profile is activated (green).

  • Awesome thank you. I am getting closer! I went ahead and defined my ranges. The problem is when I try to assign them to the web filter profile allowed networks, it doesn't let me. I can assign other built-in objects but any of my defined ranges, when I drag them over they just shoot back to the other side. What are the requirements for these objects?
  • Actually I just found this in the manual: Network range objects cannot be used with every network configuration throughout WebAdmin. For more information about network range objects, see section Where Network Range Objects Can Be Used.

    Strange. So I guess I need to redefine my objects as actual subnets?
  • I think I got it. Out of curiosity, why does the order of filter profiles matter if they are all locked down to allowed networks? What happens if there is allowed network overlap? Most restrictive wins?

    Also, what happens if there are nodes that do not match any allowed networks (for base or any)? Are they denied access or do they end up bypassing the web filter entirely?
  • "I think I got it. Out of curiosity, why does the order of filter profiles matter if they are all locked down to allowed networks? What happens if there is allowed network overlap? Most restrictive wins?" The answer to these is that profiles are evaluated in order until a match is found. If there is a match, processing ends and no further profiles are checked. If you have two profiles with an overlapping allowed network, less restrictive with higher precedence and more restrictive with lower precedence, the less restrictive would apply and the more restrictive wouldn't be checked against.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
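The first-match ordering described in the reply above, and the range-to-subnet conversion the original poster ran into, can be checked offline before touching WebAdmin. This is an added example, not code from Sophos or from any poster; the 192.168.1.x addressing plan and the function names are constructed assumptions, and only the profile names come from the thread.

```python
import ipaddress

def range_to_subnets(first, last):
    """Cover an inclusive IP range with the smallest list of CIDR subnets."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def first_match(profiles, client_ip):
    """Return the first profile whose allowed networks contain client_ip.

    Profiles are checked top to bottom and evaluation stops at the first hit.
    None only means "nothing in this list matched"; it does not model what
    the UTM does with such a client.
    """
    ip = ipaddress.ip_address(client_ip)
    for name, networks in profiles:
        if any(ip in net for net in networks):
            return name
    return None

# Constructed plan: each DHCP/static range is aligned so it maps to one subnet.
UNRESTRICTED = range_to_subnets("192.168.1.64", "192.168.1.127")   # one /26
KIDS = range_to_subnets("192.168.1.128", "192.168.1.191")          # one /26
NO_BROWSE = range_to_subnets("192.168.1.192", "192.168.1.255")     # one /26

# A range that is not on a power-of-two boundary needs many network objects.
MISALIGNED = range_to_subnets("192.168.1.100", "192.168.1.150")    # 7 subnets

PROFILES = [
    ("No restriction Profile", UNRESTRICTED),
    ("Kids Profile", KIDS),
    ("Default Web Filter Profile", NO_BROWSE),
]

# Overlap case: a broad /24 on the unrestricted profile, listed first,
# captures the kids' addresses before "Kids Profile" is ever checked.
OVERLAP_BROAD_FIRST = [
    ("No restriction Profile", [ipaddress.ip_network("192.168.1.0/24")]),
    ("Kids Profile", KIDS),
]
OVERLAP_KIDS_FIRST = list(reversed(OVERLAP_BROAD_FIRST))

if __name__ == "__main__":
    for ip in ("192.168.1.70", "192.168.1.130", "192.168.1.200", "192.168.1.10"):
        print(ip, "->", first_match(PROFILES, ip))
    print("kids host, broad profile first:",
          first_match(OVERLAP_BROAD_FIRST, "192.168.1.130"))
    print("kids host, kids profile first: ",
          first_match(OVERLAP_KIDS_FIRST, "192.168.1.130"))
```
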
  • Moving this thread to the Web Filtering forum...please post in the correct forum in future.  :)

  • Thank you. Sorry I didn't see it when I looked. This forum structure is a bit confusing compared to other forums.


    I still would like to know what happens to a node in a network that doesn't match any web filtering policy.