Hi
Hi
Based on your description, there are two things you might not be aware of:
Cheers - Bob
PS Since this is a question that appears to be strictly about Web Filtering, I will move this thread to the correct forum.
My point here is that you MUST include Categories in your Policy, either Allow or Block, why?
And yes, having a User who is a member of more than one group is very common. Not all people from HR or Finance, for instance, will have access to Social Networking; therefore what you do is create another group and add only those who need it, so a user gets to be a member of HR and Facebook Group at the same time.
One way to solve this issue, as you pointed out, is using Exceptions, which will require you to create an exception almost every time you create a policy. That will create extra work and extra confusion, especially when dealing with medium to large infrastructures where you have 200 Policies and 150 Exceptions related to those Policies.
In my case this is a transition from TMG, and that's why it is very difficult to adapt Firewall Rules, since in TMG it's not a must to include Categories in your Policy.
So, if I only want to grant Group1 access to Google.com, I simply allow that, and that rule only deals with Google.com, nothing else.
Thanks.
The UTM is not TMG. Most of what you learned in order to learn the TMG will translate, but methods and solutions are different. Once you learn the philosophy of operation of WebAdmin, you will be surprised how easy it is to administer and maintain.
If you are attempting to install your first Sophos UTM by yourself without an experienced installer to guide your questions, you likely will create a design that is less easy to maintain. For example, did you follow The Zeroeth Rule in Rulz?
Cheers - Bob
Sophos personnel from support and sales have already tried to help us on this, but not so successfully.
The configuration so far is done in the proper way; the only problem is Web Protection Policies.
My company and I would be very grateful if you could assist us by connecting remotely to our lab and showing us the right way to do it.
Thanks
Sophos Support and Sophos Presales Support don't design new configurations from scratch. Sophos has a separate group of consultants that will do that.
Cheers - Bob
PS I've sent you a PM.
Just so you know, the Sophos Web Appliance works in the way you describe. A policy does not need to list actions for all categories, and they "fall through" to the next one. However, the SWA is not a Firewall.
I do agree that the TMG way of doing things does not always port over well to the UTM. However, if you generally go back to your base requirements and then say "how do I solve this in the UTM", that gets you your answers more easily. There are experts (not me) who are used to TMG ports and can help.
IMO, don't ask "how can I get this AD user who is a member of two AD groups to have these policies applied in this way" the way the TMG did. Ask "I have a person who needs to have the following things blocked and allowed". In general by going back to your underlying requirements you'll end up with policies that are easier to manage.