
Application Control Question

Hi

I have a policy that blocks all Social Media, but we need to allow all aspects of Facebook. I have tried to create an Application Control rule that allows Facebook, but it seems that the policy is overriding the Application Control rule. Is this correct? Or should the Application Control rule override the policy?

* From testing it appears you can't use Application Control with a group, only a network (which is useless when you have multiple customers on the same network). It works if you block by application; dynamic does not work.

Thanks



  • Very roughly, any block overrides any allow.  If you Allow Search Engines and Block executable downloads, you want to be blocked.  In this case Web Policy and Application Control are evaluated separately and either one can block.

    If you want to allow Facebook only and block all other Social Networking I would do the following. It requires you to take on some of the management role.

    Get rid of the Application Control rule.

    Temporarily allow Social Networking.

    Go to facebook and navigate around doing all the things you expect to be allowed.  Now look at the logs and reports at all the domain names involved.

    Block Social Networking.

    Under Filtering Options, Websites, Add a Site for the domain name (e.g. facebook.com) and a tag "Facebook".  Repeat for all domain names Facebook uses.

    In your Web Filtering Policy, set everything tagged as Facebook to Allow.

    Facebook should now be allowed.  Because you are managing the list of domains that are allowed there can sometimes be some issues.  For example maybe your users complain that something in their feed is not showing up and now you need to decide if you want to also allow imgur.com or whatever is being linked to.
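
For the "look at the logs" step above, this added example (not part of the original posts and not Sophos code) lists each hostname the test workstation contacted and flags the ones logged under the category about to be blocked again. The key="value" log layout, the field names, the IP addresses and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines. The key="value" layout and the field names
# (srcip, url, categoryname) are assumptions; match them to your real export.
SAMPLE_LOG = """\
2016:03:01-10:15:01 gw httpproxy[4321]: action="pass" srcip="10.0.0.50" url="https://www.facebook.com/" categoryname="Social Networking"
2016:03:01-10:15:02 gw httpproxy[4321]: action="pass" srcip="10.0.0.50" url="https://static.xx.fbcdn.net/rsrc.php/a.js" categoryname="Content Server"
2016:03:01-10:15:02 gw httpproxy[4321]: action="pass" srcip="10.0.0.77" url="https://twitter.com/" categoryname="Social Networking"
2016:03:01-10:15:03 gw httpproxy[4321]: action="pass" srcip="10.0.0.50" url="scontent.xx.fbcdn.net:443" categoryname="Social Networking"
2016:03:01-10:15:04 gw httpproxy[4321]: action="pass" srcip="10.0.0.50" url="https://www.facebook.com/messages/" categoryname="Social Networking"
2016:03:01-10:15:05 gw httpproxy[4321]: name="configuration reloaded"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def hostname(url):
    """Return the lower-cased host; tolerate entries logged as host:port."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat the text as a network location
    return (urlsplit(url).hostname or "").lower()


def review_hosts(log_text, test_client, blocked_category):
    """List (host, hits, needs_tag) for traffic from the test workstation only.

    needs_tag is True when the host was logged under the category that is
    about to be blocked again, so it will break unless it gets the tag.
    """
    seen = {}
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("srcip") != test_client or not fields.get("url"):
            continue  # other clients and non-request lines are noise here
        host = hostname(fields["url"])
        if not host:
            continue
        entry = seen.setdefault(host, {"hits": 0, "categories": set()})
        entry["hits"] += 1
        entry["categories"].add(fields.get("categoryname", "unknown"))
    return [(h, e["hits"], blocked_category in e["categories"])
            for h, e in sorted(seen.items())]


if __name__ == "__main__":
    for host, hits, needs_tag in review_hosts(SAMPLE_LOG, "10.0.0.50", "Social Networking"):
        print(f"{host:28} hits={hits} {'TAG' if needs_tag else 'other category'}")
```

Filtering on the test workstation's address keeps other users' browsing during the temporary allow window out of the list of sites to tag.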

  • Michael, what advantage is there to taking this approach instead of using an Exception in Web Filtering?

    Duncan, in AppCtrl, a rule allowing Facebook before a rule blocking other social networking could work, but see #2 in Rulz to understand why your first approach couldn't work.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • To some extent whether you do it by exception or by tags doesn't matter - two paths to the same destination.  I personally find the Websites tab easier to use and manage than exceptions.

    Doing it by tag (or by changing the category) goes to the specific root of the problem - you don't want the following urls to be treated as social networking.  The rest of the system behaves the same.

    Doing it by exception will also ignore any filetype blocks, and potentially other things as well.  It is a little heavy handed.  If you don't like the color of the walls you could paint the walls or you could remove the walls entirely.  The latter also removes something you may actually want - protection.

    Tags also match the SWA functionality and it better fits with the way the XG works.  They are also potentially more efficient, though that is splitting hairs.
