
duplicating policy

Is there a way in the web appliance to duplicate a policy instead of creating each one from scratch?



  • In short

    No. Your policy schema should be robust enough that you should never need more than a few simple policies to police even the most complex network.

    For example, when I create policy it looks something like this...

    Under authentication: configuration / system / authentication / default settings

    Authenticate using: single sign on. Click SSO for MAC if required. Do not check off "authenticate all requests".

    Captive portal: leave this unchecked.

    On authentication failure: block access.

    This will block access for anyone who has an IP on your network that cannot be authenticated.

    configuration / group policy / default policy

    Pick an array of categories that "normal" people will have; in short, anyone with an IP that has authenticated. Note: do not set them all to block, this will cause you a world of hurt.

    Do the same for file types; for the most part everything should be allow.

    configuration / group policy / additional policies

    Add:

    (For demo purposes, under select users pick the Accounting group.) Move them to the selected entries, then skip every tab until you get to TAGS.

    Add: name ALLOW, action Allow. Click add.

    Under name and schedule, check off "turn on this policy for machines connecting anywhere". Give it the name ALLOW. Save it.

    Do the same thing and set it to BLOCK; for this example select the group HR.

    Now that you have an allow and a block tag, set up your AD groups. The purpose of these rules is to allow additional categories.

    Create several additional policies as needed, i.e. Accounting, Help-Desk, CEO. Under site categories and download types, only allow ones that are blocked by the default category. Make sure you turn on the policy for machines anywhere, name them and save them.

    Now you should have:

    A default policy
    4-5 additional policies based on AD groups
    1 Block tag (for HR)
    1 Allow tag (for Accounting)

    Now you're ready to create a local site list.

    Let's suppose your company policy blocks Facebook. Your default policy would be set to block dating and personals. None of your other additional policies override that block. But let's suppose accountants should be able to go there.

    Create a local site list entry for facebook.com. Under modify site properties, select the drop-down and pick the ALLOW tag. Now you have a policy that will allow Accounting to only Facebook and block everyone else, and all you need is an LSL entry with a tag.

    Another example: suppose you are a school. You can make an ALLOW-Teachers tag and a BLOCK-Students tag. Now you can create a local site list entry and apply both a block and an allow tag for the same site.

    You could also create ALLOW/BLOCK tags based on IP ranges, you could create a special AD group, or you could pick and choose users.

    The final word...

    Imagine you're mining rocks. The scoop grabs a ton of dirt and drops it into a screen. The first screen catches the big rocks; smaller rocks fall through to the next screen, and so on. Policy works exactly the same way. You don't make policy that dictates what everyone can or cannot do; you make policy to override the default.
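The layered "screens" model described in the post above, worked through as an added example that is not part of the original post and is not Sophos Web Appliance code: a small Python simulation with a constructed default policy, per-AD-group additional policies, and a local site list whose entries carry group-scoped ALLOW/BLOCK tags. The post does not state the appliance's exact evaluation order or what happens when an allow and a block tag both apply to one user, so the example assumes tags are checked before category policy and lets a block tag win; the group names, categories and hosts are invented for the demo.

```python
"""
Layered web-filter policy, "screens" style: authentication, local site
list (LSL) tags, additional per-group policies, then the default policy.
Illustrative model written for this page; not appliance code. Every
name, category, host and the tie-break rule below are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # AD groups the user authenticated into
    host: str
    category: str            # category the filter assigned to host
    authenticated: bool = True


@dataclass(frozen=True)
class Decision:
    action: str              # "allow" or "block"
    reason: str              # which screen decided, and why


# Constructed sample configuration (assumptions, not a real appliance).
# Default policy: categories blocked for everyone who authenticated.
# Everything else is allowed, as the post advises (never block all).
DEFAULT_BLOCKED = {"dating-personals", "adult", "malware"}

# Additional policies per AD group: they only re-allow categories the
# default blocks, they never add new blocks.
GROUP_ALLOW = {"accounting": set(), "help-desk": set(), "ceo": {"dating-personals"}}

# Tags: name -> (action, groups selected in the policy that owns the tag).
TAGS = {
    "ALLOW": ("allow", {"accounting"}),
    "BLOCK": ("block", {"hr"}),
    "ALLOW-Teachers": ("allow", {"teachers"}),
    "BLOCK-Students": ("block", {"students"}),
}

# Local site list: host -> tags attached under "modify site properties".
LOCAL_SITE_LIST = {
    "facebook.com": {"ALLOW", "BLOCK"},
    "games.example": {"ALLOW-Teachers", "BLOCK-Students"},
}

Screen = Callable[[Request], Optional[Decision]]


def authentication_screen(req: Request) -> Optional[Decision]:
    """On authentication failure: block access."""
    return None if req.authenticated else Decision("block", "authentication failure")


def local_site_list_screen(req: Request) -> Optional[Decision]:
    """Tags whose policy covers one of the user's groups decide the host.
    Tie-break (block beats allow) is this model's assumption."""
    applicable = [(name, TAGS[name][0]) for name in LOCAL_SITE_LIST.get(req.host, set())
                  if TAGS[name][1] & req.groups]
    blocks = [name for name, action in applicable if action == "block"]
    if blocks:
        return Decision("block", f"LSL tag {sorted(blocks)[0]}")
    if applicable:
        return Decision("allow", f"LSL tag {sorted(n for n, _ in applicable)[0]}")
    return None


def group_policy_screen(req: Request) -> Optional[Decision]:
    """Additional policies re-allow a category the default blocks."""
    for group in sorted(req.groups):
        if req.category in DEFAULT_BLOCKED and req.category in GROUP_ALLOW.get(group, set()):
            return Decision("allow", f"group policy {group}")
    return None


def default_policy_screen(req: Request) -> Decision:
    """Last screen; always decides."""
    if req.category in DEFAULT_BLOCKED:
        return Decision("block", f"default policy blocks {req.category}")
    return Decision("allow", "default policy")


SCREENS: list[Screen] = [authentication_screen, local_site_list_screen, group_policy_screen]


def evaluate(req: Request) -> Decision:
    """Drop the request through each screen; the first one that catches it wins."""
    for screen in SCREENS:
        decision = screen(req)
        if decision is not None:
            return decision
    return default_policy_screen(req)


def demo() -> dict[str, str]:
    """Constructed requests that exercise every screen; returns user@host -> action."""
    fb = ("facebook.com", "dating-personals")
    cases = [
        Request("alice", frozenset({"accounting"}), *fb),                  # ALLOW tag
        Request("bob", frozenset({"hr"}), *fb),                            # BLOCK tag
        Request("carol", frozenset({"help-desk"}), *fb),                   # default blocks
        Request("dave", frozenset({"ceo"}), *fb),                          # group re-allows
        Request("erin", frozenset({"accounting", "hr"}), *fb),             # both tags: block
        Request("frank", frozenset(), "news.example", "news", authenticated=False),
        Request("grace", frozenset({"help-desk"}), "news.example", "news"),  # default allows
    ]
    return {f"{r.user}@{r.host}": evaluate(r).action for r in cases}


if __name__ == "__main__":
    for key, action in demo().items():
        print(f"{key:24} {action}")
```

Note that the accountant is allowed only the tagged host: on any other dating-personals site the LSL screen finds no entry, the Accounting group policy re-allows nothing, and the default policy blocks, which is exactly the "one LSL entry with a tag" outcome the post describes.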
