I'm trying to block a certain windows ad group from going to external web sites/IPs. I have built a policy assignment rule based on the correct AD Group (admin FW rules) and now need to build the correct policy.
I have one firewall policy for the client. I want the new admin FW rule to be used to block any traffic bound for non defined IPs. In the new admin FW rule is just lists the approved IP subnets and it should have a default deny all at the end.
How are these 2 rules "merged" to ensure if a user logs in they just get the client policy, but if the admin logs in they get both the client policy and the admin FW rules.
I also looked at the Web Security Control and can't see were I can configure only the allows local networks and block everything else.
Firewall rules will not merge based on the users. Only policies themselves can change based on the user.
User-based polices (UBP) enable policies to be defined and enforced using McAfee ePO policy assignment rules with an LDAP server. These assignment rules are enforced on the client system for the user at log-on, regardless of the McAfee ePO group.
User-based polices are enforced when a user with a matching assignment rule logs on to the client system on the console. System-based polices (SBP) are enforced when two or more users are logged on to a system. Policy assignment rules take precedence over polices defined in the System Tree.
The user policy supersedes the system policy. All system policies apply and any user-based policy overrides the system policy.
Policy assignment rules are enforced only if the user logs on as the interactive user. The system policy, rather than the user policy, is enforced if the user logs on:
• With a runas command
• To a remote desktop or terminal service where the user's logon is not set to interactive
For more information about user-based policies and policy assignment rules, see the McAfee ePO Help.
With Web Control there's a default enabled option in the Options policy that allows internal ip's. You would just have to configure to block all red, yellow, green and unknown sites to block all but internal.
"By default Web Control doesn't block or report on IP addresses in the local private network."
In the Web Control -> Content Actions, I have everything blocked, and Rating Actions, everything is set to block.
I don’t see an option to block green sites, since most of the sites would be green.
In the Web Control -> Option I have it set to Block if not verified by GTI
How can I block “green” sites?
I have also unselected the Enable web category blocking, updated the client and verified the policy is getting set; however the web category blocking has been updated, but the Content Actions are at the default values. So the policy is updating correctly, it is just the Content Actions information is not getting updated.
Yes you're right. My mistake. I think you could take what you've already done and add blocked sites by pattern like www, com, net, etc. Check the box for allowed sites take precedence and that should probably work.
Web Control (and SiteAdvisor) were designed to be host-based internet site rating enforcement applications for safe web browsing. They were not designed to turn off the internet and only allow internal traffic. That would be much easier with gateways, firewalls or by simply unplugging the switch that leads to the internet on those network locations. 🙂