2 Replies Latest reply on Feb 17, 2010 3:05 PM by tessebie

    Block websites except for particular users - SG560 firmware 3.2.2



      Is it possible to block access to certain websites (e.g. Facebook) for all users except a few people?

      Tried this on an SG560 with firmware 3.2.2 and it appears to be a global entry.

      I have even tried the require user authentication option and it is still blocked.


      Does the 4.0.6 firmware allow this to be configured on a user or IP address basis?



        • 1. Re: Block websites except for particular users - SG560 firmware 3.2.2

          Access controls are parsed in the order listed on the access control help page.


          You will need KB62474


          specifically for your situation


          • If you want internal hosts to bypass the web lists under access control and do not want their allowed accesses to be logged, use the following rule, which will allow unrestricted web access to the host:

            iptables -t nat -I ContFilt -s <host IP address> -j RETURN
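Added example, not part of the original posts and not vendor code: a small shell helper that generates the ContFilt bypass rule quoted above for a list of exempt hosts, accepting only single IPv4 host addresses so that a blank entry or a subnet cannot widen the exemption. The function names and the sample addresses are constructed for illustration; only the chain name and rule shape come from the post.

```shell
#!/bin/sh
# Added example: emit ContFilt bypass rules for a vetted list of hosts.
# Chain name and rule shape are from the post; everything else is assumed.

# Succeed only for one dotted-quad IPv4 host address (no CIDR, no names).
is_host_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-numeric, stray dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac # leading zeros are ambiguous
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    # The unspecified address is never a real internal host.
    [ "$1.$2.$3.$4" != "0.0.0.0" ]
}

# Print one bypass rule per valid host; report anything else on stderr.
# Returns non-zero if any entry was rejected, so a caller can refuse to apply.
emit_bypass_rules() {
    rc=0
    for host in "$@"; do
        if is_host_ipv4 "$host"; then
            printf 'iptables -t nat -I ContFilt -s %s -j RETURN\n' "$host"
        else
            printf 'rejected: %s\n' "$host" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: two exempt workstations with fixed addresses.
emit_bypass_rules 192.168.1.20 192.168.1.21
```

The exemption is keyed on source address only, so it is meaningful only for hosts whose addresses are fixed (static or reserved leases).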
          • 2. Re: Block websites except for particular users - SG560 firmware 3.2.2

            In addition to what Ross said, 5.0 will provide the ability to consider a user's Active-Directory Group membership inside the new Packet Filter UI, i.e. create a folder of rules which equates to 'if this connection is associated with an AD-Sales-Group user, apply the following rules' - organized as tree/folder view.


            The majority of the functionality in Access Control is also shifted into the Packet-Filter rule-set. The remainder of Access-Control (main/policy/web-service) has been relocated, so there is no more Access-Control menu in 5.0 at all anymore. While we provide a packet-filter 'Access Control' rule-folder which contains the migrated settings from your 4.0 Access Control rules/settings in the same order as it is in 4.0, you will be able to drag & drop these (or create new ones of course) into whatever IP, AD-Group, time or other type of exception / inclusion situation that you want to create.


            There is also a new 'RETURN' target that will allow you to exit a folder of rules for exception purposes, i.e. 'do the first few rules for everybody that gets to this folder, but if they are part of X-thing return now and do not apply the remaining rules' kind of thing. For those able to handle structured programming techniques, hard-links to folders also exist (i.e. rule/code re-use for those familiar with those concepts). All in all it should allow you to still have a single, simple, flat rule-set if all you have is a dozen or so things to worry about - just run a single folder type of arrangement - but it will also allow for much easier navigation and organization of complex and sophisticated rule-sets where required.


            We're getting close to putting up a Beta of this on the emulator so you can see what I'm talking about. Beta images should be released-to-web soon after.