10-24-2011, 09:51 AM   #1
BRR_IT
Policy Design

Hello Everyone,

I need a little help with our policy design. Here's what I am trying to achieve.

I want a "Default" rack that hosts
  • Spam Blocker
  • Phish Blocker
  • Spyware Blocker
  • Web Filter Lite (block social media, gambling, etc)
  • Virus Blocker
  • Attack Blocker
  • Intrusion Prevention
  • Ad Blocker
  • Firewall
  • Protocol Control

I have a series of other racks that are linked to specific sets of users. So for example we have our CEOs on a "presidents rack". They will get more access to the internet and should have social media unblocked.

Right now I have the "presidents rack" using the Default rack as a parent. When I install Web Filter Lite, and put *.* in the pass list, the "presidents" are still blocked from Facebook, etc. I think the parent rack is the issue.

Basically I have a set of rules that should apply to everyone, unless we have special rules for that employee/group.

10-24-2011, 09:53 AM   #2
hlarsen

you're doing it right.

have you verified they are actually going to that rack? you can use the Session Viewer (from the rack selection dropdown) to check, or just find what Event Log their traffic is showing up in.
__________________
Attention: Support on the Untangle Forums is provided by volunteers and community members.
If you need official Untangle support please call or email support@untangle.com.

10-24-2011, 10:13 AM   #3
jcoehoorn

I'd pull intrusion prevention out of the default rack, and only use that particular item on a rack reserved for your servers.
__________________
Three time Microsoft ASP.Net MVP managing an IBM System x3250 / X3440 / 8GB with Untangle 9.2 to protect 40Mbits for 450+ residential college students and associated staff and faculty

10-24-2011, 10:20 AM   #4
BRR_IT

Quote:
Originally Posted by hlarsen
> you're doing it right.
>
> have you verified they are actually going to that rack? you can use the Session Viewer (from the rack selection dropdown) to check, or just find what Event Log their traffic is showing up in.

Ok, I am going to try the setup again and see what happens. Thanks for the help!

10-24-2011, 10:24 AM   #5
BRR_IT

Quote:
Originally Posted by jcoehoorn
> I'd pull intrusion prevention out of the default rack, and only use that particular item on a rack reserved for your servers.

Are there any specific benefits to this? I have noticed it has "blocked" a few things, but from what I can tell it is usually websites that people are visiting, or from IMAP connections to our mail server. All of the "blocks" originate from our users and not our servers. Just wondering.

10-24-2011, 10:49 AM   #6
BRR_IT

Inside Policy manager, I am able to reorder the policies. Does the order of the policies matter? Right now I have the default rack at the bottom, but it doesn't seem to be blocking anything. When I move it to the top, it blocks everything, but doesn't unblock for the specific users we want it to unblock for.

10-24-2011, 10:56 AM   #7
hlarsen

yes, they match from the top down - if a rule matches, it will send the match to the rack specified. you don't need a rule for the default rack, anything that doesn't match a policy will go to the default rack.

all the policies do is send traffic to a rack, it's the apps in the racks themselves that do the filtering. we have a good example of multiple policies on our wiki here, or you can call support.

10-24-2011, 11:14 AM   #8
BRR_IT

Quote:
Originally Posted by hlarsen
> we have a good example of multiple policies on our wiki

Ahhh.. I see in the Wiki that both policies have the "proxy" filter selected. I was trying to have a set of categories on the default rack apply to all child racks, but reading into it, it seems like that won't work. On the child rack, I'll need all the same settings I have on my default. Is that correct?

That's kind of a bummer because I have 11 different child racks and there are only minor web filter differences between them. And if I want to make a change globally (let's say to accept a domain for every employee) I'd have to open the 11 child racks and add the domain.

10-24-2011, 11:16 AM   #9
hlarsen

when you add a new Web Filter to a child rack, that's the only Web Filter that matters for that rack - all settings are copied from the greyed out apps only. you can import/export pass/block lists between the filters, but you'll need to change them each individually (as well as set categories individually).
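
The rack selection and inheritance behaviour described in posts #7 and #9, as an added Python model that is not part of the original thread and is not Untangle's code. Matching policies on a user name, the small category map, the pass list taking precedence over categories, and all rack, user and host names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional

# Constructed sample data: host -> category (not Untangle's category database).
CATEGORY = {"facebook.example": "social", "partner.example": "gambling"}

@dataclass
class Rack:
    name: str
    parent: Optional["Rack"] = None
    apps: dict = field(default_factory=dict)  # apps installed on THIS rack only

    def effective_app(self, app):
        """A rack's own instance wins outright; otherwise use the nearest parent's."""
        rack = self
        while rack is not None:
            if app in rack.apps:
                return rack.name, rack.apps[app]
            rack = rack.parent
        return None, None

def select_rack(policies, default, user):
    """Policies match top-down; first match wins; no match means the default rack."""
    for users, rack in policies:
        if user in users:
            return rack
    return default

def check(policies, default, user, host):
    """Return (rack handling the session, rack owning the Web Filter, verdict)."""
    rack = select_rack(policies, default, user)
    owner, wf = rack.effective_app("web_filter")
    if wf is None or any(fnmatch(host, p) for p in wf["pass_list"]):
        return rack.name, owner, "pass"
    verdict = "block" if CATEGORY.get(host) in wf["blocked"] else "pass"
    return rack.name, owner, verdict

# Hypothetical layout: one default rack and two child racks.
default = Rack("Default", apps={"web_filter": {"blocked": {"social", "gambling"}, "pass_list": []}})
presidents = Rack("Presidents", default, {"web_filter": {"blocked": {"gambling"}, "pass_list": []}})
sales = Rack("Sales", default)            # no Web Filter of its own: uses Default's
policies = [({"ceo"}, presidents), ({"rep"}, sales)]

if __name__ == "__main__":
    for user in ("ceo", "rep", "intern"):
        print(user, check(policies, default, user, "facebook.example"))
    default.apps["web_filter"]["pass_list"].append("partner.example")  # "global" change
    for user in ("ceo", "rep"):
        print(user, check(policies, default, user, "partner.example"))
```

In this model the pass-list entry added to the default rack reaches the Sales rack, which has no Web Filter of its own, but not the Presidents rack, which does; that is the per-rack maintenance cost raised in post #8.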