Related Topics
Configure WebBlocker Actions for Groups with Firebox Authentication
Many organizations want to allow different levels of access to websites for different groups of users. To do this, you must first set up user authentication. You can then set up different WebBlocker actions for policies that apply to each group of users. At a high level, the steps are:
- Configure user authentication.
- Add the users to groups who you want to have different levels of access.
- Add policies for each group of users. The policy includes WebBlocker action to use for that group.
- Remove or modify the default Outgoing policy.
- Configure authentication settings to automatically redirect users to the WatchGuard authentication page.
Example Scenario
To show how to set up this configuration, we use Policy Manager to configure WebBlocker policies for a school that wants to set different levels of web access for three groups:
- Students (more restricted access)
- Teachers (less restricted access)
- IT (unrestricted access)
Configure Authentication
Before you configure WebBlocker settings, you must set up user authentication. You can use any authentication method, such as Active Directory, local authentication, RADIUS, or LDAP. For information about the supported authentication methods, see Authentication Server Types. In this example , we assume the school uses Firebox authentication.
Add Users for Firebox Authentication
- Select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
- On the Firebox tab, in the Users section, click Add.
The Setup Firebox User dialog box appears.
- Type the Name and (optional) a Description of the new user.
The Name is the user name used to authenticate. The name cannot contain a space. - Type and confirm the Passphrasefor the new user.
When you set this passphrase, the characters are masked and it does not appear in simple text again. If you lose the passphrase, you must set a new passphrase.
- In the Session Timeout text box, type or select the maximum length of time the user can send traffic to the external network.
The minimum setting for is one (1) seconds, minutes, hours, or days. The maximum value is 365 days.
- In the Idle Timeout text box, type or select the length of time the user can stay authenticated when idle (not passing any traffic to the external network).
The minimum setting is one (1) seconds, minutes, hours, or days. The maximum value is 365 days.
- To close the Setup Firebox User dialog box, click OK.
The Authentication Servers dialog box appears, with the user name added to the Users list.
Repeat these steps to add each user to the Firebox authentication database. For this example, add all students, teachers, and members of the IT team.
Define Firebox Authentication Groups
Next, you must define the user groups that correspond to the different WebBlocker policies you want to use. From Policy Manager, create a group for each different level of website access you want to allow. In this example, we define three groups, Teachers, Students and IT.
- Select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
- In the User Groups section, click Add .
The Setup Firebox Group dialog box appears.
- Type a name for the group. For this example, the group name is Teachers.
- (Optional) Type a description for the group.
- Add the user names of all the teachers to this group. To add a user to the group, select the user name in the Available list. Click
to move the name to the Member list.
You can also double-click the user name in the Available list. - After you add all of the teachers to the group, click OK.
The Authentication Servers dialog box appears with the Teachers user group added.
Repeat the same steps to create a group called Students that contains the user names of all the students, and a group called IT that contains the user names of all members of the IT team.
Create an HTTP-proxy Policy for the Students
The Firebox uses two categories of policies to filter network traffic: packet filters and proxies.
Packet filter policy
A packet filter examines each packet's IP and TCP/UDP header. If the packet header information is permitted by the packet filter settings, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.
Proxy policy
A proxy examines both the header information and the content of each packet. If the packet header information and the content of the packet is allowed by the proxy settings, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.
To deny access to categories of websites for a group of users, use Policy Manager to create an HTTP proxy policy for those users, and define a WebBlocker action for that policy. The HTTP proxy can then inspect the content and allow or deny the users access to a website based on the WebBlocker categories configured for that policy.
- Select Edit > Add Policies.
The Add Policies dialog box appears. - Expand the Proxies folder and select HTTP-proxy. Click Add.
The New Policy Properties dialog box appears.
- Change the name of the proxy policy to describe the group it applies to.
In this example, we call the proxy policy HTTP-proxy-Students. - On the Policy tab, in the From list, select Any-Trusted. Click Remove.
- In the From section, click Add to add the user group for this policy.
The Add Address dialog appears. - Click Add User. Select Firewall and Group from the drop-down lists.
The Add Authorized Users or Groups dialog box appears.
- Select the Students group. Click Select, then click OK.
The New Policy Properties dialog box appears with the group Students (Firebox-DB) in the From section of the policy.
- Click
.
The HTTP Proxy Action Configuration dialog box appears.
- From the categories list, select WebBlocker.
The WebBlocker configuration appears. - Adjacent to the WebBlocker drop-down list, click
.
The Clone WebBlocker Action dialog box appears.
- In the Name text box, type a name for this WebBlocker action.
For this example, give this configuration the name Students. - Select the Categories tab to show the categories of content that can be denied.
- Select the check box for each content category that you want to deny for users in the Students group.
Create an HTTP-Proxy Policy for the Teachers
From Policy Manager, repeat the same steps to set up a different policy for the Teachers group.
- Select Edit > Add Policies.
The Add Policies dialog box appears. - Expand the Proxies folder and select HTTP-proxy. Click Add.
The New Policy Properties dialog box appears.
- In the Name text box, type a descriptive name for the proxy policy to describe this group.
For this example, type HTTP-proxy-Teachers. - On the Policy tab, in the From list, select Any-Trusted. Click Remove.
- In the From section, click Add to add the user group for this policy.
For this example, add the group Teachers. - Click Add User. Select Firewall and Group from the drop-down lists.
The Add Authorized Users or Groups dialog box appears.
- Select the Teachers group. Click Select. Click OK.
The New Policy Properties dialog box appears with the group Teachers (Firebox-DB) in the From section of the policy.
- Click .
The HTTP Proxy Action Configuration dialog box appears. - From the categories list, select WebBlocker.
The WebBlocker configuration appears. - Adjacent to the WebBlocker drop-down list, click .
The Clone WebBlocker Action dialog box appears. - In the Name text box, type a name for this WebBlocker configuration.
In this example, we use the name Teachers. - Select the Categories tab to see the categories of content that can be blocked.
- Select the check box for each content category that you want to deny for users in the Teachers group.
Create an HTTP Packet Filter Policy for the IT Group
The IT team needs unrestricted access to the Internet. Because we do not need a policy to inspect the content of HTTP packets for these users, we use Policy Manager to create an HTTP packet filter policy instead of an HTTP proxy policy.
- Select Edit > Add Policies.
The Add Policies dialog box appears. - Expand the Packet Filters folder and select HTTP. Click Add.
The New Policy Properties dialog box appears.
- Change the name of the proxy policy to describe the group it applies to.
In this example, we call the proxy policy HTTP-IT. - On the Policy tab, in the From section, select Any-Trusted. Click Remove.
- In the From section, click Add to add the user group for this policy.
For this example, add the group IT. - Click Add User. Select Firewall and Group from the drop-down lists.
The Add Authorized Users or Groups dialog box appears.
- Select the IT group. Click Select. Click OK.
The New Policy Properties dialog box appears with the group IT (Firebox-DB) in the From section of the policy.
- Click OK.
Members of the IT group are no longer affected by WebBlocker restrictions.
Remove or Modify the Outgoing Policy
After you configure your HTTP proxy to add a WebBlocker action, you must make sure that the default Outgoing policy does not allow network clients to visit websites without user authentication. To do this, you can use Policy Manager to either remove the Outgoing policy and add any other outgoing network policies you need, or you can edit the Outgoing policy to add your WebBlocker authentication user groups. Both options are explained below.
Option 1: Remove the Outgoing Policy and Add Other Outgoing Network Policies
This is the option we recommend if you want increased control over outbound network access. You must know what ports and protocols are necessary to meet the needs of your organization.
First, remove the Outgoing policy:
- Select the Outgoing policy.
- Select Edit > Delete Policy.
- Click Yes to confirm.
Then, add a DNS packet filter policy to allow outbound DNS queries:
- Select Edit > Add Policies.
The Add Policies dialog box appears. - Expand the Packet Filters folder and select DNS. Click Add.
The New Policy Properties dialog box appears. - Add all of your internal networks to the From section of the policy.
- Click OK to save the policy.
Finally, add other custom policies.
Add custom policies for any other necessary outgoing traffic. Examples of other custom policies you may want to add include:
- UDP
- SMTP (if you have a mail server)
For information about how to add a custom policy, see About Custom Policies.
Option 2: Add Your User Authentication Groups to the Outgoing Policy
If you are not sure what other outgoing ports and protocols are necessary for your business, or if you are comfortable with the same level of outbound control you have when you use the default configuration, you can modify the Outgoing policy to add your authentication groups.
- Double-click the Outgoing policy.
The Edit Policy Properties dialog box appears. - In the From list, select Any-Trusted. Click Remove.
- In the From list, select Any-Optional. Click Remove.
- In the From section, click Add.
The Add Address dialog box appears. - Click Add User. Select Firewall and Group from the drop-down lists.
The Add Authorized Users or Groups dialog box appears.
- Select all three of the user authentication groups you created. Click Select.
- Click OK.
The Edit Policy Properties dialog appears for the Outgoing policy. The selected groups appear in the From section of the policy.
Automatically Redirect Users to the Login Portal
From Policy Manager, you can configure the global authentication settings to automatically send users who have not yet authenticated to the authentication login portal when they try to get access to the Internet.
- Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box opens. - Select the Auto redirect users to authentication page for authentication check box.
WebBlocker is now configured to use different policies for different groups of authenticated users, and automatically redirects unauthenticated users to an authentication page.