Step 5 – Build and Apply your Policy
- A policy is a security profile which contains at least one 'Security Rule', 'Category Rule' or 'Black/Whitelist'.
- You add the rules to a policy then apply the policy to a device or network.
- You can also add custom block pages and/or virtual browsing settings.
- You must have created at least one rule before you can create a policy.
- You must also have added at least one device or network or have imported a site using the local resolver.
How XSIG applies rules in a policy:
- XSIG checks the whitelist first, then the blacklist, then the security/category rules.
- For example, if the visited domain is whitelisted, then access is allowed. XSIG will check no further.
- If it is not in the whitelist, XSIG checks the blacklist. If found, then it is blocked.
- If it is not in the blacklist, XSIG checks the security / category rules. If the site is in a banned category, then it is blocked, or virtualized as per your preference.
- If the site isn’t in the blacklist or category rules, then it is allowed.
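The evaluation order above, modeled as an added example (not XSIG code) so you can test how a planned policy resolves conflicting entries. The `Policy` fields, the exact case-insensitive domain matching, the treatment of security and category rules as one set of banned categories, and the `.example` domains are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    # Hypothetical stand-ins for what you configure in the XSIG portal.
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    banned_categories: set = field(default_factory=set)  # security + category rules
    virtualize: bool = False  # models "virtualized as per your preference"

def norm(domain):
    # Assumption: exact, case-insensitive match; a trailing dot is ignored.
    return domain.strip().lower().rstrip(".")

def evaluate(policy, domain, categories):
    """Return (verdict, deciding_stage) for one visited domain.
    `categories` is the set of categories the site falls in (constructed input)."""
    d = norm(domain)
    if d in {norm(x) for x in policy.whitelist}:
        return ("allow", "whitelist")      # checked first, nothing else is consulted
    if d in {norm(x) for x in policy.blacklist}:
        return ("block", "blacklist")
    if policy.banned_categories & set(categories):
        return ("virtualize" if policy.virtualize else "block", "category")
    return ("allow", "default")            # not listed anywhere

def shadowed_blacklist_entries(policy):
    """Blacklist entries that can never take effect because the whitelist wins."""
    wl = {norm(x) for x in policy.whitelist}
    return sorted({norm(x) for x in policy.blacklist} & wl)

# Constructed sample policy: partner.example is on both lists by mistake.
SAMPLE_POLICY = Policy(
    whitelist={"Partner.example"},
    blacklist={"partner.example", "ads.example"},
    banned_categories={"gambling"},
    virtualize=True,
)

if __name__ == "__main__":
    visits = [("partner.example", {"gambling"}), ("ads.example", set()),
              ("casino.example", {"gambling"}), ("news.example", {"news"})]
    for dom, cats in visits:
        print(dom, evaluate(SAMPLE_POLICY, dom, cats))
    print("never-effective blacklist entries:",
          shadowed_blacklist_entries(SAMPLE_POLICY))
```

A domain reported by `shadowed_blacklist_entries` is worth reviewing before you apply the policy, since its whitelist entry lets it through regardless of the blacklist or its category.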
Create a policy
- Click 'Configure' > 'Policy'
- Click 'Add New Policy' at top-right
Objects - Select the devices/networks to which the policy should apply. This can be a network, roaming device, internal network, site, or mobile device. You can select multiple instances of each.
Note - The 'Objects' menu only shows networks, devices or sites that do not yet have a policy.
Networks - Manually added networks.
Agents - Roaming Windows and Mac devices that have the Secure Internet Gateway agent installed.
Mobile Agents - Enrolled Android and iOS devices.
Sites - Network sites imported by deploying the local resolver virtual appliance.
Internal Networks - Internal objects within imported sites. Note - Policies applied to a site will overrule policies applied to internal objects.
You can apply a policy to any number of objects.
Remark - Enter a description for the policy (optional).
Click 'Next' or 'Settings' to configure the policy:
Only B/W Mode - If enabled, you can only add blacklist and/or whitelist rules to the policy. You cannot add security or category rules to the policy.
Block All Mode - If enabled, all domains are blocked EXCEPT domains in the whitelist. You can only add whitelists to the policy under this setting.
Safe Search - Activates the content filtering feature of search engines like Google, Bing and Yahoo. Safe search eliminates explicit and potentially offensive websites from the results page of a search. This setting is disabled by default. Youtube.com is part of the Safe Search feature and cannot be blocked when the 'Safe Search Enabled' option is 'ON' in 'Policy settings'.
Security Rule - Select a rule to block websites that host specific types of threats. The drop-down lists security rules that have been added in the 'Policy Settings' section. See 'Add Security Rules' for more details.
Redirect to CCB - If enabled, sites in this policy are instead opened in a virtual environment. Enable this and select a virtual session rule from the drop-down. See ‘Configure Virtual Browsing’ if you need more information on virtual session rules.
Category Rule - Rules which block websites by their content-type. The drop-down lists category rules that have been added to the 'Policy Settings' section. See 'Add Category Rules' for more details.
Domain B/W List - Select a list to block or allow specific domains. The dialog shows blacklists and whitelists added to the 'Policy Settings' section. See 'Add Domain Blacklist and Whitelist' for more details.
Block Page Appearance - Choose the block page you want to show to users if they try to visit a site prohibited by the policy. The drop-down lists block pages created in the 'Policy Settings' area. See 'Add Block Pages' for more details.
Note - The block page is shown on all devices to which the policy is applied, except mobile devices.
Example policy settings are shown in the following screenshot:
- Click 'Add' to save your policy.
The policy is applied to the chosen networks and devices.
- Repeat the process to add more policies.
Add an existing policy to newly added networks and roaming/mobile devices
- Click 'Configure' > 'Policy'
- Click the 'Edit' icon in the row of the policy
The 'Update Policy' dialog appears.
- Select the new network / roaming / mobile device from the 'Objects' drop-down
- Click 'Update'.
The policy is applied to the new network(s)/roaming/mobile device(s).