• Introduction To Comodo Secure Web Gateway
  • Purchase Licenses
  • Login To The Admin Console
• The Admin Console
• The Dashboard
  • Customize The Dashboard
• Configure Comodo Secure Web Gateway
  • Connect Your Network / Devices To Secure Web Gateway
    • Traffic Forwarding Via Direct Proxy Or PAC
    • Traffic Forwarding Via Proxy Chaining
    • Traffic Forwarding Via Internet Content Adaptation Protocol (ICAP)
    • Traffic Forwarding Via SWG Agent
  • Connect Your Roaming Devices To Comodo Secure Web Gateway
    • View Enrolled Roaming Devices
  • Configure Comodo Secure Web Gateway Messages
  • Configure Domain Name
  • Configure PAC File For Exclusions
  • Configure Data Loss Prevention And View ICAP Service Information
  • Configure Policy Time-Schedules
• Manage Trusted Networks
• Manage Policies
  • Security Policy
    • Configure Advanced Threat Protection Settings
    • Configure Containerization Settings
  • Web Content Policy
    • Manage URL Filtering Policies
    • Configure SSL Inspection Settings
    • Manage File Type Control Rules
• Apply Policies To Networks
• Administration
  • Configure User Authentication Settings
  • User Management
    • Manage Users
    • Manage User Groups
    • Manage Departments
    • Manage Computers
  • My Profile
• Reports
  • Custom Reports
  • Scheduled Reports
• Unknown Threat Statistics
• About Comodo Security Solutions

Apply Policies to Networks

 

• Click 'Configuration' > 'Policy' to open the policy list.

• After enrolling networks as explained in 'Connect your Network to Comodo Secure Web Gateway', the default global policy is applied to your endpoints.

• You can configure new policies and deploy them to your networks as required. You can tailor polices and schedule them to specific users, groups, departments and computers.

• Note 1: To apply user specific policies, you must enable user authentication.

• Note 2: To apply computer specific policies, you must select 'Hosted DB' as user authentication method.

• Click 'Administration' > 'User Management' to add users/groups/departments/computers. See 'User Management' for help

• Click 'Administration' > 'Authentication Settings' to configure user authentication. See 'Configure User Authentication Settings' for help

Policy List - Table of Column Descriptions
Column Header	Description
#	The priority of the policy. The policy that is nearer the top of the list will be implemented on matching objects. Tip – Put user/location specific policies above 'catch-all' policies like 'All locations', 'Everyone', 'All computers' etc. You want to make sure the targeted policy does not get over-ruled.
Name	Label of the policy. The default 'Global Policy' cannot be deleted. This policy contains the default Security Policy and Web Content Policy.
Remark	Comments provided for the policy.
User	The name of the user that is applied the policy. See 'Manage Users' to learn how to add end users.
Location	The name of the network location to which the policy is applied. See 'Manage Trusted Networks' for more details on how to add Comodo SWG-connected networks /roaming users.
Group	The name of the group to which the policy is applied. See 'Manage Groups' to know how to add groups.
Department	The name of the department to which the policy is applied. See 'Manage Departments' to know how to add departments.
Computer Name	The name of the computer to which the policy is applied. Note – This will be available only if 'Hosted DB' is selected as user authentication method. See 'Manage Computers' for more information.
Scheduled	Check mark - The policy is active only at specific times. Blank - The policy is active at all times.
Policy Details	Click to view policy rule settings. These include security rules, web content control rules and any schedules.
Control buttons	Click the pencil icon to update a policy Click the trash can icon to remove a policy

How policy deployment works

• Comodo SWG applies policy after analyzing the connection used by a device.

• It uses five criteria, or 'Objects', to determine whether it should apply a particular policy to a device. These are 'Location', 'User', 'Group' , 'Department' and 'Computer Name'. If a connection matches all five objects then SWG will apply the policy. SWG also checks if the policy is scheduled for specific days / time-period and applies it appropriately.

• Note – 'Computer Name' object will be available only if 'Hosted DB' is selected as user authentication method.

• Comodo SWG ships with a default 'Global Policy' that is applied to all connections. Its objects are set as 'Location' = 'All', 'Users' = 'Everyone', 'Group' = 'Everyone', 'Department' = 'Everyone' , 'Computer Name' = 'Everyone, 'Scheduled' = 'Always' 

• You cannot modify the objects in the global policy as it is intended to be a catch-all if no other policy has been set. However, you can modify the settings that it implements (the 'Security' and 'Web Content' components).

• You can add as many new policies as you want for specific locations, users, groups, departments and computers.

• Policies are prioritized according to their rank the in the policy list ('Configuration' > 'Policy').

• The first policy from the top that matches all five objects for a connection will be applied. You can change the priority of a policy by clicking 'Edit' > 'Policy Order'.

• Note - The first policy with a schedule from the top that matches all the five objects will be applied during the scheduled times. During non scheduled times SWG will move down the policy list and apply the first matching policy. Make sure to place a scheduled policy above 'Always on' for an object(s).

• The 'Global Policy' is always last in the list. If a device is not covered by any custom policy then the global policy will be implemented.

• To deploy policies by 'Computer Name', you must install the SWG agent on the endpoints.

• To protect a device that is outside a trusted network, you must install the SWG agent on the device.

• If you want to create a specific policy for outside devices then you must set the 'Location' object as 'Roaming Users'. You can then set the 'Users', 'Group' , 'Department' and 'Computer Name' objects as required.

• FYI – 'All Locations' also covers 'Roaming Users' (if you want a policy to apply to both internal and external connection types).

Examples

a) A policy that apples to a single user, regardless of location:

• Location = All locations

• Users = < User Name >

• Group = Everyone

• Department = Everyone

• Computer Name = Everyone

• Scheduled = Always
  

b) A policy that only applies to members of a group, regardless of location:

• Location = All locations

• Users = Everyone

• Group = < Group Name >

• Department = Everyone
  

• Computer Name = Everyone

• Scheduled = Always

c) A policy that applies to any user connecting from outside the network:

• Location = Roaming Users

• Users = Everyone

• Group = Everyone

• Department = Everyone
  

• Computer Name = Everyone

• Scheduled = Always
  

d) A policy that applies to a specific endpoint, regardless of other objects

• Location = All locations

• Users = Everyone

• Group = Everyone

• Department = Everyone

• Computer Name = < Computer Name > Note: The SWG agent should be installed on endpoints to deploy policies by computer names.

• Scheduled = Always

e) A policy that only applies to members of a group on specific days / time-period regardless of location:

• Location = All locations

• Users = Everyone

• Group = < Group Name >

• Department = Everyone

• Computer Name = Everyone

• Scheduled =[Time frame]

Tip:

• Give policies which target a specific audience a higher rank than policies which cover large user bases. This is to ensure your targeted policies are not over-ruled by the policy above it. The 'All locations' and 'All Users' settings will over-rule every corresponding object below them if the policy has a high rank.

The interface allows you to:

• Add a new policy

• Edit a policy

• View policy details

• Delete a policy
  

Add a new policy

• Click 'Add Policy' at top-right.

Step 1 - Policy Details  

• Policy Order - Select where the rule has to be placed.

• The drop-down will display the number of rules that are currently available.

• Policies are prioritized according to their rank in the the policy list.

• The first policy from the top that matches all the five objects defined in step 2 for a connection will be applied.

• If you select '1', then the policy will be placed at the top of the list. 

• Name - Create a label for the policy.
  

• Remark - Enter appropriate comments for the policy. 

Click 'Next' or 'Select Objects' at the top to process further.

Step 2 - Define Objects

In the 'Select Objects' section, you can specify the object(s) for which you want to apply the policy.

• Location - Select the required trusted network from the list. 'All Locations' is selected by default.You can add networks in the Locations area ('Administration' > 'Locations').

• User - Select the required users from the list. 'Everyone' is selected by default. You can add users in the User Management area ('Administration' > 'User Management').

• Group - Select any required user-groups from the list. 'Everyone' is selected by default. You can create user-groups in the User Management area ('Administration' > 'User Management').

• Department - Select any required department from the list. 'Everyone' is selected by default. You can create departments in the User Management area ('Administration' > 'User Management').

• Computer Name - ' Select required endpoints from the list. 'Everyone' is selected by default. You can add endpoints the User Management area ('Administration' > 'User Management').

Click 'Next' or 'Apply Policy' to proceed.

Step 3 - Select Security, Web Content Policy and Schedule it

 

In the 'Apply Policy' section, specify the security and web content profiles that you want to add to the policy. Select the time interval that the policy should be active.

Add Security Profile

• Select Advanced Threat Protection Profile - Select the appropriate ATP profile from the list. The default profile is selected by default. The drop-down will display the ATP exception profiles that are available in the Security Policy section.
  

• Containment – Select whether you want to run unknown files in the sandbox. See 'Configure Containerization Settings' for more details. Containment is enabled by default.

Add Access Control Profile

• Select URL Filtering Profile - The default profile will be selected. The drop-down will display the URL filtering profiles that are available in URL Filtering section. Select the appropriate URL filtering profile from the list.

• SSL Inspection Settings - Allows you to configure how Comodo SWG should act if SSL certificates for the visited websites are untrusted or revoked. Please note this is a global setting, meaning any modification done will apply for all the policies. Clicking the 'Show Details' link will open the 'SSL Inspection' page. See 'Configure SSL Inspection Settings' for more details.

• File Type Control Policy - Displays file download restriction rules that were created in 'Configuration' > 'Web Content Policy' > 'File Type Control'. See File Type Control Rules for more about this area. Select the appropriate file control rule you wish to apply.
  

Define Policy Schedule

• Select Time Interval of Activity – By default it will be 'Always' meaning the policy will be applied at all times. The drop-down lists the schedules that you have configured in Configuration' > 'Configuration' > 'Time Intervals'. See 'Configure Policy Time-Schedules' for more information about pre-defined schedules'. Select the schedule from the drop-down list. Note – Make sure to place a scheduled policy above a non scheduled policy.
  

Click 'Create' to deploy the policy. The policy will be displayed in the Policy List.

Edit a policy

• To update a policy, click the edit icon beside it. The 'Update Policy' dialog will be displayed.

• Edit the name and other parameters as required. The process is similar to adding a policy as explained above.

Click 'Save' after modifying the policy. The policy will be updated for users to whom it is deployed.

View policy details

• To view the details of a policy, click 'Policy Details' beside it. The 'Policy Detail' dialog will be displayed.

The 'Policy Details' dialog displays the details of profiles that are added for security and access control policy including containerization and SSL inspection settings.

• Click the 'X' mark at the top right to close the dialog.

Delete a policy

• Click the trash icon beside a policy that you want to remove from the list. Please note you cannot remove the default Global policy.

• Click 'OK' to confirm

When a policy is removed, Comodo SWG will deploy other applicable policies for the affected users. If no other policy is applicable, then the default Global policy will be deployed.

 

Policy Deployment Examples

Example 1 - Deploy same policy for all users, either roaming or inside the network

Step 1 - Name

• Name – Select policy order as 1

• Policy Name – Enter a name for the policy

• Remark – Comment for the policy

Step 2 - Select Objects

• Select Location(s) – Select 'All Locations'

• Select User(s) – Select 'Everyone'

• Select Groups(s) – Select 'Everyone'

• Select Department(s) - Select 'Everyone'

• Select Computer Name(s) - Select 'Everyone'

Step 3 - Apply Policy

• Select the Security component profile and Web Content component profiles

• Click 'Create'

In this example, all users will be applied the same policy since 'All Locations' include 'Roaming users' and 'Trusted Network'.

Example 2 - User specific and Location specific policy

• Create two trusted networks – Location A and Location B

• Add usernames in User Management

• Create four polices

• Policy 1 – Location = Location B, User = John Smith, Group = Everyone, Department = Everyone, Computer Name = Everyone

• Policy 2 – Location = Roaming Users, User = Everyone, Group = Everyone, Department = Everyone, Computer Name = Everyone

• Policy 3 – Location = All Locations, User = John Smith, Group = Everyone, Department = Everyone, Computer Name = Everyone

• Policy 4 – Global Policy (default profile), All Locations and Everyone

Scenario 1

• John Smith is out of trusted location – Policy 2 will be applied since it matches the current location (Roaming) and other objects are 'Everyone', which includes John Smith.

Scenario 2

• John Smith connects to Location A – SWG first checks first rule, then second and third. Policy 3 will be applied since 'All Locations' in rule 3 includes Location A and username John Smith is specified in that policy with other objects as 'Everyone'.

Scenario 3

• John Smith connects to Location B – Policy 1 will be applied since it matches location and other objects

Scenario 4

• Another user Angel is out of trusted location - Policy 2 will be applied since it matches the current location (Roaming) and other objects are 'Everyone', which includes Angel

Scenario 5

• Angel connects to Location B

• Policy 1 is matching on locations but not the username

• Policy 2 is for roaming users only and Angel is connected to Location B and hence will not be applicable

• Policy 3 is also not valid since username is different in that

• Policy 4 (Global Policy) will apply since it has 'All Locations' and 'Everyone'.