Apply Policies
- After enrolling networks, the default global policy will be automatically applied to end users in your networks.
- You can configure new policies and deploy them to your networks as required. You can tailor polices and schedule them to specific users, groups, departments and computers.
- Click 'Configuration' > 'Policy' to open the policy list.
- This screen allows you to create new policies and view/edit existing policies.
Policy List - Table of Column Descriptions |
|
---|---|
Column Header |
Description |
# |
The priority of the policy. The policy that is nearer the top of the list will be implemented on matching objects. Tip – Put user/location specific policies above 'catch-all' policies like 'All locations', 'Everyone', 'All computers' etc. You want to make sure the targeted policy does not get over-ruled. |
Name |
Label of the policy. The default 'Global Policy' cannot be deleted. This policy contains the default Security Policy and Web Content Policy. |
Remark |
Comments provided for the policy. |
User |
The name of the user that is applied the policy. |
Location |
The name of the network location to which the policy is applied. |
Group |
The name of the group to which the policy is applied. |
Department |
The name of the department to which the policy is applied. |
Computer Name |
The name of the computer to which the policy is applied. Note – This will be available only if 'Hosted DB' is selected as user authentication method. |
Scheduled |
Check mark - The policy is
active only at specific times. Blank - The policy is active at all times. |
Policy Details |
Click to view policy rule settings. These include security rules, web content control rules and any schedules. |
Control buttons |
|
How policy deployment works
- Comodo SWG applies policy after analyzing the connection used by a device.
- It uses five criteria, or 'Objects', to determine whether it should apply a particular policy to a device. These are 'Location', 'User', 'Group', 'Department' and 'Computer Name'. SWG also checks if the policy is scheduled for specific days / time-period and applies it appropriately.
- If a connection matches all five objects then Comodo SWG will apply the policy.
- Note – 'Computer Name' object will be available only if 'Hosted DB' is selected as user authentication method.
- Comodo SWG ships with a default 'Global Policy' that is applied to all connections. Its objects are set as 'Location' = 'All', 'Users' = 'Everyone', 'Group' = 'Everyone', 'Department' = 'Everyone' , 'Computer Name' = 'Everyone', 'Scheduled' = ''Always'
- You cannot modify the objects in the global policy as it is intended to be a catch-all if no other policy has been set. However, you can modify the settings that it implements (the 'Security' and 'Web Content' components).
- You can add as many new policies as you want for specific locations, users, groups, departments and computers.
- Policies are prioritized according to their rank the in the policy list ('Configuration' > 'Policy').
- The first policy from the top that matches all five objects for a connection will be applied. You can change the priority of a policy by clicking 'Edit' > 'Policy Order'.
- Note - The first policy with a schedule that matches all five objects will be applied during the scheduled times. During non-scheduled times, SWG will move down the policy list and apply the next matching policy. Make sure to place a scheduled policy above 'Always on' policies.
- The 'Global Policy' is always last in the list. If a device is not covered by any custom policy then the global policy will be implemented.
- To deploy policies by 'Computer Name', you must install the SWG agent on the endpoints.
- To protect a device that is outside a trusted network, you must install the SWG agent on the device.
- If you want to create a specific policy for outside devices then you must set the 'Location' object as 'Roaming Users'. You can then set the 'Users', 'Group' , 'Department' and 'Computer Name' objects as required. as
- FYI – 'All Locations' also covers 'Roaming Users' (if you want a policy to apply to both internal and external connection types).
- Location = All locations
- Users = < User Name >
- Group = Everyone
- Department = Everyone
- Computer Name = Everyone
-
Scheduled = Always
b) A policy that only applies to members of a group, regardless of location:
- Location = All locations
- Users = Everyone
- Group = < Group Name >
- Department = Everyone
- Computer Name = Everyone
- Scheduled = Always
- Location = Roaming Users
- Users = Everyone
- Group = Everyone
- Department = Everyone
- Computer Name = Everyone
- Scheduled = Always
d) A policy that applies to a specific endpoint, regardless of other objects
- Location = All locations
- Users = Everyone
- Group = Everyone
- Department = Everyone
- Computer
Name = < Computer Name > Note: The SWG agent should be
installed on endpoints to deploy policies by computer names.
- Scheduled = Always
e) A policy that only applies to members of a group on specific days / time-period regardless of location.
- Location = All locations
- Users = Everyone
- Group = < Group Name >
- Department = Everyone
- Computer Name = Everyone
- Scheduled = [Time frame]
- Give policies which target a specific audience a higher rank than policies which cover large user bases. This is to ensure your targeted policies are not over-ruled by the policy above it. The 'All locations' and 'All Users' settings will over-rule every corresponding object below them if the policy has a high rank.
Add a new policy
- Click 'Add Policy' at top-right. The 'Add Policy' dialog will be displayed.
Step 1 - Policy Details
- Policy Order - Select where the rule has to be placed.
- The drop-down will display the number of rules that are currently available.
- Policies are prioritized according to their rank in the the policy list.
- The first policy from the top that matches all the five objects defined in step 2 for a connection will be applied.
- If you select '1', then the policy will be placed at the top of the list.
- Name - Create a label for the policy.
- Remark - Enter appropriate comments for the policy.
Click 'Next' or 'Select Objects' at
the top to process further.
Step 2 - Define Objects
In the 'Select Objects' section, you can specify the object(s) for which you want to apply the policy.
- Location - Select the required trusted network from the list. 'All Locations' is selected by default.You can add networks in the Locations area ('Administration' > 'Locations').
- User - Select the required users from the list. 'Everyone' is selected by default. You can add users in the User Management area ('Administration' > 'User Management').
- Group - Select any required user-groups from the list. 'Everyone' is selected by default. You can create user-groups in the User Management area ('Administration' > 'User Management').
- Department - Select any required department from the list. 'Everyone' is selected by default. You can create departments in the User Management area ('Administration' > 'User Management').
- Computer Name - Select required endpoints from the list. 'Everyone' is selected by default. You can add endpoints the User Management area ('Administration' > 'User Management').
- Click 'Next' or 'Apply Policy' to proceed.
Step 3 - Select Security and Web
Content Policy and
Schedule it
In the 'Apply Policy' section, specify the security and web content profiles that you want to add to the policy. Select the time interval that the policy should be active.
Add Security Profile
- Select Advanced Threat Protection Profile - Select the appropriate ATP profile from the list. The default profile is selected by default. The drop-down will display the ATP exception profiles that are available in the Security Policy section.
- Containment - Select whether you want to run unknown files in the sandbox. Containment is enabled by default.
Add Access Control Profile
- Select URL Filtering Profile - The default profile will be selected. The drop-down will display the URL filtering profiles that are available in URL Filtering section. Select the appropriate URL filtering profile from the list.
- SSL Inspection Settings - Allows you to configure how Comodo SWG should act if SSL certificates for the visited websites are untrusted or revoked. Please note this is a global setting, meaning any modification done will apply for all the policies. Clicking the 'Show Details' link will open the 'SSL Inspection' page.
- File Type Control Policy - Displays file download restriction rules that were created in 'Configuration' > 'Web Content Policy' > 'File Type Control'. Select the appropriate file control rule you wish to apply.
- Select Time Interval of Activity – By default it will be 'Always' meaning the policy will be applied at all times. The drop-down lists the schedules that you have configured in Configuration' > 'Configuration' > 'Time Intervals'. Select the schedule from the drop-down list. Note – Make sure to place a scheduled policy above a non scheduled policy.
Click 'Create' to deploy the policy. The policy will be displayed in the Policy List.
Policy Deployment Examples
Example 1 - Deploy same policy for all users, either roaming or inside the
network
Step 1 - Name
- Name – Select policy order as 1
- Policy Name – Enter a name for the policy
- Remark – Comment for the policy
Step 2 – Select Objects
- Select Location(s) – Select 'All Locations'
- Select User(s) – Select 'Everyone'
- Select Groups(s) – Select 'Everyone'
- Select Department(s) – Select 'Everyone'
- Select Computer Name(s) - Select 'Everyone'
Step 3 - Apply Policy
- Select the Security component profile and Web Content component profiles
- Click 'Create'
In this
example, all users will be applied the same policy since 'All
Locations' include 'Roaming users' and 'Trusted Network'.
Example 2 - User specific and Location specific policy
- Create two trusted networks – Location A and Location B
- Add usernames in User Management
- Create four polices
- Policy 1 – Location = Location B, User = John Smith, Group = Everyone, Department = Everyone, Computer Name = Everyone
- Policy 2 – Location = Roaming Users, User = Everyone, Group = Everyone, Department = Everyone, Computer Name = Everyone
- Policy 3 – Location = All Locations, User = John Smith, Group = Everyone, Department = Everyone, Computer Name = Everyone
- Policy 4 – Global Policy (default profile), All Locations and Everyone
Scenario 1
- John Smith is out of trusted location – Policy 2 will be applied since it matches the current location (Roaming) and other objects are 'Everyone', which includes John Smith.
Scenario 2
- John Smith connects to Location A – SWG first checks first rule, then second and third. Policy 3 will be applied since 'All Locations' in rule 3 includes Location A and username John Smith is specified in that policy with other objects as 'Everyone'.
Scenario 3
- John Smith connects to Location B – Policy 1 will be applied since it matches location and other objects.
Scenario 4
- Another user Angel is out of trusted location - Policy 2 will be applied since it matches the current location (Roaming) and other objects are 'Everyone', which includes Angel.
Scenario 5
- Angel connects to Location B
- Policy 1 is matching on locations but not the username.
- Policy 2 is for roaming users only and Angel is connected to Location B and hence will not be applicable.
- Policy 3 is also not valid since username is different in that.
- Policy 4 (Global Policy) will apply since it has 'All Locations' and 'Everyone'.