Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Web Policies > Web Categories tab > Filtering action order
Filtering action order
 
Related topics:
*
Policy enforcement actions
*
Exceptions
*
Category list
When a user requests access to a site, the cloud service determines whether to block or permit access based on the details in the policy associated with the user. See Creating a new policy for information.
By default, the cloud service applies the appropriate policy enforcement action to a user request using these steps. If, at any step, the appropriate action is to block the request, the user receives the appropriate block page.
1.
Security category
2.
Application control, File extension, File type, File Size
3.
Cloud Apps
4.
Standard or custom web categories:
a.
Allow access
b.
Require user authentication
c.
Confirm
d.
Quota
e.
Block
f.
Do not block
If the Always allow access to cloud apps on the Allow Access list option is selected on the Cloud Apps tab of the policy, then requests to any cloud app listed on the Allow Access list are allowed, regardless of the action assigned to the associated web category or its security status. Requests to the apps listed on the Protected Cloud Apps list are always forwarded to CASB for further enforcement.
 
* 
Note 
If you do not see the Always allow access to cloud apps on the Allow Access list option on the Cloud Apps tab, contact Technical Support.
When this option is enabled, the cloud service applies the appropriate policy enforcement action to requests using these steps.
1.
File extension, File type, File Size
2.
Cloud apps (This includes protected cloud apps. Requests to those apps are forwarded to Forcepoint CASB for enforcement.)
3.
Security category
4.
Application control
5.
Standard or custom web categories
a.
Allow
b.
Require user authentication
c.
Confirm
d.
Quota
e.
Block
f.
Do not block
When a category exception specifies a time period, several factors affect whether the exception is applied:
*
If the time period includes a timezone, the timezone is used.
*
If a time period does not include a timezone, but the user request originates from a proxied connection that has an associated timezone, the connection's timezone is used.
*
If the time period does not include a timezone, and the user is either roaming or at a proxied connection that has no timezone, the policy timezone is used.
*
If no timezone is available for a time period, any exceptions based on that time period are ineffective.
Given the considerations above, when a per-time, per-user, or per-group exception also exists, it applies actions in this order:
*
users with a time period defined
*
users with no time period defined
*
groups with a time period defined
*
groups with no time period defined
*
default with a time period defined
*
default without a time period defined
In other words, rules with a usable time period defined take precedence over equivalent rules with no time period.
Within each of these, the cloud service uses the same order as the default.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Web Policies > Web Categories tab > Filtering action order
Copyright 2024 Forcepoint. All rights reserved.