General tab

User and group exceptions for time-based access control

Use the General tab to configure settings that cover basic aspects of your users' web browsing, for example availability at certain times of the day, quota time limits, and agreement to your acceptable use policy.

This is also the tab that you see, with some additional options, when you create a new policy. For more information, see Creating a new policy.

If you make any changes to this tab, click Save when done.

Policy name

The name of the policy, which you may want to rename from Default to something more meaningful to your organization, especially if you have a requirement for multiple policies.

Administrator email

This is the email address for the web administrator of this policy. This email address is used as the address from which system messages are sent. Your users may occasionally reply to these messages, so this should be an email address that is monitored by your IT staff or administrative contact.

Default and alternate PAC file address

The default PAC file address is the policy-specific PAC file for this policy. The alternative PAC file address can be used for remote user requests from a network that has port 8081, 8082 or 8087 locked down.

See Policy-specific PAC file for further details.


	Note If you have already deployed a policy-specific PAC file that uses a different URL than the one displayed on this page, there is no need to change it unless you wish to. PAC file URLs provided with earlier versions of your cloud web product will continue to work.

Time zone

To use time-based web filtering, the cloud service must first determine the time zone where users are located. The time zone you set can be used as a single zone for the whole policy, or you can set up time zones for one or more of your proxied connections that override the time zone on the General tab (see Proxied connections).

Daylight saving time is supported where valid on all time zones except GMT and UTC, which are static.

Internet availability

Use this option to configure time-based policy enforcement. The default setting is to allow Internet access at all times, although you can apply user and group-based exceptions (see User and group exceptions for time-based access control).

Alternatively, you can restrict all access by time and display an appropriate block page when access is unavailable. There are 2 formats for this:

Block access for the duration of a defined period (for example, during working hours).

Block access outside a defined period (for example, allowing users to access the Internet only during their lunch period).

The drop-down list contains the standard time periods and any custom periods you have set up (see Time periods).

Full traffic logging


	Important The full traffic logging feature is not available by default. To make it available in your account, contact Support. As an alternative, consider migrating to SIEM Integration. Take advantage of Bring your own storage or switch between Forcepoint storage and your own. See Configuring SIEM storage.

When you enable full traffic logging for your account, all web policies inherit the default setting that you configure. If you want to override the default log retention for a particular policy, change the selection in the Full traffic logging drop-down list from Use account default to either Enabled or Disabled.

For full details of setting up and using full traffic logging, see the "Configuring Full Traffic Logging" technical paper.

Confirm timeout

Enter the maximum time in minutes (default 10) that a user who clicks Continue can access sites in categories governed by the Confirm action. See Policy enforcement actions.

Quota time

Use this option to configure quota times for web categories accessed by users in this policy. See Using quota time to limit Internet access for more information. Select one of the following:

A Daily quota applies to all users accessing categories with Quota as the filtering action or exception. Enter the daily limit in minutes (default 60) for all users of this policy. Then define the session length in minutes (default 10) during which users can visit sites in quota-limited categories.

A Per-category quota allows you to specify a daily limit per category and a session length per category that applies to all quota-limited categories by default. You can then change the daily quota time settings for particular categories or filtering exceptions on the Web Categories tab. See Managing categories, actions, and SSL decryption.

A session begins when the user clicks the Use Quota Time button.

The daily quota allocation for users within a policy is refreshed at midnight in the time zone defined for the user's proxied connection. If no specific time zones are defined in either the proxied connection or the policy, the quota allocation is refreshed at midnight UTC.

If you change the total quota time or session time after a user has started to use their daily quota or has received the quota block page from the cloud-based service, the changes will not take effect until the next day. Similarly, if you move a user to a different policy after they have started to use their daily quota or has received the quota block page from the cloud-based service, the change does not take effect until the next day.

Search filtering

Search filtering is a feature offered by some search engines that helps to limit the number of inappropriate search results displayed to users.

To activate this option, select Enable search filtering.

Ordinarily, Internet search engine results may include thumbnail images associated with sites matching the search criteria. If those thumbnails are associated with blocked sites, the cloud service prevents users from accessing the full site, but does not prevent the search engine from displaying the image.

When you enable search filtering, the cloud service activates a search engine feature that stops thumbnail images associated with blocked sites from being displayed in search results. Enabling search filtering affects both local and roaming users.

Acceptable use policy


	Note Acceptable use policy is a limited-availability feature and may not be enabled for your account.

This feature does not apply to I Series appliances.

You can display a notice to users informing them of your organization's acceptable use policy for Internet use and asking them to agree to accept its terms before they can continue browsing.

To display the notice, mark Require users to agree with acceptable use policy every.... In the drop-down menus, select the AUP page and how frequently you would like to display the notice. The choices are 1, 7, and 30 days.

You can tailor the default acceptable use policy notification to meet your needs, or add different AUP pages for different polices. See Configure block and notification pages.

To apply exceptions to the acceptable use policy for certain domains:

Click Domain Exceptions. This button appears only when you have selected the Require users to agree with acceptable use policy box.

Enter one or more domain names, separated by commas. When users in this policy browse to these domain names, they will never be asked to agree to the acceptable use policy notification page configured for the policy.

Click Add. The domains you have specified are listed below the Add field. To delete a domain, select it from the list and click Delete.

Click Save when you are done.