Application control examples

To help give a better understanding of how to implement Application Control and to give some ideas as to why it would be used, a number of examples of scenarios are included.

 

Blocking all instant messaging

Instant messaging use is not permitted at the Example Corporation. Application control helps enforce this policy. First you will create an application sensor with a single entry that includes all instant messaging applications. You will set the list action to block.

 

To create the application sensor

1. Go to Security Profiles > Application Control.

2. Select the Create New icon in the title bar of the Edit Application Sensor window.

3. In the Name field, enter no_IM for the application sensor name.

4. Left-click on the IM category.

5. From the dropdown select Block.

6. Select OK to save the new sensor. Next you will assign the sensor to a policy.

 

To enable application control and select the application sensor

1. Go to Policy & Objects > IPv4 Policy.

2. Select the security policy that allows the network users to access the Internet and choose Edit.

3. Under the heading Security Profiles toggle the button next to Application Control to turn it on.

4. In the drop down menu field next to the Application Control select the no_IM application sensor.

5. Select OK.

No IM use will be allowed by the security policy. If other firewall policies handle traffic that users could use for IM, enable application control with the no_IM application sensor for those policies as well.

 

Allowing only software updates

Some departments at Example Corporation do not require access to the Internet to perform their duties. Management therefore decided to block their Internet access. Software updates quickly became an issue because automatic updates will not function without Internet access and manual application of updates is time-consuming.

The solution is configuring application control to allow only automatic software updates to access the Internet.

 

To create an application sensor — web-based manager

1. Go to Security Profiles > Application Control.

2. Select the Create New icon in the title bar of the Edit Application Sensor window.

3. In the Name field, enter Updates_Only as the application sensor name.

4. Left-click each item in the Category list and choose an action from the dropdown:

a. For the Update category, select Monitor.

b. Select Block for the rest of the categories.

5. Select OK.

 

To create an application sensor — CLI

config application list
    edit Updates_Only
        config entries
            edit 1
                set category 17
                set action pass
            next
        end
        set other-application-action block
        set unknown-application-action block
    next
end

 

You will notice that there are some differences in naming between the Web Based Manager and the CLI. For instance, the action called "pass" in the CLI is called "Monitor" in the Web Based Manager.

 

Selecting the application sensor in a security policy

An application sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an application sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

 

To select the application sensor in a security policy — web-based manager

1. Go to Policy & Objects > IPv4 Policy.

2. Select a policy.

3. Select the Edit icon.

4. Under the heading Security Profiles toggle the button next to Application Control to turn it on.

5. In the drop down menu field next to Application Control, select the Updates_Only list.

6. Select OK.

 

To select the application sensor in a security policy — CLI

config firewall policy
    edit 1
        set utm-status enable
        set profile-protocol-options default
        set application-list Updates_Only
    next
end

Traffic handled by the security policy you modified will be scanned for application traffic. Software updates are permitted and all other application traffic is blocked.
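The CLI sensor above can be checked mechanically before it is attached to a policy. The following Python script is an added example, not code from the handbook or from Fortinet: it parses a `config application list` dump using only the keywords shown on this page (config, edit, set, next, end, category, action, other-application-action, unknown-application-action) and reports whether a sensor such as Updates_Only is a genuine allow list, that is, whether every category it does not explicitly pass, and every unknown application, is set to block. The sample configurations, the Sensor class and the function names are constructed for the example.

```python
"""Parse and audit FortiOS-style 'config application list' output.

Added example; it is not code from the FortiOS handbook or from Fortinet.
It assumes only the CLI keywords shown on the page and a constructed
sample that mirrors the Updates_Only sensor.
"""
from dataclasses import dataclass, field
import shlex

# Constructed sample: the Updates_Only sensor as a CLI dump.
UPDATES_ONLY = """
config application list
    edit Updates_Only
        config entries
            edit 1
                set category 17
                set action pass
            next
        end
        set other-application-action block
        set unknown-application-action block
    next
end
"""

# Constructed sample with one line dropped: unknown applications are no
# longer blocked, so the sensor is not a real allow list any more.
LEAKY = UPDATES_ONLY.replace("        set unknown-application-action block\n", "")


@dataclass
class Sensor:
    name: str
    settings: dict = field(default_factory=dict)   # sensor-level 'set' lines
    entries: list = field(default_factory=list)    # one dict per 'config entries' row


def parse_application_lists(text):
    """Return {name: Sensor}. Stack-based: config/edit push, next/end pop."""
    sensors, stack = {}, []
    current = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(("config", " ".join(args)))
        elif kw == "edit":
            parent = stack[-1][1]
            stack.append(("edit", args[0]))
            if parent == "application list":
                current = Sensor(name=args[0])
                sensors[current.name] = current
            elif parent == "entries":
                entry = {"id": args[0]}
                current.entries.append(entry)
        elif kw == "set":
            target = entry if entry is not None else current.settings
            target[args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):
            if stack[-1][0] == "edit":          # leave the current table row
                stack.pop()
                if stack[-1][1] == "entries":
                    entry = None
                else:
                    current = None
            if kw == "end":                     # 'end' also leaves the table
                stack.pop()
    return sensors


def audit_allow_list(sensor, allowed_categories):
    """List the ways `sensor` fails to be a strict allow list.

    A strict allow list passes only `allowed_categories` and blocks every
    other, and every unknown, application. An empty result means it does.
    """
    problems = []
    for e in sensor.entries:
        cat, action = e.get("category"), e.get("action")
        if action != "block" and cat not in allowed_categories:
            problems.append(f"entry {e['id']} lets category {cat} through ({action})")
    for key in ("other-application-action", "unknown-application-action"):
        if sensor.settings.get(key) != "block":
            problems.append(f"{key} is {sensor.settings.get(key, 'unset')}, expected block")
    return problems


def check(text, allowed_categories=("17",)):
    """Parse `text` and audit every sensor in it; returns {name: problems}."""
    return {name: audit_allow_list(s, allowed_categories)
            for name, s in parse_application_lists(text).items()}


if __name__ == "__main__":
    for label, cfg in (("Updates_Only", UPDATES_ONLY), ("leaky copy", LEAKY)):
        print(label, check(cfg))
```

Running it on a real `show application list` dump is the same call; the point of the second sample is that a sensor can look like an allow list at the entry level while the sensor-level defaults quietly let unknown applications through.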


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Working with other FortiOS components

Application Control is not just a module that is inserted into the OS and works independently of all the other components.

 

WAN Optimization

There is a feature that enables both IPS and Application Control on both non-HTTP WANOpt traffic and HTTP-tunneled traffic through HTTP CONNECT. The basic idea is that it hooks a scan connection to a port so that traffic is redirected to the IPS engine before being forwarded to a different module.

 

Application control monitor

The application monitor enables you to gain an insight into the applications generating traffic on your network. When monitor is enabled in an application sensor entry and the list is selected in a security policy, all the detected traffic required to populate the selected charts is logged to the SQL database on the FortiGate unit hard drive.

The charts are available for display in the executive summary section of the log and report menu.

Because the application monitor relies on a SQL database, the feature is available only on FortiGate units with an internal hard drive.

While the monitor charts are similar to the top application usage dashboard widget, it offers several advantages. The widget data is stored in memory so when you restart the FortiGate unit, the data is cleared. Application monitor data is stored on the hard drive and restarting the system does not affect old monitor data.

Application monitor allows you to choose to compile data for any or all of three charts: top ten applications by bandwidth use, top ten media users by bandwidth, and top ten P2P users by bandwidth. Further, there is a chart of each type for the traffic handled by each security policy with application monitor enabled. The top application usage dashboard widget shows only the bandwidth used by the top applications since the last system restart.

 

Enable application control

Application control examines your network traffic for traffic generated by the applications you want it to control.

 

General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Create an application sensor.

2. Configure the sensor to include the signatures for the application traffic you want the FortiGate unit to detect.

3. Enable any other applicable options.

4. Enable application control in a security policy and select the application sensor.

 

Creating an application sensor

You need to create an application sensor before you can enable application control.

 

To create an application sensor

1. Go to Security Profiles > Application Control.

2. Select the Create New icon in the title bar of the Edit Application Sensor window.

3. In the Name field, enter the name of the new application sensor.

4. Optionally, you may also enter a comment.

 

Adding applications to an application sensor

Once you have created an application sensor, you need to define the applications that you want to control. You can add applications and filters using categories, application overrides, and/or filter overrides. Categories allow you to choose groups of signatures based on a category type. Application overrides allow you to choose individual applications. Filter overrides allow you to select groups of applications and override the application signature settings for them.

 

To add a category of signatures to the sensor

1. Go to Security Profiles > Application Control.

2. Under Categories, you may select from the following:

  • Botnet
  • Business
  • Cloud.IT
  • Collaboration
  • Email
  • Game
  • General.Interest
  • Mobile
  • Network.Service
  • P2P
  • Proxy
  • Remote.Access
  • Social.Media
  • Storage.Backup
  • Update
  • Video/Audio
  • VoIP
  • Web.Clients
  • Unknown Applications

 

When selecting the category that you intend to work with, left click on the icon next to the category name to produce a drop down menu that includes:

  • Allow
  • Monitor
  • Block
  • Quarantine
  • View Signatures

3. If you wish to add individual applications, select Add Signatures under Application Overrides.

a. Use the Add Filter search field to narrow down the list of possible signatures by a series of attributes.

b. When finished, select Use Selected Signatures.

4. If you wish to add advanced filters, select Add Filter under Filter Overrides.

a. Use the Add Filter search field to narrow down the list of possible filters by a series of attributes.

b. When finished, select Use Filters.

5. Select, if applicable, from the following options:

  • Allow and Log DNS Traffic
  • Replacement Messages for HTTP-based Applications

6. Select OK.

There is a disabled category called Industrial. This category is disabled by default, however it can be applied through use of the CLI command below. Note that none will mean no signatures are excluded, and that industrial will exclude all industrial signatures.

 

CLI Syntax

config ips global
    set exclude-signatures [none | industrial]
end

 

Creating a New Custom Application Signature

If you have to deal with an application that is not already in the Application List you have the option to create a new one.

1. Go to Security Profiles > Application Control.

2. Select the link in the upper right corner, [View Application Signatures].

3. Select the Create New icon.

4. Give the new signature a name (no spaces) in the Name field.

5. Enter a brief description in the Comments field.

6. Enter the text for the signature in the signature field. Use the rules found in the Custom IPS signature chapter to determine syntax.

7. Select OK.

 

You can configure rate based application control signatures in the CLI Console using similar IPS signature rate CLI commands.

For more information on this and the CLI syntax, see IPS signature rate count threshold on page 2169.

 

Messages in response to blocked applications

Once an Application Control sensor has been configured to block a specified application and applied to a policy, it seems inevitable that at some point an application will end up getting blocked, even if only to test the functionality of the control. When this happens, the sensor can be set either to display a message to the offending user or to block silently without any notification. The default setting is to display a message. This is configured in the CLI.

config application list
    edit <name of the sensor>
        set app-replacemsg {enable | disable}
    next
end



Application considerations

Some applications behave differently from most others. You should be aware of these differences before using application control to regulate their use.

 

IM applications

The Application Control function for a number of IM applications is not in the Web Based Manager but in the CLI of the FortiGate unit. These applications are:

  • AIM
  • ICQ
  • MSN
  • Yahoo

These applications are controlled by either permitting or denying users from logging in to the service. Individual IM accounts are configured as permitted or not, and a global policy per application determines how unknown users are handled and whether to add the user to the black list or the white list.

The configuration details for these settings can be found in the CLI Reference guide under the heading of imp2p.

 

Skype

Based on the NAT firewall type, Skype takes advantage of several NAT firewall traversal methods, such as STUN (Simple Traversal of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN (Traversal Using Relay NAT), to make the connection.

The Skype client may try to log in with either UDP or TCP, on different ports, especially well-known service ports, such as HTTP (80) and HTTPS (443), because these ports are normally allowed in firewall settings. A client who has previously logged in successfully could start with the known good approach, then fall back on another approach if the known one fails.

The Skype client could also employ Connection Relay. This means if a reachable host is already connected to the Skype network, other clients can connect through this host. This makes any connected host not only a client but also a relay server.

 

SPDY

SPDY (pronounced speedy, it’s a trademarked name not an acronym) is a networking protocol developed to increase the speed and security of HTML traffic. It was developed primarily by Google. The Application Control engine recognises this protocol and its required SSL/TLS component within Application Control sensors. It is counted as part of application traffic for Google and other sources that use the protocol.



Basic FortiGate Configuration On FortiOS 5.4.x

This is a short little stream of consciousness video relating to how I like to configure my SOHO units (smaller units) when they are new arrivals. I cover some simple things like why I setup policies the way I do etc. If you have specific video topics you would like me to cover please let me know. I want to provide what Fortinet users want.



Application Control Actions

 

Allow

This action allows the targeted traffic to continue on through the FortiGate unit.

 

Monitor

This action allows the targeted traffic to continue on through the FortiGate unit but logs the traffic for analysis.

 

Block

This action prevents all traffic from reaching the application and logs all occurrences.

 

Reset

This action resets the session or connection between the FortiGate and the initiating node.

 

Traffic Shaping

This action presents a number of default traffic shaping options:

  • guarantee-100kbps
  • high-priority
  • low-priority
  • medium-priority
  • shared-1M-pipe

 

View Signatures

This option brings up a window that displays a list of the signatures with the following columns:

  • Application Name
  • Category
  • Technology – Technology is broken down into three technology models, plus the more basic Network-Protocol, which can be used as a catch-all for anything not covered by the more narrowly defined technologies of:
    • Browser-Based
    • Client-Server
    • Peer-to-Peer
  • Popularity – Popularity is broken down into 5 levels of popularity represented by stars; 5 stars represent the most popular applications and 1 star represents the least popular applications.
  • Risk – The Risk property does not indicate the level of risk but the type of impact that is likely to occur by allowing the traffic from that application. The Risk list is broken down into the following


Application control concepts

You can control network traffic generally by the source or destination address, or by the port, the quantity or similar attributes of the traffic itself in the security policy. If you want to control the flow of traffic from a specific application, these methods may not be sufficient to precisely define the traffic. To address this problem, the application control feature examines the traffic itself for signatures unique to the application generating it. Application control does not require knowledge of any server addresses or ports. The FortiGate unit includes signatures for over 1000 applications, services, and protocols.

Updated and new application signatures are delivered to your FortiGate unit as part of your FortiGuard Application Control Service subscription. Fortinet is constantly increasing the number of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number.

To view the version of the application control database installed on your FortiGate unit, go to the License Information dashboard widget and find the IPS Definitions version.

To see the complete list of applications supported by FortiGuard Application Control go to the FortiGuard Application Control List. This web page lists all of the supported applications. You can select any application name to see details about the application.



Application Control

Using the Application Control Security Profile feature, your FortiGate unit can detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non- standard ports or protocols.

The FortiGate unit can recognize the network traffic generated by a large number of applications. You can create application control sensors that specify the action to take with the traffic of the applications you need to manage and the network on which they are active, and then add application control sensors to the firewall policies that control the network traffic you need to monitor.

Fortinet is constantly increasing the list of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number.

You can find the version of the application control database that is installed on your unit by going to the License Information dashboard widget and finding the IPS Definitions version.

You can go to the FortiGuard Application Control List to see the complete list of applications supported by FortiGuard. This web page lists all of the supported applications. You can select any application name to see details about the application.

If you enable virtual domains (VDOMs) on the FortiGate unit, you need to configure application control separately for each virtual domain.

 

The following topics are included in this section:

  • Application control concepts
  • Application considerations
  • Application traffic shaping
  • Application control monitor
  • Enable application control
  • Application control examples



Configuring Web Filter Profiles

 

Enabling FortiGuard Web Filter

FortiGuard Web Filter is enabled and configured within web filter profiles by enabling FortiGuard Categories. The service is engaged by turning on the Web Filter profile and selecting a profile that has FortiGuard Categories enabled on one or more active policies being run by the firewall.

There is also a system wide setting for the enabling or disabling of FortiGuard Web Filter that is only in the CLI.

config system fortiguard
    set webfilter-force-off {enable | disable}
end

The two options for this setting are enable and disable. Because the setting is named "force-off", the logic is inverted: to enable FortiGuard Web Filter you set it to disable, and you set it to enable if you want to turn the filter off.

 

General configuration steps

1. Go to Security Profiles > Web Filter.

2. Determine if you wish to create a new profile or edit an existing one.

3. Select an Inspection Mode.

4. If you are using FortiGuard Categories, enable the FortiGuard Categories, select the categories and select the action to be performed.

5. Configure any Quotas needed. (Proxy Mode)

6. Allow blocked override if required.(Proxy Mode)

7. Set up Safe Search settings and/or YouTube Education settings. (Proxy & Flow-based)

8. Configure Static URL Settings. (All Modes)

9. Configure Rating Options. (All Modes)

10. Configure Proxy Options.

11. Save the filter and web filter profile.

12. To complete the configuration, you need to select the security policy controlling the network traffic you want to restrict. Then, in the security policy, enable Web Filter and select the appropriate web filter profile from the list.

 

Configuring FortiGuard Web Filter settings

FortiGuard Web Filter includes a number of settings that allow you to determine various aspects of the filtering behavior.

 

Getting to the Edit Web Filter Profile configuration window

Once you have reached the profile configuration window there are a number of settings that can be used, most of which are optional. To avoid redundancy, each section of options is treated separately below without duplicating the common instructions on how to get to the profile editing page. Those instructions are here.

1. Go to Security Profiles > Web Filter.

2. Determine if you wish to create a new profile or edit an existing one.

a. New profile:

i. Select the Create New icon, in the upper right of the window (looks like a plus sign in a circle) or…

ii. Select the List icon, in the upper right (looks like a white rectangle with lines like text). Select the Create New icon in the upper left.

b. Edit existing profile:

i. Select the name of the profile that you wish to edit from the dropdown menu.

ii. Select the List icon, in the upper right (looks like a white rectangle with lines like text). Select the name of the profile from the list.

3. Make sure there is a valid name, and comment if you want.

4. Configure the settings to best achieve your specific requirements

5. Select Apply or OK, depending on whether you are editing or creating a new profile.

In older versions of FortiOS there was a character limitation for the URL of 2048 bytes or approximately 321 characters. If the URL you were trying to reach was longer, the URL sent to FortiGuard would be truncated and the service would be unable to categorize the site. Starting in version 5 of the firmware the parsed URL has been increased to 4 kilobytes, effectively doubling the length of a URL capable of being categorized.

 

To configure the FortiGuard Web Filter categories

1. Go to the Edit Web Filter Profile window.

2. The category groups are listed in a widget. You can expand each category group to view and configure every subcategory individually within the group. If you change the setting of a category group, all categories within the group inherit the change.

3. Select the category groups and categories to which you want to apply an action.

To assign an action to a category left click on the category and select from the pop up menu.

4. Enable Enforce Quota to activate the quota for the selected categories and category groups.

5. Select Hours, Minutes, or Seconds and enter the number of hours, minutes, or seconds. This is the daily quota allowance for each user.

6. Select Apply or OK.

Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.

If you look at your logs carefully, you may notice that not every URL connection in the log shows a category; they are left blank. If you take one of those URLs and enter it in the FortiGuard website designed to show the category for a URL, it will successfully categorize it.

The reason for this is that, to optimize throughput and reduce the load on the FortiGuard servers, the FortiGate does not determine a category rating for scripts and CSS files.

 

Configuring FortiGuard Category Quotas

1. Go to the Edit Web Filter Profile window

2. Verify that the categories that need to have quotas on them are set to one of the actions:

  • Monitor
  • Warning
  • Authenticate

3. Select the blue triangle expand symbol to show the widget for Quotas.

4. Select Create New or Edit.

5. In the New/Edit Quota window that pops up enable or disable the specific categories that the quota will apply to.

6. At the bottom of the widget, select Hours, Minutes, or Seconds and enter the number of hours, minutes, or seconds. This is the daily quota allowance for each user.

7. Select Apply or OK.

8. Continue with any other configuration in the profile

9. Select Apply or OK.

Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.

 

Configure Allowed Blocked Overrides

1. Go to the Edit Web Filter Profile window.

2. Enable Allow Blocked Override

3. In the Apply to Group(s) field select the desired User Group

4. In the Assign to Profile field, select the desired profile

 

Configure Search Engine Section

There are 2 primary configuration settings in this section.

 

Enable Safe Search

 

To enable the Safe Search settings

1. Go to the Edit Web Filter Profile window.

2. Enable Safe Search

3. Enable Search Engine Safe Search

4. Enable YouTube Filter

a. Enter the YouTube User ID in the Text field

 

Log All Search Keywords

In the GUI, the configuration setting is limited to a checkbox.

 

Configure Static URL Filter

Web Content Filter

To enable the web content filter and set the content block threshold

1. Go to the Edit Web Filter Profile window.

2. In the Static URL Filter section enable Web Content Filter.

3. Select Create New.

4. Select the Pattern Type.

5. Enter the content Pattern.

6. Enter the Language from the dropdown menu.

7. Select Block or Exempt, as required, from the Action list.

8. Select Enable.

9. Select OK.

 

Configure Rating Options

Allow Websites When a Rating error Occurs

In the GUI, the configuration setting is limited to a checkbox.

 

Rate URLs by Domain and IP Address

In the GUI, the configuration setting is limited to a checkbox.

 

Block HTTP Redirects by Rating

In the GUI, the configuration setting is limited to a checkbox.

 

Rate Images by URL (Blocked images will be replaced with blanks)

In the GUI, the configuration setting is limited to a checkbox.

 

Configure Proxy Options

Restrict Google Account Usage to Specific Domains

Configuring the feature in the GUI

Go to Security Profiles > Web Filter.

In the Proxy Options section, check the box next to Restrict to Corporate Google Accounts Only. Use the Create New link within the widget to add the appropriate Google domains that will be allowed.

Configuring the feature in the CLI

To configure this option in the CLI, the URL filter must refer to a web-proxy profile that is using the Modifying HTTP Request Headers feature. The command is only visible when the action for the entry in the URL filter is set to either allow or monitor.

1. Configure the proxy options:

config web-proxy profile
    edit "googleproxy"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "fortinet.com, Ladan.ca"
            next
        end
    next
end

2. Set a web filter profile to use the proxy options

config webfilter urlfilter
    edit 1
        config entries
            edit "*.google.com"
                set type wildcard
                set action {allow | monitor}
                set web-proxy-profile <profile>
            next
        end
    next
end

In the CLI, you can also add, modify, and remove header fields in HTTP requests when scanning web traffic in proxy mode. If a header field already exists when your FortiGate receives the request, its content is modified according to the configuration in the URL filter.
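To make the mechanism concrete, here is an added Python simulation of what the two CLI blocks above configure; it is not Fortinet code. A URL filter entry with action allow or monitor references a web-proxy profile, and that profile's header rules are applied to matching requests, overwriting the header if the client already sent one. The header name and domain values are taken from the page; the request samples, the fnmatch-based wildcard matching, the "unmatched traffic passes untouched" fallback and the function and variable names are assumptions made for the example.

```python
"""Simulate URL-filter-driven HTTP request header modification.

Added example, not Fortinet code. It models the mechanism configured by the
two CLI blocks on the page: a URL filter entry (allow or monitor) that
references a web-proxy profile, whose header rules are applied to matching
requests. Header name and domains come from the page; PROXY_PROFILES,
URL_FILTER, the request samples and fnmatch-based wildcard matching are
assumptions made for the example.
"""
import fnmatch
from urllib.parse import urlsplit

# config web-proxy profile "googleproxy" -> config headers
PROXY_PROFILES = {
    "googleproxy": [("X-GoogApps-Allowed-Domains", "fortinet.com, Ladan.ca")],
}

# config webfilter urlfilter -> config entries (first match wins)
URL_FILTER = [
    {"url": "*.google.com", "type": "wildcard", "action": "allow",
     "web-proxy-profile": "googleproxy"},
    # A block entry with a profile attached: the page says the option only
    # applies for allow/monitor, so this entry blocks and never touches headers.
    {"url": "*.blocked.example", "type": "wildcard", "action": "block",
     "web-proxy-profile": "googleproxy"},
]


def url_matches(entry, host):
    """Wildcard host match; other entry types are out of scope here."""
    if entry["type"] != "wildcard":
        raise ValueError(f"unsupported URL filter type: {entry['type']}")
    return fnmatch.fnmatchcase(host.lower(), entry["url"].lower())


def apply_url_filter(request, url_filter=URL_FILTER, profiles=PROXY_PROFILES):
    """Return (action, headers) for request = {"url": str, "headers": dict}.

    Headers from the referenced web-proxy profile are set on the request only
    when the entry's action is allow or monitor. A header the client already
    sent is overwritten, so a client-supplied X-GoogApps-Allowed-Domains
    cannot widen the allowed set.
    """
    host = urlsplit(request["url"]).hostname or ""
    headers = dict(request["headers"])
    for entry in url_filter:
        if not url_matches(entry, host):
            continue
        profile = entry.get("web-proxy-profile")
        if entry["action"] in ("allow", "monitor") and profile:
            for name, value in profiles[profile]:
                headers[name] = value
        return entry["action"], headers
    return "allow", headers          # assumption: unmatched traffic passes untouched


# Constructed requests.
SAMPLES = [
    {"url": "https://mail.google.com/mail/u/0/",
     "headers": {"Host": "mail.google.com",
                 "X-GoogApps-Allowed-Domains": "personal-domain.invalid"}},
    {"url": "https://www.blocked.example/", "headers": {}},
    {"url": "https://www.example.net/", "headers": {}},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["url"], apply_url_filter(req))
```

The first sample is the case worth checking on a real deployment: the restriction only holds if the firewall replaces, rather than merely adds, the header, and only if every path to Google (including any policy without the profile) is covered.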

 

Web Resume Download block

In the GUI, the configuration setting is limited to a checkbox.

 

Provide Details for Blocked HTTP 4xx and 5xx Errors

In the GUI, the configuration setting is limited to a checkbox.

HTTP POST Action

Remove Java Applet Filter

In the GUI, the configuration setting is limited to a checkbox.

 

Remove ActiveX Filter

In the GUI, the configuration setting is limited to a checkbox.

 

Remove Cookie Filter

In the GUI, the configuration setting is limited to a checkbox.

 

Web filtering example

Web filtering is particularly important for protecting school-aged children. There are legal issues associated with improper web filtering as well as a moral responsibility not to allow children to view inappropriate material. The key is to design a web filtering system in such a way that students and staff do not fall under the same web filter profile in the FortiGate configuration. This is important because the staff may need to access websites that are off-limits to the students.

 

School district

The background for this scenario is a school district with more than 2300 students and 500 faculty and staff in a preschool, three elementary schools, a middle school, a high school, and a continuing education center. Each elementary school has a computer lab and the high school has three computer labs with connections to the Internet. Such easy access to the Internet ensures that every student touches a computer every day.

With such a diverse group of Internet users, it was not possible for the school district to set different Internet access levels. This meant that faculty and staff were unable to view websites that the school district had blocked. Another issue was the students’ use of proxy sites to circumvent the previous web filtering system. A proxy server acts as a go-between for users seeking to view web pages from another server. If the proxy server has not been blocked by the school district, the students can access the blocked website.

When determining what websites are appropriate for each school, the district examined a number of factors, such as community standards and different needs of each school based on the age of the students.

The district decided to configure the FortiGate web filtering options to block content of an inappropriate nature and to allow each individual school to modify the options to suit the age of the students. This way, each individual school was able to add or remove blocked sites almost immediately and have greater control over their students’ Internet usage.

In this simplified example of the scenario, the district wants to block any websites with the word example on them, as well as the website www.example.com. The first task is to create web content filter lists for the students and the teachers.

 

Create a Webfilter for the students

1. Go to Security Profiles > Web Filter.

2. Select the Create New icon.

3. Enter the name “Students” in the name field.

4. For the Inspection mode, select Proxy.

5. Enable FortiGuard Categories.

a. Set to block the following categories:

  • Potentially Liable
  • Adult/Mature Content
  • Security Risk

 

URL Content

6. Check Enable Safe Search

a. Check Search Engine Safe Search – Google, Yahoo!, Bing, Yandex

b. Check YouTube Education Filter and enter the YouTube User ID

7. In the Static URL Filter section, check Enable URL Filter.

a. In the URL Filter widget, Select Create New.

i. In the URL field, enter *example*.*

ii. For the Type field, select Wildcard

iii. For the Action field, select Block

iv. For the Status field, check Enable

v. Select OK

 

Web Content Filter

8. In the Static URL Filter section, check Enable Web Content Filter.

a. In the Web Content Filter widget, select Create New.

b. Enter the name “Teachers” in the name field.

i. For the Pattern Type field, select

ii. In the Pattern field, enter “example”

iii.  For the Language field, choose Western

iv. For the Action field, select “Block”

v. For the Status field, check Enable.

vi. Select OK

9. Check Rate URLs by Domain and IP Address

10. Check Block HTTP Redirects by Rating

11. Check Rate Images by URL (Blocked images will be replaced with blanks)

12. Select OK

 

Create a Webfilter for the Teachers

It might be more efficient if the Teacher Web Content List included the same blocked content as the student list. From time to time a teacher might have to view a blocked page; it would then be a matter of changing the Action from Block to Allow as the situation required. The following filter shows how the teachers’ profile could be set up so that they can see the “example” content if needed while inappropriate material remains blocked.

1. Go to Security Profiles > Web Filter.

2. Select the Create New icon.

3. Enter the name “Teachers” in the name field.

4. For the Inspection mode, select Proxy.

5. Enable FortiGuard Categories.

a. Set to block the following categories:

  • Potentially Liable
  • Adult/Mature Content
  • Security Risk

 

URL Content

6. Check Enable Safe Search

a. Check Search Engine Safe Search – Google, Yahoo!, Bing, Yandex

b. Check YouTube Education Filter and enter the YouTube User ID

7. In the Static URL Filter section, check Enable URL Filter.

a. In the URL Filter widget, Select Create New.

i. In the URL field, enter *example*.*

ii. For the Type field, select Wildcard

iii. For the Action field, select Block

iv. For the Status field, check Enable

v. Select OK

 

Web Content Filter

8. In the Static URL Filter section, check Enable Web Content Filter.

a. In the Web Content Filter widget, select Create New.

b. Enter the name “Teachers” in the name field.

i. For the Pattern Type field, select

ii. In the Pattern field, enter “example”

iii.  For the Language field, choose Western

iv. For the Action field, select “Exempt”

v. For the Status field, check Enable.

vi. Select OK

9. Check Rate URLs by Domain and IP Address

10. Check Block HTTP Redirects by Rating

11. Check Rate Images by URL (Blocked images will be replaced with blanks)

12. Select OK

 

To create a security policy for the students

1. Go to Policy & Objects > IPv4 Policy.

2. Select the policy being used to manage student traffic.

3. Enable Web Filter.

4. Select Students from the web filter drop-down list.

5. Select OK.

 

To create a security policy for Teachers

1. Go to Policy & Objects > IPv4 Policy.

2. Select the policy being used to manage teacher traffic.

3. Enable Web Filter.

4. Select Teachers from the web filter drop-down list.

5. Select OK.

6. Make sure that the student policy is in the sequence before the teachers’ policy.
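As an added illustration (not part of the FortiGate documentation), the following Python model evaluates sample requests against simplified versions of the Students and Teachers profiles configured above, using the page's own *example*.* URL entry, the “example” content pattern and the three blocked categories. The stage order (static URL filter, then FortiGuard category, then web content filter), the profile structure and the sample requests are assumptions of this model, not FortiGate's actual filtering engine.

```python
import re
from dataclasses import dataclass

@dataclass
class Profile:
    """Simplified web filter profile (model, not FortiGate's data structure)."""
    name: str
    blocked_categories: set
    url_filter: list       # list of (wildcard pattern, action)
    content_filter: list   # list of (text pattern, action)

def wildcard_to_regex(pattern):
    """Turn a wildcard URL entry into an anchored regex; only '*' is special here."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def evaluate(profile, url, category, body):
    """Return (verdict, reason). Assumed order: URL filter, category, content filter."""
    # Stage 1: static URL filter; the first matching entry decides.
    for wildcard, action in profile.url_filter:
        if wildcard_to_regex(wildcard).match(url):
            return ("block" if action == "block" else "allow"), f"url filter {wildcard}"
    # Stage 2: FortiGuard category rating.
    if category in profile.blocked_categories:
        return "block", f"category {category}"
    # Stage 3: web content filter over the returned page body.
    for pattern, action in profile.content_filter:
        if re.search(re.escape(pattern), body, re.IGNORECASE):
            return ("block" if action == "block" else "allow"), f"content {action} {pattern}"
    return "allow", "no match"

CATEGORIES = {"Potentially Liable", "Adult/Mature Content", "Security Risk"}
STUDENTS = Profile("Students", CATEGORIES, [("*example*.*", "block")], [("example", "block")])
TEACHERS = Profile("Teachers", CATEGORIES, [("*example*.*", "block")], [("example", "exempt")])

# Constructed sample requests: (URL without scheme, FortiGuard category, body snippet).
REQUESTS = [
    ("www.example.com/", "Information Technology", "welcome"),
    ("news.site/article", "News and Media", "for example, the council voted"),
    ("badsite.test/", "Adult/Mature Content", "..."),
    ("school.test/homework", "Education", "due friday"),
]

def run(profile):
    """Map each sample URL to the profile's verdict."""
    return {url: evaluate(profile, url, cat, body)[0] for url, cat, body in REQUESTS}

if __name__ == "__main__":
    for profile in (STUDENTS, TEACHERS):
        for url, cat, body in REQUESTS:
            print(profile.name, url, *evaluate(profile, url, cat, body))
```

Because the static URL filter runs first in this model, www.example.com is blocked for teachers as well; the Exempt entry only relaxes the content-filter match on pages whose body contains “example”.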

