iShield policies enable network administrators to define granular sets of permissions related to accessing internet resources on a per user, device, network, or captive portal session basis. Policies are comprised of several components as described below.
URL Groups
Blacklists
Web Rules
Default Action
URL Groups are used to define custom lists of domains or IP addresses. URL Groups are added to policies and allow network administrators to fine tune their block/allow rules based on their requirements.
To create a URL Group, navigate to Policies > URL Groups and click the “Add URL Group” button.
A dialog box will appear where network administrators can paste a pre-defined list of domains or enter domains manually. In our example we have used WhatsApp. To create the URL group, specify a URL group name. This name will be referenced when the group is used in web rules, so make sure it makes sense to anyone who may be working on the iShield.
Domains can then be inserted into the list using wildcards. Wildcards allow a network administrator to match domains based on the domain name in question. This simplifies URL group creation, as we do not need to know every permutation of the domain name, including possible subdomains and TLDs.
Once you have completed the URL group setup click the “Add URL Group” button. Our URL Group page should now list the newly created URL group for WhatsApp as seen below.
Time conditions can be used to apply web rules on specific days at specific times. To create a time condition, navigate to the “Time Conditions” tab and click on the “Add Time Condition” button.
A dialog box will appear with the title “Add Time Condition”. To create the time condition, specify the time condition name, select the days on which the time condition will execute, and set the start and end time for the time condition.
Refer to the below example for a visual guide to setting up a time condition.
Once the time condition has been configured to your needs, click on the “Add Time Condition” button to create the time condition. The time condition tab page should now look like this.
The final step in creating policies is to combine our URL groups, blacklists, and time conditions into a web rule that will block or allow traffic, either outright or based on the time conditions that we have configured.
Policies
To create a policy, navigate to the policies tab and click on the “Create New Policy” button. A dialog box will appear where the network administrator must enter the name of the policy, for example Guest, Admin, Staff, Students, or Executives.
Click the “Create New Policy” button to add the policy to the list of policies on the policies tab page.
To add a web rule to a policy and begin blocking internet resources, click on the “Add Rule” button within the policy you would like to add the rule to.
A dialog box will appear with the title “Create Web Rule”. Within this dialog box the network administrator can select a URL group or blacklist from the available list of options.
Once the list of blacklists or URL groups has been selected a time condition can be set (if configured) and the action can be set to block or allow.
Once the network administrator is comfortable with the options of this web rule, click “Add Web Rule”. The web rule will be added to the policy and will be actioned once we apply the changes with a reload.
iShield policies execute rules from top to bottom, so always ensure that allow rules are set before block rules. In some cases block rules will be set before allow rules, depending on the policy and what it is that you need to achieve.
As seen in the below screenshot, the social media block rule is at the bottom of the list of web rules and will execute during work hours, which have been configured as Mon-Fri, 08h00 - 17h00. Any day or time outside of this time condition will use the next rule in the list, which is the default rule of “allow”. This means that before work hours, from 00h00 to 07h59, social media will be allowed, and after work hours, from 17h01 to 23h59, social media will be allowed. Social media will also be allowed all day on a Saturday and Sunday, as the time condition does not include these days.
Always remember to save your changes. It is easy to overlook the “Save Changes” button at the bottom of the policies page, so be on the lookout for it when configuring your policies.
The default rule within a policy affects how policies are configured. For more sensitive environments we recommend a default block rule, with allow rules applied only for the isolated websites that the users on the network will need access to in order to complete their work online.
Note: Creating blacklist rules and URL group rules within a single web rule may not work as expected. The below example indicates how the iShield will interpret the rule defined. Creating a single web rule that lists both URL groups and blacklists will create an AND condition between the lists. Only if a domain matches a URL group and also matches a blacklist will the action of block or allow be applied to the domain.
To achieve a filter for WhatsApp and social media outright, split the URL group and blacklist rules into separate web rules.
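The top-to-bottom rule order, the work-hours time condition and the AND behaviour described above can be checked with a small model. This is an added example, not iShield code: the list contents, the `*` wildcard syntax (Python fnmatch) and the dictionary layout are assumptions made for illustration.

```python
from datetime import datetime
from fnmatch import fnmatch

# Constructed sample lists; names, patterns and wildcard syntax are assumptions.
LISTS = {
    "WhatsApp": ["*whatsapp.*"],                         # URL group
    "Social Media": ["*facebook.com", "*twitter.com"],   # stand-in for a blacklist
}
# Mon-Fri (weekday 0-4), 08h00 - 17h00, as in the work-hours example above.
WORK_HOURS = {"days": {0, 1, 2, 3, 4}, "start": "08:00", "end": "17:00"}


def in_list(domain, name):
    """True if the domain matches any wildcard pattern in the named list."""
    return any(fnmatch(domain.lower(), pattern) for pattern in LISTS[name])


def time_ok(cond, when):
    """A rule without a time condition is always active."""
    if cond is None:
        return True
    hhmm = when.strftime("%H:%M")
    return when.weekday() in cond["days"] and cond["start"] <= hhmm <= cond["end"]


def evaluate(policy, domain, when):
    """Return the action of the first matching rule, else the default action."""
    for rule in policy["rules"]:  # rules are checked top to bottom
        # Every list named in a single rule must match (AND condition).
        lists_match = all(in_list(domain, name) for name in rule["lists"])
        if lists_match and time_ok(rule.get("time"), when):
            return rule["action"]
    return policy["default"]


# One web rule naming both lists: a domain must be in both to be blocked.
COMBINED = {"default": "allow", "rules": [
    {"lists": ["WhatsApp", "Social Media"], "time": WORK_HOURS, "action": "block"},
]}
# The same intent split into two web rules: either list is enough.
SPLIT = {"default": "allow", "rules": [
    {"lists": ["WhatsApp"], "time": WORK_HOURS, "action": "block"},
    {"lists": ["Social Media"], "time": WORK_HOURS, "action": "block"},
]}

if __name__ == "__main__":
    monday_10 = datetime(2024, 1, 8, 10, 0)
    for label, policy in (("combined", COMBINED), ("split", SPLIT)):
        print(label, evaluate(policy, "web.whatsapp.com", monday_10))
```

With the combined rule, web.whatsapp.com falls through to the default allow during work hours because it is not also in the social media list; the split policy blocks it.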