Filtering action order

When a user requests access to a site, the cloud service determines whether to block or permit access based on the details in the policy associated with the user. See Creating a new policy for information.

By default, the cloud service determines the enforcement action for a user request by evaluating these steps in order. If, at any step, the resulting action is to block the request, the user receives the corresponding block page.

  1. Security category
  2. Application control, File extension, File type, File Size
  3. Cloud Apps
  4. Standard or custom web categories:
    1. Allow access
    2. Require user authentication
    3. Confirm
    4. Quota
    5. Block
    6. Do not block

If the Always allow access to cloud apps on the Allow Access list option is selected on the Cloud Apps tab of the policy, then requests to any cloud app listed on the Allow Access list are allowed, regardless of the action assigned to the associated web category or its security status. Requests to the apps listed on the Protected Cloud Apps list are always forwarded to CASB for further enforcement.

Note: If you do not see the Always allow access to cloud apps on the Allow Access list option on the Cloud Apps tab, contact Technical Support.

When this option is enabled, the cloud service applies the appropriate policy enforcement action to requests using these steps.

  1. File extension, File type, File Size
  2. Cloud apps (This includes protected cloud apps. Requests to those apps are forwarded to Forcepoint CASB for enforcement.)
  3. Security category
  4. Application control
  5. Standard or custom web categories
    1. Allow
    2. Require user authentication
    3. Confirm
    4. Quota
    5. Block
    6. Do not block

When a category exception specifies a time period, several factors affect whether the exception is applied:

  • If the time period includes a timezone, the timezone is used.
  • If a time period does not include a timezone, but the user request originates from a proxied connection that has an associated timezone, the connection’s timezone is used.
  • If the time period does not include a timezone, and the user is either roaming or at a proxied connection that has no timezone, the policy timezone is used.
  • If no timezone is available for a time period, any exceptions based on that time period are ineffective.

Given the considerations above, when per-time, per-user, or per-group exceptions also exist, the cloud service evaluates them in this order of precedence:

  • users with a time period defined
  • users with no time period defined
  • groups with a time period defined
  • groups with no time period defined
  • default with a time period defined
  • default without a time period defined

In other words, rules with a usable time period defined take precedence over equivalent rules with no time period.

Within each of these, the cloud service uses the same order as the default.
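The timezone resolution rules and the exception precedence above can be checked against a small model. The following is an added example, not Forcepoint code: it assumes hypothetical `Rule`, `TimePeriod` and `Request` records, represents timezones as Python `tzinfo` objects, and treats a timed exception as applicable only when its period is currently in effect in the resolved timezone.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Hours are on a 24h clock in the resolved timezone; tz is a tzinfo or None.
TimePeriod = namedtuple("TimePeriod", "start_hour end_hour tz", defaults=(None,))
# scope is "user", "group" or "default"; subject is the name (None for default).
Rule = namedtuple("Rule", "scope subject action period", defaults=(None,))
# when_utc is an aware datetime; connection_tz is the proxied connection's tzinfo.
Request = namedtuple("Request", "user groups when_utc connection_tz roaming",
                     defaults=(None, False))

def resolve_tz(period, req, policy_tz):
    # Period tz first, then the connection's (not when roaming), then policy tz.
    if period.tz is not None:
        return period.tz
    if not req.roaming and req.connection_tz is not None:
        return req.connection_tz
    return policy_tz                      # None means no usable timezone at all

def period_active(period, req, policy_tz):
    tz = resolve_tz(period, req, policy_tz)
    if tz is None:                        # no timezone: the exception is ineffective
        return False
    local_hour = req.when_utc.astimezone(tz).hour
    return period.start_hour <= local_hour < period.end_hour

def pick_rule(rules, req, policy_tz):
    # Keep rules that target this user and whose period (if any) is in effect,
    # then rank user > group > default, timed before untimed within each scope.
    targets = {"user": (req.user,), "group": req.groups, "default": (None,)}
    live = [r for r in rules if r.subject in targets[r.scope]
            and (r.period is None or period_active(r.period, req, policy_tz))]
    live.sort(key=lambda r: (("user", "group", "default").index(r.scope),
                             0 if r.period else 1))
    return live[0] if live else None

def demo():
    # Constructed scenario: alice (group "eng") at 12:00 UTC. Her timed Block
    # rule carries no timezone of its own, so context decides if it is active.
    rules = [Rule("default", None, "Block"), Rule("group", "eng", "Allow"),
             Rule("user", "alice", "Block", TimePeriod(9, 17))]
    noon = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)
    proxied = Request("alice", ("eng",), noon, connection_tz=timezone(timedelta(hours=9)))
    roaming = Request("alice", ("eng",), noon, roaming=True)
    return (pick_rule(rules, proxied, timezone.utc).action,  # 21:00 local: timed rule inactive
            pick_rule(rules, roaming, timezone.utc).action,  # policy tz gives 12:00: timed rule wins
            pick_rule(rules, roaming, None).action)          # no timezone: timed rule ineffective
```

`demo()` returns `("Allow", "Block", "Allow")`: the same timed user exception is skipped, applied, or ineffective depending solely on which timezone can be resolved for it.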