Lesson 6: Using the sample policies

Use a sample policy to learn more about how to apply different filters at different times of day and on different days of the week.

In addition to the Default policy, your web protection software includes two sample policies that you can use to learn more about managing Internet activity.

  • The Unrestricted policy enforces the Permit All category and protocol filters, 24 hours a day and 7 days a week. Apply this policy to any members of your organization whose Internet activity should never be restricted.
  • The Example - Standard User policy provides an example of how one policy can apply different filters at different times.
    Note: If you are a delegated administrator and do not see the Example - Standard User policy, ask a Super Administrator to copy the sample policy to your role.

Exercise 1: Apply the sample policy to clients

  1. Go to the Policy Management > Policies page.

    A list of policies and descriptions appears in the content pane.

  2. Click Example - Standard User to view the sample policy.
  3. Under the policy name and description at the top of the page, check to see if the policy is applied to any Clients.

    When you make changes to a policy, any clients governed by the policy are affected.

  4. Examine the Schedule portion of the policy.

    This policy includes multiple lines. Each line corresponds with a block of time. Add multiple time blocks to a policy to enforce different filters and different times. In the sample policy:

    • The Default category and protocol filters and the Monitor Only cloud app filter are enforced from 8:00 a.m. to 5:00 p.m., Monday through Friday.
    • The Basic category filter, Basic Security protocol filter, and Monitor Only cloud app filter are enforced from 5:00 p.m. to 8:00 a.m. Monday through Friday. Note that when an enforcement period spans midnight, you must create 2 time blocks: one ending at 24:00 (midnight) and another starting at 00:00 (midnight).
    • The Monitor Only filters are enforced on Saturday and Sunday, permitting access to all sites.
  5. Select each time block in turn. The filters enforced during that period are displayed on the corresponding tabs.

    When a time block is selected, you can edit the filters enforced during that period on the Edit Policies page.

  6. To assign the sample policy to a client, click Apply to Clients in the toolbar at the top of the screen.
  7. Browse the Clients tree to identify a client to be governed by the sample policy. Pick a client added in Lesson 6 that you can use to test the effects of this change.
  8. Mark the check box next to the client name or IP address, and then click OK to cache your change and return to the Edit Policy page.
  9. Click OK on the Edit Policy page and then click Save and Deploy to implement your change.

The selected client now receives the Example - Standard User policy.

Exercise 2: Verify policy enforcement behavior manually

One way to judge the effects of applying a policy to a client is to access the client machine or log on using the client’s network credentials and use a browser to see which sites are permitted and blocked.

Important:

Before performing this lesson, make sure that the Forcepoint URL Database has finished downloading. Go to the Status > Dashboard page, then click Database Download in the toolbar at the top of the content pane. Verify that the download status is Successfully updated.

You may need to log off of the Forcepoint Security Manager and log on again to allow the new database to finish loading.

  1. If you applied the sample policy to a computer client in the previous exercise, log on to that client machine.

    If you applied the sample policy to a user or group client, log on as the affected user.

  2. Open a browser window and navigate to www.ucsd.edu.

    This site is part of the Educational Institutions category, which is permitted by the Default, Basic, and Monitor Only category filters.

  3. Browse to www.calottery.com.

    This site belongs to the Gambling category. Both the Basic and Default category filters block this category. If you are performing this exercise on any day from Monday through Friday, a block page appears.

  4. Browse to www.amazon.com.

    This site belongs to the Shopping category. If the Default category filter is in effect, you are prompted to use quota time to access the site. (More information about quota time appears in the next lesson.) If the Basic category filter is in effect, the site is permitted.

When you are finished exploring which sites are blocked and permitted by the sample policy, return to the Forcepoint Security Manager.

Exercise 3: Use the Test Filtering tool to verify policy enforcement behavior:

The Security Manager includes tools to help you see how client requests are handled without logging on as the user or accessing the Internet from a specific machine.

  • Make sure that the right policy is being applied.
  • Verify that the active policy is blocking and permitting sites as expected.

To see whether a client requesting a specific site would be permitted access:

  1. Click Test Filtering in the Toolbox section of the right navigation pane.
  2. To identify the client to whom you have applied the Example - Standard User policy, do one of the following:
    • Enter the IP address of a computer client.
    • Enter the full distinguished name of a directory client in the User field, or click Find User to browse or search the directory. The search feature is available only if you are using an LDAP-based directory service.
  3. Enter the URL of a site that you want to check.
  4. Click Go.

A pop-up window shows the name and description of the website’s category, the action applied to the site, and the reason for that action.

In the sections that follow, you will learn how to create custom category filters and then to create custom policies to manage client Internet requests.