How is a policy or exception assigned to a request?
Web protection policies are used to determine how to respond to a user request for a website or Internet application. Exceptions allow administrators to identify specific websites that should be handled in a different manner than is defined in policies.
Exceptions and policies can be applied to directory clients (user, group, or OU) or computer and network clients (individual IP addresses or IP address ranges). It is therefore possible to have a policy for all of the following:
- The user making the request
- The group or groups to which the user is assigned
- The specific IP address from which a request originates
- The IP address range from which the request originates
In situations where there are multiple exceptions or policies as described above, the service handling the request uses a precedence order to figure out the most applicable exception or policy:
- When Filtering Service (an on-premises component) is used to respond to a request, one of two precedence orders is used, one of which is the default.
For more information about configuring the Filtering Service precedence order, see “Prioritizing group and domain policies” in Administrator Help.
- The hybrid service always uses the following policy precedence order:
Exceptions take precedence over policies. The general rules for determining which exception to apply are:
- Super Administrator exceptions take precedence over exceptions created by delegated administrators, unless the Super Administrator has configured an option to allow delegated administrator exceptions to take precedence.
- Exceptions that apply to one or more individual clients take precedence over exceptions applied to an entire delegated administrator role.
- If multiple equivalent exceptions could be applied (for example, 2 Super Administrator exceptions applied to the same group):
  - Blocked takes precedence over permit.
  - If there are multiple blocked exceptions, the first one found is applied.
  - If there are multiple permitted exceptions and no blocked exceptions, the first permitted exception found is applied.
If no applicable exceptions are found, the service determines which policy to apply:
- When on-premises components respond to a request, by default, a computer or network policy takes precedence over a group policy.
- When the hybrid service enforces policy, a group policy takes precedence over a computer or network policy.
- A policy assigned to a computer (single IP address) takes precedence over a policy assigned to a network (IP address range).
- If multiple group policies apply to the same user, and no higher-priority policy applies, precedence is applied based on the Use most restrictive group policy setting set on the page in the Web module of the Forcepoint Security Manager:
  - If the option is selected, the request is blocked if any of the applicable policies blocks the URL category.
  - If the option is not selected, the request is permitted if any of the applicable policies permits the URL category.
  - If all groups have the same policy, that policy is used.
- Custom protocols take precedence over pre-defined protocols.
- Custom categorization takes precedence over pre-defined categories.
- The Manage Role Priority option in Delegated Administration sets precedence when a user is in multiple groups managed by different delegated administrator roles.
- If no other policy is found, the Default policy is applied.
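The following is a constructed model of the exception and policy precedence rules described above, added here as an example; it is not Forcepoint code and does not reproduce the product's full ordering. It models only the rules this page states (Super Administrator versus delegated exceptions, client versus role scope, block over permit, computer/network versus group policies, the most-restrictive group setting and the Default policy); user-assigned policies, the Filtering Service's two configurable orders and the Manage Role Priority rule are left out, and all identifiers (user names, role names, IP ranges) are assumed sample values.

```python
from collections import namedtuple

# Constructed model of the documented precedence rules; not Forcepoint's own code.
# action: "block"/"permit"; owner: "super"/"delegated"; scope: "client" (named users,
# groups or IPs) or "role" (whole delegated admin role); targets: identifiers it applies to.
Exc = namedtuple("Exc", "action owner scope targets")
# kind: "computer" (single IP), "network" (IP range), "group" or "default"; blocks: categories blocked.
Policy = namedtuple("Policy", "name kind client blocks")
# identities: user, groups, IP, IP ranges and role describing the client; category: URL category.
Request = namedtuple("Request", "identities category")

def pick_exception(req, excs, delegated_first=False):
    """Most applicable exception or None: owner, then client scope, then block over permit, then first found."""
    owner_rank = {"delegated": 0, "super": 1} if delegated_first else {"super": 0, "delegated": 1}
    hits = [(owner_rank[e.owner], e.scope != "client", e.action != "block", i, e)
            for i, e in enumerate(excs) if e.targets & req.identities]
    return min(hits)[-1] if hits else None

def pick_policy(req, policies, default, hybrid=False, most_restrictive=False):
    """(action, policy name). On-premises default: computer > network > group; hybrid: group first."""
    order = ("group", "computer", "network") if hybrid else ("computer", "network", "group")
    for kind in order:
        found = [p for p in policies if p.kind == kind and p.client in req.identities]
        if not found:
            continue
        blocked = [p.name for p in found if req.category in p.blocks]
        permitted = [p.name for p in found if req.category not in p.blocks]
        if kind != "group" or len({p.name for p in found}) == 1:  # first found / same policy
            return ("block" if req.category in found[0].blocks else "permit", found[0].name)
        if most_restrictive:  # "Use most restrictive group policy" selected: any block wins
            return ("block", blocked[0]) if blocked else ("permit", permitted[0])
        return ("permit", permitted[0]) if permitted else ("block", blocked[0])  # any permit wins
    return ("block" if req.category in default.blocks else "permit", default.name)

def decide(req, excs, policies, default, delegated_first=False, hybrid=False, most_restrictive=False):
    exc = pick_exception(req, excs, delegated_first)  # exceptions take precedence over policies
    return (exc.action, "exception") if exc else pick_policy(req, policies, default, hybrid, most_restrictive)

# Constructed sample data (assumed names, roles and addresses).
EXCS = [Exc("permit", "delegated", "client", frozenset({"alice"})),
        Exc("block", "super", "role", frozenset({"role:sales"}))]
POLICIES = [Policy("Kiosk", "computer", "10.0.0.5", frozenset({"Games"})),
            Policy("LAN", "network", "10.0.0.0/24", frozenset()),
            Policy("Engineering", "group", "eng", frozenset()),
            Policy("Contractors", "group", "contractors", frozenset({"Games"}))]
DEFAULT = Policy("Default", "default", "*", frozenset({"Games"}))
ALICE = Request(frozenset({"alice", "role:sales"}), "Games")
BOB = Request(frozenset({"bob", "eng", "contractors", "10.0.0.7", "10.0.0.0/24"}), "Games")
```

Running `decide(BOB, EXCS, POLICIES, DEFAULT, hybrid=True, most_restrictive=...)` with the setting on and off shows how the same two group policies yield opposite results.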