Set up multiple Policy Manager rule sets for different users?

We've seen it happen in many different organizations: Marketing needs access to Twitter and Facebook, but leaving these open drives productivity down in other departments. The solution is simple - using Policy Manager, create an additional rack for the Marketing department which allows them (and only them) to access social networking sites.

There are two steps to this process - creating a new rack and sending users to that new rack. The instructions below will walk you through setting up an additional rack and sending users to it.

Quick Links

Click an item to jump directly to that section.

  1. Creating and Configuring a New Rack
  2. Creating Policies Based on IP Address
  3. Creating Policies Based on Username or Group


Creating and Configuring a New Rack

  1. Click Settings on Policy Manager, then click the Policies tab.

  2. Click Add Policy to add a new rack.
    Clicking the image above will load it, full-size, in a new window.

  3. Give it a name, description, and set the Parent Rack to "Default Rack". Hit Add, then Save in the lower right corner of the main window.

  4. Click Back to Apps to return to the main rack view.
    Clicking the image above will load it, full-size, in a new window.

  5. Near the top there will be an entry that says Default Policy with an arrow by the side, click this arrow and select your new rack.

    When viewing your new rack, you'll notice you cannot click Settings on the applications because they are grayed out. This is because this is a "Child Rack"; all settings in these applications are being copied from the "Parent Rack" you set in Policy Manager.

  6. Click Install Apps > Web Filter, which will install a new instance of Web Filter into this rack (overriding the one from the Parent Rack) and allow you to configure it.

    At this point, all "greyed-out" apps are copying their configuration from the Default Rack while the Web Filter settings only come from this instance of Web Filter. This enables you to keep settings for virus scanning and spam blocking the same between racks and only change web filtering settings, which is by far the most often use case - simply configure Web Filter to allow the sites you want and save.

Rack configuration is done - as soon as you send users to this rack they will start being filtered by the new rules. Now you'll need to set up policies to get users to that rack, we'll go over how to do that next. We've covered the two most often used methods, however there are many more options such as policies by interface as well as having time-based policies which let you do things like allow social networking sites for all employees during lunch only. Feel free to explore once you get the hang of it!

Creating Policies Based on IP Address

Setting users to either static IPs or static DHCP entries is a good idea if you're going to set up policies by IP.

  1. Click Settings on Policy Manager, then click Add under the Rules tab.
    Clicking the image above will load it, full-size, in a new window.

  2. Give a description, like "Move Marketing to Allow Facebook", then click the Add Condition button to start adding conditions.

  3. For Type select "Source Address" and in the Value field include the IP(s) you want going through the new rack - you can enter single IPs (, ranges (, or use CIDR notation (

    More specific information on syntax is available here.

  4. Once you enter the IP(s), choose what rack to send them to in the "Target Policy" entry near the bottom, then click Done and Save

Creating Policies Based on Username or Group

Using Directory Connector or Captive Portal with Policy Manager will allow you to create policy rules by username or group name. User name and group name are both available when used with Active Directory; only user name is available when used with NG Firewall's built-in Local Directory.

To send users to a rack by username, simply follow the instructions above and select the "Directory Connector: User in Group" or "Username" condition instead of "Source Address" in your policy rule.


Was this article helpful?
3 out of 3 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk