Adapting the filter policy for temporary account users
The filter policy described below allows sponsored users to access websites over HTTP and HTTPS with URL filtering.
Two rules can be created in the wizard: one to decrypt HTTPS traffic and the other to redirect such traffic to the SSL proxy so that it can be analyzed by URL filter rules and intrusion prevention processes.
- In the Filtering tab in the Security policy > Filter - NAT module, click on New rule and select SSL inspection rule.
- Enter details about the source networks or hosts (From column - sponsorship_network in the example), the destination (To column - Internet in the example) and the destination port (HTTPS in the example). Confirm by clicking on Finish.
- Double click on the source of the rule that redirects to the SSL proxy. In the User field, select Any user@sponsored_users.local.domain.
- In the Advanced properties tab, select Sponsorship as the Authentication method.
- In Port / Protocol, select Application protocol for the Protocol type field, then HTTP for the Application protocol.
- In Inspection, select the URL filter profile to apply (URLFilter_00 in the example).
- Confirm by clicking on OK.
- In the Filtering tab in the Security policy > Filter - NAT module, click on New rule and select Authentication rule.
- In the wizard, enter the source networks or hosts (From field - sponsorship_network in the example) and the destination (To field - Internet in the example) for which unauthenticated users will be redirected to the captive portal.
- Confirm by clicking on Finish. This rule selects the HTTP port as the default destination port.
- To add the HTTPS port to it, double click on the Dest. port field in this rule. In the Destination port field in the window where rules are edited, click on Add an object and select the HTTPS port. Confirm by clicking on OK.
- Using the Up and Down arrows, position this rule between the SSL decryption rule and the SSL proxy redirection rule.
- In the Filtering tab in the Security policy module, click on New rule and select Single rule.
- In the Status column, double-click on Off to enable the rule (the status of the rule becomes On).
- In the Action column, double-click on block, then select the value pass for the Action field. Select the desired log level for connections that match this rule; for example, log (filter log) makes it possible to view events relating to the connections of sponsored users in connection logs.
- In the Source section located to the left of the rule editing window, assign the following values to the various fields:
  - User: select Any user@sponsored_users.local.domain.
  - Source hosts: select the temporary account network.
  - Advanced properties tab:
    - Authentication method: select the Temporary accounts method.
- In the Destination section, select the Internet object for the Destination hosts field
- In the Port / Protocol section, select the HTTP object for the Destination port field
- In Inspection, leave the IPS mode suggested by default and select the URL filter profile to apply (URLFilter_00 in the example). This profile can be customized in the Security policy > URL filtering menu.
The filter policy regarding sponsored users will therefore resemble the following: