ScreenOS Firewalls (NOT SRX)
Contributor
imageblur
Posts: 14
Registered: ‎07-24-2008

SSG 5 Web Filtering by clients IP or by user / group


I now have web filtering set up in transparent mode (thanks AndyC), and now the boss man wants to know if I can give some users full access and restrict others on the same subnet. We have a 192.168.0.0/24. I have been reading through other posts and forums and know that you can make users and groups and then link them to a policy; however, I'm a bit stumped on this.

I have my transparent mode set up for v1-trust to v1-untrust.

I created a new user under Policy Elements / Addresses / List and placed him in v1-trust.

I have made a new policy for admins under Policy / Policies with no web filtering.

And I have done the same for a restricted user, same steps but this time with web filtering.

Both are enabled; however, the restricted user policy overrides the admin policy and web sites are blocked. Depending on what order I move them up or down in the policy list, either everyone has full access or everyone has limited access. I have read that I may have to place these users on different subnets and create different zones. Is it possible to have everyone on the same subnet 192.168.0.0/24 and still accomplish this?

Message Edited by imageblur on 07-30-2008 10:04 PM
Message Edited by imageblur on 07-30-2008 10:15 PM
Contributor
Louis_Winston
Posts: 22
Registered: ‎05-12-2008

Re: SSG 5 Web Filtering by clients IP or by user / group

Hi,

It is possible, but you need to use a specific IP address for each user instead of using a generalised policy. E.g.:

If user A on the subnet wants to have access and user B on the same subnet has to be denied, then get the IP addresses of user A and user B.

Then the policies will be like this:

v1-trust to v1-untrust

<user A IP address (192.168.0.10/32)> <destination IP address any> <service any> <action allow>

<user B IP address (192.168.0.11/32)> <destination IP address any> <service any> <action deny>

Note: don't use the major subnet (e.g. 192.168.0.0/24) for both policies.
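The per-host arrangement Louis describes, written out as ScreenOS CLI so the ordering issue from the first post is visible. This is an added example for this thread, not configuration posted by either participant. The address names, policy IDs, and the use of the HTTP service are assumptions; the url-filter keyword relies on the web-filtering profile that was already set up in transparent mode, so compare against `get policy` on the device before applying anything.

```screenos
## Added example (not from the thread): per-host policies on an SSG 5 in
## transparent mode. Address names and policy IDs are assumed values.

## /32 address objects in the L2 trust zone, one per workstation.
set address v1-trust "admin-pc" 192.168.0.10 255.255.255.255
set address v1-trust "staff-pc" 192.168.0.11 255.255.255.255

## Admin host: web traffic is permitted with no URL filtering.
set policy id 10 from v1-trust to v1-untrust "admin-pc" any HTTP permit

## Restricted host: the same traffic, but passed through the web filter.
set policy id 20 from v1-trust to v1-untrust "staff-pc" any HTTP permit url-filter

## Everyone else on 192.168.0.0/24 is filtered. This catch-all must sit
## BELOW the /32 rules: ScreenOS applies the first policy that matches,
## top to bottom, which is why a /24 rule above the host rules either
## opens or blocks the whole subnet at once.
set policy id 30 from v1-trust to v1-untrust any any HTTP permit url-filter

## If the broad rule was created first, move the host rules above it.
set policy move 10 before 30
set policy move 20 before 30

## Confirm the order the firewall will actually evaluate.
get policy from v1-trust to v1-untrust
```

One caveat a practitioner would want here: these policies identify a machine by its source IP, not a person. On a flat /24 any host can take 192.168.0.10 while the admin's PC is off and inherit the unfiltered rule, so pin the address (DHCP reservation, switch port security) or, if per-person control is really needed, use the user/group authentication that ScreenOS policies support, as mentioned in the first post.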

Contributor
imageblur
Posts: 14
Registered: ‎07-24-2008

Re: SSG 5 Web Filtering by clients IP or by user / group

Thanks Louis, rock on! Worked like a champ. I did not realize that /32 specified that IP only (I just know /24 is class C, LOL).

Thanks again for your help and quick response.

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.