07-30-2008 10:03 PM - edited 07-30-2008 10:15 PM
I now have web filtering set up in transparent mode (thanks AndyC) and now the boss man wants to know if I can give some users full access and restrict others on the same subnet. We have a 192.168.0.0 /24. I have been reading through other posts and forums and know that you can make users and groups and then link them to a policy. However, I'm a bit stumped on this.
I have my transparent mode set up for v1-trust to v1-untrust
I created a new user under policy elements/addresses/list and placed him in v1-trust
I have made a new policy for admins under policy/policies with no web filtering
And I have done the same for a restricted user, same steps but this time with web filtering
Both are enabled; however, the restricted user policy overrides the admin policy and web sites are blocked. Depending on what order I move them up or down in the policy list, either everyone has full access or everyone has limited access. I have read that I may have to place these users on different subnets and create different zones. Is it possible to have everyone on the same subnet 192.168.0.0 /24 and still accomplish this?
07-30-2008 10:26 PM
It is possible, but you need to use a specific IP address for each user instead of using a generalised policy. E.g.
if user A of the same subnet wants to have access and user B of the same subnet has to get denied, then get the IP address of user A and user B.
Then the policy will be like this
v1-trust to v1-untrust
<user A ip address (192.168.0.10/32)> <destination ip address any> <service any> <action allow>
<user B ip address (192.168.0.11/32)> <destination ip address any> <service any> <action deny>
Note: don't use the major subnet for both policies, e.g. 192.168.0.0/24
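To see why the two /24 policies behaved as the original poster describes, here is a small first-match model of a zone policy list, added to this thread as an illustration (it is not ScreenOS code and not from either poster). It assumes the firewall evaluates policies top to bottom and takes the first whose source address covers the packet; the catch-all third rule in the /32 version is an assumption for "everyone else", not something Louis specified.

```python
import ipaddress

# Constructed model of a first-match policy list. Each policy is
# (source CIDR, action, web_filtering_enabled). Zones are omitted since
# every policy in the thread is v1-trust to v1-untrust.

def first_match(policies, src_ip):
    """Return (action, web_filter) of the first policy whose source covers src_ip.

    Falls back to an implicit default deny when nothing matches.
    """
    ip = ipaddress.ip_address(src_ip)
    for src_cidr, action, web_filter in policies:
        if ip in ipaddress.ip_network(src_cidr):
            return action, web_filter
    return "deny", False

# The original poster's setup: both policies use the whole subnet, so whichever
# sits on top wins for every host, and order is the only thing that changes.
broad_admin_first = [
    ("192.168.0.0/24", "permit", False),  # admins: no web filtering
    ("192.168.0.0/24", "permit", True),   # restricted users: web filtering
]
broad_restricted_first = list(reversed(broad_admin_first))

# Louis's fix: per-host /32 source addresses. The final /24 catch-all is an
# assumption (treat unknown hosts as restricted rather than leaving them unmatched).
host_policies = [
    ("192.168.0.10/32", "permit", False),  # user A (admin), no web filtering
    ("192.168.0.11/32", "permit", True),   # user B (restricted), web filtering
    ("192.168.0.0/24", "permit", True),    # everyone else on the subnet: filtered
]

def evaluate_hosts(policies, hosts):
    """Evaluate several source addresses against one policy list."""
    return {h: first_match(policies, h) for h in hosts}

if __name__ == "__main__":
    hosts = ["192.168.0.10", "192.168.0.11", "192.168.0.50"]
    print("admin /24 on top:     ", evaluate_hosts(broad_admin_first, hosts))
    print("restricted /24 on top:", evaluate_hosts(broad_restricted_first, hosts))
    print("/32 host policies:    ", evaluate_hosts(host_policies, hosts))
```

With the /24 rules every host gets the same result in both orderings; only the /32 entries let the list distinguish user A from user B.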
07-30-2008 10:55 PM
Thanks Louis, rock on! Worked like a champ. I did not realize that /32 specified that IP only (I just know /24 is class C, LOL).
Thanks again for your help and quick response.