Filtering Rules:

1. The global (default) filtering profile applies to any user who does not belong to a master IP group.

2. If the minimum filtering level is defined, it applies to all master IP groups and members assigned filtering profiles. The minimum filtering level combines with the user’s profile to guarantee that categories blocked in the minimum filtering level are blocked in the user’s profile.

3. For master IP group members:

a) A master IP group filtering profile takes precedence over the global profile.
b) A master IP group time profile takes precedence over the master IP group profile.

4. For IP sub-group members:

a) An IP sub-group filtering profile takes precedence over the master IP group’s time profile.
b) An IP sub-group time profile takes precedence over the IP sub-group profile.

5. For individual IP members:

a) An individual IP member filtering profile takes precedence over the IP sub-group’s time profile.
b) An individual IP member time profile takes precedence over the individual IP member profile.

6. For LDAP users, if a user is authenticated, settings for the user’s group or individual profile from the LDAP domain are applied and take precedence over any IP profile.

a) If the user belongs to more than one group in an authentication domain, the profile for the user is determined by the order in which the groups are listed in the Group Priority list set by the global administrator. The user is assigned the profile for the group highest in the Group Priority list.

NOTE: In an LDAP domain, if a user belongs to a container, that profile takes precedence over the group profile for that user.

b) If a user has an individual profile set up, that profile supercedes all other profile levels for that user. The user can have only one individual profile in each domain.
c) A profile for a workstation takes precedence over a user’s individual profile.
d) If the user has a time profile, that profile takes precedence over other profiles. A group time profile takes precedence over a domain time profile, and an individual time profile takes precedence over a group time profile.
If an individual is a member of an LDAP container, that profile takes precedence over the LDAP group authentication profile, but does not take precedence over the individual's LDAP authentication profile. An individual's LDAP time profile would take precedence over the individual's LDAP authentication profile.

NOTE: A Radius profile is another type of authentication profile, and is used if a Radius accounting server is attached to the Web Filter. This authentication profile bears the same weight as an LDAP authentication profile in the precedence hierarchy.

7. An override account profile takes precedence over an authentication profile. This account may override the minimum filtering level—if the override account was set up in the master IP group tree, and the global administrator allows override accounts to bypass the minimum filtering level, or if the override account was set up in the global group tree.

8. A lock profile takes precedence over all filtering profiles. This profile is set up under Filter Options, by enabling the X Strikes Blocking feature.

NOTE: A Threat Analysis Reporter (TAR) profile is another type of lock profile, and is used if a Threat Analysis Reporter (TAR) server is attached to the Web Filter and an end user is locked out of his machine by the TAR server.

Related Topics:

• Override Account Setup
• Authentication Settings

Back | Top