Hi Mike,
You have got the correct output. Since the time is now one of the group membership criteria and the time does not match, it applies the global policy. Finance websites are blocked in the global policy. When you do not add the time range in the AP group membership criteria, then the user matches the Finance group based on username/group/subnet info. Ft.com is a finance URL category, which has warn when it falls out of the specified time range. Hence in your access logs you see "MONITOR_CONTINUE_WEBCAT".

Sam

From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Tuesday, June 18, 2013 8:16 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Time Range Policies on WSA

Hi Team,

I have a quick question. I see that under Access policies, specifically policy member definition, you can use a time range. Now in LAB2 there is a specific task where you need to give access to Financial Users for a certain amount of time. I see that you define the time range and then assign it to the specific URL category you want, and then you select the logical or if the match criteria fails.

My question is, in which cases will we be using time-range for "policy member definition"? By mistake I put it as a matching criteria for this task and all the traffic was being blocked; once I removed it, I was obtaining the desired results. Funny part is that, looking at the access logs, when I had that time range as match criteria for policy member definition, it seemed like it was not even able to find it on the AD...

I.e.

1371523366.155 34 192.168.22.10 TCP_DENIED/403 0 GET http://www.ft.com/home/us "VPN\finuser1@WSA" NONE/- - BLOCK_WEBCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE <IW_fnnc,4.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_fnnc,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -

Whereas if I remove it:

1371522757.853 245 192.168.22.10 TCP_MISS/301 582 GET http://ft.com/ "VPN\finuser1@WSA" DIRECT/ft.com text/html MONITOR_CONTINUE_WEBCAT_12-FINANCIAL-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_fnnc,4.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_fnnc,-,"Unknown","-","Unknown","Unknown","-","-",19.00,0,-,"Unknown","-"> -

Thanks in advance,
Mike
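Added example, not part of the original thread: a small Python parser for the two access-log lines quoted above. It pulls out the decision tag and the access policy group that actually matched, and lists requests from an identified user that still fell through to the global policy. The field layout is inferred from those two lines only, and the function names are hypothetical.

```python
import re

# The two access-log lines quoted in the thread, with e-mail line wraps removed
# and the trailing <...> verdict block shortened to "<...>" for readability.
SAMPLE_LOG = r'''
1371523366.155 34 192.168.22.10 TCP_DENIED/403 0 GET http://www.ft.com/home/us "VPN\finuser1@WSA" NONE/- - BLOCK_WEBCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE <...> -
1371522757.853 245 192.168.22.10 TCP_MISS/301 582 GET http://ft.com/ "VPN\finuser1@WSA" DIRECT/ft.com text/html MONITOR_CONTINUE_WEBCAT_12-FINANCIAL-DefaultGroup-NONE-NONE-NONE-DefaultGroup <...> -
'''

# Layout assumed from those two lines: epoch, elapsed ms, client IP, result/status,
# bytes, method, URL, user, hierarchy/peer, MIME type, ACL decision tag, "<...>".
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d+)\s+'
    r'\d+\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>"[^"]*"|\S+)\s+\S+\s+\S+\s+'
    r'(?P<acl>\S+)\s+<')

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["user"].strip('"')
    # The ACL tag reads "<DECISION>_<n>-<access policy group>-<further groups...>".
    # A group name that itself contains "-" would make this split ambiguous.
    parts = rec.pop("acl").split("-")
    if len(parts) < 2:
        return None
    rec["decision"] = re.sub(r"_\d+$", "", parts[0])
    rec["access_policy"] = parts[1]
    rec["other_groups"] = parts[2:]  # not interpreted here
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def global_policy_hits(records, global_name="DefaultGroup"):
    """Identified users whose request still landed in the global access policy.
    Assumes "-" in the user field means no user was identified."""
    return [(r["user"], r["url"], r["decision"]) for r in records
            if r["user"] != "-" and r["access_policy"] == global_name]

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["user"], rec["url"], rec["decision"], rec["access_policy"])
    print("fell through to global policy:", global_policy_hits(parse_log(SAMPLE_LOG)))
```

A hit here for a user who should belong to a custom group points at an unmet membership criterion (in this thread, the time range) rather than at a directory lookup failure, since the username is present in the log line.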
