Sam;

Ahhhh...that makes much sense now.Thanks for the clarification...


Sent from my iPhone

On Jun 17, 2013, at 9:29 PM, "Samarth Chidanand" <[email protected]> wrote:

> Hi Mike,
>  
> You have got the correct output. Since the time is now one of the group 
> membership criteria and the time does not match, it applies the global 
> policy. Finance websites are blocked in the global policy.
>  
> When you do not add the time range in the AP group membership criteria, then 
> the user matches the Finance group based on username/group/subnet info. 
> Ft.com is a finance URL category, which has warn when it falls out of the 
> specified time range. Hence in your access logs you see 
> “MONITOR_CONTINUE_WEBCAT”.
>  
> Sam
>  
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Mike Rojas
> Sent: Tuesday, June 18, 2013 8:16 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] Time Range Policies on WSA
>  
> Hi Team, 
> 
> I have a quick question, I see that under Access policies, specifically 
> policy member definition you can use a Time range. Now the LAB2 there is an 
> specific task where you need to give access to Financial Users for certain 
> amount of time. 
> 
> Now I see that you define the time range and them assign it to the specific 
> URL category you want and then, you select the logical or if the match 
> criteria fails. 
> 
> My question is, in which cases we will be using time-range for "policy member 
> definition"? By mistake I put it as a matching criteria for this task and all 
> the traffic was being blocked, once I removed, I was obtaining the desired 
> results. 
> 
> Funny part is that, looking at the access logs, when I had that time range as 
> match criteria for Policy member definition, It seemed like it was not even 
> able to find it on the AD... 
> 
> I.E
> 
> 1371523366.155 34 192.168.22.10 TCP_DENIED/403 0 GET 
> http://www.ft.com/home/us "VPN\finuser1@WSA" NONE/- - 
> BLOCK_WEBCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE 
> <IW_fnnc,4.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_fnnc,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-">
>  -
> 
> Whereas if I remove it: 
> 
> 
> 1371522757.853 245 192.168.22.10 TCP_MISS/301 582 GET http://ft.com/ 
> "VPN\finuser1@WSA" DIRECT/ft.com text/html 
> MONITOR_CONTINUE_WEBCAT_12-FINANCIAL-DefaultGroup-NONE-NONE-NONE-DefaultGroup 
> <IW_fnnc,4.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_fnnc,-,"Unknown",
> "-","Unknown","Unknown","-","-",19.00,0,-,"Unknown","-"> -
> 
> 
> Thanks in Advanced 
> 
> Mike
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

Reply via email to