Sam; Ahhhh...that makes much sense now.Thanks for the clarification...
Sent from my iPhone On Jun 17, 2013, at 9:29 PM, "Samarth Chidanand" <[email protected]> wrote: > Hi Mike, > > You have got the correct output. Since the time is now one of the group > membership criteria and the time does not match, it applies the global > policy. Finance websites are blocked in the global policy. > > When you do not add the time range in the AP group membership criteria, then > the user matches the Finance group based on username/group/subnet info. > Ft.com is a finance URL category, which has warn when it falls out of the > specified time range. Hence in your access logs you see > “MONITOR_CONTINUE_WEBCAT”. > > Sam > > From: [email protected] > [mailto:[email protected]] On Behalf Of Mike Rojas > Sent: Tuesday, June 18, 2013 8:16 AM > To: [email protected] > Subject: [OSL | CCIE_Security] Time Range Policies on WSA > > Hi Team, > > I have a quick question, I see that under Access policies, specifically > policy member definition you can use a Time range. Now the LAB2 there is an > specific task where you need to give access to Financial Users for certain > amount of time. > > Now I see that you define the time range and them assign it to the specific > URL category you want and then, you select the logical or if the match > criteria fails. > > My question is, in which cases we will be using time-range for "policy member > definition"? By mistake I put it as a matching criteria for this task and all > the traffic was being blocked, once I removed, I was obtaining the desired > results. > > Funny part is that, looking at the access logs, when I had that time range as > match criteria for Policy member definition, It seemed like it was not even > able to find it on the AD... > > I.E > > 1371523366.155 34 192.168.22.10 TCP_DENIED/403 0 GET > http://www.ft.com/home/us "VPN\finuser1@WSA" NONE/- - > BLOCK_WEBCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE > <IW_fnnc,4.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_fnnc,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> > - > > Whereas if I remove it: > > > 1371522757.853 245 192.168.22.10 TCP_MISS/301 582 GET http://ft.com/ > "VPN\finuser1@WSA" DIRECT/ft.com text/html > MONITOR_CONTINUE_WEBCAT_12-FINANCIAL-DefaultGroup-NONE-NONE-NONE-DefaultGroup > <IW_fnnc,4.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_fnnc,-,"Unknown", > "-","Unknown","Unknown","-","-",19.00,0,-,"Unknown","-"> - > > > Thanks in Advanced > > Mike
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
