Filtering
Rules:
1. The global (default) filtering profile applies to any user who does
   not belong to a master IP group.
2. If the minimum filtering level is defined, it applies to all
   master IP groups and members assigned filtering profiles. The minimum
   filtering level combines with the user’s profile to guarantee
   that categories blocked in the minimum filtering level are blocked
   in the user’s profile.
3. For master IP group members:
   a) A master IP group filtering profile takes precedence over the
      global profile.
   b) A master IP group time profile takes precedence over the master
      IP group profile.
4. For IP sub-group members:
   a) An IP sub-group filtering profile takes precedence over the master
      IP group’s time profile.
   b) An IP sub-group time profile takes precedence over the IP sub-group
      profile.
5. For individual IP members:
   a) An individual IP member filtering profile takes precedence over
      the IP sub-group’s time profile.
   b) An individual IP member time profile takes precedence over
      the individual IP member profile.
6. For LDAP users, if a user is authenticated, settings for the user’s
   group or individual profile from the LDAP domain are applied and
   take precedence over any IP profile.
   a) If the user belongs to more than one group in an authentication
      domain, the profile for the user is determined by the order in
      which the groups are listed in the Group Priority list set by
      the global administrator. The user is assigned the profile for
      the group highest in the Group Priority list.
      NOTE: In an LDAP domain, if a user belongs to a container, that
      profile takes precedence over the group profile for that user.
   b) If a user has an individual profile set up, that profile supersedes
      all other profile levels for that user. The user can have only
      one individual profile in each domain.
   c) A profile for a workstation takes precedence over a user’s
      individual profile.
   d) If the user has a time profile, that profile takes precedence
      over other profiles. A container time profile takes precedence
      over a domain time profile, and a group time profile takes precedence
      over a container time profile. An individual time profile takes
      precedence over a group time profile, and a workstation time profile
      takes precedence over an individual time profile.
   NOTE: A Radius profile is another type of authentication profile, and
   is used if a Radius accounting server is attached to the Web Filter.
   This authentication profile bears the same weight as an LDAP authentication
   profile in the precedence hierarchy.
7. A Threat Analysis Reporter (TAR) profile is a type of lockout profile.
   If using a Security Reporter (SR) or TAR server with a Web Filter,
   the TAR low level lockout profile takes precedence over an authentication
   profile or a time profile, locking out the end user from
   library categories specified by the lockout profile in the TAR module.
8. An override account profile takes precedence over a TAR lockout profile.
   This account may override the minimum filtering level if the override
   account was set up in the master IP Policy tree and the global
   administrator allows override accounts to bypass the minimum filtering
   level, or if the override account was set up in the Global Group section
   of the Policy tree.
9. An X Strikes lockout profile takes precedence over all filtering
profiles. This profile is set up under Filter Options, by enabling
the X Strikes Blocking feature.
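
The rules above amount to an ordered chain in which the highest-ranked applicable profile wins and the minimum filtering level acts as a floor. The following Python model is an added example, not Web Filter code: the level names, category names and function signatures are assumptions, and it assumes the minimum level merges into whichever profile wins and that a user's LDAP groups have already been reduced to one via the Group Priority list.

```python
# Model of rules 1-9; level names are hypothetical labels, not product identifiers.
PRECEDENCE = [  # lowest to highest
    "global",
    "master_ip_group", "master_ip_group_time",
    "ip_sub_group", "ip_sub_group_time",
    "individual_ip", "individual_ip_time",
    "ldap_group", "ldap_container", "ldap_individual", "ldap_workstation",
    "ldap_domain_time", "ldap_container_time", "ldap_group_time",
    "ldap_individual_time", "ldap_workstation_time",
    "tar_lockout", "override_account", "x_strikes_lockout",
]
RANK = {name: i for i, name in enumerate(PRECEDENCE)}


def override_bypasses_minimum(policy_tree, admin_allows_bypass):
    """Rule 8: Global Group accounts bypass; master IP accounts need admin consent."""
    return policy_tree == "global_group" or (
        policy_tree == "master_ip" and admin_allows_bypass)


def resolve(active, minimum_blocked=frozenset(), override_tree=None,
            admin_allows_bypass=False):
    """Return (winning level, blocked categories).

    active maps level name -> set of blocked categories for every profile
    that applies right now (time profiles only while scheduled, LDAP
    levels only for an authenticated user).
    """
    unknown = set(active) - set(RANK)
    if unknown:
        raise ValueError(f"unknown profile level(s): {sorted(unknown)}")
    if not active:
        raise ValueError("at least the global profile must apply")
    winner = max(active, key=RANK.__getitem__)
    blocked = set(active[winner])
    bypass = (winner == "override_account"
              and override_bypasses_minimum(override_tree, admin_allows_bypass))
    if not bypass:
        blocked |= set(minimum_blocked)  # rule 2: minimum level is a floor
    return winner, blocked
```

Running an audit of assigned profiles through a model like this makes it easy to spot cases where a lower-ranked restrictive profile is silently displaced, or where an override account escapes the minimum filtering level.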