Configuring Web Policy Enforcement Service

You can configure the WPE service on an Instant AP to block certain categories of websites based on your organization's specifications by defining ACL (Access Control List) rules by using the WebUI or the CLI (command-line interface).

In the Old WebUI

To configure WPE service:

1. Navigate to Security > Roles.

2. Under Roles, select any WLAN SSID or wired profile role, and click New in the Access Rules for <network> section. The New Rule window is displayed.

3. Select the rule type as Access Control.

4. To set an access policy based on the web category:

a. Under Service, click the Web category radio button and expand the drop-down list that contains the web categories.

b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.

c. From the Action drop-down list, select Allow or Deny as required.

d. Click OK in the New Rule window.

e. Click OK in the Roles tab.

5. To filter access based on the security ratings of the website:

a. Select Web reputation under Service.

b. Move the slider to the required security rating level. The selected web reputation value is used either to deny access to websites with a reputation value lower than or equal to the configured value, or to permit access to websites with a reputation value higher than or equal to the configured value. The following options are available:

Trustworthy—These are well known sites with strong security practices and may not expose the user to security risks. There is a very low probability that the user will be exposed to malicious links or payloads.

Low risk—These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads.

Moderate risk—These are generally benign sites, but may pose a security risk. There is some probability that the user will be exposed to malicious links or payloads.

Suspicious—These are suspicious sites. There is a higher than average probability that the user will be exposed to malicious links or payloads.

High risk—These are high-risk sites. There is a high probability that the user will be exposed to malicious links or payloads.

c. From the Action drop-down list, select Allow or Deny as required.

For a complete list of categories and information about each of these categories, visit the BrightCloud® Security Services web page at http://www.brightcloud.com/tools/change-request-url-ip.php.

6. To set a bandwidth limit based on web category or web reputation score, select the Application Throttling check box and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high-risk sites.

7. If required, select the following check boxes:

Log

Blacklist

Disable scanning

DSCP tag

Time Range

802.1p priority

8. Click OK in the New Rule window.

9. Click OK in the Roles tab.

In the New WebUI

To configure WPE service:

1. Navigate to Configuration > Security > Roles section.

2. Under Roles, select any WLAN SSID or wired profile role, and click + in the Access Rules for <network> section. The New rule window is displayed.

3. Select the rule type as Access control.

4. To set an access policy based on the web category:

a. Under Service, select the Web category radio button and expand the corresponding drop-down list that contains the web categories.

b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.

c. From the Action drop-down list, select Allow or Deny as required.

d. Click OK.

e. Click Save.

5. To filter access based on the security ratings of the website:

a. Select Web reputation under Service.

b. Move the slider to the required security rating level. The selected web reputation value is used either to deny access to websites with a reputation value lower than or equal to the configured value, or to permit access to websites with a reputation value higher than or equal to the configured value. The following options are available:

Trustworthy—These are well known sites with strong security practices and may not expose the user to security risks. There is a very low probability that the user will be exposed to malicious links or payloads.

Low risk—These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads.

Moderate risk—These are generally benign sites, but may pose a security risk. There is some probability that the user will be exposed to malicious links or payloads.

Suspicious—These are suspicious sites. There is a higher than average probability that the user will be exposed to malicious links or payloads.

High risk—These are high-risk sites. There is a high probability that the user will be exposed to malicious links or payloads.

c. From the Action drop-down list, select Allow or Deny as required.

For a complete list of categories and information about each of these categories, visit the BrightCloud® Security Services web page at http://www.brightcloud.com/tools/change-request-url-ip.php.

6. To set a bandwidth limit based on web category or web reputation score, select the Application Throttling check box and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high-risk sites.

7. If required, select the following check boxes:

Log

Blacklist

DSCP tag

Disable scanning

802.1p priority

8. Click OK.

9. Click Save.

In the CLI

To control access based on web categories and security ratings:

(Instant AP)(config)# wlan access-rule <access_rule>

(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webcategory <webgrp> {permit | deny}[<option1....option9>]

(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webreputation <webrep> {permit | deny}[<option1....option9>]

Example

The following CLI example shows how to set access rules based on the web category and the web reputation:

(Instant AP)(config)# wlan access-rule URLFilter

(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory gambling deny

(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit

(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
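The following Python sketch is an added example, not part of the vendor documentation. It parses rule lines in the syntax shown above and reports which of the five reputation levels the web reputation rules cover, using the threshold behaviour described for the slider. Only suspicious-sites appears as a CLI keyword on this page; the other four keyword spellings and all function names are assumptions.

```python
import re

# Reputation levels from the page, ordered from lowest to highest reputation.
# Only "suspicious-sites" appears as a CLI keyword on the page; the other
# four spellings are assumed by analogy for this sketch.
LEVELS = ["high-risk-sites", "suspicious-sites", "moderate-risk-sites",
          "low-risk-sites", "trustworthy-sites"]

RULE_RE = re.compile(r"rule\s+\S+\s+\S+\s+\S+\s+"
                     r"(webcategory|webreputation)\s+(\S+)\s+(permit|deny)\b")

def parse_rules(config_text):
    """Return (kind, value, action) for every web-policy rule line."""
    rules = []
    for line in config_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3)))
    return rules

def reputation_coverage(rules):
    """Map each level to the set of actions whose threshold covers it.
    deny at X covers X and every lower level; permit at X covers X and higher."""
    cover = {lvl: set() for lvl in LEVELS}
    for kind, value, action in rules:
        if kind != "webreputation":
            continue
        if value not in LEVELS:
            raise ValueError(f"unknown reputation level: {value}")
        idx = LEVELS.index(value)
        hit = LEVELS[:idx + 1] if action == "deny" else LEVELS[idx:]
        for lvl in hit:
            cover[lvl].add(action)
    return cover

def audit(config_text):
    """Levels no reputation rule covers, and levels hit by both actions."""
    cover = reputation_coverage(parse_rules(config_text))
    unmatched = [l for l in LEVELS if not cover[l]]
    conflicting = [l for l in LEVELS if cover[l] == {"permit", "deny"}]
    return unmatched, conflicting

# The example session from this page, reused as sample input.
SAMPLE = '''
(Instant AP)(config)# wlan access-rule URLFilter
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory gambling deny
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
'''
```

For the page's example, `audit(SAMPLE)` reports the three levels above suspicious-sites as not covered by any reputation rule; how traffic to those sites is handled then depends on the other rules in the role.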
