Allow policy for 2 hours per day

Reply
L0 Member

Allow policy for 2 hours per day

Hi 

It is possible to allow a rule for 2 hours within a possible time window

I would like to allow for exampe youtube for 2 hours per day for our employees .

 

 

Could i solve this somehow via API ? 

 

Regards Markus

L7 Applicator

Re: Allow policy for 2 hours per day

Hi @Mr.Robot

 

Yes, you can solve this via API with complex rulechanges, dynamic addressgroups and enabling/disabling rules ...

 

But for your initial question there is a much simpler solution: use a schedule object in your youtube policy to allow access at specific times per day.

Screenshot_20181229-163333_Chrome.jpg

 

Regards,

Remo

L0 Member

Re: Allow policy for 2 hours per day

Hi Remo

Thanks for reply , but that is what i already found .

What i like is to have is a budget of two hours and i´d like to use this two hours somewhere between the scheduler timeframe.

Bye Mr.R.

L7 Applicator

Re: Allow policy for 2 hours per day

Hi @Mr.Robot

 

Ok, now I get it. The only solution in this case is the API and it heavily depends on how important this is to you and your skills on programming/scripting (or the skills of the people who will implement this), because this task (I assume) will be time consuming.

 

At this point I need to say I haven't done this, but the following lines describe the way I would do it/try it.

 

Requirements:

  • User-ID
  • TLS decryption
  • a computer/server that has access to the firewall management interface
  • 2 Firewallrules: one that blocks youtube for a specific usergroup and one that allows youtube with a schedule applied with the timeframe where youtube should be allowed

 

The solution:

You need to write a program that runs on the server. This program needs to constantly check the sessiontable for youtube sessions. If there are sessions you need to track these sessions to check when they reach 2 hours and if they do you need to close that session and add the user to the youtube-deny-usergroup, so that if this user tries again to access youtube he/she will not be able to. In addition to this you also need to check the logs for sessions that do not last 2 hours. The times of these sessions you need to sum together and as soon as this time reaches 2 hours you have to add the user to the deny-youtube-group. Once a day you can then remove the users from that deny group.

With all this you need to check on what specific app you need to use for the session tracking because accessing youtube opens quite a few sessions in parallel - this is to make sure that the two hours aren't reached when a user is only about 10 min on youtube.

 

In all this you need to also do a lot of testing, but I think there is a solution for your requirement.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!