Blocked category override?

I’m playing with blocked categories in gateway and would like to know how I can override a site being blocked.

I’ve tried the following (just for testing - I don’t actually care about blocking gambling specifically, that’s just a relatively safe category to play around with on a work device):

Firewall Policy … DNS policy…

Content Categories in Gambling
and
Domain not in list “Test”

Block.

That works reasonably well, it blocks all gambling sites, but if I add a domain into the list “Test” it stays blocked.

I’ve also tried creating a completely different allow rule and prioritising it over the block rule with just one domain specified, that also doesn’t override the content category block list.

How to do this please?

Thanks

If I need to allow some specific domain, which is in a category which is in a policy “block”, I make sure the policy “allow” is above the “block” one.

In “AD dopusti” I allow domains which are usually blocked by other defined policies, either manually or via content categories.

Furthermore, recently I have had a case where the bit.ly domain was blocked by the “AD security” policy with the specific content categories selected on purpose.

Later, once needed (still deactivated), there is the “bit.ly” policy, which has the action “allow” and is listed above “AD security”, which has the action “block”, as it is expected to “override” it, or to be checked first, per the “order & priority of precedence” rule.

1 Like

Thanks for the reply.

I don’t know if this makes a difference, but I’m currently playing with the free tier (almost certainly with a plan to move onto the ‘Pay-as-you-go’ tier if we can make this work how we want it to work).

I have the same setup as you. I’ve simplified this right down to test…

Priority 1: Domain is 888 . com - Allow

Priority 2: Content Categories in Gambling - Block

Reload the URL in a dedicated VM and I get a block page. :man_shrugging:

A bit strange, yes :thinking:

888.com redirects to https://www.888.com.

www.888.com has a TTL 86400 seconds and is a CNAME to d15djvuktw4vyy.cloudfront.net.

d15djvuktw4vyy.cloudfront.net has a TTL of 60 seconds.

d15djvuktw4vyy.cloudfront.net is classified under the following categories Gambling, CIPA Filter.

If you check your logs you will see that you aren’t being blocked for 888.com, you’re being blocked based on DNS lookup results for d15djvuktw4vyy.cloudfront.net.

3 Likes
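The check described in the reply above, as an added example that is not part of the thread and not Cloudflare code: it walks a CNAME chain and reports which name hits a blocked category and whether an allow-by-domain rule covers that name. The function names are hypothetical, and the records are constructed from the values quoted in the post (no category is recorded for www.888.com because the post does not state one).

```python
# Constructed sample data: the CNAME record and category labels quoted in the
# post above. In practice both come from your DNS logs, not a static table.
CNAMES = {"www.888.com": "d15djvuktw4vyy.cloudfront.net"}
CATEGORIES = {"d15djvuktw4vyy.cloudfront.net": {"Gambling", "CIPA Filter"}}


def cname_chain(name, cnames, max_depth=10):
    """Return the queried name followed by each CNAME target, in order."""
    chain = [name.rstrip(".").lower()]
    while chain[-1] in cnames and len(chain) <= max_depth:
        target = cnames[chain[-1]].rstrip(".").lower()
        if target in chain:  # CNAME loop: stop instead of spinning
            break
        chain.append(target)
    return chain


def domain_matches(name, domain):
    """True when name is the domain itself or one of its subdomains."""
    return name == domain or name.endswith("." + domain)


def audit(query, allow_domains, blocked_categories, cnames, categories):
    """List (name, blocked categories hit, covered by an allow domain)."""
    report = []
    for name in cname_chain(query, cnames):
        hit = sorted(categories.get(name, set()) & set(blocked_categories))
        covered = any(domain_matches(name, d) for d in allow_domains)
        report.append((name, hit, covered))
    return report


def uncovered(report):
    """Names that hit a blocked category and that no allow domain covers."""
    return [name for name, hit, covered in report if hit and not covered]


if __name__ == "__main__":
    rows = audit("www.888.com", ["888.com"], {"Gambling"}, CNAMES, CATEGORIES)
    for name, hit, covered in rows:
        print(f"{name:32} blocked_by={hit} allow_covers={covered}")
    print("not covered by the allow rule:", uncovered(rows))
```

With the thread's data, the only name left uncovered is the cloudfront.net target, which is the name to look for in the block log entry.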

Thank you very much for this. :+1:

1 Like

No worries, the first time I encountered this scenario I spent an hour trying to debug and was convinced I was having a stroke.

2 Likes
