Quiz Entry - updated: 2026.07.05
Suppose ordinary staff are blocked from a site (say a weather site) but executives are allowed. How does a firewall combine URL filtering with user/group identity so the same URL is treated differently per person?
Add a Source User filter to the Security Rule — the rule only fires for users in that group.
The rule logic:
- Rule 1:
source=inside, user=Normalbürger-group, dest=outside, url-category=block-weather, action=deny - Rule 2 (default below):
source=inside, user=any, dest=outside, action=allow - C-level user is not in
Normalbürger-group→ Rule 1 misses → falls through to allow.
Why this matters:
- Same domain, different access — based on identity, not network location.
- Common real-world need: marketing can use Facebook (their job), engineering cannot.
- Auditing: logs now say "user X tried Y," not just "IP a.b.c.d tried Y."
Prerequisite: User-ID must be active on the zone, and the FW must know who's behind each IP — this is what Captive Portal / AD agent / GlobalProtect is for.
Tip: Without User-ID, every rule is IP-based — terrible for laptops on DHCP. With User-ID, rules become "who can do what."
Go deeper:
Identity-based security (Wikipedia) — access decisions tied to an authenticated identity rather than an IP.