Web Filter 3

Rule Sets

Rule Set Basics


This page opens when you navigate to Web Filter, open the Policy Management menu, and click Rule Sets.

Rule Sets are lists of web site categories, keywords, and actions that control how users can access the Internet. The Lightspeed Systems Web Filter module comes with three built-in rule sets:

  • Default – CIPA-compliant filtered access to Internet content. Content categories such as Adult and Forums, and sites in the Security category are blocked, while most other categories are allowed. The Lightspeed Systems Web Filter module applies this Rule Set to anyone who is not assigned to any other Rule Set.
  • Allow All – Unfiltered access to all Internet content, including Adult, Forums, and Security category.
  • Block All – No Internet access. All categories are blocked.

You can create local exceptions to define different content for your users.

Use this page to manage rules for the web filter.

Adding a Rule Set

Fill out the following fields and click Save to save the Rule Set.

Field Name Description
Name Give the Rule Set a descriptive name that will help you remember what it does.
Description Enter a description for the Rule Set.
Copy settings from This option allows you to copy settings from a pre-existing Rule Set. You can copy the settings from a Rule Set that closely matches your new Rule Set, or from one of the default Rule Sets.
Field Name Description
Name Enter a name for this Rule Set.
Description Enter a brief description for this Rule Set.
Copy Settings From Select an existing rule set from the dropdown list to use as a template for your new rule set. This action populates your new rule set with allowed and blocked categories from the rule set you selected.

Editing a Rule Set

  • 1. Click Web Filter, then open the Policy Management menu and click Rule Sets.
  • 2. Click the name to edit the item. This action opens the following page:

  • 3. In the Edit Rule Set form, edit the fields as needed.
  • 4. Click Save to apply your changes, or click Cancel to discard your changes and return to the previous page.

Note: The built-in Rule Sets Allow All, Block All, and Default, are read-only and cannot be modified. To create an editable version of these Rule Sets, create a new Rule Set and select one of the built-in Rule Sets to use as a template.

Configurable Fields on this Page

 

Deleting a Rule Set

  • To delete (permanently remove) an item, mouse over the item you wish to remove, then click the X on the right side of the row. You will be prompted to confirm the action.

Caution: Items deleted this way are permanently removed, and cannot be recovered.

 

Built-in Rule Sets

Rule Sets govern the Web Filter. Rule Sets determine exactly which users can access which internet content and in what way. Built-in and custom Rule Sets do not take effect until you assign the Rule Set to users, groups, organizational units, or devices on your network (with the exception of the Default Rule Set.) You will learn about Assignments in the next lesson. You can access the rule sets by navigating to Web Filter > Policies: Policy Assignments > Rule Sets.

The Web Filter comes with 3 built-in rule sets.

  • Default – CIPA-compliant filtered access to Internet content. Content categories such as Adult and Forums as well as sites in the Security category are blocked, while most other categories are allowed. The Lightspeed Systems Web Filter module applies this Rule Set to anyone who is not assigned to any other Rule Set. It is applied by default as the “Tier Policy” for your Rocket, meaning all users even without a Policy are automatically CIPA compliant.
  • Allow All – Unfiltered access to all Internet content, including Adult, Forums, and Security category, with the exception of Sealed Categories.
  • Block All – No Internet access. All categories are blocked.

The built-in Rule Sets Allow All, Block All, and Default, are read-only and cannot be modified. To create an editable version of these Rule Sets, create a new Rule Set and select one of the built-in Rule Sets to use as a template.

Note: Rule Sets do not take effect until you assign them.

Search Engines

Field Name Description
Force safe search (Google) Restrict all Google searches to enable their “safe search” feature.
Best Practice: Enable
Filter image search thumbnails (Google) Remove image thumbnails from search results from blocked content categories.
Best Practice: Enable
Disable auto-complete (Google) Check (select) this option to prevent Google instant search from auto-suggesting search queries.
Select blocked search keywords to filter Once you create Blocked Search Keyword lists you can enable them on your Rule Sets.

Note: 
The Web Filter fully supports Google and Bing search and image controls. Search queries and images on other search engines may not be fully blocked due to the restrictions of the search engines themselves.

Tip: When Unknown URLs, Domains and IP Addresses are blocked, the web filter is unable to display thumbnails for image searches using the Research tool in Google Documents and Presentations. This is because the Research Tool does not append a source URL or domain to the search string, which the web filter requires for filtering.

Non-HTTP Traffic

  • Filter non-HTTP traffic by IP address – The Web Filter is designed to filter HTTP traffic. With this option enabled, the Web Filter will additionally block other protocols (e.g., HTTPS, FTP, SMTP, etc.) that have a destination IP address in a category that is set to “Block”.
  • Block non-HTTP traffic to unknown IP addresses – Similar to the above feature, when this option is enabled, the Web Filter will block any non-HTTP sessions that have a destination IP address not yet categorized in our content database.
Note: We recommend that you enable both options for student policies and enable only the first option for teacher policies.

Allowed Referrers

The Select allowed referrers lists option allows you to select Allowed Referrer lists. Learn more here.

URL Patterns

The Content Filter can allow or block requests that match the selected lists of URL Patterns. Select the URL pattern list to use, then choose to block or allow requests from each list.

Caution: Sites that match a URL Pattern will override the “Force safe search” option in the rule set where the URL Pattern is assigned. For example, adding google.com or youtube.com to a URL pattern will effectively disable Safe Search.

Lockouts

The Web Filter has the ability to temporarily lock out users who persistently try to visit blocked websites. You can configure the number of minutes a user will be locked out of internet access, the lockout trigger in terms of attempts over a specified period of time, and email notifications

Use the Lockouts report to view and manage locked-out users. An optional email can also be sent to notify an administrator that the Lockout has occurred.

Field Name Description
Block internet access for Temporarily block the user from continued web access for X number of minutes. (Default is 15 minutes. Maximum is 60 minutes. Set to 0 to alert only and not block.)

Best Practice: For testing, set to 0 in order to alert only and then set Lockouts for Porn and Gambling.

Alert Only To send a notification and alert, without suspending the user’s internet access, set the Block Internet Access to 0 (zero) minutes.
Tolerance A Lockout will occur when a user attempts to access a blocked category more than X times in X seconds. (Maximum 60 seconds, default of 5 times in 30 seconds)
Email Notifications Email notifications can be sent whenever a lockout occurs. Enter one or more email addresses in this field. Separate multiple addresses with commas.
Note: The email notification identifies the IP address. If the locked out machine is running the User Agent, the email will also identify the logged-in user.

The following is the user view of a lockout. The lockout states Sorry, your access to the internet has been temporarily revoked. You have been identified as ****** from (IP)

Access Page

You can access the settings by navigating to Web Filter > Policies: Rule Sets > Access Page

When a user tries to visit a blocked web page, the request redirects to the Access Page. The Access Page shows the site name and reason for blocking. In addition, the Access Page may be configured to prompt the user to authenticate, override, or submit the blocked site for review.

You can also create and assign Custom Access Pages with your own images and text, and assign a custom page to a Rule Set.

Field Name Description
Override duration Set the override duration, which can be from 15 to 120 minutes.
Require username and password to override Select (check) this option to require users to enter their network login and password to unblock the requested website. Select from dropdown menu.
Allow users to submit blocked websites for review This option allows users to click a link to submit the requested site to District staff for review and recategorization. Users will be presented with a form to complete.

Best Practice: Most Districts opt to only allow Staff to submit websites for review.

Use custom access page If you created customized access pages with school logos and/or text, you can select one for this Rule Set.

Unknown URLs, Domains, and IP Addressses

The Unknown URLs section of the Rule Set determines how the Web Filter should handle requests for URLs, Domains, and IP Addresses that are not in the Web Filter’s database.

This category is allowed in the Default Rule Set, though we recommend blocking unknown for most installations.

Do you want to learn more about how the Web Filter handles Unknown URLS?

Learn more about: Unknown URLs

Local Categories

Local Categories contain URLs, Domains, and IP Addresses that are held on the Web Filter’s database. This means that any changes locally will be specific to your environment and not changed if a conflicting update is made to our master database.

The local-allow category is for content that Web Filter is blocking but that you want to be allowed for everyone. The local-block category is for content that the Web Filter is allowing but you want to be blocked for everyone. These categories are empty by default. The best practice is to allow local-allow, and block local-block in all of your rule sets.

Normally Blocked Categories

See a full list of categories and descriptions on the Database Categories page.

Normally Allowed Categories

See a full list of categories and descriptions on the Database Categories page.

Category Options

You can set options for each content category.

Field Name Description
Allow All / Block All Click button to allow or block the category and all its sub-categories.
Allow / Block Toggle to allow or block individual sub-categories.
Overrides Select (check) to apply this rule set’s Override settings so users can visit websites that would otherwise be blocked due to being in a blocked category.
Lockout Select (check) to apply the Lockout feature to a category.
File Extensions (Optional) Open the dropdown menu to select a Blocked File Extensions list to this content category. This allows users to reach websites but not download files matching the selected extensions. File Extensions only apply if the category is allowed.

Do you want to learn more about Database Categories and Blocked File Extensions?

Learn more about: Database Categories
Learn more about: Blocked File Extensions

Override Types

The Access Page section of the Rule Set is where you define how to handle override requests.

Users can only override the web filter for categories where Overrides are enabled.

There are three types of overrides:

  • Anonymous overrides – Requires a username and a password when override is unselected. The user can click the Override button on the Access Page to open the requested site.
  • Challenged (Authenticated) overrides – Requires a username and a password when override is selected, and a restrict username account to override the access list. The user must authenticate on the access page before they can click the Override button.
  • Restricted (Teacher) overrides – Requires a username and a password when override is selected, and a restrict username account when the override access list is unselected. The user must authenticate on the access page, and the user must match an entry in the Override Users list.
Note: Google authentication can be used for challenged overrides, but not for restricted overrides where the override is performed for another user.
Note: Override users lists are not active until you assign them to a rule set.

LSoverride.me

If you’re not using the proxy option on the Web Filter to decrypt SSL, your staff may be frustrated by their inability to access some https sites including social media, shopping, and banking. LSoverride.me is a simple way to make everyone happy. It’s a special domain owned by Lightspeed Systems that will allow an end user to activate any available overrides in the rule set assigned to them.

The following steps illustrate how to properly use LSoverride.me:

1. Navigate to Categories and choose an existing category that you already allow overrides for, or create a custom category and set its default behavior to Block. Add LSoverride.me to that category. In the screenshot below, we have created a custom category.

ls1

 

2. Navigate to Rule Sets. For each Rule Set where you are allowing overrides, make sure that the category containing LSoverride.me (in our case, “LSoverride Sample”) is blocked and that the Override check box is checked next to it.

ls2

 

3. Direct your end users to http://lsoverride.me whenever they need to activate their overrides to access social media or other https sites. Users will be presented with the Access Page and will be able to activate the overrides and access the resources they need.

Note: Do not use “www” when inputting the LSoverride.me URL, as it will cause an error.