Configure Web Security Policies
This article applies to the CloudGen Access agent version 2.0 and higher.
Note that DoH (DNS over HTTPS) is currently not supported by CloudGen Access. You must disable the DoH setting in your browser to ensure that DNS filtering and web filtering work as intended.
To view and/or edit web security policies you already created, see View Web Security Policies. Note that policies are enforced in the order they are listed on the page: policies above others in the table take precedence. For a new account, there is a default policy already created, which you can delete or leave in place.
To create customized policies for everyone, particular users, or group(s), you can base policies on either categories of domains or specific domains:
1. Click on the shield icon on the left navigation pane. You'll see the Web Security > Policies page with a list of any policies you might already have created.
2. Click the + on the right side of the screen to begin creating a new policy.
3. In the New Policy popup, give the policy a Name.
4. Optional: Use Policy Status to temporarily disable an existing policy.
5. Select either the Block or Allow action.
6. For Select what you want to Secure, select Categories if you want the policy to apply based on domain categories visited. Or select Domains if you want the policy to apply when one or more specific domains are visited. See the Creating Policies by Categories and Creating Policies by Domains sections below for more details.
7. Determine to whom you want to apply this policy:
   – To apply the policy to ALL users, set Apply To to Everyone. Or –
   – Select one or more groups of users if you want the policy to apply to groups.
   – Select one or more users if you want to create a policy for one or more specific users.
Creating Policies by Categories
If you selected Categories in step 6 above, you'll see a list of Supercategories. To see the list of categories within each supercategory, click Expand All. Now you can either:
Select each individual category you want to block or allow – Or –
Click the box in the Select All column to the right of the supercategory name to automatically apply your policy to all of the categories within that supercategory.
Click Collapse All to just show the supercategories.
At the bottom of the page, configure Feedback Settings (alerts), and then click Create at the bottom of the page to save your policy.
Creating Policies By Domains
If you selected Domains in step 6 above, you'll see the Domains text box. Enter a domain name, and then press Enter. You can then add the next domain name, and so on. To remove a domain name, click the X to the right of the domain name.
When you enter a domain name, a wild card is automatically applied to include subdomains and the TLD (for example, .com, .org, .net, .us, .de, etc.).
For domain-based policies, you cannot add a URL. For example, you could enter redfin.com, but https://www.redfin.com/zipcode/95123 would not be accepted.
At the bottom of the page, configure Feedback Settings (alerts), and then click Create at the bottom of the page to save your policy.
Feedback Settings
Configure these settings to determine how the administrator will be alerted to policy violations and blocked domains, or to track policy-related activity.
Logs – The Activity page will show policy-related activity.
System Notification – Show a system notification on the client if a domain is blocked.
Save Your Policy
To save your policy, click Create at the bottom of the page.
Best Practices for Creating Policies
Pay attention to policy precedence when you create user and group policies: policies above others in the table take precedence.
Barracuda Networks recommends beginning by creating a baseline policy for everyone with a default action of Allow. Do this by not selecting any users or groups for the policy. This prevents you from accidentally blocking newly discovered websites that may be important to people in your organization, such as new competitors, local government alerts, or breaking weather events. You can later add exception policies as needed. This policy would end up at the bottom of the table, so all policies created after that, or placed above it in the table, would take precedence and/or be exceptions to the everyone policy.
The next policy you create should be an everyone policy that blocks a broad set of categories.
After you create these two policies, you'll see the second policy you created above the first policy in the table. This means that the higher level policy (block) takes precedence over the one(s) below it. See How Policies Are Applied (Order of Precedence) below for more information.
Finally, create your group and user specific policies. These should be in the table above the first general Everyone policies you created, and represent exceptions to those policies. Barracuda Networks recommends placing user policies at the top of the list (table) and group policies near the bottom for easy policy precedence.
Syntax for policies by domains and subdomains
When entering a domain for a policy, do not use wildcards ('*'), or include protocols, such as http:// or https://. When you enter a domain name, a wild card is automatically applied to include subdomains and the TLD.
| Correct | Incorrect |
|---|---|
| mydomain.net, www.mydomain.net | https://www.mydomain.net |
| www.mail.barracuda.com | *mail.barracuda.com |
| yourdomain.org | *.yourdomain.org |
All subdomains of the domain you enter are automatically included; in other words, subdomains inherit policies applied for a domain, UNLESS you create an exception. If you want to create an exception for a particular subdomain, you must specify that subdomain explicitly. For example, if you create a block policy for google.com, all subdomains are included and blocked. Here are more examples of how exceptions work with domains and subdomains:
| Policy | Results |
|---|---|
| BLOCK google.com<br>ALLOW mail.google.com<br>BLOCK server1.mail.google.com | http://google.com/ BLOCKED (matches google.com), and blocks ALL Google subdomains<br>http://mail.google.com/ ALLOWED (matches mail.google.com)<br>http://server1.mail.google.com/ BLOCKED (matches server1.mail.google.com)<br>http://server2.mail.google.com/ ALLOWED (matches mail.google.com) |
| BLOCK www.abc.com | http://abc.com ALLOWED (doesn't match www.abc.com) |
| BLOCK abc.com | http://www.abc.com BLOCKED (inherits policy from abc.com domain) |
| ALLOW abc.com | http://z.abc.com BLOCKED (matches z.abc.com) |
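
The entry syntax rules and the subdomain inheritance shown in the tables above can be modeled in a few lines of Python for testing a planned rule set before entering it. This is an added example, not Barracuda's code or part of the original article; it assumes that the most specific matching domain decides and that unmatched hosts fall through to the recommended Allow baseline, it models subdomain inheritance only, and `normalize_entry`, `build_rules` and `decide` are hypothetical names.

```python
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_entry(entry):
    """Return the lower-cased bare domain, or raise ValueError for entries the
    syntax table marks as incorrect (protocols, wildcards, URL paths)."""
    domain = entry.strip().lower().rstrip(".")
    if "://" in domain or "/" in domain or "*" in domain:
        raise ValueError(f"not a bare domain: {entry!r}")
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid domain: {entry!r}")
    return domain


def build_rules(policy_lines):
    """Parse 'ACTION domain' lines into a {domain: action} mapping."""
    rules = {}
    for line in policy_lines:
        action, entry = line.split()
        if action not in ("BLOCK", "ALLOW"):
            raise ValueError(f"unknown action: {action!r}")
        rules[normalize_entry(entry)] = action
    return rules


def decide(rules, host, default="ALLOW"):
    """Check the host itself, then each parent domain, and return the first
    (most specific) rule found, so subdomains inherit unless an explicit
    exception exists. The default is an assumption: the Allow baseline."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate], candidate
    return default, None


# Constructed sample: the first row of the exceptions table.
GOOGLE_RULES = build_rules([
    "BLOCK google.com",
    "ALLOW mail.google.com",
    "BLOCK server1.mail.google.com",
])

if __name__ == "__main__":
    for host in ("google.com", "mail.google.com",
                 "server1.mail.google.com", "server2.mail.google.com"):
        print(host, *decide(GOOGLE_RULES, host))
```

`decide` returns both the action and the rule that matched, which makes it easy to see which exception a given host is inheriting from.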