/
How to Configure Advanced Filtering Policies

How to Configure Advanced Filtering Policies

Jan 07, 2026

With BCS Plus, you can either use preset filtering policies or create customized policies for a particular user or group, and base policies on either categories, domains, or URLs.

Configuring Local or LDAP Users and Groups

You can either manually add local users and groups, or synchronize your LDAP / AD services with the BCS service – this enables you to apply policies by users and / or groups. If you have a configured LDAP server, you can connect to your LDAP per instructions in LDAP Active Directory and BCS. For manual entry, see Manually Configure Local Users and Groups.

Creating Rules

See Best Practices for Creating Rules/Policies below. Before you create policies, make a list of the most important policies, and try to keep the policy compact – too many rules can render the entire policy almost useless and result in slower performance of the BCS agent. If you can, choose category policies over domain and URL-based rules.

  1. From the ACCOUNTS page, click Manage in the table for the account for which you want to configure rules/policies.

  2. Click on Advanced Filtering in the left pane.

  3. On the Advanced Filtering page you can either:

    • Click ADD RULE. Click in the text box at the top of the popup to select one or more users or groups.  - OR -

    • Scroll down to an existing user or group in the table and, in the More column, click on the 3 dots () and click Create Rule

  4. Select an Action of Block or Allow.

  5. Select a rule Type of either Categories, Domains, or URLs.

  6. Check each category for which you want the rule to apply, or enter the target domain or URL in the pop-up. When you enter a domain name, a wild card is automatically applied to include subdomains and the TLD (for example, .com, .org, .net, . us, .de., etc.) BCS validates domain or URL inputs is as follows: 

    • For domain-based rules, you cannot add a URL. For example, you could enter redfin.com, but https://www.redfin.com/zipcode/95123 would not be accepted.

    • You cannot enter and save an IP address for a domain/URL based rule.

    • Wild card masks are not accepted when entering a domain/URL based rule, e.g. *.microsoft.com, because wildcards are automatically included as stated above.

  7. Click Save.

  • Domain look up: To find out which category a domain belongs to, go to the ACCOUNT SETTINGS page and use the Look For Domain Category feature.

  • Updates to policies may take up to 15 minutes to go into effect.

Best Practices for Creating Rules/Policies

  1. Pay attention to policy precedence when you create user and group policies: policies above others in the table take precedence.

  2. Barracuda Networks recommends beginning by creating a baseline policy for Everyone with a default action of Allow. This prevents you from accidentally blocking newly discovered websites that may be important to people in your organization, such as new competitors, local government alerts, or breaking weather events. You can later add exception policies as needed. This policy would end up at the bottom of the table, so all policies created after that, or placed above it in the table, would take precedence and/or be exceptions to the Everyone policy.   

  3. The next policy you create should be an Everyone policy that blocks a broad set of categories. You can start with the default categories that are set up in the account at activation, or check categories or supercategories you want to block. Important: Be sure NOT to block the Content Delivery Networks & Infrastructure (CDNs) category under the Security super-category, because thousands of websites rely on CDNs to deliver critical website content.  
     
    After you create these two policies, you'll see the second policy you created above the first policy in the table. This means that the higher level policy (block) takes precedence over the one(s) below it. See How Rules Are Applied (Order of Precedence) below for more information.

  4. Finally, create your group and user specific policies. These should be in the table above the first general Everyone policies you created, and represent exceptions to those policies. Barracuda Networks recommends placing user polices at the top of the list (table) and group policies near the bottom for easy policy precedence. 

  5. When changing an AD group policy, restart the agent to make sure it gets the latest policy updates.

To create this set of policies:

Step 1: Create an Allow policy for Everyone.

  1. On the Advanced Filtering page, click ADD RULE.

  2. In the Select one or more users or groups this rule should apply to drop-down, select Everyone.

  3. In the Action drop-down, select Allow.

  4. In the Type drop-down, select Categories.

  5. Check the box for each supercategory you want to allow (recommended: check all of them, and then create your block policy).

  6. Click CREATE to save the policy.

Step 2: Create a Block policy for Everyone, as needed.

  1. On the Advanced Filtering page, click ADD RULE.

  2. In the Select one or more users or groups this rule should apply to drop-down, select Everyone.

  3. In the Action drop-down, select Block.

  4. In the Type drop-down, select Categories.

  5. Check the box for each supercategory and/or category you want to block. As noted above, be sure NOT to block the Content Delivery Networks & Infrastructure (CDNs) category under the Security super-category, because thousands of websites rely on CDNs to deliver critical website content.

  6. Click CREATE to save the policy.

Step 3: Create exceptions to the policy for specific users and/or groups.

In the following example, say you have blocked the Commerce and Shopping supercategory, but you want staff in the Finance department to be able to visit domains categorized under Financial Products in that supercategory.

  1. Click ADD RULE.

  2. In the Select one or more users or groups this rule should apply to drop-down, select the Finance group.

  3. In the Action drop-down, select Allow.

  4. In the Type drop-down, select Categories.

  5. In the Commerce and Shopping supercategory, check Financial Products. Domains in this category will be allowed for members of the Finance Department.

  6. Click CREATE.

You could do the same for a specific user, or by domain or URL. Make sure that this new rule is placed ABOVE the Everyone policies in the table so that it takes precedence.

Important: When you create a URL policy for a user or group, BCS intercepts SSL traffic in order to view the URL contents, which can require additional processing resources on the endpoint machine. For this reason, make sure to only create URL policies for specific users, not for entire groups – unless everyone in the group has a machine that can handle the additional resource usage.

Syntax for policies by domains and subdomains

When entering a domain for a policy, do not use wildcards ('*'), or include protocols, such as http:// or https://. When you enter a domain name, a wild card is automatically applied to include subdomains and the TLD.

Correct

Incorrect

Correct

Incorrect

mydomain.net

https://www.mydomain.net

www.mail.barracuda.com

*.mail.barracuda.com

google.com, www.google.com

http://www.google.com

yourdomain.org

 *.yourdomain.org

We value your feedback.
If you have questions, suggestions, or feedback on our documentation, contact the Campus Product Documentation team.
For general product inquiries or technical support, please contact the global Barracuda Support team.