A policy takes effect when DNS traffic arrives at WebTitan for filtering. As such, only one policy can take effect at a time for a given DNS request.

While policies can be applied to users, groups, locations and devices, the policy for a single DNS request is selected by following an order of precedence, on the principle that the policy closest to the user wins.

The following is the order of precedence WebTitan uses to select a policy, starting at 1 and going to 4:

1. User Policy
2. Group Policy
3. Location Policy
4. Customer Default Policy


User Policy

For a user policy to take effect, that user must be identified through WebTitan AD integration or using WebTitan OTG.

When traffic arrives at WebTitan from an identified user who has a policy explicitly assigned to them, that user will always be filtered using that policy, even if a policy is assigned to a group the user is a member of or to the location from which the user's traffic arrives.

If a user does not have a policy assigned to them, the policy on their AD group is the next in order of precedence.


Group Policy

For group policies to take effect, WebTitan AD integration must be in place.

If a user is a member of an Active Directory group, the policy from their AD group applies if that user does not have a policy explicitly assigned to them.

A user can be a member of more than one Active Directory group. In this case, Group Ranking is used to determine which group's policy is applied. See Group Ranking.


Location Policy

If there is no user or group policy explicitly assigned, the policy that takes effect for a DNS request is the policy applied to the location that the user's traffic is coming through.


Customer Default Policy

If no user, group, or location policy is assigned, the customer default policy always applies. This policy can be viewed and updated from Settings > (Global) Default Policy.
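
The precedence described on this page can be modelled as a small resolver for checking which policy a given request ends up with. This is an added example, not WebTitan code or its API: the `Request` and `Config` structures, the policy and group names, and the sample data are constructed, and it assumes that rank 1 is the highest group rank and that only groups with a policy assigned take part in ranking.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    location: str                      # location the DNS traffic arrived through
    user: Optional[str] = None         # None: not identified via AD integration or OTG
    groups: list = field(default_factory=list)  # AD groups; empty without AD integration

@dataclass
class Config:                          # constructed sample data, not a WebTitan export
    user_policy: dict
    group_policy: dict
    group_rank: dict                   # assumption: 1 is the highest rank
    location_policy: dict
    default_policy: str

def effective_policy(req: Request, cfg: Config):
    """Return (policy, level) for one DNS request; exactly one policy applies."""
    if req.user is not None:
        # 1. A policy explicitly assigned to the identified user always wins.
        if req.user in cfg.user_policy:
            return cfg.user_policy[req.user], "user"
        # 2. Otherwise the user's AD group; with several groups, ranking decides.
        #    Assumption: only groups that have a policy assigned are candidates.
        ranked = sorted((g for g in req.groups if g in cfg.group_policy),
                        key=lambda g: cfg.group_rank.get(g, float("inf")))
        if ranked:
            return cfg.group_policy[ranked[0]], "group"
    # 3. No user or group policy: the policy on the location applies.
    if req.location in cfg.location_policy:
        return cfg.location_policy[req.location], "location"
    # 4. Nothing assigned anywhere: the customer default policy.
    return cfg.default_policy, "default"

CFG = Config(
    user_policy={"alice": "it-admin"},
    group_policy={"Staff": "staff-standard", "Students": "student-strict"},
    group_rank={"Students": 1, "Staff": 2},
    location_policy={"hq": "office"},
    default_policy="customer-default",
)

if __name__ == "__main__":
    for r in (Request("hq", "alice", ["Students"]),
              Request("hq", "bob", ["Staff", "Students"]),
              Request("hq"),
              Request("branch")):
        print(r.user, r.location, "->", effective_policy(r, CFG))
```

Running a model like this over a list of users and locations shows where an explicitly assigned user policy overrides a stricter group or location policy, and which requests fall through to the customer default because the user was not identified.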