A policy takes effect when DNS traffic arrives at WebTitan for filtering. As such, only one policy can take effect at a time for a given DNS request.

While policies can be applied to users, groups, locations and devices, the policy for a single DNS request is selected by following an order of precedence, on the principle that the policy closest to the user wins.

The following is the order of precedence WebTitan uses to select a policy, starting at 1 and going to 4:

1. User

Note: For a user policy to take effect, that user must be identified through WebTitan AD integration or using WebTitan OTG.

When traffic arrives at WebTitan from an identified user that has a policy explicitly assigned to them, that user will always be filtered using that policy -- even if there is a policy assigned to a group the user is a member of, or the location from which the user's traffic arrives has a policy assigned.

If a user does not have a policy assigned to them, the policy on their AD group is the next in order of precedence.

2. Group

Note: For group policies to take effect, WebTitan AD integration must be in place.

If a user is a member of an Active Directory group, the policy from their AD group applies if that user does not have a policy explicitly assigned to them.

A user can be a member of more than one Active Directory group. In this case, Group Ranking is used to determine which group's policy is applied. See Group Ranking.

3. Location Policy

If there is no user or group policy explicitly assigned, the policy that takes effect for a DNS request is the policy applied to the location that the user's traffic is coming through.

4. Customer Default Policy

If no user, group, or location policy is assigned, the customer default policy always applies. This policy can be viewed and updated from Settings > (Global) Default Policy.
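
The precedence above written as a small resolver, as an added example that is not WebTitan's own code. All user, group, location and policy names are constructed, and the ranking rule (a lower number means a higher rank, and only groups that have a policy assigned are considered) is an assumption, since Group Ranking is described separately.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Request:
    """One DNS request as seen by the filter (constructed model)."""
    location: str
    user: Optional[str] = None  # None: user not identified (no AD integration / OTG)
    groups: List[str] = field(default_factory=list)  # AD groups of the identified user


# Constructed sample assignments; every name below is hypothetical.
USER_POLICY = {"alice": "exec-relaxed"}
GROUP_POLICY = {"staff": "staff-standard", "contractors": "contractor-strict"}
GROUP_RANK = {"contractors": 1, "staff": 2, "interns": 3}  # assumption: 1 = highest rank
LOCATION_POLICY = {"hq": "hq-office"}
DEFAULT_POLICY = "customer-default"


def resolve_policy(req):
    """Return (policy, level) for one request: exactly one policy wins."""
    if req.user is not None:
        # 1. An explicitly assigned user policy beats everything else.
        if req.user in USER_POLICY:
            return USER_POLICY[req.user], "user"
        # 2. Group policy; with several groups the best-ranked one wins.
        ranked = sorted((g for g in req.groups if g in GROUP_POLICY),
                        key=lambda g: GROUP_RANK.get(g, float("inf")))
        if ranked:
            return GROUP_POLICY[ranked[0]], "group"
    # 3. Policy of the location the traffic arrives through.
    if req.location in LOCATION_POLICY:
        return LOCATION_POLICY[req.location], "location"
    # 4. The customer default policy is the final fallback.
    return DEFAULT_POLICY, "default"


if __name__ == "__main__":
    samples = [
        Request("hq", "alice", ["staff"]),
        Request("hq", "bob", ["staff", "contractors"]),
        Request("hq", "carol", ["interns"]),
        Request("hq"),                      # unidentified user
        Request("branch", "dave", []),
    ]
    for r in samples:
        print(r.user, r.location, "->", resolve_policy(r))
```

The unidentified request from `hq` resolves to the location policy, so a stricter user or group policy only applies when the user is actually identified on that request.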