Blocking internet access for a length of time

I have to block internet usage for a certain number of students who are taking an exam soon. I have added these users to an ad group and added the ad group to my Firebox T80. I have also created a Firewall policy so that connections are blocked to this group but my policy is being skipped and traffic goes to the default https-policy. 'Enable Policy Auto-Order Mode' is disabled and I cannot find out why my policy is being ignored/skipped.


  • What is this policy type? A TCP-UDP packet filter?
    Move this policy to the top of the policy list.
    Is this policy set to Denied?
    Do you have SSO set up so that these users get automatically authenticated?
    If so, do you see them in the Authenticated Users list in the Web UI or Firebox System Manager?

    Turn on Logging on this policy to see what is blocked by it in Traffic Monitor.

  • It's currently a https-proxy filter. I have moved the policy to the top. Under settings I have set it so that connections are denied from the exam users group. Looking at the authenticated users list this appears to be empty.

  • Users need to be authenticated to the firewall in order to use AD groups to control access.

    Have you set up SSO?
    About Active Directory Single Sign-On (SSO)

  • Thanks for your help so far. I have set sso up and I can now see my test user in the authenticated users list but despite my policy being at the top of the list it is still being overrided by the https-proxy policy

  • I've now found it is the scheduling that is not working. If I set the schedule to 'always on' then the policy works. If I set the schedule to between, say, today and between 08:45 BST and 09:15 BST the policy won't work.

  • I have now got this working. Thank you Bruce for your assistance. It looks like it was a combination of sso not being installed and the Watchguard which, unless I'm missing a setting somewhere, cannot distinguish between BST and GMT. If I set the schedule to to be enabled in GMT time then the policy works.

  • Do you have NTP set up?
    Daylight Savings Time for my time zone (US EDT) works for me.

    Enable NTP and Configure NTP Servers

Sign In to comment.