Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Imposing Quotas and Restrictions on Web Usage

Imposing quotas and other restrictions you can guide the users of your network in their web usage and limit their consumption of resources.
The quota management process includes several elements:

  • Quota management rules, which control the process
  • Quota management lists, which rules use to impose restrictions depending on listed objects, such as URLs, IP addresses, and others
  • Quota management modules (engines), which are called by rules to handle quotas, session time, and other restrictions

A quota management process is not implemented by default on Web Gateway after the initial setup. You can implement a process by importing suitable rule sets from the rule set library and modify it to meet the requirements of your organization.

Quota management rules 

The rules that control quotas and other restrictions are contained in various rule sets, for example, in a time quota, or a volume quota, or a coaching rule set. 

These rules check whether the configured time and volume of web usage is exhausted and eventually block requests for further web usage.
Quota management rule sets are not part of the default rule set system, but can be imported from the rule set library.

You can review the rules that are implemented with the library rule sets, modify or delete them, but also create your own rules.

Quota management lists 

Rules for quotas and other restrictions use lists of web objects and users to impose restrictions on them.

For example, a time quota rule set uses a list with URLs of particular websites to record the time a user spends visiting these websites. When the time configured for weekly usage is exhausted, further access is blocked.

You can add and remove entries to and from these lists. You can also create your own lists.

Quota management modules

The quota management modules (engines) handle time and volume parameters of the quota management process. They are checked by rules to find out, for example, about consumed and remaining times and volumes.

By configuring settings for these modules, you specify times and volumes, for example, how many hours and minutes per day users are allowed to access particular web objects.

Session time

Session time is the time allowed for a single session of web usage by a user. It is configured in different ways:

  • Session time for time quotas — When configuring time quotas, you also configure a session time. When session time is exhausted for a user, it is deducted from the user’s time quota. 
    As long as the overall time quota is not exhausted, the user can start a new session. Otherwise, any request sent by the user is blocked and a block message appears.
  • Session time for volume quotas — Session time has no impact on the volume quota for a user. 
    You can still configure a session time to inform the user about the time that has been used up. When this session time is exhausted, the user can start a new session, as long as the volume quota is not exhausted. 
    If you set the session time to zero, no session time is configured.
  • Session time for other quota management functions — You can also configure session time for other types of restrictions, such as coaching, authorized override, and blocking sessions.
    When session time is exhausted for coaching and authorized overriding, a request that a user sends is blocked. 
    A message appears, stating the block reason. The user can start a new session unless time quota has also been configured and is exhausted. 
    The session time for a blocking session is the time during which requests sent by a user are blocked. When this time has elapsed, requests from the user are again accepted unless time quota has also been configured and is exhausted.

Combining quota management functions

A particular quota management function that is configured to restrict web usage does not impact other quota management functions. But you can combine these functions in meaningful ways.

For example, you can impose coaching on users when accessing some URL categories, while requesting authorized override credentials for accessing others.

  • Was this article helpful?