Imposing quotas and other restrictions on web usage

Imposing quotas and other restrictions in a quota management process for the users of your network allows you to guide their web usage and limit their consumption of network resources.

The quota management process includes several elements, which contribute to it in different ways.

  • Quota management rules control the process.
  • Quota management lists are used by the rules to impose restrictions with regard to users and particular web objects, such as URLs, IP addresses, and others.
  • Quota management modules, which are called by the rules, handle time and volume quotas, session times, and other restrictions within the process.

A quota management process is not implemented by default on Web Gateway after the initial setup. You can implement a process by importing suitable rule sets from the rule set library and modify this process to adapt it to the requirements of your web security policy.


To configure quota management, you can work with:

  • Key elements of rules — After importing the library rule sets for quota management and clicking them on the rule sets tree, you can view and configure key elements of the rules for the quota management process.
  • Complete rules — After clicking Unlock View in the key elements view, you can view the rules for the quota management process completely, configure all their elements, including the key elements, and also create new rules or delete rules.

    You cannot return from this view to the key elements view unless you discard all changes or re-import the rule set.

Quota management rules

The rules that control the management of quotas and other restrictions are contained in different rule sets, according to the type of restriction, for example, in a time quota or a coaching rule set.

The rules in these rule sets check whether the configured limits for time or and volume have been exceeded and eventually block requests for further web access. They also redirect requests when a user chooses to continue with a new session.

Quota management rule sets are not implemented in the default rule set system, but can be imported from the rule set library. The library rule set names are Time Quota, Volume Quota, Coaching, Authorized Override, and Blocking Sessions.

You can review the rules that are implemented with the library rule sets, modify or delete them, and also create your own rules.

Quota management lists

The rule sets for managing quotas and other restrictions use lists of web objects and users to impose restrictions accordingly. The lists are contained in the criteria of a rule set.

For example, a list contains a number of URLs and the time quota rule set has this list in its criteria. Then this rule set and the rules within it apply only if a user accesses one of the URLs on the list. Lists of IP addresses or media types can be used in the same way.

You can add entries to these lists or remove entries. You can also create your own lists and let them be used by the quota management rule sets.

Quota management modules

The quota management modules (also known as engines) handle the time and volume parameters of the quota management process and are checked by the rule sets of the process to find out about consumed and remaining times or volumes, session times, and other values.

There is a module for each type of restriction, for example, the Time Quota or the Coaching module.

By configuring settings for these modules, you specify the times and volumes that apply in the quota management process. For example, when configuring the time quota module, you specify how much hours and minutes per day users can access web objects with particular URLs or IP addresses.

Session time

Among the settings that you can configure for the quota management module is also session time. This is the time allowed for a single session that a user spends on web usage.

Session time is configured separately and handled differently for time quotas, volume quotas, and other parameters of the quota management process.

  • Session time for time quotas — When configuring time quotas, you also need to configure a session time. Whenever session time has elapsed for a user, the amount of time that is configured as session time is deducted from the user’s time quota.

    As long as the time quota has not been used up, the user can start a new session. When the time quota has elapsed, a request that the user sends is blocked and a block message is displayed.

  • Session time for volume quotas — When configuring volume quotas, the session time has no impact on the volume quota for a user.

    You can still configure a session time to inform the user about the amount of time that has been used up for web access. When time has elapsed for a session, the user can start a new session, as long as the configured volume has not been consumed.

    If you set the session time to zero, no session time is configured and communicated to the user.

  • Session time for other quota management functions — Session time can also be configured for other Coaching, Authorized Override, and Blocking Sessions. Accordingly, there can be a coaching, an authorized override, or a blocking session.

    When session time has elapsed for coaching and authorized overriding, a request that a user sends is blocked.

    A message is displayed to the user, stating why the request was blocked. The user can start a new session unless time quota has also been configured and is used up.

    The session time that is configured for a blocking session is the time during which requests sent by a particular user are blocked. When this time has elapsed, requests from the user are again accepted unless time quota has also been configured and is used up.

Combining quota management functions

Using a particular quota management function to restrict web usage has no impact on the use of other quota management functions. For example, time quotas and volume quotas are configured and implemented separately on the appliance.

You can, however, combine these functions in meaningful ways.

For example, you can impose coaching on users’ access to some URL categories, while requesting authorized override credentials for others.

For still another group of categories you could block users who attempt to access them over a configured period of time.