Time Based Policies
Time Based Policies
Time Based Policies extend your existing Real-time Protection policy infrastructure by supporting policies with time restrictions on day, date, and time of day.
Contact Support to enable this feature in your account if you do not see the option in the Policy creation page.
Currently, you cannot use time based policies to enforce time quotas, daylight savings, and predefined time zones functionality.
Prior to using time intervals, you must configure SSL Decryption. Traffic must be decrypted for the time intervals to function successfully.
For Time Based Policies, you can configure Time Ranges and Time Intervals. A Time Range has a single start date with start time and a single end date with end time. A Time Interval specifies the periods within the Time Range to which the Policy Schedule applies. Once created, time intervals can be reused in other policies.
Netskope enforces the Time Ranges and Time Intervals based on UTC. The diagram below shows a graphical example.
Some use cases of time based policies include the following scenarios:
- Block all social media sites for all users across the world during work hours (9 a.m. to 5 p.m.) from Monday to Friday, starting on January 10, 2020 and ending on February 20, 2020.
- Block access to work-related sites on the weekends for 24 hours a day, starting now with no end date.
- Block online retail sites Monday to Sunday at 9 a.m. to 5 p.m. PST, starting on November 1, 2020 to December 31, 2020.
To create a Policy Schedule:
- When creating or editing a Real-time Protection policy, go to the Status section and click Policy Schedule. The Policy Schedule window appears.
- Configure a Time Range. The Time Range always applies to the Policy Schedule, regardless if the Time Interval is modified for not.
Use the Start and End calendar pickers to choose a single start date with start time, and a single end date with end time. When configuring the Time Range, keep the following in mind:
- The default setting is set to start “Now” (today’s date at 12AM) and end time is default set to “Infinite“ (no set date and time).
- The dates before TODAY (based on UTC-12:00) are disabled for both “Start” and “End”.
- Netskope saves and enforced the Time Range is based on UTC. For example, you set the following Time Range for your policy: July 1 at 9 a.m. to July 8 at 5 p.m. You also have users in the time zones UTC+14 and UTC-12. The policy first activates on July 1 at 9 a.m. (UTC+14). The policy then ends on July 8 at 5 p.m. (UTC-12).
From the admin’s standpoint, the policy becomes active on the start date and time in the earliest time zone the users belong to. The policy deactivates on the end date and time in the latest time zone the users belong to.
- Select a Time Interval or No Interval. Time Interval emphasizes intervals, allowing you to make further specifications during the chosen Time Range. You must create a time interval before you’re able to select it from the drop down.
Click the gear icon to open the Manage Time Intervals window. This window populates with any time intervals you have already created. These can be reused in other policies and easily searched and added from this window.
If you try to delete a time interval that is used in other policies, an error displays, you must delete the time interval from the other policies before deleting from the Manage Time Intervals list.
Click button to create a new Time Interval from the Manage Time Intervals window. You can also click the plus icon to open the Create Time Interval window.
To create a time interval:
- Type a name for the time interval profile.
- Specify Daily or Weekly intervals. If you select Daily, the system assumes all days of the week. Within the Weekly interval, you can further specify Days of the Week and Time of Day between a set time. Time of Day is enabled by default. However, if you disable the toggle button, the system treats Time of day as ‘all day’.
- Save your time interval.
- Once you have made time based selections in the Policy Schedule window, click Save. The system checks if there is any overlap between time range and time interval. If there is NO overlap, you will see an error message similar to the following:
If there are no errors, the Policy creation page shows shows the details of the policy schedule, similar to the following:
However, if there are any errors such as an expired time range, the time range appears grayed out and a notice displays, similar to the following:
- Click Save to save your changes to the Real-time Protection policy.
From the Real-time Protection policy list page if a policy schedule is configured, you will see a clock icon beside the policy name in the Policy list page.
If a time range has expired, you will see a grayed out clock icon and policy name. The policy is no longer enabled because the time range no longer matches the criteria.
In both cases, you can hover over the clock icon for details.